Experiment: quickly setting up a four-channel VPN with strongSwan.
1. Scenario
Figure 1
The figure above is taken from the strongSwan website. It involves three subnets: 10.1.0.0/16 on the left, 192.168.0.0/24 in the middle and 10.2.0.10/16 on the right. The demonstration that follows uses Figure 1 as its scenario. moon and sun authenticate each other with certificates issued by a self-signed CA. NAT traversal is not considered; 192.168.0.1 and 192.168.0.2 are both static addresses. The four VPN channels are:
net-to-net: 10.1.0.0/16 <=> 10.2.0.0/16
host-to-host: 192.168.0.1 <=> 192.168.0.2
host-to-net: 192.168.0.1 <=> 10.2.0.0/16
net-to-host: 10.1.0.0/16 <=> 192.168.0.2
2. Implementation steps:
Install strongSwan. Run the following command on both "Gateway moon" and "Gateway sun" to install the software:
apt-get install strongswan
Create the self-issued certificates. Issue the certificates on either "Gateway moon" or "Gateway sun"; it is best to first create a separate directory to hold the generated keys, certificates and so on. Run the following commands:
ipsec pki --gen > caKey.der
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
ipsec pki --gen > moonKey.der
ipsec pki --pub --in moonKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CH, O=strongSwan, CN=192.168.0.1" > moonCert.der
ipsec pki --gen > sunKey.der
ipsec pki --pub --in sunKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CH, O=strongSwan, CN=192.168.0.2" > sunCert.der
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert moonCert.der > mooncrl.der
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert sunCert.der > suncrl.der
The commands above generate 8 files in total: caKey.der, caCert.der, moonKey.der, moonCert.der, sunKey.der, sunCert.der, mooncrl.der and suncrl.der.
Install the certificates. Copying the 8 files just generated into the designated directories on "Gateway moon" and "Gateway sun" completes the installation. Afterwards, the files on "Gateway moon" should be laid out as follows:
/etc/ipsec.d/private/moonKey.der
/etc/ipsec.d/certs/moonCert.der
/etc/ipsec.d/certs/sunCert.der
/etc/ipsec.d/cacerts/caCert.der
/etc/ipsec.d/crls/mooncrl.der
The files on "Gateway sun" should be laid out as follows:
/etc/ipsec.d/private/sunKey.der
/etc/ipsec.d/certs/moonCert.der
/etc/ipsec.d/certs/sunCert.der
/etc/ipsec.d/cacerts/caCert.der
/etc/ipsec.d/crls/suncrl.der
The process above involves 7 files; please check them carefully after copying. The one file that is not used is caKey.der, the CA's private key, which is used to issue certificates: guard it carefully, since it will be needed again to issue new certificates. Once the steps above are done the certificates are installed, and IPsec loads these files automatically according to the configuration.
Edit the IPsec configuration files. On both "Gateway moon" and "Gateway sun", edit /etc/ipsec.conf and /etc/ipsec.secrets. On "Gateway moon" the two files read as follows.
/etc/ipsec.secrets
: RSA moonKey.der
/etc/ipsec.conf
# host-host carries the peer addresses, certificates and auto=route;
# the other three conns pull these in with also= and only add their subnets.
# Parameter lines must be indented, and the include is written also=<name>.
conn host-host
    left=192.168.0.1
    leftcert=moonCert.der
    right=192.168.0.2
    rightcert=sunCert.der
    auto=route
conn net-net
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    also=host-host
conn net-host
    leftsubnet=10.1.0.0/16
    also=host-host
conn host-net
    rightsubnet=10.2.0.0/16
    also=host-host
On "Gateway sun" the two files read as follows.
/etc/ipsec.secrets
: RSA sunKey.der
/etc/ipsec.conf
# Same layout as on moon with left and right exchanged; again the include is also=<name>.
conn host-host
    left=192.168.0.2
    leftcert=sunCert.der
    right=192.168.0.1
    rightcert=moonCert.der
    auto=route
conn net-net
    leftsubnet=10.2.0.0/16
    rightsubnet=10.1.0.0/16
    also=host-host
conn net-host
    leftsubnet=10.2.0.0/16
    also=host-host
conn host-net
    rightsubnet=10.1.0.0/16
    also=host-host
Start the ipsec service on both "Gateway moon" and "Gateway sun":
ipsec restart
At this point the four-channel VPN between the servers "Gateway moon" and "Gateway sun" is complete.
Troubleshooting: tail -f /var/log/syslog | grep charon
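The two ipsec.conf files above, as an added example that is not part of the original post: a small Python parser that reads conn sections, resolves also= the way ipsec.conf does (a conn's own keys override the included ones) and pairs every conn on moon with the conn on sun whose traffic selectors are the mirror image. Peers match by selectors rather than by conn name, which is why moon's net-host pairs with sun's host-net. The sample configs are constructed from this page's files with the certificate lines left out, and sun's file is derived by swapping the two sides.

```python
# Constructed sample: "Gateway moon" ipsec.conf from this page (indented; also= spelled with "=").
MOON_CONF = """\
conn host-host
    left=192.168.0.1
    right=192.168.0.2
    auto=route
conn net-net
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    also=host-host
conn net-host
    leftsubnet=10.1.0.0/16
    also=host-host
conn host-net
    rightsubnet=10.2.0.0/16
    also=host-host
"""
# Constructed sample: "Gateway sun" is moon's file with the two sides exchanged.
SUN_CONF = MOON_CONF
for _a, _b in [("192.168.0.1", "192.168.0.2"), ("10.1.0.0/16", "10.2.0.0/16")]:
    SUN_CONF = SUN_CONF.replace(_a, "\0").replace(_b, _a).replace("\0", _b)

def parse_conns(text):
    """{conn name: {key: value}} for every conn section; also= is left unresolved."""
    conns, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():              # section header starts at column 0
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name, {}) if kind == "conn" else None
        elif cur is not None and "=" in line:  # indented key=value belongs to cur
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    return conns

def effective(conns, name):
    """Resolve also= as ipsec.conf does: the conn's own keys win over included ones."""
    own = dict(conns[name])
    base = effective(conns, own.pop("also")) if "also" in own else {}
    base.update(own)
    return base

def endpoints(conn):
    """(local, remote) traffic selectors; no leftsubnet/rightsubnet means the host."""
    return (conn.get("leftsubnet", conn["left"]), conn.get("rightsubnet", conn["right"]))

def mirror_map(conf_a, conf_b):
    """For each conn on A, the conn on B with the reversed selectors (None if absent)."""
    a, b = parse_conns(conf_a), parse_conns(conf_b)
    by_sel = {endpoints(effective(b, n)): n for n in b}
    return {n: by_sel.get(endpoints(effective(a, n))[::-1]) for n in a}
```

A None value in the returned map points at a conn on one gateway that has no counterpart on the other, the usual cause of a tunnel that never comes up while the other three work.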
---------------------
Author: 五星上炕
Source: CSDN
Original: https://blog.csdn.net/dkfajsldfsdfsd/article/details/79535674
Copyright notice: this is an original post by the blogger; please include a link to the post when reposting.
Link to this article: https://www.kinber.cn/post/411.html Authorization is required to repost.