Setting up StrongSwan IPsec/IKEv2 to provide VPN access for Windows 10 and iOS 11
2018-06-02 03:10:51
lion
There are plenty of install and setup walkthroughs online, so I won't repeat them. Things to watch out for:

#### 1. Install the authentication plugins (authentication fails without them)

```
apt install libcharon-extra-plugins
apt install strongswan-*
```

### The ipsec.conf configuration in detail

```
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    uniqueids=never    # allow several clients to use the same certificate, so multiple devices can be online at once

# settings shared by all connections
conn %default
    keyexchange=ike           # used for both ikev1 and ikev2
    left=%any                 # server-side identity, %any means any
    leftsubnet=0.0.0.0/0      # server-side virtual IP; 0.0.0.0/0 means wildcard
    right=%any                # client-side identity, %any means any

conn IKE-BASE
    leftca=ca.cert.pem
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    leftcert=server.cert.pem          # server certificate
    rightsourceip=172.18.32.0/24      # virtual IP range handed out to clients

# for IOS, use PSK key
```

This one is for iOS: IKEv1, the type iOS labels as Cisco. Tested successfully; the username/password and the pre-shared key are both written in /etc/ipsec.secrets.

```
conn IPSec-IKEv1-PSK
    also=IKE-BASE
    keyexchange=ikev1
    fragmentation=yes
    leftauth=psk          # psk means pre-shared key
    rightauth=psk
    rightauth2=xauth      # xauth means username/password authentication, no certificate
    auto=add

# for android: IKEv1, again pre-shared key plus username/password written in /etc/ipsec.secrets
conn IPSec-xauth
    also=IKE-BASE
    leftauth=psk
    leftfirewall=yes
    right=%any
    rightauth=psk
    rightauth2=xauth
    auto=add

# for win xp l2tp, use psk
# L2TP/IPsec: tested successfully on iOS 11, did not work on Windows
conn L2TP-PSK
    keyexchange=ikev1
    authby=secret
    leftprotoport=17/1701    # L2TP port
    leftfirewall=no
    rightprotoport=17/%any
    type=transport
    auto=add

# compatible with "strongSwan VPN Client" for Android 4.0+
# and Windows 7 cert mode. Win7 certificate mode, not tested successfully yet
conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=172.18.32.0/24
    rightcert=client.cert.pem
    auto=add

# Win7 MSCHAP mode, tested successfully; username/password written in /etc/ipsec.secrets
conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=172.18.32.0/24
    rightsendcert=never
    # rightcert=client.cert.pem
    eap_identity=%any
    auto=add

# iOS 11 IKEv2 username/password mode, tested successfully; username/password written in /etc/ipsec.secrets
# A certificate has to be installed on the device
# Installing the certificate on iOS: first build a p12 from client.cert.pem and its key, then send ca.cert.pem and client.cert.p12 to the iOS device as mail attachments and install them
# iOS IPsec settings: fill Remote ID and Local ID with the leftid and rightid values, choose username authentication, and enter the username/password set in /etc/ipsec.secrets
conn iOS-IKEV2
    auto=add
    #dpdaction=clear
    keyexchange=ikev2
    # left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftid=ipsec.ever2010.com
    leftcert=server.cert.pem
    leftsendcert=always
    # right=%any
    rightsourceip=172.18.32.0/24
    rightauth=eap-mschapv2
    # rightauth=pubkey
    # rightcert=client.cert.pem
    rightid=ipsecclient.ever2010.com
    rightsendcert=never
```

### strongswan.conf configuration (the DNS pitfall)

`vi /etc/strongswan.conf`

```
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    # specify DNS servers (if clients on the VPN can reach IP addresses but not web pages by name, change this)
    # dns1 = 8.8.8.8
    # dns2 = 8.8.4.4
    # nbns1 = 8.8.8.8
    # nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
```

### NAT setup on Ubuntu

Make the firewall's default policy accept forwarded traffic (`vi /etc/default/ufw`):

```
DEFAULT_FORWARD_POLICY="ACCEPT"
```

Enable IP forwarding at the firewall layer (`vi /etc/ufw/sysctl.conf`):

```
net/ipv4/ip_forward=1
```

SNAT rule (`vi /etc/ufw/before.rules`). Insert the following before `*filter`; nothing from `*nat` through `COMMIT` may be left out.

```
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# all traffic from 172.18.32.0/24 is NATed; -o eth0 is deliberately not given so that more than one outbound interface works
-A POSTROUTING -s 172.18.32.0/24 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
```

### Firewall settings on OpenWrt

Add the following rules to the custom rules file (/etc/firewall.user):

```
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
```
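As an added example (not from the original post or the strongSwan project), the following Python script parses an ipsec.conf like the one above, resolves each conn's effective settings through `conn %default` and `also=` inheritance, and flags IKE proposals that still use weak primitives such as the `sha1`/`modp1024` in the windows7 section. The embedded sample config is constructed for the demo, and the WEAK_TOKENS list is my own choice of what to flag.

```python
import re
# Constructed sample modelled on the post's %default, IKE-BASE and windows7 sections.
SAMPLE_CONF = """
conn %default
    keyexchange=ike
conn IKE-BASE
    ike=aes256-sha256-modp2048!
conn IPSec-IKEv1-PSK
    also=IKE-BASE
    keyexchange=ikev1   # inherits the strong ike= line from IKE-BASE
conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
"""
WEAK_TOKENS = {"md5", "sha1", "des", "3des", "modp768", "modp1024"}

def parse_sections(text):
    """Return {name: {key: value}} for every 'conn' block; comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(conn|config)\s+(\S+)", line)
        if m:  # a new section; 'config setup' keys are not conn settings
            current = m.group(2) if m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            sections.setdefault(current, {})[key.strip()] = val.strip()
    return sections

def effective(sections, name, _seen=frozenset()):
    """Merge 'conn %default', then the also= chain, then the conn's own keys."""
    if name in _seen:
        raise ValueError(f"also= loop at {name}")
    own = sections[name]
    merged = dict(sections.get("%default", {})) if name != "%default" else {}
    if "also" in own:
        merged.update(effective(sections, own["also"], _seen | {name}))
    merged.update(own)  # the conn's own keys win over inherited ones
    merged.pop("also", None)
    return merged

def weak_ike_proposals(sections):
    """Map conn name -> sorted weak tokens in its effective ike= proposal."""
    findings = {}
    for name in sections:
        if name != "%default":
            proposal = effective(sections, name).get("ike", "").rstrip("!").lower()
            hits = sorted(WEAK_TOKENS & set(re.split(r"[-,]", proposal)))
            if hits:
                findings[name] = hits
    return findings
```

Run `weak_ike_proposals(parse_sections(open("/etc/ipsec.conf").read()))` against a real file to get the list of conns whose negotiated IKE SA can downgrade to the flagged algorithms.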