IPsec is one implementation of a virtual private network: it builds an encrypted tunnel between server and client to carry data, and it works in two phases.
Phase 1
Exchange keys and establish the tunnel, using the IKE protocol (Internet Key Exchange).
IKE comes in two versions (IKEv1/IKEv2).
IKEv1 has two modes: main mode and aggressive mode. Different open-source and closed-source software implements different versions, and so do different network devices.
Phase 2
Encrypt the data carried inside the tunnel, using the ESP protocol (Encapsulating Security Payload).
Phase 1 and Phase 2 can use different cipher suites.
IKEv1:
    main mode: 6 ISAKMP packets
    aggressive mode: 3 ISAKMP packets
OpenSwan:
Prerequisite:
Enable forwarding:
    echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    sysctl --system
    iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
    yum install openswan
By default this actually installs libreswan; its configuration files follow.
Modify kernel parameters: allow IP forwarding, permanently disable ICMP redirects, and turn off reverse path filtering.
    # entries for /etc/sysctl.conf
    net.ipv4.ip_forward=1
    net.ipv4.conf.all.rp_filter=0
    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.eth0.rp_filter=0
    # append every accept_redirects/send_redirects key set to 0, then reload
    sysctl -a 2> /dev/null | egrep '(.*)(accept_redirects|send_redirects)' | awk '{print $1" = "0}' >> /etc/sysctl.conf
    sysctl --system
ipsec.conf
    config setup
        protostack=netkey                 # IPsec stack
        logfile=/var/log/pluto.log
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        dumpdir=/var/run/pluto

    conn site-to-site
        type=tunnel                       # alternative: transport
        authby=secret                     # authentication method: PSK
        auto=start                        # options: add, route, start
        ikev2=never                       # disable IKEv2
        rekey=no
        #aggrmode=yes                     # aggressive mode
        ## phase 1 ##
        keyexchange=ike                   # IKE key exchange
        ike=aes128-sha1;modp1536          # Phase 1 algorithms and DH group, must match the peer
        #ike=3des-sha1;modp1024
        ikelifetime=86400s                # Phase 1 lifetime
        ## phase 2 ##
        phase2=esp                        # Phase 2 transport format
        phase2alg=aes128-sha1;modp1536    # Phase 2 algorithms and DH group, must match the peer
        compress=yes
        pfs=no                            # perfect forward secrecy (no = disabled)
        ## left ##
        #left=%defaultroute
        left=192.168.1.10                 # local IP; behind NAT use the real host address
        leftid=116.236.134.26             # local identity
        leftsourceip=116.236.134.26       # behind NAT, the public IP after translation
        leftsubnet=192.168.0.0/16         # local subnet
        leftnexthop=%defaultroute         # behind NAT, the next hop is the translated gateway IP
        ## right ##
        right=47.101.219.24               # remote VPN gateway IP
        rightid=47.101.219.24             # remote identity
        rightsourceip=47.101.219.24       # remote source address: the VPN gateway IP
        rightsubnet=172.16.0.0/12         # remote subnet
        rightnexthop=%defaultroute        # remote route per the default configuration
    ipsec --status
    ipsec auto --up connectionname
Show tunnel information:
    ip xfrm policy
StrongSwan:
Prerequisite:
RSA authentication (skip this step for PSK):
    cp cacert.pem /etc/strongswan/ipsec.d/cacerts/
    cp server.crt /etc/strongswan/ipsec.d/certs/
    cp server.key /etc/strongswan/ipsec.d/private/
    cp client.crt /etc/strongswan/ipsec.d/certs/
    cp client.key /etc/strongswan/ipsec.d/private/
/etc/strongswan/ipsec.conf
    config setup
        uniqueids=never                   # allow one account to be logged in from several devices at once

    conn %default
        type=tunnel                       # tunnel mode
        #type=transport                   # alternative: transport mode
        ikelifetime=60m
        keylife=5m
        dpddelay=10s
        rekeymargin=3m
        keyingtries=3

    conn ios_cert_authentication          # certificate authentication
        fragmentation=yes
        auto=add
        ## phase 1 ##
        keyexchange=ikev1
        ## left ##
        left=%defaultroute
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftcert=server.crt
        ## right ##
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=10.31.2.0/24
        rightcert=client.crt

    conn android_xauth_psk                # pre-shared key authentication
        auto=add
        ## phase 1 ##
        keyexchange=ikev1
        ## left ##
        left=%defaultroute
        leftauth=psk
        leftsubnet=0.0.0.0/0
        ## right ##
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=10.31.2.0/24

    conn networkmanager-strongswan
        auto=add
        ## phase 1 ##
        keyexchange=ikev2
        ## left ##
        left=%defaultroute
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftcert=server.crt
        ## right ##
        right=%any
        rightauth=pubkey
        rightsourceip=10.31.2.0/24
        rightcert=client.crt

    conn site-to-site                     # connection name: site-to-site
        auto=start                        # start automatically with strongswan; options: add, route, start
        type=tunnel                       # tunnel mode
        compress=yes
        authby=secret                     # negotiated authentication method: pre-shared key
        leftauth=psk
        rightauth=psk
        ## phase 1 ##
        keyexchange=ikev1                 # IKE key exchange
        ike=aes128-sha1-modp1536!         # Phase 1 algorithms and DH group, must match the peer
        esp=aes128-sha1-modp1536!         # Phase 2 algorithms and DH group, must match the peer
        ikelifetime=86400s                # Phase 1 lifetime
        lifetime=3600s                    # Phase 2 lifetime
        ## left ##
        left=192.168.1.10                 # local IP; behind NAT use the real host address
        leftid=116.236.134.26             # public IP that initiates the negotiation, i.e. the local-id
        leftsubnet=192.168.0.0/16         # local internal subnet
        ## right ##
        right=47.101.219.24               # remote VPN gateway IP
        rightid=47.101.219.24             # remote identity
        rightsubnet=172.16.0.0/12         # remote subnet
/etc/strongswan/ipsec.secrets
    : RSA server.key
    : PSK "YourPSK"
    UserName1 %any : XAUTH "Password1"
    UserName2 %any : XAUTH "Password2"
    UserName1 %any : EAP "Password1"
    UserName2 %any : EAP "Password2"
    47.101.219.25 116.236.134.26 : PSK 'perpetual'    # site-to-site
    # ': PSK "YourPSK"' is equivalent to '%any %any : PSK "YourPSK"'
    # general syntax: Host Peer : METHOD <server.key|PSK|Password> <password_of_server.key>
/etc/strongswan/strongswan.conf
    charon {
        filelog {
            /var/log/strongswanlog {
                append = no
                default = 1
                flush_line = yes
                ike_name = yes
                time_format = %b %e %T
            }
        }
        load_modular = yes
        compress=yes
        plugins {
            include strongswan.d/charon/*.conf
        }
        dns1=8.8.8.8
        dns2=8.8.4.4
    }
    include strongswan.d/*.conf
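The Phase 1 and Phase 2 proposals and the mode switches in the two ipsec.conf files above are what an auditor reads first. The following is an added Python example, not code from this post or from libreswan/strongSwan: it parses the conn-section format, applies conn %default inheritance, and flags the legacy settings the post mentions (aggressive mode, pfs=no, IKEv1-only, and 3DES/SHA-1/modp1024 inside the ike=, phase2alg= and esp= proposals). The embedded sample configuration is constructed for the example.

```python
import re
# Constructed sample (not a config from the post): the post's site-to-site conn with
# the commented-out legacy proposal and aggressive mode enabled, plus a hardened peer.
SAMPLE_CONF = """
conn %default
    ikev2=never              # inherited by every conn unless overridden
conn site-to-site
    aggrmode=yes
    pfs=no
    ike=3des-sha1;modp1024
    phase2alg=aes128-sha1;modp1536
conn hardened-peer
    ikev2=insist
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
"""
WEAK_TOKENS = {"3des": "3DES cipher", "sha1": "SHA-1 integrity", "modp1024": "1024-bit DH group"}

def parse_ipsec_conf(text):
    # Returns {section: {key: value}}; headers start at column 0, settings are indented.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if line and not line[0].isspace():            # "conn NAME" / "config setup"
            current = line.split()[-1]                # -> "NAME" / "setup"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint_conn(name, conn):
    # Findings for one conn after %default inheritance has been applied.
    findings = []
    if conn.get("aggrmode") == "yes":
        findings.append("aggrmode=yes: aggressive mode; prefer main mode")
    if conn.get("pfs") == "no":
        findings.append("pfs=no: Phase 2 keys are tied to the Phase 1 secret")
    if conn.get("ikev2") == "never" or conn.get("keyexchange") == "ikev1":
        findings.append("IKEv1 only; prefer IKEv2 where the peer supports it")
    for key in ("ike", "phase2alg", "esp"):               # proposal strings
        for tok in re.split(r"[-;,!]", conn.get(key, "").lower()):
            if tok in WEAK_TOKENS:
                findings.append(f"{key}={conn[key]}: {WEAK_TOKENS[tok]}")
    return [f"{name}: {f}" for f in findings]

def lint_ipsec_conf(text):
    sections = parse_ipsec_conf(text)                 # 'conn %default' is merged into each conn
    return [f for name, conn in sections.items() if name not in ("setup", "%default")
            for f in lint_conn(name, {**sections.get("%default", {}), **conn})]
```

Running lint_ipsec_conf(SAMPLE_CONF) reports seven findings for site-to-site and none for hardened-peer, because its ikev2=insist overrides the inherited ikev2=never.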
Article link: https://hqyman.cn/post/4897.html. Articles not original to this site may be freely reposted; original articles must retain this site's address.