## centos7 安装搭建 ikev2 vpn 服务
### 安装 strongSwan
# NOTE(review): on CentOS 7 the strongswan package normally comes from the
# EPEL repository -- confirm that repo is enabled before this step.
yum install strongswan
# Start the daemon now and on every boot. It is restarted once more at the
# end of this guide, after the certificates and firewall are in place.
systemctl enable strongswan
systemctl start strongswan
### 生成证书
#### 生成 CA 根证书
1. 生成一个私钥:
strongswan pki --gen --outform pem > ca.key.pem
2. 基于这个私钥自己签一个 CA 根证书:
# Self-sign the CA certificate with the key generated in step 1.
# --lifetime is in days (3650 = 10 years). ca.key.pem is the root of trust
# for every certificate issued below: whoever holds it can issue
# certificates this VPN trusts, so keep it offline with restricted
# permissions. The running VPN server itself never needs it.
strongswan pki --self --in ca.key.pem --dn "C=CN, O=ITnmg, CN=ITnmg StrongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
#### 生成服务器端证书
# Generate the server's private key. It is written unencrypted, so keep it
# readable by root only (it is installed under ipsec.d/private/ later).
strongswan pki --gen --outform pem > server.key.pem
# Derive the public key from the private key
strongswan pki --pub --in server.key.pem --outform pem > server.pub.pem
# Issue the server certificate from that public key, signed by the CA.
# --lifetime is in days (3600 is roughly 10 years; a shorter lifetime is
# easier to rotate). --san must be exactly the host name or IP that clients
# connect to, and it has to match leftid in ipsec.conf. The serverAuth /
# ikeIntermediate flags are the extended-key-usage values Windows and
# Apple IKEv2 clients look for on a server certificate.
strongswan pki --issue --lifetime 3600 --cacert ca.cert.pem --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=ITnmg, CN=vpn.itnmg.net" --san="vpn.itnmg.net" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
将 vpn.itnmg.net 换成自己的 IP 或域名 (--dn 中的 CN 和 --san 都要改).
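#### 安装证书
# Install only what the running VPN server needs: the CA *certificate*
# (trust anchor), the server certificate and the server private key.
# ca.key.pem is the CA signing key: it is used only by `pki --issue` and
# must not be placed on the VPN host -- anyone who can read it there can
# issue certificates this VPN trusts. Keep it offline.
# server.pub.pem is not installed either: strongSwan loads certificates
# from ipsec.d/certs/, and the public key is already inside server.cert.pem.
cp -- ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
cp -- server.cert.pem /etc/strongswan/ipsec.d/certs/
cp -- server.key.pem /etc/strongswan/ipsec.d/private/
# The key is read by charon as root; nobody else needs access.
chmod 600 /etc/strongswan/ipsec.d/private/server.key.pem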
### 配置 vpn
vi /etc/strongswan/ipsec.conf
# /etc/strongswan/ipsec.conf
# NOTE(review): parameter lines inside each section are conventionally
# indented under their section header; that indentation was lost here, so
# verify the file parses (`strongswan reload`) after editing.
config setup
# Allow the same identity to be connected from several devices at once
# (pairs with duplicheck.enable = no in charon.conf).
uniqueids=no
conn %default
compress = yes
# Cipher proposals; the trailing "!" makes the list strict. The 3des-sha1
# and modp1024 entries only exist for very old clients: 3DES and 1024-bit
# DH are considered weak today -- drop them unless such a client is
# actually required.
esp = aes256-sha256,aes256-sha1,3des-sha1!
ike = aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp2048,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
keyexchange = ike
keyingtries = 1
# DNS servers exchanged as configuration attributes (handed to clients).
# These are Google's public resolvers, so every client lookup leaves your
# network; point this at a resolver you control if that matters.
leftdns = 8.8.8.8,8.8.4.4
rightdns = 8.8.8.8,8.8.4.4
conn ikev2-eap
# Our certificate must chain to this CA; the DN is the one given to
# `pki --self` above.
leftca = "C=CN, O=ITnmg, CN=ITnmg StrongSwan CA"
# Loaded from /etc/strongswan/ipsec.d/certs/
leftcert = server.cert.pem
leftsendcert = always
# Clients authenticate with EAP (username/password from ipsec.secrets),
# not with certificates, so none is requested from them.
rightsendcert = never
# Must equal the --san of server.cert.pem; change the two together.
leftid = @vpn.itnmg.net
left = %any
right = %any
leftauth = pubkey
rightauth = eap-mschapv2
# charon's updown script inserts per-SA iptables rules on top of the
# static rules in /etc/sysconfig/iptables.
leftfirewall = yes
# Full tunnel: clients route all their traffic through the VPN.
leftsubnet = 0.0.0.0/0
# Virtual IP pool assigned to clients. The MASQUERADE and FORWARD rules in
# the firewall section must cover this range (10.1.0.0/16); the 10.11.x.0/24
# rules shown there do not match it, so clients would get no onward
# connectivity until the two agree.
rightsourceip = 10.1.0.0/16
fragmentation = yes
# The server does not initiate rekeying; clients are expected to.
rekey = no
# Ask the client for its EAP identity and use it to look up the EAP secret.
eap_identity=%any
# Load the connection and wait for clients to initiate.
auto = add
### 修改 dns 配置
vi /etc/strongswan/strongswan.d/charon.conf
charon {
# Several devices may connect with the same identity, so the redundant
# connection check is disabled (matches uniqueids=no in ipsec.conf).
duplicheck.enable = no
# Public DNS servers for Windows clients (same Google resolvers as the
# rightdns setting in ipsec.conf -- keep the two in sync, or better, use
# a resolver you control).
dns1 = 8.8.8.8
dns2 = 8.8.4.4
# Log output below; turn it off in production.
# NOTE(review): even at level 1 this log records peer identities and
# addresses, so keep /var/log/charon.log readable by root only. Also,
# append = no truncates the log on every restart, which erases history
# you may want for incident response -- prefer append = yes with logrotate.
filelog {
/var/log/charon.log {
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = no
# increase default loglevel for all daemon subsystems
default = 1
# flush each line to disk
flush_line = yes
}
}
}
### 配置验证方式的用户名与密码
vi /etc/strongswan/ipsec.secrets
# /etc/strongswan/ipsec.secrets holds plaintext passwords and the server
# key reference: it must be owned by root with mode 0600 (charon reads it
# as root; nobody else needs access).
# Server private key for certificate (pubkey) authentication.
# Format: : RSA <private key file> [ <passphrase> | %prompt ]
# Only server.key.pem is referenced here -- the CA key is not needed on
# this host.
: RSA server.key.pem
# Pre-shared key; the longer the better.
# NOTE(review): conn ikev2-eap uses rightauth = eap-mschapv2, so this PSK
# entry is not used by it; remove the line unless another connection needs
# it, rather than leaving a placeholder secret in place.
# Format: [ <id selectors> ] : PSK <secret>
%any : PSK "预设加密密钥"
# EAP credentials, same format as PSK; one line per user. This is what
# conn ikev2-eap authenticates clients against.
用户名 : EAP "密码"
# XAUTH credentials, IKEv1 only -- unused by the IKEv2 connection above.
# Format: [ <servername> ] <username> : XAUTH "<password>"
用户名 : XAUTH "密码"
### 开启内核转发
# Add the two settings below to /etc/sysctl.conf so they persist across
# reboots; `sysctl -p` applies them immediately.
vi /etc/sysctl.conf
# VPN: forward packets between the tunnel and the uplink (required for the
# leftsubnet = 0.0.0.0/0 full tunnel in ipsec.conf).
net.ipv4.ip_forward = 1
# NOTE(review): this also makes the host an IPv6 router, yet the firewall
# section only provides IPv4 (iptables) rules and the client pool is IPv4
# only -- leave it at 0 unless matching ip6tables rules are added.
net.ipv6.conf.all.forwarding=1
保存退出, 执行下面命令.
# Apply /etc/sysctl.conf now (it is also read automatically at boot).
sysctl -p
### 配置防火墙
centos7 下的 iptables 问题, 参考:
# CentOS 7 ships firewalld by default; iptables-services provides the
# classic iptables/ip6tables units that load /etc/sysconfig/iptables.
# Running both at once gives conflicting rule sets -- see the linked
# answer, which stops/masks firewalld before enabling the iptables service.
yum install iptables-services -y
http://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-centos-7
# This file is in iptables-save format and is loaded by the iptables
# service via iptables-restore.
vi /etc/sysconfig/iptables
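# /etc/sysconfig/iptables -- iptables-save format, loaded by iptables-restore.
# Replace eth0 with the real uplink interface (`ip link`); CentOS 7 usually
# names it enp*/ens*.
*nat
# Masquerade traffic from the VPN client pool. The pool is
# rightsourceip = 10.1.0.0/16 in ipsec.conf; the 10.11.x.0/24 rules used
# before never matched it, so clients had no onward connectivity.
-A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
# Every table must end with COMMIT or iptables-restore rejects the file.
COMMIT
*filter
# IKEv2 needs exactly three inbound openings: ESP, IKE on udp/500 and
# NAT-T on udp/4500. tcp/500, udp/1701 (L2TP) and tcp/1723 (PPTP) are not
# used by IKEv2 and are deliberately not opened.
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
# Return traffic for forwarded flows, then anything originating from the
# client pool.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
COMMIT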
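# Load the ruleset now AND on every boot: restart alone applies
# /etc/sysconfig/iptables once, but the service was never enabled, so the
# rules (and the NAT the clients rely on) would be gone after a reboot.
systemctl enable iptables
systemctl restart iptables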
### 配置完防火墙后重启 strongswan 服务
# Stop the daemon with strongSwan's own command ...
strongswan stop
# ... and start it again through systemctl.
# NOTE(review): `systemctl restart strongswan` achieves the same restart
# through systemd alone and keeps the unit state consistent; mixing the two
# tools is the author's choice, not a requirement.
systemctl start strongswan
### 客户端配置
iOS:
先导入 CA 证书
将之前创建的 ca.cert.pem 用 ftp 导出, 写邮件以附件的方式发到邮箱, 在 iOS 浏览器登录邮箱, 下载附件, 安装 CA 证书.