实验如何通过strongswan快速配置四通道vpn。
1.场景说明
图1
上图引自strongSwan官方网站,涉及三个网段子网,左边10.1.0.0/16,中间192.168.0.0/24,右边10.2.0.10/16。接下来的演示以图1作为场景。moon与sun之间以自签证书的方法相互认证身份。不考虑nat穿越,192.168.0.1与192.168.0.2都是静态网址。四通道vpn指的是:
- net-to-net: 10.1.0.0/16 <=> 10.2.0.0/16
- host-to-host: 192.168.0.1 <=> 192.168.0.2
- host-to-net: 192.168.0.1 <=> 10.2.0.0/16
- net-to-host: 10.1.0.0/16 <=> 192.168.0.2
2.实现步骤:
- 安装strongSwan。分别在主机"Gateway moon"与"Gateway sun"执行如下命令,完成软件安装:
apt-get install strongswan
- 创建自签发证书。在"Gateway moon"与"Gateway sun"任意一台主机上签发证书,最好是先创建一个单独的目录,用于存放生成的秘钥、证书等。执行如下命令:
以上命令总共生成了8个文件,分别是:caKey.der、caCert.der、moonKey.der、moonCert.der、sunKey.der、sunCert.der、mooncrl.der、suncrl.der。ipsec pki --gen > caKey.der ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der ipsec pki --gen > moonKey.der ipsec pki --pub --in moonKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CH, O=strongSwan, CN=192.168.0.1" > moonCert.der ipsec pki --gen > sunKey.der ipsec pki --pub --in sunKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CH, O=strongSwan, CN=192.168.0.2" > sunCert.der ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert moonCert.der > mooncrl.der ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert sunCert.der > suncrl.der - 安装证书。将刚才生成好的8个文件分别复制到"Gateway moon"与"Gateway sun"的指定目录下,既可完成证书的安装。安装完成后,主机"Gateway moon"的文件分布应该如下:
主机"Gateway sun"的文件分布应该如下:/etc/ipsec.d/private/moonKey.der /etc/ipsec.d/certs/moonCert.der /etc/ipsec.d/certs/sunCert.der /etc/ipsec.d/cacerts/caCert.der /etc/ipsec.d/crls/mooncrl.der
上述过程涉及到7个文件,复制完成以后请仔细核对。另外有一个没有用到的文件是caKey.der,这个是CA的私钥,用来签发证书,请仔细保管,以后还需要用它来签发新的证书。执行完成以上步骤后就完成了证书的安装,IPsec会根据设置自动加载以上文件。/etc/ipsec.d/private/sunKey.der /etc/ipsec.d/certs/moonCert.der /etc/ipsec.d/certs/sunCert.der /etc/ipsec.d/cacerts/caCert.der /etc/ipsec.d/crls/suncrl.der - 修改IPsec配置文件。分别在"Gateway moon"与"Gateway sun"主机中修改/etc/ipsec.conf与/etc/ipsec.secrets两个文件。"Gateway moon"主机中的文件内容如下。
/etc/ipsec.secrets
: RSA moonKey.der
/etc/ipsec.confconn host-host left=192.168.0.1 leftcert=moonCert.der right=192.168.0.2 rightcert=sunCert.der auto=route conn net-net leftsubnet=10.1.0.0/16 rightsubnet=10.2.0.0/16 also host-host conn net-host leftsubnet=10.1.0.0/16 also host-host conn host-net rightsubnet=10.2.0.0/16 also host-host
"Gateway sun"主机中的文件内容如下。
/etc/ipsec.secrets
: RSA sunKey.der
/etc/ipsec.conf
conn host-host left=192.168.0.2 leftcert=sunCert.der right=192.168.0.1 rightcert=moonCert.der auto=route conn net-net leftsubnet=10.2.0.0/16 rightsubnet=10.1.0.0/16 also host-host conn net-host leftsubnet=10.2.0.0/16 also host-host conn host-net rightsubnet=10.1.0.0/16 also host-host
- 分别在"Gateway moon"与"Gateway sun"主机上启动ipsec服务:
ipsec restart
至此,服务器"Gateway moon"与"Gateway sun"之间的四通道vpn搭建完成。
排查错误方法: tail -f /var/log/syslog | grep charon