How to connect the home and office networks for remote work: Windows 10 + IPsec IKEv2 VPN

2023-11-24 (Friday) / 0 comments / 0 likes / 43 reads / 11803 characters

The following is excerpted from the Netkiller Linux Handbook (《Netkiller Linux 手札》)

42.4. strongswan - IPSec utilities for strongSwan

http://www.strongswan.org/

User -> Windows 10 Desktop -> Home -> VPN -> Office

To work remotely you must be able to reach office resources from home, for example:

the office NAS, the office printer (you can print remotely), video conferencing, VoIP (you can install a SIP/H.323 phone at home), office video surveillance, and so on.

First deploy a server in the office and configure it as a VPN server; SOHO desktop users then reach office resources through that server and collaborate with their office colleagues.

Here I chose IKEv2.

42.4.1. Installing the strongswan VPN server

CentOS 7 environment

yum install -y strongswan
yum install -y haveged
systemctl enable haveged
systemctl start haveged
cd /etc/strongswan

Create a self-signed CA root certificate

# CA private key
strongswan pki --gen --type rsa --size 4096 --outform der > ipsec.d/private/CARootKey.der
chmod 600 ipsec.d/private/CARootKey.der
# CA certificate (public part)
strongswan pki --self --ca --lifetime 3650 --in ipsec.d/private/CARootKey.der --type rsa --dn "C=NL, O=Example Company, CN=StrongSwan Root CA" --outform der > ipsec.d/cacerts/CARootCert.der
strongswan pki --print --in ipsec.d/cacerts/CARootCert.der

Issue the server certificate

# Server private key
strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/ServerKey.der
chmod 600 ipsec.d/private/ServerKey.der
# Server certificate (public part), signed by the CA
strongswan pki --pub --in ipsec.d/private/ServerKey.der --type rsa | strongswan pki --issue --lifetime 730 --cacert ipsec.d/cacerts/CARootCert.der --cakey ipsec.d/private/CARootKey.der --dn "C=NL, O=Example Company, CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san 147.90.44.87 --san @147.90.44.87 --flag serverAuth --flag ikeIntermediate --outform der > ipsec.d/certs/ServerCert.der
strongswan pki --print --in ipsec.d/certs/ServerCert.der

Issue the client (user) certificate

# Client private key
cd /etc/strongswan/
strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/ClientKey.der
chmod 600 ipsec.d/private/ClientKey.der
# Client certificate (public part), signed by the CA
strongswan pki --pub --in ipsec.d/private/ClientKey.der --type rsa | strongswan pki --issue --lifetime 730 --cacert ipsec.d/cacerts/CARootCert.der --cakey ipsec.d/private/CARootKey.der --dn "C=NL, O=Example Company, [email protected]" --san "[email protected]" --san "[email protected]" --outform der > ipsec.d/certs/ClientCert.der
# Certificate conversion; the chain is der -> pem -> p12
openssl rsa -inform DER -in ipsec.d/private/ClientKey.der -out ipsec.d/private/ClientKey.pem -outform PEM
openssl x509 -inform DER -in ipsec.d/certs/ClientCert.der -out ipsec.d/certs/ClientCert.pem -outform PEM
openssl x509 -inform DER -in ipsec.d/cacerts/CARootCert.der -out ipsec.d/cacerts/CARootCert.pem -outform PEM
# Set an export password for the certificate bundle when prompted
openssl pkcs12 -export -inkey ipsec.d/private/ClientKey.pem -in ipsec.d/certs/ClientCert.pem -name "Client's VPN Certificate" -certfile ipsec.d/cacerts/CARootCert.pem -caname "strongSwan Root CA" -out Client.p12

The p12 bundle contains the CA certificate, the client private key and the client certificate. Send Client.p12 to the end user.

Tip

If you have installed OpenVPN before, this will be easy to follow; the steps above are equivalent to:

build-ca                = CARootKey/CARootCert
build-key-server server = ServerKey/ServerCert
build-key client1       = Client.p12

42.4.2. Firewall configuration

Enable IP forwarding

cat > /etc/sysctl.d/vpn.conf <<EOF
# VPN
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sysctl -p /etc/sysctl.d/vpn.conf

Open the two ports 500 and 4500 (note: UDP), allow the ESP and AH protocols through, and finally set up IP masquerading

# for ISAKMP (handling of security associations)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
# for NAT-T (handling of IPsec between natted devices)
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# for ESP payload (the encrypted data packets)
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
# for the routing of packets on the server
iptables -I POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with your egress IP, i.e. the IP address of eth1.

Start the strongswan service

If you use firewalld on CentOS 7, use the following commands instead

firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="esp" accept' # ESP (the encrypted data packets)
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="ah" accept' # AH (authenticated headers)
firewall-cmd --zone=dmz --permanent --add-port=500/udp # IKE (security associations)
firewall-cmd --zone=dmz --permanent --add-port=4500/udp # IKE NAT Traversal (IPsec between natted devices)
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=dmz --permanent --add-masquerade
firewall-cmd --permanent --set-default-zone=dmz
firewall-cmd --reload
firewall-cmd --list-all

42.4.3. Configuring IPsec

The IPsec configuration below can be copied and pasted as is

cp /etc/strongswan/ipsec.conf{,.original}
cat > /etc/strongswan/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=ServerCert.der
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.0.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightauthby2=pubkey
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
EOF
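The ike= and esp= lists above are deliberately broad so that a wide range of Windows clients can connect, which means they also permit SHA-1 and 1024/1536-bit MODP groups. The following is an added example, not part of the original handbook or of strongSwan: a small Python audit that parses proposal strings in the ipsec.conf syntax (algorithms joined by "-", proposals by ",", trailing "!" for strict mode), reports the proposals that rely on primitives below an assumed local policy, and emits the trimmed list you would paste back into the conn. The SAMPLE_CONF text and the weak-primitive sets are constructed for the example.

```python
"""Audit strongSwan ike=/esp= proposal strings for weak primitives.

Added example, not part of the original page or of strongSwan.
"""
import re

# Assumed policy for this example: primitives a 2023-era VPN should not
# negotiate. Adjust to local requirements.
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}
WEAK_HASHES = {"md5", "sha1"}


def parse_proposals(value):
    """Split 'a-b-c,d-e!' into ([['a','b','c'], ['d','e']], strict_flag)."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = []
    for prop in value.split(","):
        prop = prop.strip()
        if prop:
            proposals.append(prop.split("-"))
    return proposals, strict


def weak_components(proposal):
    """Return the weak algorithm names present in one proposal."""
    return [alg for alg in proposal if alg in WEAK_DH_GROUPS or alg in WEAK_HASHES]


def audit(value):
    """Return (weak_proposals, hardened_value) for one ike=/esp= value.

    weak_proposals lists the proposal strings that contain weak primitives;
    hardened_value is the same list with those entries dropped, keeping the
    original order and the strict '!' marker.
    """
    proposals, strict = parse_proposals(value)
    weak, kept = [], []
    for prop in proposals:
        (weak if weak_components(prop) else kept).append("-".join(prop))
    return weak, ",".join(kept) + ("!" if strict else "")


def audit_conf(text):
    """Scan ipsec.conf text and audit every ike=/esp= line.

    Returns a dict keyed by '<conn name>.<ike|esp>' with the audit() result.
    """
    results = {}
    conn = "%default"
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"conn\s+(\S+)", stripped)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"(ike|esp)\s*=\s*(.+)", stripped)
        if m:
            results[f"{conn}.{m.group(1)}"] = audit(m.group(2))
    return results


# Constructed sample in the style of the page's config, shortened for clarity.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes128-sha1-modp2048,aes256-sha256-modp1024!
    esp=aes128gcm16-ecp256,aes256-sha1,aes128-sha256!
"""

if __name__ == "__main__":
    for key, (weak, hardened) in audit_conf(SAMPLE_CONF).items():
        print(f"{key}: weak proposals = {weak}")
        print(f"{key}: hardened value = {hardened}")
```

Run it against the real /etc/strongswan/ipsec.conf by reading the file into audit_conf(); a proposal dropped from the list is one a client could previously have negotiated, so check which clients still connect after trimming.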

Configure VPN accounts and passwords

# VPN user accounts and secrets
cat > /etc/strongswan/ipsec.secrets <<EOF
: RSA ServerKey.der
neo : EAP "hWAS5IJWD8NxlQvVFaUVAKid6IFJ6uNO"
jam : EAP "1cNEwkfsaN6GzcmWYLedUvJXSpb16UPH"
EOF
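The EAP-MSCHAPv2 passwords in ipsec.secrets are the only thing protecting an EAP account, so they should come from a CSPRNG and the file should be checked before it is deployed. The following is an added example, not part of the original handbook or of strongSwan: a Python helper that renders the same layout the page uses (a ": RSA <keyfile>" line for the server key followed by '<user> : EAP "<secret>"' lines) with secrets from the secrets module, parses such a file back, and flags entries below an assumed minimum length. The 32-character length and the allowed user-name characters are assumptions for this example.

```python
"""Generate and validate strongSwan ipsec.secrets EAP entries.

Added example, not part of the original page or of strongSwan.
"""
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # same character set as the page's samples
MIN_SECRET_LEN = 32                              # assumed local policy for this example


def new_secret(length=MIN_SECRET_LEN):
    """Return a random alphanumeric secret drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_secrets(server_key, users):
    """Render ipsec.secrets text: one RSA line, then one EAP line per user."""
    lines = [f": RSA {server_key}"]
    for user, secret in users.items():
        if not re.fullmatch(r"[A-Za-z0-9._@-]+", user):
            raise ValueError(f"unsafe user name: {user!r}")
        if '"' in secret or "\n" in secret:
            raise ValueError("secret must not contain quotes or newlines")
        lines.append(f'{user} : EAP "{secret}"')
    return "\n".join(lines) + "\n"


RSA_LINE = re.compile(r'^\s*:\s*RSA\s+(?P<key>\S+)\s*$')
EAP_LINE = re.compile(r'^(?P<user>\S+)\s*:\s*EAP\s+"(?P<secret>[^"]*)"\s*$')


def parse_secrets(text):
    """Parse ipsec.secrets text into (server_key, {user: secret}).

    Blank lines and '#' comments are skipped; any other unrecognised line
    raises ValueError so a malformed file is caught before strongswan loads it.
    """
    server_key, users = None, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RSA_LINE.match(line)
        if m:
            server_key = m.group("key")
            continue
        m = EAP_LINE.match(line)
        if m:
            users[m.group("user")] = m.group("secret")
            continue
        raise ValueError(f"line {lineno}: unrecognised entry")
    return server_key, users


def weak_entries(users, min_len=MIN_SECRET_LEN):
    """Return user names whose secret is shorter than min_len or equals the user name."""
    return [u for u, s in users.items() if len(s) < min_len or s == u]


if __name__ == "__main__":
    accounts = {name: new_secret() for name in ("neo", "jam")}
    text = render_secrets("ServerKey.der", accounts)
    print(text, end="")
    print("weak entries:", weak_entries(parse_secrets(text)[1]))
```

Write the rendered text to /etc/strongswan/ipsec.secrets with mode 0600, then reload with "strongswan rereadsecrets" (or restart the service as the page does) so the new accounts take effect.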

Start strongswan

systemctl enable strongswan
systemctl start strongswan


42.4.4. Windows 10 VPN client configuration

Import the client p12 certificate: just double-click the Client.p12 file

Select "Local Machine"

Next

Enter the certificate password, then Next

Next

Click the "Finish" button

The certificate has been imported

Next, configure the Windows 10 VPN connection

In the system tray at the far right of the taskbar, click the network icon, then click "Network settings"

Click "VPN", then click "Add a VPN connection"

Fill in the details and save

Click "Change adapter options"

Find the VPN network adapter, right-click it and choose "Properties"

Switch to the "Networking" tab, select "IPv4" and click the "Properties" button

Click the "Advanced" button

Tick "Use default gateway on remote network", then click the "OK" button

Return to the network settings screen, click the VPN icon, then click Connect

Now check your IP address; if everything is correct, you are reaching the Internet through the VPN server.

42.4.5. FAQ

42.4.5.1. Viewing certificate information

strongswan pki --print --in ipsec.d/cacerts/CARootCert.der
strongswan pki --print --in ipsec.d/certs/ServerCert.der

Or inspect it with openssl

openssl x509 -inform DER -in ipsec.d/certs/ServerCert.der -noout -text


Source: http://www.netkiller.cn/linux/network/vpn/strongswan.html
