Building an IPsec ××× with StrongSwan that supports iOS 6.0 & 6.0+
1. Background: the reason for looking into building an IPsec ××× with StrongSwan this time is that after the iPhone was upgraded to version 10.0, the PPTP ××× the company had set up was no longer supported, so another ××× access method had to be adopted immediately. I read about StrongSwan online and started deploying and using it.

2. Installing StrongSwan

My base system is CentOS 6.6. There are two ways to install: yum, or building from the source package; some documentation can be downloaded from the web.

wget
tar xzf strongswan.tar.gz
cd strongswan-*
./configure --enable-eap-identity --enable-eap-md5 \
  --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
  --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec

./configure --enable-eap-identity --enable-eap-md5 \
  --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
  --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp

make; make install
3. Generating certificates and keys
yum install openssl
strongswan pki --gen --outform pem > ca.pem
strongswan pki --self --in ca.pem --dn "C=com, O=IPSec×××, CN=×××CA" --ca --outform pem > ca.cert.pem
strongswan pki --gen --outform pem > server.pem
strongswan pki --pub --in server.pem | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com,O=IPSec×××,CN=123.58.230.60" --san="123.58.230.60" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
strongswan pki --gen --outform pem > client.pem
strongswan pki --pub --in client.pem | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com,O=IPSec×××,CN=××× Client" --outform pem > client.cert.pem
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client " -certfile ca.cert.pem -caname "×××CA" -out client.cert.p12
mv -f ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
mv -f server.cert.pem /etc/strongswan/ipsec.d/certs/
mv -f server.pem /etc/strongswan/ipsec.d/private/

4. Configuring /etc/strongswan/ipsec.conf

conn iOS_cert
    keyexchange=ikev2
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=10.130.0.0/16
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.4.2.2/16
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk    # the conn name (shown in red in the original) can be anything, but it must be unique
    keyexchange=ikev1    # the ipsec *** currently uses IKEv1
    left=%any    # left is relative to right: left is the server side, right is the client side; %any means the server address can be anything
    #type = tunnel    # tunnel mode; transport is the other option
    leftauth=psk    # authenticate with a pre-shared key
    leftsubnet=0.0.0.0/0    # client should be told to route through the tunnel
    right=%any    # client IP is unknown
    rightauth=psk
    rightauth2=xauth
    rightsourceip=172.28.0.66/16    # client vip to access leftsubnet
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=10.130.0.0/16
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.4.2.2/16
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=10.130.0.0/16
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.4.250.160/27
    rightsendcert=never
    eap_identity=%any
    auto=add
# the green part is the configuration I am currently using

5. Configuring the strongswan.conf file

cat /etc/strongswan/strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
}
include strongswan.d/*.conf
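The conn blocks in section 4 carry one proposal, ike=aes256-sha1-modp1024! in the windows7 conn, that pairs a strong cipher with SHA-1 and a 1024-bit DH group, which is too short by today's standards. As an added example that is not part of the original post, the Python linter below parses conn blocks in this ipsec.conf layout and flags weak proposal tokens and IKEv1 conns; the sample text and the conn names in it are constructed to mirror this page, not copied from the author's file.

```python
import re

# Constructed sample in the ipsec.conf layout used on this page (not the author's file).
SAMPLE_IPSEC_CONF = """\
conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
conn iOS_cert
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
conn android_xauth_psk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
"""

# Algorithm tokens that should no longer appear in an IKE or ESP proposal.
WEAK_TOKENS = {"md5", "sha1", "des", "3des", "modp768", "modp1024", "modp1536", "null"}

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns

def weak_settings(conns):
    """Return sorted (conn, finding) pairs for weak proposals or legacy key exchange."""
    findings = []
    for name, opts in conns.items():
        for key in ("ike", "esp"):
            # A proposal is comma-separated suites of dash-separated algorithms; "!" = strict.
            suites = opts.get(key, "").rstrip("!").split(",")
            hits = sorted({t for s in suites for t in s.split("-")} & WEAK_TOKENS)
            if hits:
                findings.append((name, f"{key}= uses weak algorithm(s): {', '.join(hits)}"))
        if opts.get("keyexchange") == "ikev1":
            findings.append((name, "keyexchange=ikev1: legacy; prefer ikev2 where clients allow it"))
    return sorted(findings)
```

Run it against your own /etc/strongswan/ipsec.conf to see which conns still carry SHA-1 or modp1024 before rolling the server out.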
6. Configuring /etc/strongswan/ipsec.secrets

: RSA server.pem
: PSK "xxxxx"
: XAUTH "xxxxx"
zhanglong : EAP "xxxx2"

7. Connecting from an iPhone
雪飘人间 takes you into StrongSwan. Reprinted from: https://blog.51cto.com/2825930/2286864