strongswan Ubuntu 服务端修改 IKEv2 协议握手端口号
下载 strongswan 源码
Ubuntu 22.04 下执行:
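# Build dependencies for the configure flags used later on this page
# (libpam0g-dev for --enable-xauth-pam, libssl-dev for --enable-openssl).
sudo apt-get -y update
sudo apt-get -y install libpam0g-dev libssl-dev make gcc curl
# Fetch the source over verified HTTPS. The original passed
# --no-check-certificate, which disables TLS certificate validation and lets
# anyone on the network path substitute the tarball that is compiled and
# installed as root below.
wget https://download.strongswan.org/strongswan-5.9.14.tar.gz
# Before unpacking, verify the release against the detached signature the
# project publishes next to the tarball (<tarball>.sig) using the strongSwan
# release key -- TODO confirm the exact URL and key fingerprint on the
# project site; they are not given on this page.
tar xzf strongswan-5.9.14.tar.gz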
若无法下载https://download.strongswan.org/strongswan-5.9.14.tar.gz
文件,则可能是这个版本变成老版本,被移动至https://download.strongswan.org/old/5.x/strongswan-5.9.14.tar.gz
路径,可以修改下载路径:
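# Same download from the "old releases" tree, again with TLS verification left
# on (the original's --no-check-certificate removed: it allows a tampered
# tarball to be served without any error).
wget https://download.strongswan.org/old/5.x/strongswan-5.9.14.tar.gz
# Verify the detached release signature (<tarball>.sig) against the strongSwan
# release key before unpacking -- TODO confirm URL/fingerprint on the project site.
tar xzf strongswan-5.9.14.tar.gz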
执行完上述命令,你将得到一个名为strongswan-5.9.14
的目录。
配置 strongswan
将 IKEv2 协议的 NAT-T(NAT 穿越)握手端口 4500 修改为 4496,其中 IKE 主端口 500 没必要修改(若有需求可自行修改):
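# Configure strongSwan with the original option set, minus the duplicated
# --enable-openssl, and only run ./configure if the cd succeeded.
#  - EAP methods: the active ikev2-vpn conn uses eap-mschapv2; eap-md5 is
#    also compiled in although no conn on this page uses it (EAP-MD5 is
#    generally considered weak -- drop the flag if it is not needed).
#  - OpenSSL is the crypto backend (gmp disabled); swanctl is built as well.
#  - --with-charon-udp-port keeps IKE on the standard UDP 500;
#    --with-charon-natt-port moves NAT-T (UDP-encapsulated IKE/ESP) from the
#    default 4500 to 4496. Clients and the firewall rules below must use the
#    same port. This is not a security control -- it authenticates nobody --
#    it only keeps the listener off the well-known port.
cd strongswan-5.9.14 && ./configure \
  --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
  --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
  --enable-eap-dynamic --enable-eap-radius \
  --enable-xauth-eap --enable-xauth-pam \
  --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp \
  --with-charon-udp-port=500 --with-charon-natt-port=4496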
编译和安装 strongswan
执行以下命令:
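# Build, then install to /usr/local only if the build succeeded (the original
# ran `sudo make install` unconditionally, so a failed build still went on to
# the install step as root). -j uses all cores; drop it if memory is tight.
make -j"$(nproc)" && sudo make install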
上述命令会编译 strongswan 并将 strongswan 安装到 /usr/local
目录下,其中,ipsec
程序安装在 /usr/local/sbin/ipsec
,配置文件放置在 /usr/local/etc/
目录下。
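# Build and install again (this repeats the step above; re-running it after a
# successful build is harmless). Install only runs if the build succeeds.
make -j"$(nproc)" && sudo make install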
配置防火墙
执行以下命令设置开放的端口:
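# Enable IPv4 forwarding so the server can route VPN client traffic.
# Quoted delimiter: nothing in the body is meant to be expanded.
cat > 10-ipsec.conf <<-'EOF'
net.ipv4.ip_forward=1
EOF
sudo cp 10-ipsec.conf /etc/sysctl.d/10-ipsec.conf
sudo sysctl --system

# NOTE(review): eth0 is assumed throughout; Ubuntu 22.04 commonly uses
# predictable names (ens3, enp0s3, ...). Confirm with `ip link` before applying.
#
# Forward traffic from the VPN client pools. Only 10.31.2.0/24 is handed out
# by the ipsec.conf on this page (rightsourceip); the other two pools are kept
# from the original and can be removed if no conn uses them.
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT

# Accept only what this IKEv2 setup listens on: ESP, IKE on UDP 500 and the
# NAT-T port chosen at configure time (UDP 4496). The original also opened
# TCP 500, UDP 1701 (L2TP) and TCP 1723 (PPTP); nothing configured on this
# page listens there, so those rules are left out.
# These ACCEPT rules only restrict anything if the INPUT chain's policy (or a
# later rule) drops other traffic -- this page does not set such a policy.
sudo iptables -A INPUT -i eth0 -p esp -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 4496 -j ACCEPT

# NAT client traffic leaving via the uplink.
sudo iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE

# Persist the rules. The redirections below are performed by the calling
# shell, so the files are written to the current directory as the invoking
# user (the original's `sudo cat > iptables` gained nothing from sudo) and
# then copied into place as root.
sudo iptables-save > iptables.rules
sudo cp iptables.rules /etc/iptables.rules
cat > iptables <<-'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
# NOTE(review): /etc/network/if-up.d hooks are run by ifupdown; on an Ubuntu
# 22.04 host managed by netplan/systemd-networkd this hook may never fire --
# verify after a reboot that the rules are restored.
sudo cp iptables /etc/network/if-up.d/iptables
sudo chmod +x /etc/network/if-up.d/iptables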
设置 strongswan 的配置文件
ipsec.conf
文件和strongswan.conf
文件是 strongswan 的配置,ipsec.secrets
文件是 IKEv2 登录时的用户名和密码的存储文件,其中,myUserName
是用户名,myUserPass
是对应的密码,可复制多行,设置不同的用户名和密码。
vps_ip
为必填项,需填写服务器的外网 IP 地址或者域名:
vps_ip=x.x.x.x # your server's public IP address or domain name
# ipsec.conf for the legacy starter/stroke interface. One active conn
# (ikev2-vpn): IKEv2, server authenticated with server.cert.pem, clients with
# username/password (rightauth=eap-mschapv2), client pool 10.31.2.0/24.
# The here-doc delimiter is deliberately unquoted so ${vps_ip} is expanded.
# Review notes:
#  - uniqueids=never presumably allows the same EAP identity to hold several
#    IKE_SAs at once, so one leaked password can be used from many devices
#    concurrently -- confirm this is intended.
#  - strictcrlpolicy=yes presumably requires a CRL for certificate-based peer
#    authentication; the self-signed CA generated later on this page publishes
#    none. The active conn does not authenticate clients by certificate, but
#    confirm before enabling the commented iOS_cert conn.
#  - swanctl is enabled at configure time; ipsec.conf/stroke is the older
#    configuration path (TODO confirm deprecation status for 5.9.14).
cat > ipsec.conf<<-EOF
config setup
strictcrlpolicy=yes
uniqueids=never
conn ikev2-vpn
keyexchange=ikev2
ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
esp=aes256gcm16-sha256,aes256gcm16-ecp384!
rekey=no
left=%defaultroute
leftid=${vps_ip}
leftsendcert=always
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%identity
dpdaction=clear
fragmentation=yes
auto=add
compress=no
type=tunnel
forceencaps=yes
dpddelay=180s
rightid=%any
rightdns=8.8.8.8,8.8.4.4
#conn iOS_cert
# keyexchange=ikev1
# fragmentation=yes
# left=%defaultroute
# leftauth=pubkey
# leftsubnet=0.0.0.0/0
# leftcert=server.cert.pem
# right=%any
# rightauth=pubkey
# rightauth2=xauth
# rightsourceip=10.31.2.0/24
# rightcert=client.cert.pem
# auto=add
#conn ios_ikev2
# keyexchange=ikev2
# ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
# esp=aes256-sha256,3des-sha1,aes256-sha1!
# rekey=no
# left=%defaultroute
# leftid=${vps_ip}
# leftsendcert=always
# leftsubnet=0.0.0.0/0
# leftcert=server.cert.pem
# right=%any
# rightauth=eap-mschapv2
# rightsourceip=10.31.2.0/24
# rightsendcert=never
# eap_identity=%any
# dpdaction=clear
# fragmentation=yes
# auto=add
EOF
# Installed under /usr/local/etc, where this build reads its configuration.
sudo cp ipsec.conf /usr/local/etc/ipsec.conf
# strongswan.conf for the charon daemon. load_modular plus the plugins include
# pull per-plugin settings from strongswan.d/charon/*.conf. dns1/dns2 and
# nbns1/nbns2 are presumably the DNS/WINS servers pushed to clients (the
# ipsec.conf on this page also sets rightdns to the same addresses -- confirm
# which one takes effect). The meaning of `compress` and `duplicheck.enable`
# at this level is not shown here -- TODO confirm against the 5.9.14 docs.
cat > strongswan.conf<<-EOF
charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
sudo cp strongswan.conf /usr/local/etc/strongswan.conf
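# ipsec.secrets: the server's private key and the EAP accounts for the
# ikev2-vpn conn -- one `user %any : EAP "password"` line per account.
# The original also shipped fixed placeholder secrets `: PSK "myPSKkey"` and
# `: XAUTH "myXAUTHPass"`. No conn on this page authenticates with a PSK, and
# XAUTH is only referenced by the commented-out iOS_cert conn, so a server
# built from this page would carry two default shared secrets it never needs.
# They are left out here; if such a conn is enabled later, add the entry back
# with a strong generated value, never a fixed default.
# The delimiter is quoted so a password containing `$` or backticks is written
# literally instead of being expanded by the shell.
cat > ipsec.secrets <<-'EOF'
: RSA server.pem
myUserName %any : EAP "myUserPass"
EOF
# This file holds plaintext passwords. `cp` would keep the 0644 mode the
# redirection above typically creates, leaving it world-readable; install it
# owner-only instead.
sudo install -m 600 ipsec.secrets /usr/local/etc/ipsec.secrets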
生成密钥
可按需修改 my_cert_c
、my_cert_o
和my_cert_cn
的赋值,vps_ip
为必填项,需填写服务器的外网 IP 地址或者域名:
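# Subject fields for the CA and the issued certificates; adjust as needed.
my_cert_c="com"
my_cert_o="myvpn"
my_cert_cn="VPN CA"
vps_ip=x.x.x.x # your server's public IP address or domain name; must match the value used in ipsec.conf
# CA key pair. ca.pem is the CA private key: it is only needed to issue
# certificates and is deliberately not copied into /usr/local/etc/ipsec.d.
# Keep it offline (or delete it) once issuing is finished.
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem > ca.cert.pem
# Server key and certificate. The SAN must match what clients connect to and
# what leftid is set to in ipsec.conf; serverAuth/ikeIntermediate are the EKU
# flags the original requested.
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
  --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
  --san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
  --outform pem > server.cert.pem
# Client key and certificate (only used by the commented-out certificate
# conns in ipsec.conf; the active conn uses EAP username/password).
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
  --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem
echo "请输入 pkcs12 证书的密码(可以为空):"
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}" -out client.cert.p12
# The redirections above typically create 0644 files, so every private key
# (and the PKCS#12 bundle, which contains the client key) is world-readable in
# the working directory until fixed here.
chmod 600 ca.pem server.pem client.pem client.cert.p12
# Install with explicit modes instead of `cp -f`, which would carry the
# source file's mode over: public certificates readable, private keys
# owner-only.
sudo install -m 644 ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
sudo install -m 644 server.cert.pem /usr/local/etc/ipsec.d/certs/
sudo install -m 600 server.pem /usr/local/etc/ipsec.d/private/
sudo install -m 644 client.cert.pem /usr/local/etc/ipsec.d/certs/
sudo install -m 600 client.pem /usr/local/etc/ipsec.d/private/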
启动 ipsec 服务
# systemd unit for the /usr/local build: starter forks and launches charon
# (Type=forking). No User= is given, so the service runs as root, and no
# sandboxing directives are set -- NOTE(review): charon needs network/xfrm
# privileges, so confirm which systemd hardening options (if any) it tolerates
# before adding them.
cat > ipsec.service<<-EOF
# /etc/systemd/system/ipsec.service
[Unit]
Description=IPSec Service
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/libexec/ipsec/starter --daemon charon
[Install]
WantedBy=multi-user.target
EOF
sudo cp ipsec.service /etc/systemd/system/ipsec.service
# Reload units, then enable at boot and start now.
sudo systemctl daemon-reload
sudo systemctl enable ipsec
sudo systemctl start ipsec
完整 bash 脚本
其他配置可阅读以下完整 bash 脚本:
#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
# System Required: CentOS6.x/7 (32bit/64bit) or Ubuntu
# Description: Install IKEV2 VPN for CentOS and Ubuntu
# Author: quericy
# Intro: https://quericy.me/blog/699
#===============================================================================================
clear
VER=1.2.0
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x/7 (3