Configuring an IPsec VPN (strongSwan)

Generating certificates

Generate the CA key and certificate:
strongswan pki --gen --outform pem > caKey.pem
strongswan pki --self --outform pem --in caKey.pem --dn "C=CN, O=TZ, CN=TZ CA" --ca > caCert.pem
Generate the server key and certificate:
strongswan pki --gen --outform pem > serverKey.pem
strongswan pki --pub --outform pem --in serverKey.pem > serverPub.pem
strongswan pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem \
--in serverPub.pem --dn "C=CN, O=TZ, CN=TZ Server" --san="52.34.162.76" \
--flag serverAuth --flag ikeIntermediate  > serverCert.pem
Note: the SAN (SubjectAltName) is the server's address or domain name; whether the client can connect depends directly on it, so it must match the address the client dials (here 52.34.162.76).
Generate the client key and certificate:
strongswan pki --gen --outform pem > clientKey.pem
strongswan pki --pub --outform pem --in clientKey.pem > clientPub.pem
strongswan pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem \
--in clientPub.pem --dn "C=CN, O=TZ, CN=TZ Client" > clientCert.pem
Copy and install the certificates:
cp caCert.pem /etc/strongswan/ipsec.d/cacerts/
cp serverCert.pem /etc/strongswan/ipsec.d/certs/
cp serverKey.pem /etc/strongswan/ipsec.d/private/
cp clientCert.pem /etc/strongswan/ipsec.d/certs/
cp clientKey.pem /etc/strongswan/ipsec.d/private/

Note: by default `pki` writes DER, which cannot be imported directly into a phone, so PEM output is used here.
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

Modifying the configuration

strongswan.conf:

# strongswan.conf - strongSwan configuration file
# Refer to the strongswan.conf(5) manpage for details
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
    plugins {
        include strongswan.d/charon/*.conf
    }

    # The following enables verbose file logging; disable it in production.
    filelog {
        /etc/strongswan/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 1
            # flush each line to disk
            flush_line = yes
        }
    }
}

include strongswan.d/*.conf

ipsec.conf:

config setup
    uniqueids=never	# allow multiple clients to use the same certificate (identity)

conn IKEv2-EAP
    keyexchange=ikev2		# key exchange protocol
    left=%any		# server-side address, %any means any local address
    leftid=52.34.162.76		# server identity, must match the SAN in serverCert.pem
    leftsubnet=0.0.0.0/0		# subnet behind the server, 0.0.0.0/0 tunnels all client traffic
    leftcert=serverCert.pem		# server certificate
    leftauth=pubkey		# server authenticates with its certificate
    right=%any		# client address, %any means any
    rightsourceip=192.168.0.0/24	# virtual IP pool assigned to clients
    rightauth=eap-mschapv2	# client authentication method: IKEv2 EAP (username/password); eap-md5 is an alternative
    #rightauth=rsa		# client authentication with a certificate (IKEv2 Certificate)
    #rightcert=clientCert.pem		# client certificate (IKEv2 Certificate)
    #eap_identity=%any		# look up the client's credentials by its EAP identity instead of its IKE identity
    auto=add

ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA serverKey.pem
: PSK "12345678"
test : EAP "pass"
e : EAP "e"
d : EAP "d"
a : EAP "a"

After changing the configuration, restart with: sudo strongswan restart
Then check the status with: sudo strongswan statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 4.1.17-22.30.amzn1.x86_64, x86_64):
  uptime: 3 seconds, since Mar 08 08:49:19 2016
  malloc: sbrk 1351680, mmap 0, used 446256, free 905424
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Virtual IP pools (size/online/offline):
  192.168.0.0/24: 254/0/0
Listening IP addresses:
  10.0.192.215
Connections:
   IKEv2-EAP:  %any...%any  IKEv2
   IKEv2-EAP:   local:  [52.34.162.76] uses public key authentication
   IKEv2-EAP:    cert:  "C=CN, O=TZ, CN=TZ Server"
   IKEv2-EAP:   remote: uses EAP_MSCHAPV2 authentication
   IKEv2-EAP:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

Logs

The phone's log is at /data/data/pkg.name/files/charon.log; it can be viewed on the device or sent to yourself.

03-08 16:56:55.032: I/CharonVpnService(6657): static, Build.VERSION.SDK_INT:19
03-08 16:56:55.072: I/CharonVpnService(6657): onCreate()
03-08 16:56:55.082: I/CharonVpnService(6657): onStartCommand()
03-08 16:56:55.082: I/CharonVpnService(6657): setNextProfile() profile:52.34.162.76
03-08 16:56:55.087: I/CharonVpnService(6657): onServiceConnected() name:ComponentInfo{org.strongswan.android/org.strongswan.android.logic.VpnStateService}
03-08 16:56:55.087: I/CharonVpnService(6657): run()
03-08 16:56:55.087: I/CharonVpnService(6657): stopCurrentConnection()
03-08 16:56:55.087: I/CharonVpnService(6657): startConnection() profile:52.34.162.76
03-08 16:56:55.087: I/CharonVpnService(6657): BuilderAdapter() splitTunneling:null
03-08 16:56:55.087: I/CharonVpnService(6657): createBuilder() name:52.34.162.76
03-08 16:56:55.102: I/CharonVpnService(6657): BuilderCache() splitTunneling:null
03-08 16:56:55.157: I/charon(6657): 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
03-08 16:56:55.157: I/charon(6657): 00[JOB] spawning 16 worker threads
03-08 16:56:55.157: I/CharonVpnService(6657): charon started
03-08 16:56:55.167: I/charon(6657): 07[IKE] initiating IKE_SA android[1] to 52.34.162.76
03-08 16:56:55.262: I/charon(6657): 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
03-08 16:56:55.262: I/charon(6657): 07[NET] sending packet: from 10.88.0.254[35952] to 52.34.162.76[500] (1012 bytes)
03-08 16:56:55.487: I/charon(6657): 09[NET] received packet: from 52.34.162.76[500] to 10.88.0.254[35952] (501 bytes)
03-08 16:56:55.487: I/charon(6657): 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
03-08 16:56:55.607: I/charon(6657): 09[IKE] local host is behind NAT, sending keep alives
03-08 16:56:55.607: I/charon(6657): 09[IKE] remote host is behind NAT
03-08 16:56:55.607: I/CharonVpnService(6657): getTrustedCertificates()
03-08 16:56:55.607: I/charon(6657): 09[IKE] received cert request for "C=CN, O=TZ, CN=TZ CA"
03-08 16:56:55.607: I/charon(6657): 09[IKE] received 1 cert requests for an unknown ca
03-08 16:56:55.607: I/charon(6657): 09[IKE] sending cert request for "C=CN, O=TZ, CN=TZ CA"
03-08 16:56:55.607: I/charon(6657): 09[IKE] establishing CHILD_SA android
03-08 16:56:55.607: I/charon(6657): 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
03-08 16:56:55.612: I/charon(6657): 09[NET] sending packet: from 10.88.0.254[58268] to 52.34.162.76[4500] (524 bytes)
03-08 16:56:55.902: I/charon(6657): 10[NET] received packet: from 52.34.162.76[4500] to 10.88.0.254[58268] (1228 bytes)
03-08 16:56:55.907: I/charon(6657): 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
03-08 16:56:55.917: I/charon(6657): 10[IKE] received end entity cert "C=CN, O=TZ, CN=TZ Server"
03-08 16:56:55.917: I/charon(6657): 10[CFG]   using certificate "C=CN, O=TZ, CN=TZ Server"
03-08 16:56:55.927: I/charon(6657): 10[CFG]   using trusted ca certificate "C=CN, O=TZ, CN=TZ CA"
03-08 16:56:55.927: I/charon(6657): 10[CFG]   reached self-signed root ca with a path length of 0
03-08 16:56:55.932: I/charon(6657): 10[IKE] authentication of '52.34.162.76' with RSA_EMSA_PKCS1_SHA256 successful
03-08 16:56:55.932: I/charon(6657): 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0xAF)
03-08 16:56:55.932: I/charon(6657): 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
03-08 16:56:55.937: I/charon(6657): 10[NET] sending packet: from 10.88.0.254[58268] to 52.34.162.76[4500] (140 bytes)
03-08 16:56:56.172: I/charon(6657): 11[NET] received packet: from 52.34.162.76[4500] to 10.88.0.254[58268] (140 bytes)
03-08 16:56:56.177: I/charon(6657): 11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
03-08 16:56:56.177: I/charon(6657): 11[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
03-08 16:56:56.177: I/charon(6657): 11[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
03-08 16:56:56.177: I/charon(6657): 11[NET] sending packet: from 10.88.0.254[58268] to 52.34.162.76[4500] (76 bytes)
03-08 16:56:56.377: I/charon(6657): 12[NET] received packet: from 52.34.162.76[4500] to 10.88.0.254[58268] (76 bytes)
03-08 16:56:56.377: I/charon(6657): 12[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
03-08 16:56:56.377: I/charon(6657): 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
03-08 16:56:56.382: I/charon(6657): 12[IKE] authentication of 'test' (myself) with EAP
03-08 16:56:56.382: I/charon(6657): 12[ENC] generating IKE_AUTH request 4 [ AUTH ]
03-08 16:56:56.382: I/charon(6657): 12[NET] sending packet: from 10.88.0.254[58268] to 52.34.162.76[4500] (92 bytes)
03-08 16:56:56.587: I/charon(6657): 13[NET] received packet: from 52.34.162.76[4500] to 10.88.0.254[58268] (268 bytes)
03-08 16:56:56.587: I/charon(6657): 13[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS NBNS DNS NBNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
03-08 16:56:56.592: I/charon(6657): 13[IKE] authentication of '52.34.162.76' with EAP successful
03-08 16:56:56.592: I/charon(6657): 13[IKE] IKE_SA android[1] established between 10.88.0.254[test]...52.34.162.76[52.34.162.76]
03-08 16:56:56.592: I/charon(6657): 13[IKE] scheduling rekeying in 35714s
03-08 16:56:56.592: I/charon(6657): 13[IKE] maximum IKE_SA lifetime 36314s
03-08 16:56:56.592: I/CharonVpnService(6657): addDnsServer() address:8.8.8.8
03-08 16:56:56.597: I/charon(6657): 13[CFG] handling INTERNAL_IP4_NBNS attribute failed
03-08 16:56:56.597: I/CharonVpnService(6657): addDnsServer() address:8.8.4.4
03-08 16:56:56.597: I/charon(6657): 13[CFG] handling INTERNAL_IP4_NBNS attribute failed
03-08 16:56:56.602: I/charon(6657): 13[IKE] installing new virtual IP 192.168.0.1
03-08 16:56:56.602: I/charon(6657): 13[IKE] CHILD_SA android{1} established with SPIs 0b042337_i c3b0cfee_o and TS 192.168.0.1/32 === 0.0.0.0/0 
03-08 16:56:56.602: I/charon(6657): 13[DMN] setting up TUN device for CHILD_SA android{1}
03-08 16:56:56.607: I/CharonVpnService(6657): addAddress() address:192.168.0.1
03-08 16:56:56.607: I/CharonVpnService(6657): addRoute() address:0.0.0.0
03-08 16:56:56.612: I/CharonVpnService(6657): addRoute() address:128.0.0.0
03-08 16:56:56.612: I/CharonVpnService(6657): setMtu() mtu:1400
03-08 16:56:56.612: I/CharonVpnService(6657): establish()
03-08 16:56:56.822: I/CharonVpnService(6657): createBuilder() name:52.34.162.76
03-08 16:56:56.822: I/CharonVpnService(6657): BuilderCache() splitTunneling:null
03-08 16:56:56.822: I/charon(6657): 13[DMN] successfully created TUN device
03-08 16:56:56.822: I/CharonVpnService(6657): updateStatus() status:1
03-08 16:56:56.822: I/CharonVpnService(6657): setState() state:CONNECTED
03-08 16:56:56.827: I/charon(6657): 13[IKE] received AUTH_LIFETIME of 9802s, scheduling reauthentication in 9202s
03-08 16:56:56.827: I/charon(6657): 13[IKE] peer supports MOBIKE
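As an added example (not part of the original post or of strongSwan itself), a small Python script that reduces a charon.log like the one above to the handshake milestones worth confirming: that the server's certificate signature was verified against the expected leftid before the client answered the EAP challenge, which EAP method was negotiated, the virtual IP and CHILD_SA SPIs, and any CFG failures such as the INTERNAL_IP4_NBNS ones. The embedded log lines are a constructed subset of the log shown above, in the same format.

```python
import re

# Constructed sample: a subset of the Android charon.log lines shown above, same format.
SAMPLE_LOG = """\
03-08 16:56:55.167: I/charon(6657): 07[IKE] initiating IKE_SA android[1] to 52.34.162.76
03-08 16:56:55.932: I/charon(6657): 10[IKE] authentication of '52.34.162.76' with RSA_EMSA_PKCS1_SHA256 successful
03-08 16:56:55.932: I/charon(6657): 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0xAF)
03-08 16:56:56.377: I/charon(6657): 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
03-08 16:56:56.592: I/charon(6657): 13[IKE] IKE_SA android[1] established between 10.88.0.254[test]...52.34.162.76[52.34.162.76]
03-08 16:56:56.597: I/charon(6657): 13[CFG] handling INTERNAL_IP4_NBNS attribute failed
03-08 16:56:56.602: I/charon(6657): 13[IKE] installing new virtual IP 192.168.0.1
03-08 16:56:56.602: I/charon(6657): 13[IKE] CHILD_SA android{1} established with SPIs 0b042337_i c3b0cfee_o and TS 192.168.0.1/32 === 0.0.0.0/0
"""

# "MM-DD HH:MM:SS.mmm: I/charon(pid): NN[SUBSYS] message"; CharonVpnService lines do not match.
LINE_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+): I/charon\(\d+\): \d+\[(\w+)\] (.*)$")


def parse_charon(log):
    """Yield (timestamp, subsystem, message) for each charon daemon line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def summarize_handshake(log, expected_server_id):
    """Reduce a charon.log to the IKEv2 milestones worth confirming. The server's
    RSA authentication must precede the EAP challenge, otherwise the MSCHAPv2
    response went to an unauthenticated peer; that ordering is flagged separately."""
    s = {"server_auth_ok": False, "server_id_matches": False, "eap_method": None,
         "eap_ok": False, "eap_before_server_auth": False, "virtual_ip": None,
         "spi_in": None, "spi_out": None, "warnings": []}
    for _ts, sub, msg in parse_charon(log):
        if m := re.match(r"authentication of '([^']+)' with RSA_\w+ successful", msg):
            s["server_auth_ok"] = True
            s["server_id_matches"] = m.group(1) == expected_server_id
        elif m := re.match(r"server requested (\w+) authentication", msg):
            s["eap_method"] = m.group(1)
            s["eap_before_server_auth"] = not s["server_auth_ok"]
        elif msg.startswith("EAP method") and "succeeded" in msg:
            s["eap_ok"] = True
        elif m := re.match(r"installing new virtual IP (\S+)", msg):
            s["virtual_ip"] = m.group(1)
        elif m := re.search(r"SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o", msg):
            s["spi_in"], s["spi_out"] = m.group(1), m.group(2)
        elif sub == "CFG" and "failed" in msg:
            s["warnings"].append(msg)   # e.g. the INTERNAL_IP4_NBNS attribute the client rejects
    return s
```

Run it against the real file with `summarize_handshake(open("charon.log").read(), "52.34.162.76")`; a non-matching server identity or `eap_before_server_auth` being true means the client trusted the wrong peer.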