Results:

1) An iOS 7.1 device can dial an IPSec VPN into the StrongSwan machine - Connect to VPN

2) The browser on the iOS device can reach a server on the intranet behind the StrongSwan VPN - Connect to intranet behind VPN

=========================================================

Environment:

OpenSUSE 13.1 64-bit

iPad 2 with iOS 7.1

=========================================================

OpenSUSE preparation:

Download the OpenSUSE 13.1 64-bit DVD iso, install it in VMware Workstation 9, and choose manual installation.


Enable the sshd service on OpenSUSE:

systemctl enable sshd
service sshd start

Test: from a Windows PC, putty.exe can ssh into the OpenSUSE machine.


Install the locate/updatedb programs on OpenSUSE:

zypper in findutils-locate (if this is the first time zypper runs, it may take quite a while)
updatedb
locate


Disable the OpenSUSE firewall: search for "firewall" in the GUI and switch it off, or start yast from the command line for the text-mode menu and choose Security and Users -> Firewall.



Install the ftp service on OpenSUSE:

zypper in vsftpd
systemctl enable vsftpd.service
systemctl start vsftpd.service

Test: ftp to the machine and log in with a regular user account of the OpenSUSE system.


Install the apache web service on OpenSUSE:

zypper install apache2
systemctl enable apache2.service
systemctl start apache2.service

Test: open a browser on the iPad and visit http://<ip address>


=========================================================

Start installing StrongSwan

Install strongswan; the current latest version is 5.1.1.

zypper install openssl strongswan iputils
systemctl enable strongswan.service
ipsec restart



vi /etc/ssl/openssl.cnf

# add the following:
extendedKeyUsage = serverAuth
subjectAltName = DNS:swan.acmehq.springworks.info

# find [ CA_default ] and set:
dir = /etc/ipsec.d # Where everything is kept
certificate = $dir/cacerts/cacert.pem # The CA certificate
default_days = 3650 # This means the certificates will be valid 10 years. default 365 days
default_crl_days= 3000 # how long before next CRL, default 30 days
default_bits = 2048
countryName_default = CN
stateOrProvinceName_default = Shanghai
localityName_default = Shanghai
0.organizationName_default = ACMEHQ



cd /etc/ipsec.d/
touch index.txt
touch serial
echo 00 > serial

mkdir private
mkdir reqs
mkdir cacerts
mkdir certs
mkdir newcerts


openssl req -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacerts/cacert.pem -days 3655 (note: by default the CA certificate expires after 30 days, so the -days 3655 parameter must be added)
Common Name: strongswan CA

openssl req -newkey rsa:2048 -keyout private/maikaKey.pem -out reqs/maikaReq.pem (note: the expiry of certificates issued by the CA comes from default_days in /etc/ssl/openssl.cnf)
Common Name: swan.acmehq.springworks.info

mkdir newcerts (required by the default openssl.cnf configuration)

openssl ca -in reqs/maikaReq.pem -out certs/maikaCert.pem -notext



vi /etc/ipsec.secrets

: RSA maikaKey.pem "password"
test : XAUTH "password"

(The first line gives the passphrase of the gateway's private key; the second is the XAUTH user name and password the iPad logs in with.)



openssl req -newkey rsa:2048 -keyout private/clientKey.pem -out reqs/clientReq.pem
Common Name: client

openssl ca -in reqs/clientReq.pem -out certs/clientCert.pem -notext

openssl pkcs12 -export -inkey private/clientKey.pem -in certs/clientCert.pem -name "client" -certfile cacerts/cacert.pem -caname "strongswan CA" -out clientCert.p12
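A script that builds the same PKI layout as the steps above end to end, as an added example (not from the original post or from strongSwan): it differs from the post in signing with openssl x509 -req plus an extension file instead of the openssl ca database, and in generating keys without a passphrase (-nodes), so it runs non-interactively in a scratch directory. The scratch directory, the gateway FQDN and the PKCS#12 password passed in are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the post's PKI layout
# (cacerts/, certs/, private/, reqs/) with a throwaway CA, a gateway cert
# carrying the serverAuth EKU and DNS SAN strongSwan needs, a client cert and a
# PKCS#12 bundle. Every cert gets an explicit -days, so nothing silently falls
# back to openssl's 30-day default. Differences from the post: signs with
# "openssl x509 -req" plus an extension file (no openssl ca database, no edits
# to /etc/ssl/openssl.cnf) and generates keys with -nodes (no passphrase).
# Assumptions: $1 is a scratch directory, $2 a placeholder gateway FQDN.
set -eu

make_pki() {
    dir=$1; fqdn=$2; p12pass=$3
    mkdir -p "$dir/private" "$dir/cacerts" "$dir/certs" "$dir/reqs"
    subj="/C=CN/ST=Shanghai/L=Shanghai/O=ACMEHQ"
    # CA: self-signed, 10 years
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$subj/CN=strongswan CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacerts/cacert.pem" 2>/dev/null
    # Gateway cert: CN and SAN must equal the hostname the iOS client dials
    openssl req -newkey rsa:2048 -nodes -subj "$subj/CN=$fqdn" \
        -keyout "$dir/private/serverKey.pem" -out "$dir/reqs/serverReq.pem" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" >"$dir/server.ext"
    openssl x509 -req -days 3650 -in "$dir/reqs/serverReq.pem" \
        -CA "$dir/cacerts/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/certs/serverCert.pem" 2>/dev/null
    # Client cert, then the .p12 the iPad imports (key + cert + CA chain)
    openssl req -newkey rsa:2048 -nodes -subj "$subj/CN=client" \
        -keyout "$dir/private/clientKey.pem" -out "$dir/reqs/clientReq.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/reqs/clientReq.pem" \
        -CA "$dir/cacerts/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -out "$dir/certs/clientCert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/private/clientKey.pem" -in "$dir/certs/clientCert.pem" \
        -name client -certfile "$dir/cacerts/cacert.pem" -caname "strongswan CA" \
        -passout "pass:$p12pass" -out "$dir/clientCert.p12"
}

# Sanity check before copying anything to the iPad: both leaf certs must chain
# to the CA, and the gateway cert must really carry the DNS SAN. Prints the SAN.
check_pki() {
    dir=$1
    openssl verify -CAfile "$dir/cacerts/cacert.pem" \
        "$dir/certs/serverCert.pem" "$dir/certs/clientCert.pem" >/dev/null
    openssl x509 -noout -text -in "$dir/certs/serverCert.pem" | grep -o 'DNS:[^, ]*'
}
```

With OpenSSL 3.x, add -legacy to the pkcs12 command if the device refuses the bundle, since 3.x encrypts PKCS#12 files with algorithms older importers cannot read.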



Configure the iOS device: get the generated cacert.pem and clientCert.p12 onto the iOS device, by e-mail or by downloading them over the web, and install the certificates.

cd /etc/ipsec.d/
cp cacerts/cacert.pem /srv/www/htdocs
cp clientCert.p12 /srv/www/htdocs/

vi /srv/www/htdocs/index.html

<html>
<body>
Hello World
<br/>
<a href="cacert.pem">cacert.pem</a>
<br/>
<a href="clientCert.p12">clientCert.p12</a>
</body>
</html>

Open the browser on the iPad, visit the OpenSUSE IP address, and tap each of the two certificate links to download and install it.




vi /etc/ipsec.conf

config setup

conn iOS
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=maikaCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        fragmentation=yes
        auto=add

ipsec restart


=========================================================

Intranet test:

=========================================================

Troubleshooting:

See http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

ipsec stroke loglevel ike 2
tail -f /var/log/messages

=========================================================

External test:

Note: the firewall may need address mapping (port forwarding) for the two UDP ports 500 and 4500.



=========================================================

External access to the intranet test:

After the VPN is connected, the iPad can only reach the Apache on StrongSwan's own IP address.

Follow the "iptables forwarding" reference configuration. Note that on my SUSE the network interface is not eth0 but ens33. (Following the reference, I wrote the service script /etc/systemd/system/strongswan-iptables.service.)

sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens33 -j MASQUERADE
sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'   # the redirection itself must run as root, not only echo

Contents of /etc/systemd/system/strongswan-iptables.service:

# Author: Marguerite Su <i@marguerite.su>
# Use Case: You have a strongswan vpn. You don't want to input iptables commands
# everytime upon server restart.
[Unit]
Description=Scripts to setup iptables rules for strongswan
Wants=network-online.target
# has to start before strongswan, or it doesn't know the routes.
# so you can connect, but no traffic.
Before=strongswan.service
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT ; \
/usr/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT ; \
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens33 -j MASQUERADE ; \
/usr/sbin/iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT ; \
/bin/sh -c 'echo -n 1 > /proc/sys/net/ipv4/ip_forward'
ExecStop=/bin/sh -c 'echo -n 0 > /proc/sys/net/ipv4/ip_forward' ; \
/usr/sbin/iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT ; \
/usr/sbin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens33 -j MASQUERADE ; \
/usr/sbin/iptables -D INPUT -p udp --dport 4500 -j ACCEPT ; \
/usr/sbin/iptables -D INPUT -p udp --dport 500 -j ACCEPT

[Install]
WantedBy=multi-user.target



systemctl enable strongswan-iptables.service

systemctl start strongswan-iptables.service 

=========================================================

Check the SSL certificate expiry dates:

openssl x509 -text -in cacerts/cacert.pem

Validity
            Not Before: Aug  7 10:18:56 2014 GMT
            Not After : Sep  6 10:18:56 2014 GMT

(This output shows a validity of only 30 days, the default of openssl req -x509 when -days is omitted; see the -days 3655 note above.)
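An added example (not from the original post) that turns the validity check above into a script: it computes the days left from the date string openssl prints and flags every certificate under an ipsec.d-style tree that expires within a warning window, so a CA built without -days is caught before the iPad stops connecting. It assumes GNU date (-d), as on openSUSE.

```shell
#!/bin/sh
# Added example, not part of the original post. Given the "Not After" date that
# "openssl x509" prints (same format as the output above), computes the days
# left, and walks an ipsec.d-style tree (cacerts/, certs/) flagging every cert
# that expires within a warning window. Assumes GNU date (-d), as on openSUSE;
# /etc/ipsec.d below is the post's path, any directory can be passed.
set -eu

# Days from a reference epoch until an OpenSSL date such as "Sep  6 10:18:56 2014 GMT".
days_left() {                  # $1 = date string, $2 = reference epoch seconds
    end=$(date -u -d "$1" +%s)
    echo $(( (end - $2) / 86400 ))
}

# Same, read straight from a certificate file.
cert_days_left() {             # $1 = cert file, $2 = reference epoch seconds
    days_left "$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')" "$2"
}

# Report on every cert under $1; exit status 1 if any is inside the warning window.
# Example: check_dir /etc/ipsec.d 30 "$(date +%s)"
check_dir() {                  # $1 = ipsec.d dir, $2 = warn days, $3 = reference epoch
    rc=0
    for f in "$1"/cacerts/*.pem "$1"/certs/*.pem; do
        [ -f "$f" ] || continue           # unmatched glob, skip
        d=$(cert_days_left "$f" "$3")
        if [ "$d" -le "$2" ]; then
            echo "WARNING $f expires in $d days"
            rc=1
        else
            echo "ok      $f expires in $d days"
        fi
    done
    return $rc
}
```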

=========================================================

References:

Installation procedure, English: http://forums.opensuse.org/showthread.php/435097-Strongswan-on-openSuSe-11-2-quick-setup

Configuration files, Chinese: http://maclue.tumblr.com/post/11947923571/strongswan-ipsec-vpn-for-ios

iPhone VPN configuration: http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29

The default_crl_days= 300 setting in /etc/ssl/openssl.cnf: http://www.strongswan.org/docs/readme.htm

=========================================================