First, install strongSwan on Ubuntu.
sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 strongswan-plugin-xauth-generic
[info]If you want to compile from source, make sure your configure command includes these options:
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-eap-identity --enable-eap-peap --enable-openssl --enable-md4
https://lists.strongswan.org/pipermail/users/2012-November/003975.html
You can use these commands to install strongSwan from source (the first one installs the build dependencies):
apt-get install build-essential libssl-dev libgmp-dev
wget http://download.strongswan.org/strongswan-5.2.0.tar.bz2
tar xjvf strongswan-5.2.0.tar.bz2; cd strongswan-5.2.0
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-eap-identity --enable-eap-peap --enable-openssl --enable-md4
make && make install
The tarball is fetched over plain HTTP, so verify the release signature that strongSwan publishes next to it (the .sig file) before building. Note that it is make && make install (a single & would background make and start the install before the build has finished).
[/info]
apt-get also suggests some packages. Some of them are useful if you want to extend strongSwan, for example to connect it to a RADIUS server or to a MySQL/SQL backend:
Suggested packages:
strongswan-tnc-imcvs network-manager-strongswan strongswan-plugin-agent
strongswan-plugin-certexpire strongswan-plugin-coupling
strongswan-plugin-curl strongswan-plugin-dnscert strongswan-plugin-dnskey
strongswan-plugin-duplicheck strongswan-plugin-error-notify
strongswan-plugin-ipseckey strongswan-plugin-ldap strongswan-plugin-led
strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pkcs11
strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-soup
strongswan-plugin-unity strongswan-plugin-whitelist strongswan-tnc-client
strongswan-tnc-server
Now, run
ipsec version
to check that ipsec installed successfully.
Then open /etc/ipsec.secrets. If the file does not exist, create it.
sudo vim /etc/ipsec.secrets
Add the following:
: RSA vpnHostKey.pem
: PSK yourpskhere
user1 : EAP "topsecretpassword"
user1 : XAUTH "topsecretpassword"
user2 : XAUTH "evenmoretopsecretpassword"
For security reasons, change the passwords in the file; do not keep the ones I gave here. This file holds the PSK and every user's password in the clear, so keep it owned by root with mode 600 (readable by root only).
By the way, there is a command to reload this file without restarting IPsec:
sudo ipsec rereadsecrets
Use it to refresh the secrets after you modify the file.
Then modify the system configuration to enable IP forwarding:
sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
These take effect at the next reboot (or immediately if you run sudo sysctl -p).
Then set up iptables to enable forwarding. If you skip this step, your VPN clients will only be able to reach the server itself; if you make a mistake here, you may lose your SSH connection as soon as the rules are loaded and then be unable to reach the VPN either.
[info]If you have any questions, please contact me: wzxjohn#gmail[/info]
[info]If you use Debian, you don't need ufw; use iptables directly. DO NOT INSTALL ufw!
Just create iptables.up.rules and put "iptables-restore < /etc/iptables.up.rules" in /etc/rc.local.[/info]
sudo vim /etc/iptables.up.rules (if the file does not exist, create it). The rules I use are here:
https://gist.github.com/wzxjohn/3d1f275b1a36b39475d8
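Because the gist may not be reachable, here is an added example of a rules file for iptables-restore that I wrote for this step; it is not the author's gist. It assumes the public interface is eth0 and that the VPN client pool is 10.10.10.0/24 (the same network you give as rightsourceip in ipsec.conf); change both to match your server. The order of the rules is the point: SSH, IKE (UDP 500), NAT-T (UDP 4500) and ESP are accepted before the default DROP so you cannot lock yourself out, and forwarding and NAT are restricted with the policy match to packets that actually arrived through an IPsec SA, so nothing on the internet can use the server as a relay by sending plain packets with a 10.10.10.x source address.

```conf
# /etc/iptables.up.rules  (added example, not the author's file)
# Assumptions: public interface eth0, VPN client pool 10.10.10.0/24
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH first, so a mistake further down cannot cost you the session
-A INPUT -p tcp --dport 22 -j ACCEPT
# IKE, NAT-Traversal (UDP-encapsulated ESP) and plain ESP
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Forward only traffic that was decrypted from an IPsec SA (policy match),
# plus the replies to it
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -o eth0 -m policy --dir in --pol ipsec -j ACCEPT
# Avoid MTU black holes for TCP inside the tunnel
-A FORWARD -s 10.10.10.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Do not NAT packets that are still going to be encrypted into an IPsec SA
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
# Everything else from the client pool leaves with the server's public address
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
```

Load it with iptables-restore < /etc/iptables.up.rules from a session you can recover (a console, or while a second SSH session stays open) before you rely on /etc/rc.local to load it at boot. If you later allow clients to reach each other or a LAN, add the extra FORWARD rules next to the policy-match rule rather than loosening the default DROP.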
Then put
iptables-restore < /etc/iptables.up.rules
ufw reload
in /etc/rc.local.
Now it is best to reboot your VPS to check that everything loads correctly.
If you don't want to reboot, run
ufw enable
ufw reload
to make sure the iptables rules are in effect (make sure your rules allow SSH before you do this).
Now for the ipsec configuration.
This is my ipsec.conf (the file itself is hosted on GitHub). I may add some comments later.
The config file has 4 parts and defines 3 kinds of VPN: IKEv2, IKEv2 with EAP, and Cisco IPsec (IKEv1).
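As an added illustration (not the author's file), here is an ipsec.conf with the same shape as described above: a config setup section, a conn %default holding the shared settings, and three conn blocks for IKEv2 with client certificates, IKEv2 with EAP-MSCHAPv2, and Cisco IPsec (IKEv1 with PSK plus XAUTH). The file names line up with the ipsec.secrets shown earlier (server.pem, vpnHostKey.pem, the user1/user2 entries). The hostname vpn.your.domain, the client pool 10.10.10.0/24, the DNS server and the cipher proposals are my assumptions; adapt them. Parameter lines must be indented.

```conf
# Added example ipsec.conf for this tutorial, not the author's configuration.
# Assumed values: vpn.your.domain, 10.10.10.0/24, 8.8.8.8, the proposals below.

config setup
    # allow the same user to be connected from several devices at once
    uniqueids = no

conn %default
    left = %any
    # /etc/ipsec.d/certs/server.pem; the matching key is named in ipsec.secrets
    leftcert = server.pem
    # must match the certificate CN/SAN and the client's RemoteIdentifier
    leftid = @vpn.your.domain
    leftsendcert = always
    # full tunnel: clients send all traffic through the VPN
    leftsubnet = 0.0.0.0/0
    right = %any
    # client address pool; must match the NAT/forward rules in iptables
    rightsourceip = 10.10.10.0/24
    rightdns = 8.8.8.8
    dpdaction = clear
    dpddelay = 300s
    auto = add

# 1) IKEv2 with client certificates.
#    Put the CA that issued the client certs in /etc/ipsec.d/cacerts/.
conn IKEv2-cert
    keyexchange = ikev2
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256!
    leftauth = pubkey
    rightauth = pubkey

# 2) IKEv2 with EAP-MSCHAPv2: the server proves itself with server.pem, the
#    user with the "user1 : EAP" line in ipsec.secrets (iOS username/password).
conn IKEv2-eap
    keyexchange = ikev2
    # modp1024 is only there for clients that cannot be told to use group 14;
    # remove it once your profile sets DiffieHellmanGroup 14
    ike = aes256-sha256-modp2048,aes256-sha256-modp1024!
    esp = aes256-sha256,aes256-sha1!
    leftauth = pubkey
    rightauth = eap-mschapv2
    # the client has no certificate to send
    rightsendcert = never
    # look the secret up by the EAP identity, not by the IKE identity
    eap_identity = %identity

# 3) Cisco IPsec (IKEv1): PSK from the ": PSK" line, then XAUTH user/password
#    from the "user1 : XAUTH" lines. iOS uses aggressive mode with a group name.
conn CiscoIPSec
    keyexchange = ikev1
    aggressive = yes
    ike = aes256-sha1-modp1024!
    esp = aes256-sha1!
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth
```

Two things to keep in mind with the third block: IKEv1 aggressive mode lets anyone who captures the first exchange run an offline brute force against the PSK, so the PSK must be long and random and IKEv2 should be preferred whenever the client supports it; and the XAUTH passwords are served from ipsec.secrets by the xauth-generic plugin installed at the top of the article, so rereadsecrets applies to them too.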
Save the config file and run ipsec restart.
Next, the server certificate. In ipsec.conf we defined the certificate file name as server.pem.
[info]You can also use a wildcard SSL certificate, but then you must set leftid in ipsec.conf to @*.your.domain, and the server address must end in your.domain, so it can be a.your.domain, b.your.domain, c.your.domain and so on.
That way you can use exactly the same config file and certificate on all of your servers; all you need to do is give them different subdomain names.
[/info]
[warning]The Common Name in the certificate must match the leftid and the real server domain name.
That is, if you want to reach your server as a.your.domain, the Common Name in the certificate must be exactly a.your.domain or *.your.domain; any other string is not accepted.
And leftid in ipsec.conf must be @a.your.domain or @*.your.domain.
If any of these do not match, the connection fails with a certificate mismatch error.
[/warning]
[info]I haven't tried a server without a domain name. According to the configuration documentation, you would use a self-signed certificate, change leftid in ipsec.conf accordingly, and install the CA certificate on your device.
Update 10/10/2014:
According to Justin's test, if you want to use an IP address as the server address, you need to follow these three suggestions (203.0.113.10 below is a placeholder; use your server's real address):
1. When creating the server certificate, use
--dn "C=CH, O=strongSwan, CN=Server-IP-Address" \
--san Server-IP-Address \
instead of the server's domain name.
2. In ipsec.conf, leftid must be exactly the server's IP address, e.g.:
leftid = 203.0.113.10
3. In the mobileconfig file, RemoteIdentifier must be exactly the server's IP address, e.g.:
RemoteIdentifier
203.0.113.10
[/info]
Rename your domain certificate to the name you set and put it in /etc/ipsec.d/certs/; in this case it is server.pem.
For the private key, the file name is defined in ipsec.secrets, vpnHostKey.pem in this case. Rename your private key to that name and put it in /etc/ipsec.d/private/ (keep it readable by root only).
[info]Here server.pem is what we call ssl.crt (SSLCertificateFile) when setting up an SSL site in Apache, and vpnHostKey.pem is what we call ssl.key (SSLCertificateKeyFile), the certificate's private key.
If your certificate was issued through an intermediate CA, also put the chain certificates in /etc/ipsec.d/cacerts/ so strongSwan can build the full chain for clients.
[/info]
Then run ipsec restart, and everything you need to do on the server side is done.
Now for the mobileconfig file for iOS 8.
This is my mobile config profile:
Modify the username, password and server address in this profile, then install it on your device. You can use the import function in Apple Configurator, or just edit it with any text editor.
[info]Additional information about signed mobileconfig files. You can use this command to sign your mobileconfig file:[/info]
openssl smime \
-sign \
-signer ssl.crt \
-inkey ssl.key \
-certfile ca.pem \
-nodetach \
-outform der \
-in MyProfile.mobileconfig \
-out Myprofile_signed.mobileconfig
[info]ssl.crt can be your domain certificate or an e-mail certificate; ssl.key is the certificate's private key; ca.pem may be needed for the device to trust the certificate chain. The input and output files MUST be different!
For self-signed certificates, read this article:
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
[/info]
[info]If you want to see more in IPsec's log, add this to your ipsec.conf:
charondebug="cfg 2, dmn 2, ike 2, net 2"
The config file will then look like this (parameter lines must be indented under the section):
config setup
    charondebug = "cfg 2, dmn 2, ike 2, net 2"
    uniqueids = no
Now restart ipsec and you will see more about your VPN service in /var/log/syslog (or /var/log/daemon.log, /var/log/messages).
The official documentation for charondebug is here:
https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Normally level 2 is all we need. Level 3 and above write raw data in hex, which we usually don't need, and level 4 also dumps sensitive material such as keys, so never leave it on in production.
After debugging your VPN server, remove the charondebug line, or your log file will grow very fast.
Levels and Subsystems/Groups
The IKE daemon knows different numerical levels of logging, ranging from -1 to 4:
-1: Absolutely silent
0: Very basic auditing logs (e.g. SA up/SA down)
1: Generic control flow with errors, a good default to see what's going on
2: More detailed debugging control flow
3: Including RAW data dumps in hex
4: Also include sensitive material in dumps, e.g. keys
Each logging message also has a source, the subsystem in the daemon the log came from:
app: applications other than daemons
asn: Low-level encoding/decoding (ASN.1, X.509 etc.)
cfg: Configuration management and plugins
chd: CHILD_SA/IPsec SA
dmn: Main daemon setup/cleanup/signal handling
enc: Packet encoding/decoding encryption/decryption operations
esp: libipsec library messages
ike: IKE_SA/ISAKMP SA
imc: Integrity Measurement Collector
imv: Integrity Measurement Verifier
job: Jobs queuing/processing and thread pool management
knl: IPsec/Networking kernel interface
lib: libstrongswan library messages
mgr: IKE_SA manager, handling synchronization for IKE_SA access
net: IKE network communication
pts: Platform Trust Service
tls: libtls library messages
tnc: Trusted Network Connect
[/info]
Setup IKEv2 On Demand VPN on iOS 8 and IKEv2, IKEv1 Cisco IPSec VPN with Strongswan by 桔子小窝 is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
apt-get install build-essential libssl-dev libgmp-dev
This is the build environment you need to install before compiling.
Since I don't recommend installing from source, I didn't mention the environment setup at all. But for everyone's convenience I've added that line anyway~ Thanks for providing it~
@Orange : I've deployed this several times and could never find it, so I came here to mention it.
Also, I'd like to ask: if a Linux box in China connects to a Linux box abroad using strongSwan, is the config file the same?
Hmm... I don't quite understand what you mean by a Linux box in China connecting to a Linux box abroad with strongSwan... A site-to-site VPN?
@Orange :
I mean I've deployed an IKEv2 VPN with strongSwan on my overseas VPS, and now I want to use strongSwan on a VPS in China to connect to that overseas IKEv2 VPN. How should I configure that?
I don't know what site-to-site means either; it just ranked high when I searched on Google.
I really don't know about your situation; I've never used this kind of site-to-site VPN. Why would you need that...
@Orange :
Because I want to use a VPS in China as a jump host. Right now iOS connects directly to the IKEv2 VPN and even domestic sites go through the VPN; I want to do traffic splitting on the domestic VPS.
@Orange :
That's exactly how I do it. 3G to an overseas VPS is unstable, so I set up a node in China and site-to-site it to the overseas one.
The phone only needs to connect to the domestic node with IPsec.
Do you have a tutorial for that? I could attach a link to your tutorial at the end of the article for everyone's convenience.
strongswan-plugin-eap-mschapv2 and strongswan-plugin-xauth-generic: what source do I need to add on Debian for these two? I can't find them.
I've never touched Debian, so I don't know how to find the packages you want... You may need to ask a V2EX user who has set this up on Debian.
"This is my config file:
这是我的ipsec配置文件:"
There doesn't seem to be a config file.
The config file is hosted on GitHub; if you can't see it, you need to get around the Great Firewall...
I hear iOS 9 added a UI for configuring IKEv2?
Yes! You can now add an IKEv2 VPN directly in Settings!
On Mac OS X 10.11, how should Remote ID and Local ID be filled in?
I don't quite follow? What do Remote ID and Local ID have to do with the operating system?
@Orange : It has nothing to do with the OS itself; it's just that 10.11 has a native UI for adding IKEv2, and I don't know what to put in the Remote ID field there.
I haven't looked into that yet; I only know the feature exists. It should be similar to what you fill in with Configurator...
If I need L2TP/IPsec, do I also need to install xl2tpd?
That seems to be the case, but since L2TP is currently blocked very heavily, I stopped looking into it long ago...
Hello, thank you very much for sharing.
I'd like to ask: with IKEv2 and a self-signed certificate for an IP address, how can I avoid installing the certificate on the iOS client?
If the certificate is issued for a domain name, the iOS client doesn't need to install a certificate, but that exposes the domain name on the client.
If I buy a CA certificate, it seems a domain name is also required...
Looking forward to your reply, and thanks again.
With a self-signed certificate there is no way to avoid installing it on the client. Whether it is installed through a profile or by downloading the certificate file from a web page, the server certificate must be installed.