参考文档:
- https://www.strongswan.org/testing/testresults/ikev2-stroke/index.html
- https://docs.strongswan.org/docs/5.9/install/install.html
- https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
一、网络及服务器环境:
- 公网IP,可以是固定IP或DDNS
- OS: Debian 12 Kernel: 6.1.0-17-amd64
二、网络配置:
- 网关映射
udp:500、udp:4500这些端口和协议给内网Debian12 - 如果需要访问的内部资源IP与Debian12不在同一个网段,需要做静态路由把
rightsourceip指向Debian12
三、安装strongSwan
apt安装:sudo apt install strongswan-starter
或者编译安装,两种安装方式默认的etc配置路径有所不同,注意区分。
wget https://download.strongswan.org/strongswan-5.9.14.tar.bz2
tar xjf strongswan-5.9.14.tar.bz2
cd strongswan-5.9.14
./configure --enable-ikev2 --enable-openssl --enable-systemd --with-systemdsystemunitdir=/lib/systemd/system --enable-charon --enable-random --enable-nonce --enable-aes --enable-sha1 --enable-sha2 --enable-pem --enable-pkcs1 --enable-curve25519 --enable-gmp --enable-x509 --enable-curl --enable-revocation --enable-hmac --enable-kdf --enable-stroke --enable-kernel-netlink --enable-socket-default --enable-fips-prf --enable-eap-mschapv2 --enable-eap-identity --enable-updown --disable-defaults
make
sudo make install四、acme申请证书
acme.sh --issue -d lotro.cc -k 3072 --cert-file /usr/local/etc/ipsec.d/certs/lotro.cc.cer --key-file /usr/local/etc/ipsec.d/private/lotro.cc.key --ca-file /usr/local/etc/ipsec.d/cacerts/ca.cer --reloadcmd "sudo ipsec reload"五、配置 ipsec.conf
sudo nano /usr/local/etc/ipsec.conf
config setup
uniqueids = never
conn %default
keyexchange=ike
conn rw
leftsubnet=192.168.55.0/24 # 需要访问的内网资源
leftcert=lotro.cc.cer # acme申请的签名ssl证书
leftid=lotro.cc # 必须等于ssl证书的主机名
leftsendcert=yes
rightauth=eap-mschapv2 # 采用用户名密码验证
rightsourceip=192.168.100.128/25 # 分配给手机端的虚拟IP段
auto=add认证密钥key
sudo nano /usr/local/etc/ipsec.secrets
# /usr/local/etc/ipsec.secrets - strongSwan IPsec secrets file
admin : EAP "admin" # 用户名和密码重启 sudo ipsec reload
六、移动端配置
- 类型:
IKEv2 - 服务器地址:
lotro.cc - 远程ID「服务器ID」:
lotro.cc - 本地ID「IPSec标识符」:(可不填,服务端默认%any,服务端根据不同用户匹配资源)
- 用户名:
admin - 密码:
admin - 代理:
关闭
PS:以下是swanctl.conf方式配置strongSwan具体配置,效果同上
sudo apt install build-essential pkg-config libsystemd-dev libssl-dev
wget https://download.strongswan.org/strongswan-5.9.14.tar.bz2
tar xjf strongswan-5.9.14.tar.bz2
cd strongswan-5.9.14
./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --disable-charon --disable-stroke --enable-systemd --with-systemdsystemunitdir=/lib/systemd/system --enable-ikev2 --enable-swanctl --enable-openssl --enable-nonce --enable-random --enable-pem --enable-x509 --enable-kernel-netlink --enable-socket-default --enable-eap-identity --enable-eap-mschapv2 --enable-updown
make
sudo make install
acme.sh --issue -d lotro.cc -k 2048 --cert-file /etc/swanctl/x509/lotro.cc.cer --key-file /etc/swanctl/private/lotro.cc.key --ca-file /etc/swanctl/x509ca/ca.cer --reloadcmd "sudo swanctl -q"
/etc/swanctl/x509ca/ca.cer
/etc/swanctl/x509/lotro.cc.cer
/etc/swanctl/private/lotro.cc.key
/etc/swanctl/conf.d/v.conf
connections {
conn-eap {
pools = ipv4
send_cert = always
local {
auth = pubkey
certs = lotro.cc.cer
id = lotro.cc
}
remote {
auth = eap-mschapv2
eap_id = %any
}
children {
eap {
local_ts = 192.168.55.0/24
}
}
}
}
pools {
ipv4 {
addrs = 192.168.100.128/25
}
}
secrets {
eap-admin {
id = admin
secret = admin
}
}