IKEv2 VPN dial-in from a phone to reach internal network resources

Reference documents:
https://www.strongswan.org/testing/testresults/ikev2-stroke/index.html
https://docs.strongswan.org/docs/5.9/install/install.html
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

1. Network and server environment
A public IP address, either static or reachable through DDNS.
OS: Debian 12
Kernel: 6.1.0-17-amd64

2. Network configuration
On the gateway, forward UDP port 500 and UDP port 4500 to the internal Debian 12 host.
If the internal resources to be reached are not in the same subnet as the Debian 12 host, add a static route that sends the rightsourceip range to the Debian 12 host.

3. Install strongSwan
Install from apt:
sudo apt install strongswan-starter
Or build from source. The two installation methods use different default etc configuration paths, so keep them apart.
wget https://download.strongswan.org/strongswan-5.9.14.tar.bz2
tar xjf strongswan-5.9.14.tar.bz2
cd strongswan-5.9.14
./configure --enable-ikev2 --enable-openssl --enable-systemd --with-systemdsystemunitdir=/lib/systemd/system --enable-charon --enable-random --enable-nonce --enable-aes --enable-sha1 --enable-sha2 --enable-pem --enable-pkcs1 --enable-curve25519 --enable-gmp --enable-x509 --enable-curl --enable-revocation --enable-hmac --enable-kdf --enable-stroke --enable-kernel-netlink --enable-socket-default --enable-fips-prf --enable-eap-mschapv2 --enable-eap-identity --enable-updown --disable-defaults
make
sudo make install

4. Request a certificate with acme
acme.sh --issue -d lotro.cc -k 3072 --cert-file /usr/local/etc/ipsec.d/certs/lotro.cc.cer --key-file /usr/local/etc/ipsec.d/private/lotro.cc.key --ca-file /usr/local/etc/ipsec.d/cacerts/ca.cer --reloadcmd "sudo ipsec reload"

5. Configure ipsec.conf
sudo nano /usr/local/etc/ipsec.conf

config setup
    uniqueids = never

conn %default
    keyexchange=ike

conn rw
    leftsubnet=192.168.55.0/24         # the internal resources to reach
    leftcert=lotro.cc.cer              # the signed SSL certificate issued via acme
    leftid=lotro.cc                    # must equal the hostname in the SSL certificate
    leftsendcert=yes
    rightauth=eap-mschapv2             # authenticate with username and password
    rightsourceip=192.168.100.128/25   # virtual IP range assigned to the phones
    auto=add

Authentication secrets:
sudo nano /usr/local/etc/ipsec.secrets

# /usr/local/etc/ipsec.secrets - strongSwan IPsec secrets file
admin : EAP "admin"   # username and password

Restart:
sudo ipsec reload

6. Mobile client configuration
Type: IKEv2
Server address: lotro.cc
Remote ID (server ID): lotro.cc
Local ID (IPsec identifier): may be left empty; the server defaults to %any and matches resources per user
Username: admin
Password: admin
Proxy: off
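As an added example that is not part of the post, the following Python checker parses the ipsec.conf and ipsec.secrets formats used in section 5 and flags the mistakes the post warns about: a rightsourceip pool that collides with leftsubnet, EAP-MSCHAPv2 without leftsendcert=yes, and EAP authentication with no user defined in ipsec.secrets. The sample input is a constructed copy of the post's own configuration; the function names are mine.

```python
import ipaddress
import re
# Constructed sample input, copied from the ipsec.conf and ipsec.secrets in the post.
IPSEC_CONF = """\
conn %default
    keyexchange=ike
conn rw
    leftsubnet=192.168.55.0/24   # internal resources to reach
    leftid=lotro.cc
    leftsendcert=yes
    rightauth=eap-mschapv2
    rightsourceip=192.168.100.128/25
    auto=add
"""
IPSEC_SECRETS = '# strongSwan IPsec secrets file\nadmin : EAP "admin"   # user : password\n'

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'conn rw': {key: value}, ...}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not raw[0].isspace():      # an unindented line opens a section
            current = sections.setdefault(" ".join(line.split()), {})
        elif line.strip() and current is not None:   # an indented line is key=value
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def eap_users(text):
    """Usernames that have an EAP secret in ipsec.secrets (commented-out lines skipped)."""
    pattern = re.compile(r'^\s*([^\s#:]+)\s*:\s*EAP\s+"')
    return {m.group(1) for m in map(pattern.match, text.splitlines()) if m}

def run_checks(conf_text, secrets_text):
    """Apply the post's rules to every conn except %default; return a list of findings."""
    sections, users, findings = parse_ipsec_conf(conf_text), eap_users(secrets_text), []
    for name, conn in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = {**sections.get("conn %default", {}), **conn}   # %default is inherited
        pool = ipaddress.ip_network(conn["rightsourceip"], strict=False)
        lan = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        if pool.overlaps(lan):   # pool must be a separate range that is routed to the VPN host
            findings.append(f"{name}: rightsourceip {pool} overlaps leftsubnet {lan}")
        if conn.get("rightauth") == "eap-mschapv2" and conn.get("leftsendcert") != "yes":
            findings.append(f"{name}: EAP clients need the server cert, set leftsendcert=yes")
        if conn.get("rightauth") == "eap-mschapv2" and not users:
            findings.append(f"{name}: rightauth=eap-mschapv2 but ipsec.secrets defines no EAP user")
    return findings
```

The VPN host must also have net.ipv4.ip_forward=1 for clients in the pool to reach leftsubnet; that kernel setting is outside ipsec.conf and is not checked here.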
PS: The following is the equivalent swanctl.conf-style strongSwan configuration; the result is the same as above.
sudo apt install build-essential pkg-config libsystemd-dev libssl-dev
wget https://download.strongswan.org/strongswan-5.9.14.tar.bz2
tar xjf strongswan-5.9.14.tar.bz2
cd strongswan-5.9.14
./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --disable-charon --disable-stroke --enable-systemd --with-systemdsystemunitdir=/lib/systemd/system --enable-ikev2 --enable-swanctl --enable-openssl --enable-nonce --enable-random --enable-pem --enable-x509 --enable-kernel-netlink --enable-socket-default --enable-eap-identity...