
Sunday 13 November 2011

Building an IPsec VPN for iOS with strongSwan

I searched through many articles on the web and read a lot of people's blogs and FAQs before I finally solved the iOS Cisco VPN (IPsec VPN) problem. Experience must be shared, so below I give a detailed walkthrough of how to build and configure a Cisco VPN.
First, a word about the limitations of iOS devices, i.e. why Cisco VPN had to be the choice:
1. Without a jailbreak, iOS devices support PPTP, L2TP, Cisco VPN, Cisco AnyConnect and Juniper's Junos Pulse. With a jailbreak you can use OpenVPN.
2. PPTP has already been blocked by the GFW. Many people use L2TP, which supports the standard CHAP and PAP mechanisms for user authentication. In terms of security, L2TP only defines encrypted transport for its control messages; it does not encrypt the data in transit. Insecure, so not considered.
3. Cisco AnyConnect requires connecting to a Cisco router, ASA or PIX; Junos Pulse requires a Juniper SA-series VPN product. Both cost money, and a lot of it. Not considered.
4. Some will ask: OpenVPN is also an option. True, but installing an OpenVPN client on an iOS device requires a jailbreak, which I cannot accept. Not considered.
5. The only remaining solution is to find software that can serve the Cisco VPN client.
Thanks to the power of Google, I finally found an open-source package: strongSwan. strongSwan supports the Cisco VPN client, and its official website even gives a detailed configuration guide; see here for details. I have to say strongSwan has done a great service to those of us inside the GFW.
The configuration steps I give here combine the documentation on the official website with my own experience during configuration. Without further ado, let's start configuring!
1. First you need a host in a country without the wall (there has to be an endpoint to connect to, otherwise where would you connect, and with whom would you build the VPN?). I chose Linode, a highly rated VPS provider. If you also choose it as your VPN server, please register through this link, since it is my referral: if you sign up via my link and stay for 90 days, Linode gives me $20, i.e. one month of service. My referral code: 2d244ab3d3fe4d033eb494266b87dc7fbb046407
2. Choose an operating system. I chose Ubuntu; a colleague of mine also tested CentOS without problems.
3. Download strongSwan:
* wget http://download.strongswan.org/strongswan.tar.gz
* tar xzvf strongswan.tar.gz
* cd strongswan-*
4. Compile strongSwan:
* ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib --with-ipsecdir=/usr/lib/strongswan --enable-cisco-quirks --enable-openssl --enable-nat-transport --enable-shared
* Here --enable-cisco-quirks and --enable-nat-transport are critical; they are mandatory!
* make
* make install
5. Generate the CA certificate:
* ipsec pki --gen --outform pem > caKey.pem
* ipsec pki --self --in caKey.pem --dn "C=CN, O=test, CN=Test CA" --ca --outform pem > caCert.pem
6. Generate the server certificate:
* ipsec pki --gen --outform pem > serverKey.pem
* ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=test, CN=vps_ip" --flag serverAuth --outform pem > serverCert.pem
7. Generate the client certificate:
* ipsec pki --gen --outform pem > clientKey.pem
* ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=test, CN=client" --outform pem > clientCert.pem
8. Convert the CA certificate to .cer format and the client certificate to .p12 format (to explain why: both converted certificates are to be installed on the iOS device. iOS can also handle PEM, but some people ran into problems importing PEM files into iOS, so to be safe use .cer. The client certificate goes into .p12 because a p12 file can contain both the key and the certificate, which is convenient and saves importing two files).
* openssl x509 -inform PEM -outform DER -in caCert.pem -out caCert.cer (this command has a problem!)
* openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "Test CA" -out clientCert.p12 (this command has a problem!)
9. Copy the generated key and certificate files to their directories:
* cp caCert.pem /etc/ipsec.d/cacerts/
* cp serverCert.pem /etc/ipsec.d/certs/
* cp serverKey.pem /etc/ipsec.d/private/
* cp clientCert.pem /etc/ipsec.d/certs/
* cp clientKey.pem /etc/ipsec.d/private/
10. Configure the /etc/ipsec.conf file

11. Create the file /etc/ipsec.secrets and edit it:
# /etc/ipsec.secrets – strongSwan IPsec secrets file
: RSA serverKey.pem (the server's key file)
: PSK "myPSKkey"
test : XAUTH "password" (test is the username and password is the password; the password must be enclosed in "")

12. Configure the /etc/strongswan.conf file: an unpolluted DNS server needs to be assigned to iOS devices that connect to the VPN successfully.

13. Configure the iOS device:
Deliver the generated caCert.cer and clientCert.p12 to the iOS device by email or by downloading them over the web, and install the certificates.
Go to Settings > General > Network > VPN > Add VPN Configuration
Select IPSec
Description identifies your VPN; there are no particular restrictions.
Server must be the part after the = in the "CN=vpn.test.com" that was entered when issuing the server certificate, i.e. vpn.test.com. If they do not match, the iOS device reports an error: server verification failed.
Account: the username from ipsec.secrets
Password: the password from ipsec.secrets
Switch Use Certificate to on and select the imported client certificate

14. VPN connection:
Under Settings > VPN, switch VPN to ON to start the IPsec VPN negotiation and connection.
Once connected, a notification appears: "Welcome to strongSwan – the Linux VPN Solution!". When you see that notification, congratulations, the connection succeeded!!

BTW: a word about the iptables configuration:
1. strongSwan uses UDP ports 500 and 4500, so the INPUT chain of the iptables filter table must accept incoming UDP 500 and 4500, i.e.:
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT

2. Most people use the VPN mainly to access a lot of information, so NAT must be configured, as follows:
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

3. The FORWARD chain of the filter table must also be configured:
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
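As an added check (not part of the original post), the Python example below audits an iptables-save dump for what a strongSwan road-warrior gateway needs: the UDP 500/4500 rules, the NAT and FORWARD rules for the VPN pool, and an accept rule for raw ESP (IP protocol 50), which peers that are not behind NAT use instead of UDP 4500 and which the three rules above do not include. The sample dump is constructed from those three rules; the pool and interface names are the ones the post uses.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format: the three rules given above,
# plus default chain policies (assumed DROP, as on a locked-down host).
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return one dict per '-A' line: table, chain, target and option->value map."""
    rules, table = [], "filter"
    for line in text.splitlines():
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = line[1:].strip()
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"table": table, "chain": toks[1], "target": None, "opts": {}}
        i = 2
        while i < len(toks):
            if toks[i] == "-j" and i + 1 < len(toks):
                rule["target"] = toks[i + 1]
                i += 2
            elif toks[i].startswith("-") and i + 1 < len(toks) \
                    and not toks[i + 1].startswith("-"):
                rule["opts"][toks[i]] = toks[i + 1]   # e.g. "--dport": "500"
                i += 2
            else:
                i += 1                              # flag without value, or "!"
        rules.append(rule)
    return rules


def covers(rule_net, pool):
    """True if the rule's -s network contains the whole VPN pool."""
    try:
        return ipaddress.ip_network(pool).subnet_of(ipaddress.ip_network(rule_net))
    except ValueError:
        return False


def has_rule(rules, table, chain, target, want):
    """Is there a rule in table/chain with this target whose options satisfy 'want'?"""
    for r in rules:
        if r["table"] != table or r["chain"] != chain or r["target"] != target:
            continue
        ok = True
        for key, val in want.items():
            if key == "-s":
                ok &= covers(r["opts"].get("-s", ""), val)
            else:
                ok &= r["opts"].get(key) == val
        if ok:
            return True
    return False


def audit_vpn_firewall(text, pool, wan_if):
    """List what the rule set lacks for a strongSwan gateway serving 'pool' via 'wan_if'."""
    rules = parse_rules(text)
    missing = []
    for port in ("500", "4500"):                    # IKE and NAT-T
        if not has_rule(rules, "filter", "INPUT", "ACCEPT", {"-p": "udp", "--dport": port}):
            missing.append(f"INPUT udp/{port}")
    # Peers that are not behind NAT send raw ESP, which the UDP rules do not cover.
    if not (has_rule(rules, "filter", "INPUT", "ACCEPT", {"-p": "esp"})
            or has_rule(rules, "filter", "INPUT", "ACCEPT", {"-p": "50"})):
        missing.append("INPUT esp (IP protocol 50)")
    if not has_rule(rules, "nat", "POSTROUTING", "MASQUERADE", {"-s": pool, "-o": wan_if}):
        missing.append(f"nat POSTROUTING MASQUERADE for {pool} via {wan_if}")
    if not has_rule(rules, "filter", "FORWARD", "ACCEPT", {"-s": pool}):
        missing.append(f"FORWARD ACCEPT from {pool}")
    return missing
```

Run it against `iptables-save` output from the gateway; an empty list means every rule the post needs is present.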

Done!
Everyone can now use the VPN safely and with confidence! In my tests, both WiFi through a NAT router and GPRS connections worked fine. I have not tried China Unicom's network; if anyone has, please let everyone know the result. Thanks!
If you run into problems during configuration, you can DM me @henrywangxf
FROM http://www.xxqww.com/?p=22
----------------------------------------

Install Strongswan - A Tool to Setup IPsec Based VPN in Linux

IPsec is a standard which provides security at the network layer. It consists of the Authentication Header (AH) and Encapsulating Security Payload (ESP) components. AH provides packet integrity, and confidentiality is provided by the ESP component. IPsec ensures the following security features at the network layer.
  • Confidentiality
  • Integrity of packet
  • Source non-repudiation
  • Replay attack protection
Strongswan is an open source implementation of the IPsec protocol; the name stands for Strong Secure WAN (StrongS/WAN). It supports both versions of the automatic key exchange used in IPsec VPNs (Internet Key Exchange (IKE) v1 and v2).
Strongswan basically provides automatic key sharing between the two nodes/gateways of the VPN, after which it uses the Linux kernel implementation of IPsec (AH and ESP). The key shared using the IKE mechanism is then used by ESP for the encryption of data. In the IKE phase, strongswan uses the encryption algorithms (AES, SHA etc.) of OpenSSL and other crypto libraries, whereas the ESP component of IPsec uses the security algorithms implemented in the Linux kernel. The main features of Strongswan are given below.
  • X.509 certificate or pre-shared key based authentication
  • Support of IKEv1 and IKEv2 key exchange protocols
  • Optional built-in integrity and crypto tests for plugins and libraries
  • Support of elliptic curve DH groups and ECDSA certificates
  • Storage of RSA private keys and certificates on a smartcard.
It can be used in the client / server (road warrior) and gateway to gateway scenarios.

How to Install

Almost all Linux distros ship a binary package of Strongswan. In this tutorial, we will install strongswan from the binary package and also compile the strongswan source code with the desired features.

Using binary package

Strongswan can be installed using the following command on Ubuntu 14.04 LTS.
$sudo aptitude install strongswan
The global configuration file (strongswan.conf) and the IPsec configuration files (ipsec.conf/ipsec.secrets) of strongswan are under the /etc/ directory.

Pre-requisite for strongswan source compilation & installation

  • GMP (Mathematical/Precision Library used by strongswan)
  • OpenSSL     (Crypto Algorithms from this library)
  • PKCS (1,7,8,11,12)    (Certificate encoding and smart card integration with Strongswan )
Procedure
1) Go to the /usr/src/ directory using the following command in the terminal.
$cd /usr/src
2) Download the source code from the strongswan site using the following command
(strongswan-5.2.1.tar.gz is the latest version.)
(figure: downloading software)
3) Extract the downloaded software and go inside it using the following command.
$sudo tar -xvzf strongswan-5.2.1.tar.gz; cd strongswan-5.2.1
4) Configure strongswan with the desired options using the configure command.
./configure --prefix=/usr/local --enable-pkcs11 --enable-openssl
If the GMP library is not installed, the configure script will generate the following error.
(figure: GMP library error)
Therefore, first install the GMP library using the following command and then run the configure script.
(figure: gmp installation)
However, if GMP is already installed and the above error still occurs, create a soft link to the libgmp.so library in /usr/lib, /lib/ or /usr/lib/x86_64-linux-gnu/ on Ubuntu using the following command.
$ sudo ln -s /usr/lib/x86_64-linux-gnu/libgmp.so.10.1.3 /usr/lib/x86_64-linux-gnu/libgmp.so
After creating the libgmp.so soft link, run ./configure again; it should now find the gmp library. However, it may generate another error about the gmp header file, shown in the following figure.
(figure: GMP header file issue)
Install the libgmp-dev package using the following command to fix the above error.
$sudo aptitude install libgmp-dev
After installing the gmp development package, run the configure script again; if it produces no error, the following output will be displayed.
(figure: output of the configure script)
Type the following commands to compile and install strongswan.
$ sudo make ; sudo make install
After the installation of strongswan, the global configuration (strongswan.conf) and the IPsec policy/secret configuration files (ipsec.conf/ipsec.secrets) are placed in the /usr/local/etc directory.
Strongswan can be used in tunnel or transport mode depending on the security need. It provides the well-known site-to-site and road warrior VPNs, and interoperates easily with Cisco and Juniper devices.
from http://linoxide.com/security/install-strongswan/
(Chinese version: http://www.linuxidc.com/Linux/2015-08/122437.htm)
----------

Intro to Configure IPsec VPN using Strongswan

Strongswan supports Gateway-to-Gateway (site-to-site) and Road Warrior types of VPN. In the first type, network traffic is encrypted/decrypted on the gateway (entrance/exit) of an organization. In the Road Warrior case, traffic is encrypted from the end client (machine) to the remote gateway. In this article, we explain the creation of a tunnel between two sites of an organization to secure their communication. The placement of the Strongswan-based VPN server/gateway is shown in the following figure. We want to secure communication between the 10.1.0.0/16 and 11.1.0.0/16 networks of the organization.
(figure: placement of the strongSwan VPN gateways between sites A and B)
As shown in the above figure, we want to secure the communication from A to B and vice versa. It is important to make sure the routing to the Strongswan-based VPN gateways is in place in the organization's network. We assume that a machine in office A can ping a machine in the network of office B; this ensures connectivity between the devices.
In our previous article we installed strongswan on a VM. In a production environment, however, strongswan is installed on hardware for better performance. In this article we use VMs to show the tunnel creation between two sites.
By default, the strongswan configuration files are under the /usr/local/etc/ directory, as shown in the following figure.

(figure: strongswan configuration files under /usr/local/etc/)

Gateway-to-Gateway tunnel (Pre shared key)

In this tunnel, we use a shared secret between the two machines. The peers authenticate each other with this shared secret, while the Diffie-Hellman exchange provides the keying material for the symmetric encryption algorithm.

Configuration of Strongswan on Local (left) machine (A side)

ipsec.conf is the main configuration file of strongswan. In this file, we define the parameters of the tunnel policy, such as the encryption and hashing algorithms.
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel
    left=192.168.1.10
    leftsubnet=10.1.0.0/16
    right=192.168.1.11
    rightsubnet=11.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
ipsec.secrets contains secret information such as the shared key, smart card PINs and private key passwords. In our case, the pre-shared key between A and B is sharedsecret:
192.168.1.10 192.168.1.11 : PSK 'sharedsecret'

Configuration of Strongswan on Remote (right) machine (B side)

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel
    left=192.168.1.11
    leftsubnet=11.1.0.0/16
    right=192.168.1.10
    rightsubnet=10.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel

and the contents of ipsec.secrets on the remote site are:
192.168.1.11 192.168.1.10 : PSK 'sharedsecret'
After making the changes on both sides, run the following command to create the tunnel.
# ipsec restart
To check the status of the tunnel on both machines, run the following command in the terminal. The output of the command for the local and remote machine is shown below.
# ipsec statusall

Output of ipsec statusall on VM A

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
uptime: 8 minutes, since Jan 03 13:44:32 2015
malloc: sbrk 1351680, mmap 0, used 250048, free 1101632
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.1.10
Connections:
     tunnel: 192.168.1.10...192.168.1.11 IKEv2, dpddelay=30s
      tunnel:   local: [192.168.1.10] uses pre-shared key authentication
     tunnel:   remote: [192.168.1.11] uses pre-shared key authentication
     tunnel:   child: 10.1.0.0/16 === 11.1.0.0/16 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
     tunnel[1]: ESTABLISHED 8 minutes ago, 192.168.1.10[192.168.1.10]...192.168.1.11[192.168.1.11]
     tunnel[1]: IKEv2 SPIs: cafdf24210e8e503_i* 7ee6557a1d297e35_r, pre-shared key reauthentication in 25 minutes
     tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
     tunnel{1}: INSTALLED, TUNNEL, ESP SPIs: cbd51ed8_i c7243b49_o
     tunnel{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     tunnel{1}:   10.1.0.0/16 === 11.1.0.0/16

Output of ipsec statusall on VM B

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
uptime: 6 minutes, since Jan 03 13:44:21 2015
malloc: sbrk 1351680, mmap 0, used 250944, free 1100736
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.1.11
Connections:
     tunnel: 192.168.1.11...192.168.1.10 IKEv2, dpddelay=30s
     tunnel:   local: [192.168.1.11] uses pre-shared key authentication
     tunnel:   remote: [192.168.1.10] uses pre-shared key authentication
     tunnel:   child: 11.1.0.0/16 === 10.1.0.0/16 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
     tunnel[3]: ESTABLISHED 6 minutes ago, 192.168.1.11[192.168.1.11]...192.168.1.10[192.168.1.10]
     tunnel[3]: IKEv2 SPIs: cafdf24210e8e503_i 7ee6557a1d297e35_r*, pre-shared key reauthentication in 36 minutes
     tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
     tunnel{3}: INSTALLED, TUNNEL, ESP SPIs: c7243b49_i cbd51ed8_o
     tunnel{3}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     tunnel{3}:   11.1.0.0/16 === 10.1.0.0/16
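To verify what the gateway actually negotiated rather than what ipsec.conf requested, here is an added Python example (not part of the original article) that parses the ipsec statusall output above into IKE_SA and CHILD_SA records and flags algorithms or DH groups a defender would not want to see. The weak-token list is my own minimal policy; MODP_1024, which this page's modp1024 setting produces, is what it catches on the sample.

```python
import re

# Constructed sample: the relevant lines of the "ipsec statusall" output from VM A above.
SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
Connections:
     tunnel: 192.168.1.10...192.168.1.11 IKEv2, dpddelay=30s
     tunnel:   local: [192.168.1.10] uses pre-shared key authentication
     tunnel:   remote: [192.168.1.11] uses pre-shared key authentication
     tunnel:   child: 10.1.0.0/16 === 11.1.0.0/16 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
     tunnel[1]: ESTABLISHED 8 minutes ago, 192.168.1.10[192.168.1.10]...192.168.1.11[192.168.1.11]
     tunnel[1]: IKEv2 SPIs: cafdf24210e8e503_i* 7ee6557a1d297e35_r, pre-shared key reauthentication in 25 minutes
     tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
     tunnel{1}: INSTALLED, TUNNEL, ESP SPIs: cbd51ed8_i c7243b49_o
     tunnel{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     tunnel{1}:   10.1.0.0/16 === 11.1.0.0/16
"""

IKE_SA_RE = re.compile(r"^\s*(?P<name>\S+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$")    # name[n]: ...
CHILD_SA_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")  # name{n}: ...

# My own policy list, not strongSwan's: groups/ciphers/hashes not acceptable today.
WEAK_TOKENS = {"MODP_768", "MODP_1024", "MODP_1536", "DES_CBC", "3DES_CBC",
               "HMAC_MD5_96", "HMAC_SHA1_96", "PRF_HMAC_MD5", "PRF_HMAC_SHA1"}


def parse_statusall(text):
    """Return {'ike_sas': {id: {...}}, 'child_sas': {id: {...}}} from statusall output."""
    ike, child = {}, {}
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sa = ike.setdefault(int(m.group("id")), {"conn": m.group("name")})
            rest = m.group("rest")
            if rest.startswith("ESTABLISHED"):
                sa["state"] = "ESTABLISHED"
                sa["peers"] = re.findall(r"(\d+\.\d+\.\d+\.\d+)\[", rest)
            elif rest.startswith("IKE proposal:"):
                sa["proposal"] = rest.split(":", 1)[1].strip().split("/")
            elif "SPIs:" in rest:
                sa["spis"] = re.findall(r"([0-9a-f]{16})_[ir]", rest)
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            sa = child.setdefault(int(m.group("id")), {"conn": m.group("name")})
            rest = m.group("rest")
            if rest.startswith("INSTALLED"):
                sa["state"] = "INSTALLED"
                sa["esp_spis"] = re.findall(r"([0-9a-f]{8})_[io]", rest)
            elif "bytes_i" in rest:                      # "ENC/INTEG, N bytes_i, ..."
                sa["proposal"] = rest.split(",", 1)[0].split("/")
            elif "===" in rest:                          # traffic selectors
                sa["ts"] = [s.strip() for s in rest.split("===")]
    return {"ike_sas": ike, "child_sas": child}


def audit(status):
    """Findings: SAs that are not up, and negotiated tokens on the weak list."""
    findings = []
    for sid, sa in status["ike_sas"].items():
        if sa.get("state") != "ESTABLISHED":
            findings.append(f"IKE_SA {sid}: not established")
        for tok in sa.get("proposal", []):
            if tok in WEAK_TOKENS:
                findings.append(f"IKE_SA {sid}: weak algorithm/group {tok}")
    for cid, sa in status["child_sas"].items():
        if sa.get("state") != "INSTALLED":
            findings.append(f"CHILD_SA {cid}: not installed")
        for tok in sa.get("proposal", []):
            if tok in WEAK_TOKENS:
                findings.append(f"CHILD_SA {cid}: weak algorithm {tok}")
    return findings
```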
The ip command with the xfrm parameter can be used to see the policies and states of the IPsec tunnel on a Linux box. The output of the command ip xfrm state on both devices is shown below.

Output of ip xfrm state command on VM A

src 192.168.1.10 dst 192.168.1.11
proto esp spi 0xc7243b49 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f
src 192.168.1.11 dst 192.168.1.10
proto esp spi 0xcbd51ed8 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a

Output of ip xfrm state command on VM B

src 192.168.1.11 dst 192.168.1.10
proto esp spi 0xcbd51ed8 reqid 3 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a
src 192.168.1.10 dst 192.168.1.11
proto esp spi 0xc7243b49 reqid 3 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f

As shown above, the xfrm output reveals sensitive information (the SA keys), so avoid running such commands on a production strongSwan server.
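Before an ip xfrm state dump leaves the box (a ticket, a chat, a mailing list), the key material should be masked. This added Python example (not from the original article) parses the dump above into per-SA records, checks that each SA has its reverse-direction partner with the same reqid, and redacts the auth/enc keys while keeping SPIs, reqids and modes for troubleshooting.

```python
import re

# Constructed sample: the "ip xfrm state" output from VM A shown above.
SAMPLE_XFRM = """\
src 192.168.1.10 dst 192.168.1.11
proto esp spi 0xc7243b49 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f
src 192.168.1.11 dst 192.168.1.10
proto esp spi 0xcbd51ed8 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a
"""

# Key material is a long hex string (128 bits and up); SPIs are only 8 hex digits.
KEY_RE = re.compile(r"\b0x[0-9a-f]{32,}\b")


def redact_xfrm(text):
    """Replace every key in the dump with a placeholder that still states its length."""
    return KEY_RE.sub(lambda m: f"0x<redacted:{(len(m.group(0)) - 2) * 4}-bit>", text)


def parse_xfrm_state(text):
    """One record per SA: src, dst, proto, spi, reqid, mode, auth, auth_bits, enc."""
    records, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "src":                       # "src A dst B" starts a new SA
            cur = {"src": parts[1], "dst": parts[3]}
            records.append(cur)
        elif cur is None:
            continue
        elif parts[0] == "proto":                   # "proto esp spi 0x.. reqid N mode tunnel"
            cur["proto"], cur["spi"] = parts[1], parts[3]
            cur["reqid"], cur["mode"] = int(parts[5]), parts[7]
        elif parts[0] == "auth-trunc":              # "auth-trunc hmac(sha256) 0x.. 128"
            cur["auth"], cur["auth_bits"] = parts[1], int(parts[3])
        elif parts[0] == "enc":                     # "enc cbc(aes) 0x.."
            cur["enc"] = parts[1]
    return records


def check_pairing(records):
    """Each SA should have a reverse-direction SA with the same reqid (one per direction
    of the CHILD_SA); return (src, dst, spi) of every SA whose partner is missing."""
    index = {(r["src"], r["dst"], r["reqid"]) for r in records}
    return [(r["src"], r["dst"], r["spi"]) for r in records
            if (r["dst"], r["src"], r["reqid"]) not in index]
```

The redacted text still parses, so `parse_xfrm_state(redact_xfrm(dump))` is what to run on anything that is shared.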
from http://linoxide.com/how-tos/ipsec-vpn-gateway-gateway-using-strongswan/
-----------------------------------------------------------------------------------------------------
strongSwan5-based IPSec_VPN, Ubuntu 14.04 LTS and PSK/XAUTH

I prefer strongSwan over Openswan because it's still in active development, easier to set up and doesn't require an L2TP daemon. I prefer a simple IKEv1 setup using PSK and XAUTH over certificates. If you plan to share your VPN server with your friends it's also a lot easier to set up for them without certificates. I haven't tried the VPN configuration below with non-Apple clients but it works well with iOS and OS X clients. Make sure to use the Cisco IPSec VPN profile, not the L2TP over IPSec profile you need for Openswan. While strongSwan works well with KVM and Xen containers, it probably won't work with non-virtualised containers like OpenVZ or LXC.
strongSwan 5 has been modularised in Ubuntu 14.04 so we need to install the required plugins using apt-get as well:
apt-get install strongswan strongswan-plugin-xauth-generic
/etc/ipsec.secrets (replace 123.123.123.123 with the server’s public IP address)
123.123.123.123 %any : PSK "replace but leave the quotes"

jan : XAUTH "janspassword"
someone : XAUTH "anotherpassword"
/etc/ipsec.conf
config setup
    cachecrls=yes
    uniqueids=yes
conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.2/24
    rightdns=4.2.2.1
    auto=add
That’s already all we need for strongSwan. Restart it using
service strongswan restart
Make sure to allow IPv4 packet forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward=1
And reload the changes using:
sysctl -p
We also need a NAT rule:
# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
I'm NATing the entire 10/8 for VPN usage and assigning different /24s to different VPN daemons. This way I just need one NAT rule for everything.
Here's a sample inbound-only firewall script which also covers the OpenVPN and Iodine ports:
#!/bin/sh
# Flush old rules, old custom tables
/sbin/iptables --flush
/sbin/iptables --flush -t nat
/sbin/iptables --delete-chain
# Set default policies for all three default chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Allow VPN forwarding
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
/sbin/iptables -A FORWARD -i dns+ -j ACCEPT
/sbin/iptables -A FORWARD -o dns+ -j ACCEPT
# Accept limited inbound ICMP messages
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 5 --hitcount 10 -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT
# All TCP sessions should begin with SYN
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0/0 -j DROP
# Accept inbound TCP packets
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Accept inbound UDP packets
/sbin/iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# Accept IPSEC packets
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -p 50 -j ACCEPT
/sbin/iptables -A INPUT -p 51 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
from https://trick77.com/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth/
-------------------------
Related posts:
http://briteming.blogspot.com/2013/08/strongswan-5ikev1-vpnradius.html
http://briteming.blogspot.com/2015/07/strongswanfreeradiusikev2-vpn.html
http://briteming.blogspot.com/2015/07/setup-ipsec-vpn-with-strongswan.html
----------------------

Easily deploy your own personal VPN server with DNS adblocking running on DigitalOcean.

Key Features

  • Personal IPsec-based VPN (strongSwan).
  • Ad blocking DNS setup by default (Pi-hole).
  • Generates profiles for sharing VPN with OSX/iPhone and Android.
  • No additional software required for OSX/iPhone - uses native VPN client.
  • Simple Web or CLI installation methods.
  • Automated OS and VPN software updates.
  • Dual stack IPv4/IPv6 enabled.

Web Installer (OSX)

  1. Download the latest pre-built app from the GitHub Releases page. Note: only OSX 10.12+ is supported.
  2. Open the app and run through the web based installation wizard to setup a new VPN.

CLI Usage (OSX)

  1. Download the latest pre-built cli from the GitHub Releases page. Note: only OSX 10.12+ is supported.
  2. Make the binary executable
chmod +x dosxvpn
  3. Create an API token (https://cloud.digitalocean.com/settings/api/tokens) and export it
export DIGITALOCEAN_ACCESS_TOKEN=<token>
  4. See help for all options
./dosxvpn -h

CLI Examples

  • Deploy a new VPN droplet and configure OSX VPN
    ./dosxvpn deploy --region sfo2 --auto-configure
  • List dosxvpn VPN droplets
    ./dosxvpn ls
  • Remove dosxvpn VPN droplet and OSX VPN profile
    ./dosxvpn rm --name <name> --remove-profile

FAQ

  1. Should I use dosxvpn? That's up to you. Use at your own risk.
  2. Why is this better than using public VPN provider XYZ? While most VPN providers will provide a secure connection to their endpoints, you may not be interested in putting blind faith in their claims that they will not log or track your activity online.
  3. How is this different than algo?
    1. Installation - is simple and has no additional system dependencies.
    2. Updates: dosxvpn handles updates of both the OS and VPN. This means any critical security updates or bug fixes will automatically be applied for you.
  4. How much does this cost? This launches a 512MB DigitalOcean droplet that costs $5/month currently.
  5. What is the bandwidth limit? The 512MB DigitalOcean droplet has a 1TB bandwidth limit. This does not appear to be strictly enforced.
  6. Where does dosxvpn store VPN configuration files? You can find all deployed VPN configuration files in your ~/.dosxvpn directory.
  7. How do I SSH into the deployed droplet? Assuming you had public SSH keys uploaded to your DigitalOcean account when the VPN was deployed, all of those keys should be authorized for access. You can SSH using any of those keys: ssh -i core@. If you had no SSH keys uploaded to your DigitalOcean account, then a temporary key was autogenerated for you and you will need to redeploy if you want SSH access.
  8. What is the password to login to Pi-hole? The password is dosxvpn.
  9. Are you going to support other VPS providers? Not right now.
  10. Will this make me completely anonymous? No, absolutely not. All of your traffic is going through a VPS which could be traced back to your account. You can also be tracked still with browser fingerprinting, etc. Your IP address may still leak due to WebRTC, Flash, etc.
  11. How do I uninstall this thing on OSX? You can uninstall through the Web interface, which will also remove the running droplet in your DigitalOcean account. Alternatively go to System Preferences->Network, click on dosxvpn-* and click the '-' button in the bottom left to delete the VPN. Don't forget to also remove the droplet that is deployed in your DigitalOcean account.

Powered By

  • strongSwan - IPsec-based VPN software
  • CoreOS - used for running containers and automatic OS updates capabilities
  • Pi-hole - used for DNS adblocking
  • Platypus - used to build the native OSX app
  • godo - DigitalOcean Go API client

Acknowledgements

Building Source

  1. Install dependency platypus cli
brew install platypus
  2. Fetch the project with go get:
go get github.com/dan-v/dosxvpn
cd $GOPATH/src/github.com/dan-v/dosxvpn
  3. Run make to build