quericy / one-key-ikev2-vpn

A bash script based on CentOS or Ubuntu that helps you create an IKEv2/L2TP VPN.
GNU General Public License v3.0

How does a CentOS 7 client connect? I looked at it for a long time and couldn't figure it out #148

Open chainofhonor opened 6 years ago

chainofhonor commented 6 years ago

First I ran yum install strongswan openssl, then set up the configuration files. But no matter how I write the configuration files following the two tutorials below, they don't work: https://blog.csdn.net/qw623577789/article/details/71054795 https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2ClientConfig

I downloaded all of the certificates.

Could you briefly explain which files need to be downloaded from the server, and how the client should edit its configuration files?

Right now I still have no idea how to use CentOS 7 as a client to connect to IKEv2. I've stayed up all night for this VPN - - going to sleep now, will continue tonight.

chainofhonor commented 6 years ago

............. I just went through the script from start to finish, removed the unused parts, and now I roughly understand the flow.

Then I found that the latest strongSwan is Linux strongSwan U5.6.1/K3.10.0-693.el7.x86_64

Installing this version on CentOS 7 is very simple: yum install strongswan. After installation there is no ipsec command anymore; all commands use strongswan instead, including the ones for generating certificates.

Then I installed it following the procedure below:

```bash
yum install strongswan openssl

mkdir install_ikev2
cd install_ikev2

vps_ip="192.168.11.21"   # this is the server IP
my_cert_c="com"          # these 3 variables are used when generating the certificates below; customize as you like
my_cert_o="myvpn"
my_cert_cn="VPN CA"

strongswan pki --gen --outform pem > ca.pem
strongswan pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem > ca.cert.pem
strongswan pki --gen --outform pem > server.pem
strongswan pki --pub --in server.pem | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" --san="${vps_ip}" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
strongswan pki --gen --outform pem > client.pem
strongswan pki --pub --in client.pem | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem

# you will be prompted for a password here; just press Enter
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}" -out client.cert.p12

cp -f ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
cp -f server.cert.pem /etc/strongswan/ipsec.d/certs/
cp -f server.pem /etc/strongswan/ipsec.d/private/
cp -f client.cert.pem /etc/strongswan/ipsec.d/certs/
cp -f client.pem /etc/strongswan/ipsec.d/private/
echo "Cert copy completed"

# configure the ipsec.conf
cat > /etc/strongswan/ipsec.conf<<-EOF
config setup
    uniqueids=never

conn iOS_cert
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn ios_ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=${vps_ip}
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

EOF

# configure the strongswan.conf
cat > /etc/strongswan/strongswan.conf<<-EOF
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF

# configure the ipsec.secrets (it must be written where charon reads it, not the current directory)
cat > /etc/strongswan/ipsec.secrets<<-EOF
: RSA server.pem
: PSK "myPSKkey"
: XAUTH "myXAUTHPass"
myUserName %any : EAP "myUserPass"
EOF

cat > /etc/sysctl.d/10-ipsec.conf<<-EOF
net.ipv4.ip_forward=1
EOF
sysctl --system

interface="eth0"   # this is the network interface
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i $interface -p esp -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $interface -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $interface -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i $interface -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o $interface -j MASQUERADE

service iptables save

strongswan restart
```

"./ca.cert.pem" "/etc/strongswan/ipsec.secrets"

But when connecting with Win10 it reports a policy match error. Could you take a look at where exactly the problem is?

I feel that if this problem can be solved, installing it this way is still simpler.

chainofhonor commented 6 years ago

It worked. With the method above I connected successfully from iOS 11.3.1, but I don't know why Win10 reports a policy match error.

chainofhonor commented 6 years ago

Win10 works too, but with one drawback: in ipsec.conf, conn windows7 must be placed first for Win10 to connect correctly, and then iOS 11.3.1 can't connect anymore.

chainofhonor commented 6 years ago

Win10 works too. You need to add a registry value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256, a DWORD set to 1. It takes effect immediately. 0 disables AES-256-CBC and MODP-2048; 1 enables AES-256-CBC and MODP-2048; 2 forces AES-256-CBC and MODP-2048.

OK, now both Win10 and iOS 11.3.1 can connect to the server at the same time.
Now on to figuring out how Linux connects.

chainofhonor commented 6 years ago

```
conn ios_ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=192.168.11.21
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.4.0/24
    rightsendcert=never
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add
```

After adding the registry value, Win10 connects using this conn, on the same subnet as iOS.
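The thread shows why Win10 landed on the windows7 conn (its only proposal is aes256-sha1-modp1024) until the NegotiateDH2048_AES256 registry value let it offer MODP-2048, after which it matched ios_ikev2. As an added example, not code from the thread or from the one-key-ikev2-vpn script, the Python below parses the server-side conns posted in the setup comment and the last comment, reports the legacy algorithms each conn still offers (3des, sha1, modp1024), and derives the strongSwan client-side conn that the original question asked for. Assumptions that are mine, not the page's: the client imports ca.cert.pem into /etc/strongswan/ipsec.d/cacerts/, the username/password pair is the EAP line from ipsec.secrets, and the `-client` conn suffix and function names are invented here.

```python
"""Audit strongSwan ipsec.conf conns and derive a client conn for an EAP conn.

Added example; not the one-key-ikev2-vpn script's own code.
"""
import re
from collections import OrderedDict

# Algorithms strongSwan still accepts but which should no longer be offered.
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

# Constructed sample: the ios_ikev2 and windows7 conns as posted in the thread.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=never

conn ios_ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=192.168.11.21
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section; 'config setup' is skipped."""
    conns, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def proposal_algs(proposal):
    """Split 'aes256-sha256-modp2048,3des-sha1-modp2048!' into its algorithm tokens."""
    return [alg for suite in proposal.rstrip("!").split(",") for alg in suite.split("-")]


def audit(text):
    """Per conn, list legacy algorithms offered and non-strict or missing ike=/esp= proposals."""
    findings = {}
    for name, opts in parse_conns(text).items():
        issues = []
        for key in ("ike", "esp"):
            prop = opts.get(key)
            if prop is None:
                issues.append(f"{key}: no proposal set, strongSwan defaults apply")
                continue
            legacy = sorted({a for a in proposal_algs(prop) if a in LEGACY_ALGS})
            if legacy:
                issues.append(f"{key}: legacy algorithms offered: {', '.join(legacy)}")
            if not prop.endswith("!"):
                issues.append(f"{key}: proposal not strict (missing trailing '!')")
        findings[name] = issues
    return findings


def client_conn(text, conn_name, username):
    """Derive the client-side conn for a server conn that authenticates clients with EAP-MSCHAPv2.

    The server's leftid becomes the client's right/rightid, so the client pins the identity
    in server.cert.pem. Assumes ca.cert.pem is installed in the client's ipsec.d/cacerts/.
    """
    opts = parse_conns(text)[conn_name]
    if opts.get("rightauth") != "eap-mschapv2":
        raise ValueError("only EAP-MSCHAPv2 conns are handled here")
    server_id = opts.get("leftid")
    if server_id is None:
        raise ValueError("server conn has no leftid, so the server address cannot be derived")
    lines = [f"conn {conn_name}-client", "    keyexchange=ikev2"]
    for key in ("ike", "esp"):            # reuse the server's proposals so they overlap
        if key in opts:
            lines.append(f"    {key}={opts[key]}")
    lines += [
        f"    right={server_id}",         # server address
        f"    rightid={server_id}",       # must match the SAN/CN in server.cert.pem
        "    rightsubnet=0.0.0.0/0",      # route all traffic through the tunnel
        "    rightauth=pubkey",           # verify the server certificate against the CA
        "    leftsourceip=%config",       # request a virtual IP from rightsourceip
        "    leftauth=eap-mschapv2",      # client authenticates with username/password
        f"    eap_identity={username}",
        "    auto=add",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for conn, issues in audit(SAMPLE_IPSEC_CONF).items():
        print(conn, issues)
    print(client_conn(SAMPLE_IPSEC_CONF, "ios_ikev2", "myUserName"))
```

On a CentOS 7 client the emitted conn goes into /etc/strongswan/ipsec.conf, the line `myUserName : EAP "myUserPass"` into /etc/strongswan/ipsec.secrets, ca.cert.pem into /etc/strongswan/ipsec.d/cacerts/, and the tunnel comes up with `strongswan up ios_ikev2-client`. The windows7 conn deliberately fails derivation: it has no leftid, and its modp1024-only proposal is the one a client should not be pinned to anyway.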