The ultimate one: three bash/zsh shell scripts and IPSEC/IKEv2 is done, with certificate, EAP, PSK and Xauth authentication, supporting all kinds of iOS, Android, Windows and BlackBerry devices

2014-10-29 00:19:38 +08:00
 cattyhouse
First: install Strongswan, cat strongswaninstall.zsh:


cd ~
wget http://download.strongswan.org/strongswan.tar.gz
tar xvf strongswan.tar.gz
cd strongswan-*
# build-dep needs deb-src lines in sources.list; build-essential provides gcc and make
apt-get build-dep strongswan -y
apt-get install build-essential libgmp3-dev openssl libssl-dev -y
./configure --sysconfdir=/etc --disable-sql --disable-mysql --disable-ldap --enable-dhcp --enable-eap-identity --enable-eap-mschapv2 --enable-md4 --enable-xauth-eap --enable-eap-peap --enable-eap-md5 --enable-openssl --enable-shared --enable-unity --enable-eap-tls --enable-eap-ttls --enable-eap-tnc --enable-eap-dynamic --enable-addrblock --enable-eap-radius --enable-radattr --enable-kernel-netlink --enable-kernel-libipsec --enable-ipseckey --enable-pkcs11 --enable-whitelist --enable-socket-dynamic --enable-duplicheck --enable-error-notify --enable-ha --enable-libipsec
make && make install


Then configure Strongswan, cat strongswanconfig.zsh:


cat << _EOF_ >/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# parameter lines inside a section must be indented

config setup
    uniqueids = no
    # charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange = ike
    ike = aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp = aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction = clear
    # keyingtries = 1
    ikelifetime = 24h
    closeaction = clear
    dpdtimeout = 5s
    dpddelay = 300s
    forceencaps = yes
    fragmentation = force
    lifetime = 24h
    # modeconfig = push
    rekey = no
    left = %any
    leftsubnet = 0.0.0.0/0
    leftcert = vpnServerCert.pem
    leftsendcert = always
    rightallowany = yes
    right = %any
    # rightdns = 8.8.4.4,8.8.8.8
    rightsourceip = 172.16.16.0/24

conn IPSec-IKEv2
    leftid = 11.22.33.44
    rightid = *@11.22.33.44
    # keyexchange = ikev2
    # leftauth = pubkey
    # rightauth = pubkey
    mobike = yes
    # leftauth = psk
    # leftauth2 = pubkey
    # rightauth = psk
    auto = add

conn IPSec-IKEv2-EAP
    also = "IPSec-IKEv2"
    rightauth = eap-mschapv2
    rightsendcert = never
    eap_identity = %any

conn IKEv1-Certs
    # keyexchange = ikev1
    leftauth = pubkey
    rightauth = pubkey
    rightauth2 = xauth
    rightcert = iPhone5sCert.pem
    auto = add

conn IKEv1-PSK
    # keyexchange = ikev1
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth
    auto = add
_EOF_


cat << _EOF_ > /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpnServerKey.pem
#: RSA serverKey.pem
: PSK "fuckgfw748"
j : XAUTH "fuckgfw748"
jj : EAP "fuckgfw748"
_EOF_


cat << _EOF_ >/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    duplicheck.enable = no
    # DNS servers handed out to clients
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
_EOF_

# iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
# OpenVZ please use above command if the following command does not work
iptables -t nat -A POSTROUTING -j MASQUERADE
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p

Then sort out the certificates, cat ikev2ca.zsh:

mkdir -p ~/sswan/ca
cd ~/sswan/ca
###Root Certs
ipsec pki --gen --type rsa --size 4096 \
--outform pem \
> rootKey.pem
chmod 600 rootKey.pem
ipsec pki --self --ca --lifetime 3650 \
--in rootKey.pem --type rsa \
--dn "C=CH, O=justin, CN=justin Root CA" \
--outform pem \
> rootCert.pem

### VPN Server Certs
ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> vpnServerKey.pem
chmod 600 vpnServerKey.pem
ipsec pki --pub --in vpnServerKey.pem --type rsa | \
ipsec pki --issue --lifetime 3650 \
--cacert rootCert.pem \
--cakey rootKey.pem \
--dn "C=CH, O=justin, CN=11.22.33.44" \
--san 11.22.33.44 \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpnServerCert.pem
#### IKEv2 Client Certs

ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> iPhone5sKey.pem
chmod 600 iPhone5sKey.pem
ipsec pki --pub --in iPhone5sKey.pem --type rsa | \
ipsec pki --issue --lifetime 3650 \
--cacert rootCert.pem \
--cakey rootKey.pem \
--dn "C=CH, O=justin, CN=iPhone5s@11.22.33.44" \
--san iPhone5s@11.22.33.44 \
--outform pem > iPhone5sCert.pem
### P12 file for iPhone
openssl pkcs12 -export -inkey iPhone5sKey.pem \
-in iPhone5sCert.pem -name "iPhone5s's VPN Certificate" \
-certfile rootCert.pem \
-caname "justin Root CA" \
-out iPhone5s.p12
### ROOT Certs DER format
openssl x509 -outform der -in rootCert.pem -out rootCertforiPhone.crt

## Copy them to the right places
cp iPhone5sKey.pem vpnServerKey.pem /etc/ipsec.d/private/
cp iPhone5sCert.pem vpnServerCert.pem /etc/ipsec.d/certs/
cp rootCert.pem /etc/ipsec.d/cacerts/


Finally, run:
ipsec start --nofork
then connect a client and debug; if nothing is wrong, put ipsec start into /etc/rc.local

Note: replace 11.22.33.44 with your own IP or domain name. When configuring IKEv2 on the iPhone with Apple Configurator, the main thing is that the remote ID and local ID must be written correctly: remote ID is 11.22.33.44, local ID is whatever@11.22.33.44, where whatever means anything you like, just don't ask for trouble by using odd characters.
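An added pre-flight check for the ID and certificate pairing the post ends on (written for this thread, not code from the original post or from the strongSwan project). It assumes the post's server ID 11.22.33.44, the file names produced by ikev2ca.zsh, and a locally installed openssl CLI:

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# ID/certificate pairing described above.  Assumed: the server ID 11.22.33.44
# from the post's ipsec.conf and the file names produced by ikev2ca.zsh.
# 1. Does a client's local ID satisfy the conn's "rightid = *@<server_id>"?
#    Exactly one '@', a non-empty user part of plain characters (the post
#    warns against odd ones), and the domain part equal to the server ID.
id_matches_rightid() {   # id_matches_rightid <local_id> <server_id>
    user="${1%@*}"; domain="${1#*@}"
    [ "$user" != "$1" ] || return 1              # no '@' at all
    [ "$user" = "${1%%@*}" ] || return 1         # more than one '@'
    [ -n "$user" ] || return 1                   # empty user part
    case "$user" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "$domain" = "$2" ]
}

# 2. Does the certificate's subjectAltName list the given ID? ikev2ca.zsh puts
#    the server IP and user@IP there; leftid/rightid are matched against the SAN
#    under pubkey authentication. Needs the openssl CLI.
cert_san_has() {   # cert_san_has <cert.pem> <id>
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -Fxq -e "IP Address:$2" -e "email:$2" -e "DNS:$2"
}

# 3. Does the certificate chain to the root CA that the client installs?
chain_verifies() {   # chain_verifies <rootCert.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 4. Private keys must stay owner-only (the post's chmod 600).
key_is_private() {   # key_is_private <key.pem>
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600)" ]
}

# Run every check against the post's /etc/ipsec.d layout; returns 1 on any failure.
preflight() {   # preflight <server_id> <client_local_id> [<ipsec.d dir>]
    dir="${3:-/etc/ipsec.d}"; rc=0
    id_matches_rightid "$2" "$1" || { echo "local ID $2 does not match *@$1"; rc=1; }
    cert_san_has "$dir/certs/vpnServerCert.pem" "$1" || { echo "server cert SAN lacks $1"; rc=1; }
    cert_san_has "$dir/certs/iPhone5sCert.pem" "$2" || { echo "client cert SAN lacks $2"; rc=1; }
    for c in vpnServerCert iPhone5sCert; do
        chain_verifies "$dir/cacerts/rootCert.pem" "$dir/certs/$c.pem" || { echo "$c.pem does not chain to rootCert.pem"; rc=1; }
    done
    for k in vpnServerKey iPhone5sKey; do
        key_is_private "$dir/private/$k.pem" || { echo "$k.pem missing or not mode 600"; rc=1; }
    done
    return $rc
}
```

Run `preflight 11.22.33.44 iPhone5s@11.22.33.44` after the cp step of ikev2ca.zsh; each failing line names the mismatch that would otherwise show up only as an IKE authentication failure on the client.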
11596 views
Node: iPhone
19 replies
crystone
2014-10-29 00:27:15 +08:00
Thanks for sharing, I'll try it some day
cattyhouse
2014-10-29 00:28:07 +08:00
Change the usernames and password in this part to your own; heh, I'm cursing the GFW to go die. j and jj are both usernames, fuckgfw748 is the password.

: PSK "fuckgfw748"
j : XAUTH "fuckgfw748"
jj : EAP "fuckgfw748"
kurtrossel
2014-10-29 01:37:07 +08:00
Thanks for sharing!!!

Will try it when I have time
wangqj
2014-10-29 04:56:33 +08:00
Thanks a lot!
hewigovens
2014-10-29 07:26:46 +08:00
OP could post this on a gist, there's no code highlighting here..
cattyhouse
2014-10-29 08:08:24 +08:00
@hewigovens already posted a gist
lovelinghan
2014-10-29 08:57:57 +08:00
Mark
heyf
2014-10-29 09:15:12 +08:00
Nice!
a3587556
2014-10-29 16:43:48 +08:00
Set it up successfully, thanks!
jhytxy
2014-10-29 21:23:59 +08:00
checking whether make sets $(MAKE)... no
checking whether make supports nested variables... no
checking whether UID '0' is supported by ustar format... yes
checking whether GID '0' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking whether make supports nested variables... (cached) no
checking for pkg-config... no
checking for a sed that does not truncate output... /bin/sed
checking configured UDP ports (500, 4500)... ok
checking for gcc... no
checking for cc... no
checking for cl.exe... no
configure: error: in `/root/strongswan-5.2.1':
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details
strongswaninstall.zsh:8: no matches found: strongswan-*
strongswaninstall.zsh:9: command not found: make


Is this an error? It's a little xvmlabs 4ip VPS
cattyhouse
2014-10-29 21:39:24 +08:00
@jhytxy apt-get build-essential first
jhytxy
2014-10-29 22:59:15 +08:00
E: Invalid operation build-essential

@cattyhouse this 4ip is a weird VPS
cattyhouse
2014-10-29 23:48:45 +08:00
@jhytxy It's not that they're weird, it's that you don't have much Linux experience. I meant install build-essential; from your output you have no GCC or C compiler, so it can't compile. So run:
apt-get install build-essential. Although I left out an "install" above, you should get what I meant, right?
jhytxy
2014-11-02 15:14:47 +08:00
@cattyhouse thanks, I really don't use Linux much; it's installed now
jhytxy
2014-11-02 15:15:40 +08:00
Why does it only work the one time I tried it right after installing?

After a reboot, started from rc.local, it can connect but can't access the network
cattyhouse
2014-11-02 16:55:32 +08:00
@jhytxy write the full path to ipsec in rc.local. First use

which ipsec
to find the absolute path, then put that in.
rwzsycwan
2014-12-05 03:43:17 +08:00
The Strongswan I set up here gets no speed, worse than ocserv
Caixiaopig
2015-01-08 00:21:15 +08:00
@jhytxy check your iptables settings; maybe they got wiped by the defaults after the reboot.
xzm1006
2015-01-30 12:09:49 +08:00
Thanks OP~ I set it up following the tutorial, but there's one problem: my Android browser can get out, but the Play Store app can't connect?

https://www.v2ex.com/t/142248