Overview
This article describes how to build your own virtual private network (VPN for short) on CentOS/Ubuntu. It is used to encrypt the part of the traffic between your local machine and the corporate network that crosses the public internet, to prevent traffic hijacking, and to provide remote access to the company's internal network.
Later I will also share a site-to-site VPN setup for communication between hybrid clouds, which gives the company an internal virtual leased line.
So far this role supports the following main features:
- custom server domain name or IP
- one-click LDAP integration
- tunnel-split
- site to site
Note: strongSwan does not support authenticating directly against LDAP; RADIUS is needed in between as a bridge.
Requirements
- General software list:
  - centos7.x
  - ansible 2.4
  - aliasmee-strongswan-roles
- Advanced configuration software list:
  - freeradius
  - openldap
Installation
1. Create the main YAML file, named install_strongswan, with the following content:
```yaml
---
# This playbook installs strongSwan
- hosts: my-vpn
  vars_files:
    - vars/main.yml
  roles:
    - role: aliasmee.strongswan
```
Note: my-vpn is my target host!
2. Modify vars/main.yml to match your environment:
```yaml
---
# strongSwan version - https://strongswan.org/
strongswan_version: 5.7.2

# CA cert info
vpn_liftid: "{{ ipify_public_ip }}" # Supports an FQDN or IP address, e.g. 110.23.3.3 or v.example.com
dn_prefix: "C=cn, O=example"
ca_dn_info: "{{dn_prefix}}, CN=VPN CA"
server_dn_info: "{{dn_prefix}}"
client_dn_info: "{{dn_prefix}}, CN=VPN Client"
ca_lifetime: 3650 # CA cert validity period (unit: days)
server_lifetime: 1200 # server cert validity period (unit: days)

# strongSwan settings
client_dhcp_ip: 10.28.0.0/24 # virtual IP pool handed out to clients after they connect
client_dhcp_dns: 8.8.8.8 # DNS server assigned to the client
client_auth: eap-mschapv2 # Supported methods: [eap-mschapv2, eap-radius]; default eap-mschapv2
client_tunnel_range: 0.0.0.0/0 # Only these networks are routed through the tunnel -> tunnel-split

# Temp VPN test user (/etc/ipsec.secrets)
username: testUserOnePla4
password: testOnePassPla4

# strongSwan combined with FreeRADIUS
enabled_radius: no # If you want to use LDAP authentication, set this to yes.
radius_port: 1812
radius_secret: testing123
radius_ip: 127.0.0.1

# Other info
download_path: '/tmp'
download_dir: /tmp
install_dir: /opt
cert_path: "{{download_dir}}/certs"
extra_path: "{{install_dir}}/strongswan-{{strongswan_version}}/sbin"

# strongSwan ./configure flag list
config_list:
  - "--prefix={{install_dir}}/strongswan-{{strongswan_version}}"
  - "--enable-eap-identity"
  - "--enable-eap-md5"
  - "--enable-eap-mschapv2"
  - "--enable-eap-tls"
  - "--enable-eap-ttls"
  - "--enable-eap-peap"
  - "--enable-eap-tnc"
  - "--enable-eap-dynamic"
  - "--enable-eap-radius"
  - "--enable-xauth-eap"
  - "--enable-xauth-pam"
  - "--enable-dhcp"
  - "--enable-openssl"
  - "--enable-addrblock"
  - "--enable-unity"
  - "--enable-certexpire"
  - "--enable-radattr"
  - "--enable-swanctl"
  - "--enable-openssl"
  - "--disable-gmp"
create_path:
  - "{{install_dir}}"
  - "{{download_dir}}/temp"
  - "{{cert_path}}"

# Read CA cert content
view_certificate: False # If you want to test the VPN, install the remote private CA on your local PC.
```
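The vars file above still carries the shared secret FreeRADIUS ships with (testing123) and a temporary test account, and a few of its values (the client pool, the tunnel range, the two certificate lifetimes) are easy to get subtly wrong. The following pre-flight check is an added example and not part of the aliasmee.strongswan role: it reads the flat `key: value` settings of vars/main.yml and reports those problems before the playbook runs. The rule that `client_auth: eap-radius` requires `enabled_radius: yes` is my reading of the comments in the file rather than something the role documents, the 16-character minimum for the RADIUS secret is my own threshold, and the embedded sample is constructed from the values shown on this page.

```python
"""Pre-flight check for the strongSwan role's vars/main.yml (added example, not part of the role).

Only the flat `key: value` lines are read; lists and Jinja expressions such as
"{{ ipify_public_ip }}" are kept as opaque strings. The sample below is constructed
from the vars shown on this page.
"""
import ipaddress
import re
import sys

SAMPLE_VARS = """\
strongswan_version: 5.7.2
vpn_liftid: "{{ ipify_public_ip }}" # Supports an FQDN or IP address
ca_lifetime: 3650
server_lifetime: 1200
client_dhcp_ip: 10.28.0.0/24
client_dhcp_dns: 8.8.8.8
client_auth: eap-mschapv2
client_tunnel_range: 0.0.0.0/0
username: testUserOnePla4
password: testOnePassPla4
enabled_radius: no
radius_port: 1812
radius_secret: testing123
radius_ip: 127.0.0.1
"""

KNOWN_DEFAULT_SECRETS = {"testing123"}      # the shared secret FreeRADIUS ships with
KNOWN_TEST_USERS = {"testUserOnePla4"}      # the page's temporary test account
VALID_CLIENT_AUTH = {"eap-mschapv2", "eap-radius"}  # the two methods the vars comment lists
MIN_SECRET_LEN = 16                         # my own threshold, not a strongSwan/FreeRADIUS limit

_LINE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*(?:#.*)?$')


def parse_flat_vars(text):
    """Return the top-level scalar settings as {key: value}, quotes and trailing comments stripped."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"\'')
    return settings


def check_vars(v):
    """Return a list of (severity, message); an empty list means nothing to fix."""
    findings = []
    auth = v.get("client_auth", "")
    radius_on = v.get("enabled_radius", "no").lower() in {"yes", "true"}
    if auth not in VALID_CLIENT_AUTH:
        findings.append(("error", f"client_auth={auth!r} is not one of {sorted(VALID_CLIENT_AUTH)}"))
    if auth == "eap-radius" and not radius_on:   # assumption: eap-radius needs the RADIUS settings
        findings.append(("error", "client_auth is eap-radius but enabled_radius is not yes"))
    if radius_on or auth == "eap-radius":
        secret = v.get("radius_secret", "")
        if secret in KNOWN_DEFAULT_SECRETS or len(secret) < MIN_SECRET_LEN:
            findings.append(("error", f"radius_secret is a shipped default or shorter than {MIN_SECRET_LEN} chars"))
        try:
            ip = ipaddress.ip_address(v.get("radius_ip", ""))
            if not (ip.is_loopback or ip.is_private):
                findings.append(("warn", f"radius_ip {ip} is a public address; RADIUS belongs on a trusted network"))
        except ValueError:
            findings.append(("error", f"radius_ip {v.get('radius_ip')!r} is not an IP address"))
    if v.get("username") in KNOWN_TEST_USERS:
        findings.append(("warn", "the temporary test user from the example vars is still configured"))
    try:
        pool = ipaddress.ip_network(v.get("client_dhcp_ip", ""), strict=True)
        if not pool.is_private:
            findings.append(("warn", f"client_dhcp_ip {pool} is not an RFC 1918 range"))
    except ValueError:
        findings.append(("error", f"client_dhcp_ip {v.get('client_dhcp_ip')!r} is not a valid network"))
    try:
        if ipaddress.ip_network(v.get("client_tunnel_range", "0.0.0.0/0"), strict=False).prefixlen == 0:
            findings.append(("info", "client_tunnel_range is 0.0.0.0/0: full tunnel, no split tunnelling"))
    except ValueError:
        findings.append(("error", "client_tunnel_range is not a valid CIDR"))
    try:
        ca, srv = int(v.get("ca_lifetime", 0)), int(v.get("server_lifetime", 0))
        if srv > ca:   # a server cert that outlives its CA is unusable for the remainder
            findings.append(("error", f"server_lifetime {srv} days exceeds ca_lifetime {ca} days"))
    except ValueError:
        findings.append(("error", "ca_lifetime and server_lifetime must be whole days"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VARS
    for severity, message in check_vars(parse_flat_vars(text)):
        print(f"[{severity}] {message}")
```

Run it as `python check_vars.py vars/main.yml`; with no argument it checks the embedded sample. Because the sample leaves `enabled_radius: no`, the default RADIUS secret is not reported until RADIUS is switched on, which is exactly the moment it starts to matter.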
3. Export the private CA certificate file to your local machine
Edit vars/main.yml and set view_certificate to True. Then use echo to save the stdout content to a local file. If you need to import it into a client, see the link below.
4. Configure the VPN client
- Windows users: Win7 and later are supported, up to Win10.
- Mac & iOS users: Apple Configurator 2 is recommended for generating and exporting a .mobileconfig profile, which can be imported directly into the device.
- Android: download the strongSwan client.
5. If strongSwan uses LDAP authentication, edit the configuration file /opt/strongswan-5.7.2/etc/ipsec.conf and add a separate conn for Windows clients:
```
# Windows clients do not support tunnel-split
conn windows10
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=/opt/strongswan-5.7.2/etc/ipsec.d/certs/server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=10.28.0.0/24
    rightdns=8.8.8.8
    rightsendcert=never
    eap_identity=%any
    auto=add
```
Note: with LDAP authentication, select PEAP as the authentication method in the Windows client settings. Also, because Win10 does not support split tunneling, leftsubnet above is set to 0.0.0.0/0. One more thing: once eap-radius is in use, IKE no longer accepts modp2048; switching to 1024 works...
The Windows client fails to connect and reports modp2048: received proposals unacceptable:
```
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
11[IKE] 1.1.1.1 is initiating an IKE_SA
11[IKE] received MS-Negotiation Discovery Capable vendor ID
11[IKE] received Vid-Initial-Contact vendor ID
11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
11[IKE] local host is behind NAT, sending keep alives
11[IKE] remote host is behind NAT
11[IKE] received proposals unacceptable
```
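The log above explains the note about modp2048: every configured proposal carries MODP_2048 as its only DH group, so a peer that does not offer that group is rejected whatever cipher and integrity algorithm it sends (the Windows IKEv2 client offers only DH group 2, modp1024, unless the NegotiateDH2048_AES256 registry value under the RasMan service parameters is set, which is consistent with what the author saw; modp1024 is below current key-size guidance, so the server-side downgrade is a trade-off worth recording). The following script is an added example, not part of the role or of strongSwan: it parses charon log lines of the `NN[SUBSYS] message` form shown on this page, splits the configured IKE proposals into their cipher/integrity/PRF/DH parts, reports which parts are identical across all proposals (the parts the peer cannot negotiate around), and maps an ipsec.conf `ike=` line such as the `aes256-sha1-modp1024!` used above onto the same names so the two can be compared. The keyword table covers only the algorithms appearing on this page, and the embedded log is constructed from the page's excerpt.

```python
"""Diagnose a strongSwan "received proposals unacceptable" failure from charon log lines.

Added example, not part of the role or of strongSwan itself. The log text below is
constructed from the excerpt on this page.
"""
import re

SAMPLE_LOG = """\
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
11[IKE] 1.1.1.1 is initiating an IKE_SA
11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
11[IKE] remote host is behind NAT
11[IKE] received proposals unacceptable
"""

ATTRS = ("encr", "integ", "prf", "dh")
LINE_RE = re.compile(r'^(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$')
PROPOSAL_RE = re.compile(r'IKE:([A-Z0-9_]+)/([A-Z0-9_]+)/([A-Z0-9_]+)/([A-Z0-9_]+)')
INITIATOR_RE = re.compile(r'^(\S+) is initiating an IKE_SA$')

# ipsec.conf 'ike=' keywords -> the names charon prints; only the entries used on this page.
IKE_KEYWORDS = {
    "aes128": ("encr", "AES_CBC_128"), "aes256": ("encr", "AES_CBC_256"), "3des": ("encr", "3DES_CBC"),
    "sha1": ("integ", "HMAC_SHA1_96"), "sha256": ("integ", "HMAC_SHA2_256_128"),
    "modp1024": ("dh", "MODP_1024"), "modp2048": ("dh", "MODP_2048"),
}


def parse_lines(text):
    """Yield (thread, subsystem, message) for every well-formed charon log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("thread"), m.group("subsys"), m.group("msg")


def parse_proposals(msg):
    """Split a 'configured proposals:' message into one {encr, integ, prf, dh} dict per proposal."""
    return [dict(zip(ATTRS, parts)) for parts in PROPOSAL_RE.findall(msg)]


def ike_line_to_proposal(value):
    """Map an ipsec.conf 'ike=' value such as 'aes256-sha1-modp1024!' onto charon's names.

    The trailing '!' makes strongSwan offer only this proposal instead of adding its defaults.
    The PRF is not listed: charon derives it from the integrity algorithm unless given explicitly.
    """
    proposal = {"strict": value.endswith("!")}
    for keyword in value.rstrip("!").split("-"):
        attr, name = IKE_KEYWORDS[keyword]
        proposal[attr] = name
    return proposal


def diagnose(text):
    """Return a summary dict for a failed IKE_SA_INIT, or None when no failure is logged."""
    state = {"initiator": None, "windows_client": False, "proposals": [], "failed": False}
    for _thread, subsys, msg in parse_lines(text):
        if subsys == "CFG" and msg.startswith("configured proposals:"):
            state["proposals"] = parse_proposals(msg)
        elif subsys == "IKE":
            m = INITIATOR_RE.match(msg)
            if m:
                state["initiator"] = m.group(1)
            elif "MS NT5 ISAKMPOAKLEY" in msg:        # vendor ID sent by the Windows IKE client
                state["windows_client"] = True
            elif msg == "received proposals unacceptable":
                state["failed"] = True
    if not state["failed"]:
        return None
    # A value shared by every configured proposal cannot be negotiated around; with only
    # MODP_2048 offered, a peer that does not send that group is rejected outright.
    fixed = {}
    for attr in ATTRS:
        values = {p[attr] for p in state["proposals"]}
        if len(values) == 1:
            fixed[attr] = values.pop()
    state["fixed_attributes"] = fixed
    return state


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"initiator={result['initiator']} windows_client={result['windows_client']}")
    print("attributes every offered proposal shares:", result["fixed_attributes"])
    print("conn windows10 offers:", ike_line_to_proposal("aes256-sha1-modp1024!"))
```

Feed it `journalctl -u strongswan` output (or the charon log file) instead of the sample to check a live failure; when `fixed_attributes` contains a single `dh` entry, the DH group is the first thing to compare against what the client is configured to send.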
Summary
Idempotent deployment is supported. If you run into problems, feel free to open an issue.