  • strongSwan configuration Overview strongSwan is an open-source, IPsec-based VPN solution. This article is only a short introduction to the strongSwan swanctl command, which uses the modern Versatile IKE configuration interface. It also describes the deprecated ipsec command, which uses the legacy stroke configuration interface. ...
  • strongswan5.6.3

    2018-07-03 16:46:54
    A source-code implementation of the IPsec protocol suite; if you want to properly study and understand how IPsec works, strongswan is a very good choice
  • strongswan source code

    2019-02-02 16:52:05
    strongswan source code
  • strongSwan-2.2.1.apk

    2020-02-15 21:21:49
    The latest Android version as of 2020-02-15; you can also download it from the official strongswan website, strongswan.org.
  • strongswan-5.8.4.tar.bz2

    2020-09-24 11:33:58
    The latest strongswan-5.8.4 source; it is mainly useful for porting to all kinds of Linux systems. Compatibility looks very good so far, and it has been interoperated with H3C and Ruijie devices.
  • Because the site requires points by default, you can download this from the official strongswan website instead. Official address: https://download.strongswan.org/Android/
  • StrongSwan one-click installation script
  • Setting up an IPsec/L2TP server on CentOS 7, using strongswan to build the IPsec part.
  • This module has been adopted by the strongSwan project. Please direct any pull requests or issues there. A simple Python library that allows controlling strongSwan via the vici interface introduced in version 5.2.0. It aims to be direct and easy to use. Example usage >>> import vici >>>...
  • java sm2 source code About GmSSL GmSSL ...GM/T ... As a fork of the OpenSSL project, GmSSL ...server; with minor modifications and a simple rebuild it can easily be ported to ...0003-2012): elliptic curve cryptographic schemes, including digital signature, public-key encryption and (authenticated) key exchange...
  • strongswan_config
  • strongswan.sh

    2020-01-07 13:59:29
    strongswan plugin details
  • strongMan is a management interface for StrongSwan. StrongMan is based on Django and Python and provides a user-friendly graphical interface for configuring and establishing IPsec connections. It supports RSA/ECDSA asymmetric authentication, EAP with username and password, EAP-TLS, server authentication rounds StrongMan...
  • A simple, certificate-based authentication manager for StrongSwan VPN. Overview: pistrong greatly simplifies installing and configuring a pistrong VPN. Once installed, pistrong simplifies managing the strongSwan certificate authority (CA) and the certificates for the remote user devices that connect to the VPN...
  • strongswan-master.zip

    2021-03-03 17:27:50
    ipsec strongswan source code
  • StrongSwan test environment overview

    2019-10-24 21:23:46

    For how to set up the StrongSwan test environment, see: https://blog.csdn.net/sinat_20184565/article/details/100900670

    Since the test environment is already set up, the following four items in the configuration file (strongswan-5.8.1/testing/testing.conf) are turned off, so that they are not rebuilt every time make-testing runs, which saves time.

    # Enable particular steps in the make-testing
    #
    : ${ENABLE_BUILD_BASEIMAGE=no}
    : ${ENABLE_BUILD_ROOTIMAGE=no}
    : ${ENABLE_BUILD_GUESTKERNEL=no}
    : ${ENABLE_BUILD_GUESTIMAGES=no}
    

    The command that starts the tests is start-testing, shown below:

    root@localhost:~/strongswan-5.8.1/testing$ sudo ./start-testing 
    Starting test environment
    [ ok ] Deploying kernel linux-5.2.11 
    [ ok ] Deploying /srv/strongswan-testing/build/shared/stretch as hostfs 
    [ ok ] Deploying /srv/strongswan-testing/testresults as hostfs 
    [ ok ] Network vnet1 
    [ ok ] Network vnet2 
    [ ok ] Network vnet3 
    [ ok ] Guest alice 
    [ ok ] Guest bob 
    [ ok ] Guest carol 
    [ ok ] Guest dave 
    [ ok ] Guest moon 
    [ ok ] Guest sun 
    [ ok ] Guest venus 
    [ ok ] Guest winnetou 
    root@localhost:~/strongswan-5.8.1/testing$ 
    

    Three virtual networks are created; the creation commands in the start-testing file are:

    NETWORKS="vnet1 vnet2 vnet3"
    
    for net in $NETWORKS
    do
            log_action "Network $net"
            execute "virsh net-create $CONFDIR/$net.xml"
    done
    

    They can be listed with virsh net-list:

    $ virsh net-list
     Name                 State      Autostart     Persistent
    ----------------------------------------------------------
     default              active     yes           yes
     vnet1                active     no            no
     vnet2                active     no            no
     vnet3                active     no            no
    

    In addition, the virtual VPN gateways and hosts used by the tests, as specified in testing.conf below, are started.

    ##############################################################
    # VPN gateways / clients
    # The hosts stated here will be created. Possible values
    # are sun, moon, dave, carol, alice, venus, bob, winnetou.
    #
    : ${STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"}
    

    The virtual machine creation commands (virsh) in the start-testing file are shown below. start-testing is located in the directory strongswan-5.8.1/testing/.

    DIR=$(dirname `readlink -f $0`)
    CONFDIR=$DIR/config/kvm
    
    for host in $STRONGSWANHOSTS
    do
            ln -fs $IMGDIR/$host.$IMGEXT $VIRTIMGSTORE/$host.$IMGEXT
            log_action "Guest $host"
            execute "virsh create $CONFDIR/$host.xml"
    done
    

    The CONFDIR directory holds the configuration files for the networks and the virtual hosts.

    $ ls config/kvm
    alice.xml  bob.xml  carol.xml  dave.xml  moon.xml  sun.xml  venus.xml  vnet1.xml  vnet2.xml  vnet3.xml  winnetou.xml
    

    Virtual hosts

    Taking alice as an example, its configuration file is strongswan-5.8.1/testing/config/kvm/alice.xml.

    <domain type='kvm'>
      <name>alice</name>
      <memory unit='KiB'>163840</memory>
      <currentMemory unit='KiB'>163840</currentMemory>
      <vcpu placement='static'>1</vcpu>
      <os>
        <type arch='x86_64' machine='pc'>hvm</type>
            <kernel>/var/run/kvm-swan-kernel</kernel>
        <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
        <boot dev='hd'/>
      </os>
    

    The above is the OS section of the configuration. The kernel used is /var/run/kvm-swan-kernel, a symlink that actually points to the bzImage file (in /srv/strongswan-testing/build/linux-5.2.11/arch/x86/boot/bzImage). The command-line parameters (cmdline) show that the root filesystem device is /dev/vda1.

    The kernel symlink is created in the start-testing script.

    KNLSRC=$BUILDDIR/$KERNEL/arch/x86/boot/bzImage
    KNLTARGET=/var/run/kvm-swan-kernel
    
    [ -f $KNLSRC ] || die "Kernel $KNLSRC not found"
    log_action "Deploying kernel $KERNEL"
    execute "ln -fs $KNLSRC $KNLTARGET"
    

    The main device configuration follows. The disk file is /var/lib/libvirt/images/alice.qcow2, in qcow2 format; this file is a symlink, and the real file is /srv/strongswan-testing/build/images/alice.qcow2.

      <devices>
        <emulator>/usr/bin/kvm</emulator>
        <disk type='file' device='disk'>
          <driver name='qemu' type='qcow2' cache='writethrough'/>
          <source file='/var/lib/libvirt/images/alice.qcow2'/>
          <target dev='vda' bus='virtio'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
        </disk>
    

    The shared filesystem uses the directory /var/run/kvm-swan-hostfs/:

        <filesystem type='mount' accessmode='mapped'>
          <source dir='/var/run/kvm-swan-hostfs'/>
          <target dir='/hostshare'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
        </filesystem>
    

    Once all virtual hosts are up, you can log in over ssh as root with an empty password (the alice host is used as the example below). After login, the root home directory on each host contains a shared directory, whose compile subdirectory is the compile subdirectory under /var/run/kvm-swan-hostfs on the host.

    $ ls /var/run/kvm-swan-hostfs/
    compile
    $ ls /var/run/kvm-swan-hostfs/compile/
    005_anet.mk      009_xfrm-proxy.mk  014_swid_generator.mk  strongTNC-deps        strongswan-5.8.1.tar.bz2  tkm-rpc
    006_tkm-rpc.mk   010_tkm.mk         015_strongTNC.mk       strongTNC-master      swidGenerator-master      x509-ada
    007_x509-ada.mk  011_botan.mk       anet                   strongTNC-master.zip  swidGenerator-master.zip  xfrm-ada
    008_xfrm-ada.mk  013_strongswan.mk  botan                  strongswan-5.8.1      tkm                       xfrm-proxy
    $
    $ ssh root@10.1.0.10     
    alice:~# ls /root/shared/
    compile
    alice:~# 
    

    For networking, two interfaces are configured, alice-eth0 and alice-eth1, which belong to the vnet2 and vnet1 networks respectively; the corresponding bridge names are test-br1 and test-br0.

        <interface type='network'>
          <mac address='52:54:00:9a:e2:de'/>
          <source network='vnet2'/>
          <target dev='alice-eth0'/>
          <model type='virtio'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
        </interface>
        <interface type='network'>
          <mac address='52:54:00:3b:0c:d7'/>
          <source network='vnet1'/>
          <target dev='alice-eth1'/>
          <model type='virtio'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
        </interface>
    

    Virtual networks

    Taking vnet1 as an example, its configuration file is strongswan-5.8.1/testing/config/kvm/vnet1.xml. It defines the corresponding bridge device, test-br0, along with the IP address information.

    <network>
      <name>vnet1</name>
      <uuid>1d6ac7c7-60d9-56c1-a7df-210d3d0cc6d1</uuid>
      <forward dev='lo' mode='route'>
        <interface dev='lo'/>
      </forward>
      <bridge name='test-br0' stp='on' delay='0' />
      <mac address='52:54:00:97:F9:FD'/>
      <ip address='192.168.0.254' netmask='255.255.255.0'>
      </ip>
    </network>
    

    After the start-testing script has finished, the system shows three bridge devices, one per network: test-br0, test-br1 and test-br2 correspond to the virtual networks vnet1, vnet2 and vnet3 respectively.

    $ ip link show type bridge
    5: test-br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
        link/ether 52:54:00:97:f9:fd brd ff:ff:ff:ff:ff:ff
    7: test-br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
        link/ether 52:54:00:05:f3:34 brd ff:ff:ff:ff:ff:ff
    9: test-br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
        link/ether 52:54:00:62:4c:69 brd ff:ff:ff:ff:ff:ff
    

    Going by the alice host configuration above, its two NICs are attached to the networks vnet1 and vnet2 respectively, as shown in the figure below:

                10.1.0.254            192.168.0.254           10.2.0.254
               |------------|        |------------|         |------------|
               |  test-br1  |        |  test-br0  |         |  test-br2  |
               |------------|        |------------|         |------------|
                    |                      |
                    |                      |
                    | alice-eth0           |
                    | 10.1.0.10            |
               |--------|                  |
               | alice  |------------------| 
               |--------| alice-eth1
                          192.168.0.50
    

    The alice configuration file below, strongswan-5.8.1/testing/hosts/alice/etc/network/interfaces, gives alice's eth0 interface the IPv4 address 10.1.0.10 and eth1 the IPv4 address 192.168.0.50.

    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
            address 10.1.0.10
            netmask 255.255.0.0
            broadcast 10.1.255.255
            gateway 10.1.0.1
    iface eth0 inet6 static
            address fec1::10
            netmask 16
    
    iface eth1 inet static
            address 192.168.0.50
            netmask 255.255.255.0
            broadcast 192.168.0.255
    iface eth1 inet6 static
            address fec0::5
            netmask 16
    

    Next, look at the member ports of the two bridges related to the alice virtual host, test-br0 and test-br1. The member ports of bridge test-br1 are alice-eth0, moon-eth1 and venus-eth0.

    $ ip link show master test-br1
    11: alice-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br1 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:9a:e2:de brd ff:ff:ff:ff:ff:ff
    16: moon-eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br1 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:43:e3:35 brd ff:ff:ff:ff:ff:ff
    20: venus-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br1 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:69:d3:80 brd ff:ff:ff:ff:ff:ff
    

    The member ports of the core bridge test-br0 are alice-eth1, carol-eth0, dave-eth0, moon-eth0, sun-eth0 and winnetou-eth0.

    $ ip link show master test-br0
    12: alice-eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br0 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:3b:0c:d7 brd ff:ff:ff:ff:ff:ff
    14: carol-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br0 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:ae:f1:f8 brd ff:ff:ff:ff:ff:ff
    15: dave-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br0 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:b9:15:a9 brd ff:ff:ff:ff:ff:ff
    17: moon-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br0 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:c7:b8:b0 brd ff:ff:ff:ff:ff:ff
    18: sun-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br0 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:77:43:ea brd ff:ff:ff:ff:ff:ff
    21: winnetou-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br0 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:54:00:4b:23:fa brd ff:ff:ff:ff:ff:ff
    

    As shown in the figure below:

                        10.1.0.254       moon-eth1               192.168.0.254           10.2.0.254
                       |------------|    10.1.0.1               |------------|         |------------|
                       |            |         |--------|        |            |         |            |
          |------------|  test-br1  |---------|  moon  |--------|  test-br0  |         |  test-br2  |
          |            |            |         |--------|        |            |         |            |
          |            |------------|               moon-eth0   |------------|         |------------|
          |                 |                      192.168.0.1        |
          |                 |                                         |
          |                 |                                         |    carol-eth0       winnetou-eth0       dave-eth0
          |                 |                                         |    192.168.0.100    192.168.0.150      192.168.0.200
          | venus-eth0      | alice-eth0                              |--------|------------------|---------------|                         
          | 10.1.0.20       | 10.1.0.10                               |        |                  |               |
      |--------|       |--------|                                     |    |--------|       |-----------|     |--------|
      | venus  |       | alice  |-------------------------------------|    | carol  |       | winnetou  |     |  dave  |
      |--------|       |--------| alice-eth1                               |--------|       |-----------|     |--------|
                                  192.168.0.50
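The bridge each guest tap device lands on is declared in the kvm XML files above and is visible at run time in `ip link show master`. The following Python is an added example, not part of the write-up or of the strongSwan testing scripts: it parses both sources and reports any interface that ends up on a different bridge than its domain XML declares. ALICE_XML and VNET1_XML are cut down from the files quoted above; VNET2_XML and the `ip link` sample are constructed from the diagram and listings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: ALICE_XML and VNET1_XML are trimmed from the alice.xml and vnet1.xml
# fragments in the write-up; VNET2_XML is assumed (only its bridge test-br1 and gateway
# 10.1.0.254 appear on the page, in the diagram, not the file itself).
ALICE_XML = """<domain type='kvm'>
  <name>alice</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:9a:e2:de'/>
      <source network='vnet2'/>
      <target dev='alice-eth0'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:3b:0c:d7'/>
      <source network='vnet1'/>
      <target dev='alice-eth1'/>
    </interface>
  </devices>
</domain>"""

VNET1_XML = """<network>
  <name>vnet1</name>
  <bridge name='test-br0' stp='on' delay='0' />
  <ip address='192.168.0.254' netmask='255.255.255.0'></ip>
</network>"""

VNET2_XML = """<network>
  <name>vnet2</name>
  <bridge name='test-br1' stp='on' delay='0' />
  <ip address='10.1.0.254' netmask='255.255.255.0'></ip>
</network>"""

# Constructed from the `ip link show master ...` listings above. Note the tap side of each
# virtio NIC shows a fe:54:... MAC while the guest side uses the 52:54:... MAC from the XML.
IP_LINK_OUTPUT = """11: alice-eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br1 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:54:00:9a:e2:de brd ff:ff:ff:ff:ff:ff
12: alice-eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br0 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:54:00:3b:0c:d7 brd ff:ff:ff:ff:ff:ff
16: moon-eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master test-br1 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:54:00:43:e3:35 brd ff:ff:ff:ff:ff:ff
"""


def parse_networks(network_docs):
    """Map libvirt network name -> {'bridge', 'gateway'} from <network> XML documents."""
    nets = {}
    for doc in network_docs:
        root = ET.fromstring(doc)
        ip = root.find('ip')
        nets[root.findtext('name')] = {
            'bridge': root.find('bridge').get('name'),
            'gateway': ip.get('address') if ip is not None else None,
        }
    return nets


def parse_domain_interfaces(domain_doc):
    """List the <interface type='network'> devices of one <domain> XML document."""
    root = ET.fromstring(domain_doc)
    host = root.findtext('name')
    return [
        {'host': host,
         'dev': iface.find('target').get('dev'),
         'mac': iface.find('mac').get('address'),
         'network': iface.find('source').get('network')}
        for iface in root.iter('interface') if iface.get('type') == 'network'
    ]


def declared_placement(domain_docs, network_docs):
    """tap device -> bridge as libvirt will wire it. A reference to an undefined
    network is an error (virsh create would refuse to start the guest)."""
    nets = parse_networks(network_docs)
    placement = {}
    for doc in domain_docs:
        for iface in parse_domain_interfaces(doc):
            if iface['network'] not in nets:
                raise ValueError(f"{iface['dev']} references undefined network {iface['network']}")
            placement[iface['dev']] = nets[iface['network']]['bridge']
    return placement


# First line of each `ip link` entry: "<idx>: <dev>: <flags> ... master <bridge> state ..."
LINK_RE = re.compile(r'^\d+: (?P<dev>[\w-]+): .* master (?P<bridge>[\w-]+) ')


def observed_placement(ip_link_output):
    """tap device -> bridge as seen in `ip link show master <bridge>` output."""
    return {m.group('dev'): m.group('bridge')
            for m in map(LINK_RE.match, ip_link_output.splitlines()) if m}


def placement_mismatches(declared, observed):
    """Devices whose running bridge (or absence) differs from the XML declaration."""
    return {dev: (br, observed.get(dev)) for dev, br in declared.items()
            if observed.get(dev) != br}
```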
    

    Virtual machine startup parameters

    Taking the alice VM as an example, the following obtains the process ID of the alice VM process: 22539.

    $ ps aux
    USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    libvirt+  22539  0.0  2.7 2697732 221680 ?      Sl   Oct22   1:24 qemu-system-x86_64 -enable-kvm -name guest=alice,debug-threads=on
    root      22555  0.0  0.0      0     0 ?        S    Oct22   0:01 [vhost-22539]
    root      22556  0.0  0.0      0     0 ?        S    Oct22   0:00 [vhost-22539]
    root      22561  0.0  0.0      0     0 ?        S    Oct22   0:00 [kvm-pit/22539]
    

    The complete qemu-system-x86_64 command line is shown below. The kernel option -kernel, /var/run/kvm-swan-kernel, was covered above. The hard disk drive (-drive file) is the file /var/lib/libvirt/images/alice.qcow2.

    $ cat /proc/22539/cmdline 
    qemu-system-x86_64 -enable-kvm -name guest=alice,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1-alice/master-key.aes -machine pc-i440fx-2.11,accel=kvm,usb=off,dump-guest-core=off -m 160 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-1-alice/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -kernel /var/run/kvm-swan-kernel -append root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x9 -drive file=/var/lib/libvirt/images/alice.qcow2,format=qcow2,if=none,id=drive-virtio-disk0,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -fsdev local,security_model=mapped,id=fsdev-fs0,path=/var/run/kvm-swan-hostfs -device virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=/hostshare,bus=pci.0,addr=0x8 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=28 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:9a:e2:de,bus=pci.0,addr=0x3 -netdev tap,fd=29,id=hostnet1,vhost=on,vhostfd=30 -device virtio-net-pci,netdev=hostnet1,id=net1,mac=52:54:00:3b:0c:d7,bus=pci.0,addr=0x5 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charconsole1 -device virtconsole,chardev=charconsole1,id=console1 -device usb-tablet,id=input0,bus=usb.0,port=1 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
    

    The configuration file testing.conf sets the directory shared between host and guests to /srv/strongswan-testing/build/shared/stretch. The path given in the qemu path= option above, /var/run/kvm-swan-hostfs, is in fact a symlink to that shared directory.

    # Root directory of testing
    : ${TESTDIR=/srv/strongswan-testing}
    
    # Build directory where the guest kernel and images will be built
    : ${BUILDDIR=$TESTDIR/build}
    : ${BASEIMGSUITE=stretch}
    
    # Directory shared between host and guests
    : ${SHAREDDIR=$BUILDDIR/shared/$BASEIMGSUITE}
    

    Additionally, the root device given on the command line, /dev/vda1, is mounted at / by the file strongswan-5.8.1/testing/hosts/default/etc/fstab.

    /dev/vda1       /                       ext3    defaults,relatime,barrier=1     0       1
    /hostshare /root/shared 9p trans=virtio,version=9p2000.L 0 0
    

    END.

  • strongswan

    2018-03-31 11:56:00

    StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.

    Install strongSwan

    The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.

    yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
    yum install strongswan openssl
    

    Generate certificates

    Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.

    cd /etc/strongswan/ipsec.d
    wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.sh
    chmod a+x server_key.sh
    wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.sh
    chmod a+x client_key.sh
    

    In these two .sh files, I have set the organization name as VULTR-VPS-CENTOS. If you want to change it, open the .sh files and replace O=VULTR-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

    Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and the certificate for the server. Replace SERVER_IP with the IP address of your Vultr VPS.

    ./server_key.sh SERVER_IP
    

    Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user "john".

    ./client_key.sh john john@gmail.com
    

    Replace "john" and his email with yours before running the script.

    After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

    Configure strongSwan

    Open the strongSwan IPSec configuration file.

    vi /etc/strongswan/ipsec.conf
    

    Replace its content with the following text.

    config setup
        uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 0"
    
    conn %default
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        right=%any
        rightsourceip=172.16.1.100/16
    
    conn CiscoIPSec
        keyexchange=ikev1
        fragmentation=yes
        rightauth=pubkey
        rightauth2=xauth
        leftsendcert=always
        rekey=no
        auto=add
    
    conn XauthPsk
        keyexchange=ikev1
        leftauth=psk
        rightauth=psk
        rightauth2=xauth
        auto=add
    
    conn IpsecIKEv2
        keyexchange=ikev2
        leftauth=pubkey
        rightauth=pubkey
        leftsendcert=always
        auto=add
    
    conn IpsecIKEv2-EAP
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        rekey=no
        leftauth=pubkey
        leftsendcert=always
        rightauth=eap-mschapv2
        eap_identity=%any
        auto=add
    

    Edit the strongSwan configuration file, strongswan.conf.

    vi /etc/strongswan/strongswan.conf
    

    Delete everything and replace it with the following.

    charon {
        load_modular = yes
        duplicheck.enable = no
        compress = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        nbns1 = 8.8.8.8
        nbns2 = 8.8.4.4
    }
    
    include strongswan.d/*.conf
    

    Edit the IPsec secret file to add a user and password.

    vi /etc/strongswan/ipsec.secrets
    

    Add a user account "john" into it.

    : RSA vpnHostKey.pem
    : PSK "PSK_KEY"
    john %any : EAP "John's Password"
    john %any : XAUTH "John's Password"
    

    Please note that both sides of the colon ':' need a white-space.
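As an added example (not from the tutorial), the following Python checks an ipsec.secrets file against the whitespace-around-the-colon rule stated above and parses each entry into its selectors, type and secret. The sample file is constructed from the tutorial's four lines plus one deliberately malformed line; KNOWN_TYPES is a subset chosen here, not strongSwan's full list of secret types.

```python
import re
import shlex

# Secret types this checker recognises (a subset of what strongSwan accepts in ipsec.secrets).
KNOWN_TYPES = ("RSA", "ECDSA", "PSK", "EAP", "XAUTH", "NTLM", "PIN")

# <selectors><ws1>:<ws2><TYPE> <secret...>. Anchoring the match on the type keyword means an
# IPv6 selector such as 2001:db8::1 is not mistaken for the separator; ws1/ws2 are captured
# so the whitespace rule can be checked explicitly.
LINE_RE = re.compile(
    r'^(?P<sel>.*?)(?P<ws1>\s*):(?P<ws2>\s*)(?P<type>' + '|'.join(KNOWN_TYPES) + r')\b(?P<rest>.*)$')

# Constructed from the tutorial's ipsec.secrets, plus one deliberately wrong line (the last).
SAMPLE_SECRETS = """# /etc/strongswan/ipsec.secrets
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"
john %any: EAP "John's Password"
"""


def parse_secret_line(line):
    """Return {'selectors', 'type', 'secret'} for one entry, or raise ValueError."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("expected '<selectors> : <TYPE> <secret>' with a known type")
    selectors = m.group('sel').split()
    if selectors and not m.group('ws1'):
        raise ValueError("missing whitespace before ':'")
    if not m.group('ws2'):
        raise ValueError("missing whitespace after ':'")
    values = shlex.split(m.group('rest'))  # handles the "John's Password" quoting
    if not values:
        raise ValueError("secret value missing")
    return {'selectors': selectors, 'type': m.group('type'), 'secret': ' '.join(values)}


def lint_secrets(text):
    """(line number, problem) for every non-blank, non-comment line that does not parse."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        try:
            parse_secret_line(line)
        except ValueError as err:
            problems.append((lineno, str(err)))
    return problems
```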

    Allow IPv4 forwarding

    Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

    vi /etc/sysctl.conf
    

    Add the following line into the file.

    net.ipv4.ip_forward=1
    

    Save the file, then apply the change.

    sysctl -p
    

    Configure the firewall

    Open the firewall for your VPN on the server.

    firewall-cmd --permanent --add-service="ipsec"
    firewall-cmd --permanent --add-port=4500/udp
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --reload
    

    Start VPN

    systemctl start strongswan
    systemctl enable strongswan
    

    StrongSwan is now running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.

    posted on 2018-03-31 11:56 by 秦瑞It行程实录

    Reposted from: https://www.cnblogs.com/ruiy/p/8681612.html

  • Installing strongswan from source on Windows

    Installing strongswan from source on Windows

    There is no complete installation tutorial online, only the official English documentation. After several weeks of struggle it compiled successfully, so I am sharing my installation log for reference. Questions are welcome.

    Windows is supported from strongswan 5.2.0 onwards; version 5.5.3 is used here. The English passages in this document are excerpts from the official documentation (used as explanation):
    Compiling strongswan on Windows
    Usage of pki

    Preparation

    1. Download the strongswan source, version 5.2.0 or later; strongswan 5.5.3 works best.
    strongswan-5.5.3 download link
    2. Install MinGW64 so that gcc 4.8.1 works correctly; x86-64-win32-seh is the most stable. Choose the x64 architecture with win32 threading. (Internet access is required; download the installer and install online.)
    mingw installation tutorial
    3. Stop/disable the IKEEXT service to turn off the native Windows IKE service. (Set the service's recovery options to take no action, otherwise it will be re-enabled automatically.)
    Disable the IKEEXT service
    4. Install openssl-1.0.2u. A 1.0.x version is best (with 1.1.x, libeay32.dll cannot be found). Installing nasm and masm is very complicated: masm 8.0 or later cannot be downloaded and other versions are incompatible, which produced many errors (a day lost). Building with VS2010/2013 or similar is recommended.
    openssl-1.0.2u download
    openssl-1.1.x installation tutorial (not recommended)
    Compiling openssl with VC6 (not recommended)
    Compiling openssl with VS2010: (make sure the environment variables are set, or use the .bat script to set them automatically)
    VS openssl build tutorial 1
    VS openssl build tutorial 2
    The steps for building 64-bit openssl are as follows:
    Run vcvars64.bat from the installation path D:\VC\bin\amd64\
    Change into the openssl-1.0.2u directory; mine is D:\openssl-1.0.2u

    perl Configure VC-WIN64A
    ms\do_win64a
    nmake -f ms\nt.mak            (generates the static libraries libeay32.lib and ssleay32.lib in out32)
    nmake -f ms\nt.mak test       (runs the tests)
    nmake -f ms\ntdll.mak         (generates the dynamic libraries libeay32.dll and ssleay32.dll in out32dll)
    nmake -f ms\nt.mak install    (the default install path is \usr\local\ssl\ on the same drive)
    nmake -f ms\ntdll.mak install
    copy the two dlls from D:\usr\local\ssl\bin to D:\usr\local\ssl\lib
    

    If the build fails with an error about failure during conversion to COFF, the following fixes it:
    Failure during conversion to COFF
    Rename them all so that those two exes are not used.
    openssl compiled successfully (screenshot not reproduced).
    5. Download the MinGW-W64 MSYS builds.
    MinGW download

    First install MinGW-W64, preferably using the installer. The 4.8.1 version is known to work fine using the x64 Architecture and native win32 threading. To run ./configure, you'll need MSYS, for example by using the MinGW-W64 MSYS builds. After extracting the .zip file, invoke msys.bat and run:
    sh /postinstall/pi.sh to complete the installation. Use this shell to ./configure and build strongSwan.

    In the msys console, click Properties and enable Quick Edit mode to be able to copy and paste.

    Configuring strongswan

    Locations of my configuration files:

    D:\strongswan-5.5.3\src\swanctl\swanctl.conf
    D:\strongswan-5.5.3\src\swanctl\swanctl\swanctl.conf    (only exists after compiling)
    D:\strongswan-5.5.3\conf\strongswan.conf
    

    On Windows, ipsec.conf and secrets.conf cannot be used; swanctl.conf must be used.
    swanctl.conf (after several rebuilds, it is best to edit both swanctl.conf files together)

    connections {
        testvpn {
            version = 2                  # IKEv2
            unique = never               # allow multiple client connections
            fragmentation = yes
            local_addrs = 10.10.216.144  # server-side IP address
            proposals = default          # IKE-phase key algorithms, default
            local {
                auth = pubkey
                certs = cymCert.pem      # certificate generated later (server authentication)
                id = 10.10.216.144
            }
            remote {
                auth = eap-mschapv2      # client authentication method
                eap_id = %any
            }
            pools = mypool
            children {
                testChild {
                    esp_proposals = default  # IPsec (ESP) phase key algorithms, default
                }
            }
        }
    }
    
    pools {
      mypool {
        addrs = 10.1.0.0/16    # virtual IP pool assigned to clients
      }
    }
    
    secrets {
        eap {
            id = cym             # client connection username and password
            secret = 123456
        }
    }
    

    strongswan.conf (two log outputs are configured here, but they did not take effect). The charon-svc section is required.

    swanctl {
      load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
    }
    
    charon-systemd {
      load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-win updown vici
    }
    
    charon-svc {
        filelog { 
            D:\strongswan-5.5.3\charon.log {
                flush_line = yes
            }
        }
        dns1=8.8.8.8
        dns2=10.10.50.1
        dns3=114.114.114.114
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
        start-scripts {
        swanctl-creds = swanctl --load-creds --noprompt
        swanctl-conns = swanctl --load-conns
      }
    }
    
    charon {
        filelog {
            D:\strongswan-5.5.3\charon.log {
                flush_line = yes
            }
        }
        load_modular = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
        compress = yes
        dns1=8.8.8.8
        dns2=10.10.50.1
        dns3=114.114.114.114
        plugins {
            duplicheck {
                enable=no
            }
            include strongswan.d/charon/*.conf
        }
    }
    
    include strongswan.d/*.conf
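The brace-structured syntax shared by strongswan.conf and swanctl.conf is simple to parse, which makes it practical to audit a configuration before deploying it. The following Python is an added example, not code from the write-up or from strongSwan: it parses the syntax into nested dicts and flags settings whose name spells out a security trade-off, such as the aggressive-mode PSK option enabled in the charon section above. SAMPLE_CONF is constructed from that strongswan.conf; the `__include__` key and the RISKY_WHEN_YES list are choices made here.

```python
# Sample constructed from the strongswan.conf shown above (raw string: the Windows
# path in the filelog section contains backslashes).
SAMPLE_CONF = r"""charon-svc {
    filelog {
        D:\strongswan-5.5.3\charon.log {
            flush_line = yes
        }
    }
    dns1=8.8.8.8
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

charon {
    load_modular = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes   # trailing comment
    plugins {
        duplicheck{
            enable=no
        }
    }
}
include strongswan.d/*.conf
"""


def parse_conf(text):
    """Parse strongswan.conf syntax into nested dicts.

    Sections are `name {` ... `}`, settings are `key = value`, `#` starts a comment.
    `include <glob>` lines are recorded under the key '__include__' of the enclosing
    section rather than expanded, so the parser works without a filesystem.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith('{'):
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif line.startswith('include '):
            stack[-1].setdefault('__include__', []).append(line[len('include '):].strip())
        elif '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of file")
    return root


def get(conf, dotted, default=None):
    """Look up a 'charon.plugins.duplicheck.enable'-style path. Section names that
    themselves contain '.' (such as a log file path) must be indexed directly."""
    node = conf
    for part in dotted.split('.'):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


# Settings whose value 'yes' weakens the deployment. The entry below is the option set in
# the page's own charon section; its name states the trade-off (IKEv1 aggressive mode with
# PSK exposes the pre-shared key to offline guessing).
RISKY_WHEN_YES = [
    "charon.i_dont_care_about_security_and_use_aggressive_mode_psk",
]


def risky_settings(conf):
    """Return the dotted paths from RISKY_WHEN_YES that are enabled in conf."""
    return [path for path in RISKY_WHEN_YES if str(get(conf, path, 'no')).lower() == 'yes']
```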
    

    Compiling

    See the official documentation: official documentation for compiling strongswan on Windows
    Build steps:

    msys.bat
    sh /postinstall/pi.sh    (only needed once; it mainly selects the mingw installation path, afterwards just double-click msys.bat)
    cd D:\strongswan-5.5.3
    build commands:
    ./configure --enable-monolithic --disable-defaults <options…>
    make
    make install

    msys.bat 
    cd d:\strongswan-5.5.3
    CC=x86_64-w64-mingw32-gcc CFLAGS="-g -O2 -Wall -Wno-pointer-sign -Wno-format-security -Wno-format -mno-ms-bitfields -I/D/usr/local/ssl/include/" LDFLAGS="-L/D/usr/local/ssl/lib/" ./configure --disable-defaults --enable-monolithic --enable-static --enable-svc --enable-ikev2 --enable-ikev1 --enable-openssl --enable-nonce --enable-pem --enable-pkcs1 --enable-x509  --enable-socket-win --enable-kernel-wfp --enable-kernel-iph --enable-pubkey --enable-eap-identity --enable-eap-mschapv2 --enable-pki --enable-swanctl --with-swanctldir=swanctl --with-strongswan-conf=strongswan.conf 
    make
    make install DESTDIR=D:/strongswan-5.5.3b    (the output goes into this folder, which makes the dll files easy to find)
    

    During ./configure, the log file d:\strongswan-5.5.3\config.log can be consulted (screenshots not reproduced).

    A few minor errors came up during compilation and were fixed by editing the mingw64 sources:
    FWPM_DISPLAY_DATA0_ defined twice: comment out that part.

    An #endif with no matching #if: comment out the #endif.

    Creating certificates

    Copy the three dll files libcharon-0.dll, libtpmtss-0.dll and libstrongswan-0.dll from D:\strongswan-5.5.3b\usr\local\lib\bin to D:\strongswan-5.5.3\src\pki\.libs

    Open cmd in D:\strongswan-5.5.3\src\pki\.libs and generate the certificates:

    pki --gen > caKey.der
    
    pki --self --in caKey.der --dn "C=CN, O=one, CN=10.10.216.144" --ca --lifetime 3650 > caCert.der
    
    pki --gen > cymKey.der
    
    pki --pub --in cymKey.der > cymPub.der
    
    pki --pub --in cymKey.der | pki --issue --lifetime 3601 --cacert caCert.der --cakey caKey.der --dn "C=CN, O=one, CN=10.10.216.144" --san="10.10.216.144" --flag serverAuth --flag ikeIntermediate > cymCert.der
    

    Copy the certificates cymKey.der, cymCert.der and caCert.der into the following subdirectories of D:\strongswan-5.5.3\src\swanctl\swanctl:

    /swanctl/(rsa|pkcs8)/cymKey.der
    /swanctl/x509/cymCert.der
    /swanctl/x509ca/caCert.der 
    

    • /etc/swanctl/(rsa|pkcs8)/cymKey.der holds the private key of the given peer (directory depends on the type of key), gets loaded automatically. Passwords may be configured in swanctl.conf.
    • /etc/swanctl/x509/cymCert.der holds the end-entity certificate of the given peer, gets loaded automatically. Reference it in swanctl.conf to explicitly use it.
    • /etc/swanctl/x509ca/caCert.der

    Create the client certificate (continue in the same cmd):
    To convert an X.509 certificate from DER to PEM

    openssl x509 -inform der -outform pem -in caCert.der -out caCert.pem
    openssl x509 -inform der -outform pem -in cymCert.der -out cymCert.pem
    

    To convert an RSA key from DER to PEM

    openssl rsa -inform der -outform pem -in cymKey.der -out cymKey.pem
    

    To package all of the files into a PKCS#12 container

    openssl pkcs12 -in cymCert.pem -inkey cymKey.pem -certfile caCert.pem -export -out cym.p12
    

    The cym.p12 file contains everything needed and is ready for the import on other systems.
    Copy cymCert.pem to D:\strongswan-5.5.3\src\swanctl\swanctl\x509

    Import cym.p12 on the client computer. (Start, type mmc, Add/Remove Snap-in, Certificates, Add, Computer account, Trusted Root Certification Authorities, import cym.p12, close without saving the console.)

    Starting charon-svc.exe

    The three dll files libcharon-0.dll, libtpmtss-0.dll and libstrongswan-0.dll from D:\strongswan-5.5.3b\usr\local\lib\bin must be copied into the directory of charon-svc.exe before the program can start. The generated dll files may differ from version to version.

    Also copy them to D:\strongswan-5.5.3\src\swanctl\.libs

    Start it either as a service or directly via right-click (Run as administrator).
    Start charon-svc.exe first, then run swanctl --load-all, and only then connect the client.

    sc create "strongSwan IKE service" binPath= D:\strongswan-5.2.0b\usr\local\bin\charon-svc.exe
    sc start "strongSwan IKE service"
    

    Open cmd in D:\strongswan-5.5.3\src\swanctl and run: swanctl --load-all

    Windows client configuration:
    Open Network and Sharing Center, set up a new connection, choose "Connect to a workplace" (VPN connection), create a new connection and enter the destination IP (the server IP). Connect using the username and password from the configuration file above. The other properties are as follows:

    (screenshot of the VPN connection properties not reproduced)

    Client IP: (screenshot not reproduced)
    Server-side connection established: (screenshot not reproduced)
    Note:

    Note the specified include path /D/usr/local/ssl/include/openssl/. In the code, the include is specified as #include <openssl/evp.h>. The C compiler resolves the include, due to the usage of <>, as dependent on the include paths. So it looks at /D/usr/local/ssl/include/openssl/ + openssl/evp.h. That is then /D/usr/local/ssl/include/openssl/openssl/evp.h. Your openssl headers are at /D/usr/local/ssl/include/openssl/ exactly though. So you need to get rid of that extra openssl in the path. The straightforward solution to that is to just remove the openssl/ from /D/usr/local/ssl/include/openssl/. That is then /D/usr/local/ssl/include/. Together with openssl/evp.h, that then results in the correct path /D/usr/local/ssl/include/openssl/evp.h. So use -I/D/usr/local/ssl/include/ instead of -I/D/usr/local/ssl/include/openssl/

    Run charon-svc.exe with system privileges (not admin or user), and make sure the ikeext service is disabled.

    Finally, compiling the strongswan source took nearly 3 weeks; the process is really complicated and there are lots of bugs. Be sure to read the official documentation carefully! If you have problems, open an issue on the strongswan on windows GitHub page; a solution can usually be found within a day. Link: github discussion

  • Compiling strongSwan

    2021-08-16 16:19:42

    Compiling strongSwan on Ubuntu 20.04 for a VPN connection test

    1. The source package download, the documentation and the test cases are described in detail on the official website.
    strongSwan

    2. Before compiling, install the build environment. Install the basics first, then install the remaining packages one by one as the configure errors indicate.

    sudo apt-get install build-essential automake # install the build toolchain
    

    3. Because the source package contains the test suite, which carries the build configuration that the test cases need, we configure the build with the same options as the test suite. In this example the configuration file and its contents are as follows. Note that this is a test-suite build: options such as --enable-save-keys (which writes IKE and ESP keys to disk for debugging) and --enable-leak-detective are meant for test hosts, not for a production gateway.

    /root/strongswan-5.9.3/testing/scripts/recipes/013_strongswan.mk # this file holds the configure options used by the test cases
    # we can build as follows
    cd ./strongswan-5.9.3/
    
    ./configure --enable-silent-rules \
    	--sysconfdir=/etc \
    	--with-strongswan-conf=/etc/strongswan.conf.testing \
    	--with-random-device=/dev/urandom \
    	--disable-load-warning \
    	--enable-curl \
    	--enable-soup \
    	--enable-ldap \
    	--enable-eap-aka \
    	--enable-eap-aka-3gpp2 \
    	--enable-eap-sim \
    	--enable-eap-sim-file \
    	--enable-eap-simaka-sql \
    	--enable-eap-md5 \
    	--enable-md4 \
    	--enable-eap-mschapv2 \
    	--enable-eap-identity \
    	--enable-eap-radius \
    	--enable-eap-dynamic \
    	--enable-eap-tls \
    	--enable-eap-ttls \
    	--enable-eap-peap \
    	--enable-eap-tnc \
    	--enable-tnc-ifmap \
    	--enable-tnc-pdp \
    	--enable-tnc-imc \
    	--enable-tnc-imv \
    	--enable-tnccs-11 \
    	--enable-tnccs-20 \
    	--enable-tnccs-dynamic \
    	--enable-imc-test \
    	--enable-imv-test \
    	--enable-imc-scanner \
    	--enable-imv-scanner \
    	--enable-imc-os \
    	--enable-imv-os \
    	--enable-imc-attestation \
    	--enable-imv-attestation \
    	--enable-imc-swima \
    	--enable-imv-swima \
    	--enable-imc-hcd \
    	--enable-imv-hcd \
    	--enable-sql \
    	--enable-sqlite \
    	--enable-attr-sql \
    	--enable-mediation \
    	--enable-botan \
    	--enable-openssl \
    	--enable-blowfish \
    	--enable-kernel-pfkey \
    	--enable-integrity-test \
    	--enable-leak-detective \
    	--enable-load-tester \
    	--enable-test-vectors \
    	--enable-gcrypt \
    	--enable-socket-default \
    	--enable-socket-dynamic \
    	--enable-dhcp \
    	--enable-farp \
    	--enable-connmark \
    	--enable-forecast \
    	--enable-addrblock \
    	--enable-ctr \
    	--enable-ccm \
    	--enable-gcm \
    	--enable-cmac \
    	--enable-chapoly \
    	--enable-ha \
    	--enable-af-alg \
    	--enable-whitelist \
    	--enable-xauth-generic \
    	--enable-xauth-eap \
    	--enable-pkcs8 \
    	--enable-unity \
    	--enable-unbound \
    	--enable-ipseckey \
    	--enable-dnscert \
    	--enable-acert \
    	--enable-cmd \
    	--enable-libipsec \
    	--enable-kernel-libipsec \
    	--enable-tkm \
    	--enable-ntru \
    	--enable-lookip \
    	--enable-bliss \
    	--enable-sha3 \
    	--enable-newhope \
    	--enable-systemd \
    	--enable-counters \
    	--enable-save-keys \
    	--enable-python-eggs \
    	--enable-wolfssl
    
    

    Possible errors and their fixes
    1. configure: error: GNU Multi Precision library gmp not found
    Fix: install the GMP library and its development headers

    sudo apt-get install libgmp10
    sudo apt-get install libgmp-dev
    

    2. configure: error: LDAP library ldap not found

    apt-get install libldap-dev
    

    3. configure: error: CURL library curl not found

    apt-get install libcurl4-openssl-dev
    

    4. configure: error: UNBOUND library ldns not found

    apt-get install libldns-dev
    

    configure: error: UNBOUND library libunbound not found

    apt-get install libunbound-dev
    

    5. The following error is reported:
    configure: error: Package requirements (libsoup-2.4) were not met:

    No package 'libsoup-2.4' found

    Consider adjusting the PKG_CONFIG_PATH environment variable if you
    installed software in a non-standard prefix.

    Alternatively, you may set the environment variables soup_CFLAGS
    and soup_LIBS to avoid the need to call pkg-config.
    See the pkg-config man page for more details.
    Install:

    sudo apt-get install libsoup2.4-dev
    

    6. No package 'libsystemd-daemon' found

    apt-get install libsystemd-dev
    

    7. No package 'json' found

    apt-get install libjson-c-dev
    

    8. No package 'wolfssl' found

    sudo apt-get install libwolfssl-dev
    

    9. configure: error: gcrypt library not found

    sudo apt-get install libgcrypt-dev
    

    10. No package 'botan-2' found

    sudo apt-get install libbotan-2-dev
    

    11. No package 'libip4tc' found

    sudo apt-get install libip4tc-dev
    

    12. configure: error: gprbuild not found

    sudo apt-get install gprbuild
    

    13. Required command bindfs not found

    sudo apt-get install bindfs
    

    14. Running the test cases requires the virtualization packages

    sudo apt-get install qemu-kvm
    sudo apt-get install qemu
    sudo apt-get install virt-manager
    sudo apt-get install virt-viewer 
    sudo apt-get install libvirt-bin 
    sudo apt-get install bridge-utils
    

    15. Running the test-case experiments requires the kernel build dependencies

    sudo apt-get install libncurses5-dev libssl-dev -y
    sudo apt-get install build-essential openssl -y
    sudo apt-get install zlibc minizip -y
    sudo apt-get install libidn11-dev libidn11 -y
    sudo apt-get install bison -y
    sudo apt-get install flex -y
    sudo apt-get install libelf-dev -y
    sudo apt-get install libelf-devel -y
    sudo apt-get install elfutils-libelf-devel -y
    

    16. The following error occurs during compilation:
    ModuleNotFoundError: No module named 'setuptools'

    # ModuleNotFoundError is a Python 3 error, so the Python 3 packages are needed (Ubuntu 20.04 ships no "pip" or "python-setuptools" package)
    sudo apt-get install python3-pip
    sudo apt-get install python3-setuptools
    

    17. gprconfig: can't find a native toolchain for language 'ada'
    build_common.gpr:1:06: unknown project file: "tkmrpc_client"

    This one does not seem to be solved yet; the workaround so far was to disable one of the configure options.
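    As an added example (not code from this post or from the strongSwan project), the following POSIX shell script for Ubuntu 20.04 automates steps 2 and 3 together with the fixes in items 1 to 13 above: it runs ./configure, parses the failure line ("<X> library <name> not found", "<name> not found" or pkg-config's "No package '<name>' found"), installs the Ubuntu package this page gives for that name, and retries. The option file configure-options.txt (one configure option per line) and the name-to-package table are assumptions; a name that is not on this page is refused rather than guessed, so the script never apt-installs an arbitrary package derived from tool output.

```shell
#!/bin/sh
# Added example: resolve missing strongSwan build dependencies on Ubuntu 20.04
# by parsing ./configure's own error line, installing the package named on this
# page for it, and rerunning configure. Not part of strongSwan.

# Print the name of the missing component found in one configure error line.
# Handles the message shapes quoted on this page; returns 1 if none matches.
missing_component() {
    line=$1
    case $line in
        *"No package '"*"' found"*)
            # pkg-config form: No package 'libsoup-2.4' found
            name=${line#*"No package '"}
            name=${name%%"'"*}
            ;;
        *" library not found"*)
            # form: configure: error: gcrypt library not found
            name=${line%%" library not found"*}
            name=${name##* }
            ;;
        *" library "*" not found"*)
            # form: configure: error: LDAP library ldap not found
            name=${line#*" library "}
            name=${name%%" not found"*}
            ;;
        *" not found"*)
            # forms: configure: error: gprbuild not found / Required command bindfs not found
            name=${line%%" not found"*}
            name=${name##* }
            ;;
        *)
            return 1
            ;;
    esac
    printf '%s\n' "$name"
}

# Map a component name to the Ubuntu package this page installs for it.
# Only names listed on the page are accepted (assumed table); libgmp-dev pulls
# in libgmp10 itself. Anything else returns 1 so nothing is installed blindly.
missing_dep_package() {
    name=$(missing_component "$1") || return 1
    case $name in
        gmp)               echo libgmp-dev ;;
        ldap)              echo libldap-dev ;;
        curl)              echo libcurl4-openssl-dev ;;
        ldns)              echo libldns-dev ;;
        libunbound)        echo libunbound-dev ;;
        libsoup-2.4)       echo libsoup2.4-dev ;;
        libsystemd-daemon) echo libsystemd-dev ;;
        json)              echo libjson-c-dev ;;
        wolfssl)           echo libwolfssl-dev ;;
        gcrypt)            echo libgcrypt-dev ;;
        botan-2)           echo libbotan-2-dev ;;
        libip4tc)          echo libip4tc-dev ;;
        gprbuild|bindfs)   echo "$name" ;;
        *)                 return 1 ;;
    esac
}

# Run ./configure (options read from the assumed file configure-options.txt,
# one per line) inside the unpacked source tree; on failure, install the
# package behind the last "not found" line and retry, at most $1 times.
configure_with_retries() {
    max=${1:-10}
    i=0
    while [ "$i" -lt "$max" ]; do
        i=$((i + 1))
        if ./configure $(cat configure-options.txt) >configure.out 2>&1; then
            echo "configure succeeded after $i attempt(s)"
            return 0
        fi
        err=$(grep -E 'not found|No package' configure.out | tail -n 1)
        pkg=$(missing_dep_package "$err") || {
            echo "unrecognised configure failure: ${err:-see configure.out}" >&2
            return 1
        }
        echo "installing $pkg for: $err"
        sudo apt-get install -y "$pkg" || return 1
    done
    echo "gave up after $max attempts" >&2
    return 1
}
```

    Source the file from the strongswan-5.9.3 directory and call configure_with_retries; on an unrecognised error it stops and leaves configure.out for inspection instead of guessing a package name.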
    
  • strongswan workflow on linux

    2021-03-03 15:23:09
    Strongswan starter is the executable program, located at /usr/libexec/ipsec/starter.(strongswan/src/starter/starter.c) Usage: starter [--nofork] [--auto-update <sec>] [--debug|--debug-more|--...
  • Implementing IPsec with strongswan and vpp

    2020-04-09 18:31:40
    Table of contents: 1. Introduction to strongswan+vpp; how strongswan and vpp fit together; existing open-source projects by matfabia, mestery and rayshi-10; 2. Modifications based on rayshi-10's code and the latest strongswan release 5.8.3: download the source, replace files, note dnssec_...
  • Describes how to configure a Cisco IPsec module to connect to StrongSwan. In English, but simple; the configuration examples are what matter and they are very clear.
  • Index: Environment; Installation links; Installing Strongswan on Ubuntu; Configuring Strongswan; Configuring Freeradius; Strongswan VPN app; Debugging the application. Environment @Linux uname -a Linux szqsm 4.15.0-73-generic #82-Ubuntu SMP Tue Dec 3 00:04:14 UTC 2019 x86_...
  • openwrt strongswan IPSec IKEV2

    2021-02-24 17:54:54
    Preface: this article was written after a period of study, mainly to record the process of setting up the VPN and the troublesome errors met along the way, ...1. Install strongswan. A quick web search turns up many step-by-step tutorials for this, written in great detail. If you really cannot be bothered to search, just move your
  • Strongswan: common configuration notes

    2021-04-05 15:51:58
    leftca = "C=CN, O=123si, CN=123si StrongSwan CA" # server certificate, may be in PEM or DER format. leftcert = server.cert.pem # no client certificate path is specified. # rightcert = # the public key of the server certificate. leftsigkey = server....
  • Using two CentOS7 virtual machines, build an IPsec VPN lab based on strongswan; by configuring or not configuring the encryption algorithm, produce both normal and abnormal ESP packets. This post is a record of my own pitfalls. Contents 1. Prepare two CentOS7 VMs 2. Install strongswan 3. Modify...
  • Setting up and using Strongswan on Centos 7.6

    2020-04-17 16:14:10
    1. Server preparation. No need for me to explain this; I bought a Hong Kong server on Alibaba Cloud. ...yum -y install gpm-devel pam-devel openssl-devel make gcc epel-release strongswan Set an alias alias ipsec='strongswan' Enter the software directory cd...
  • Setting up Strongswan on CentOS

    2018-10-18 16:17:29
    Suppose your server's public IP is 99.99.99.99, ...1. Install strongswan yum install strongswan 2. Create certificates strongswan pki --gen --outform pem > ca.key.pem strongswan pki --self --in ca.key.pem --d...
  • Because I need to do some secondary development on top of strongswan, I have to add my modified code to strongswan and then build and run it. The strongswan installed on Ubuntu with apt-get install comes as a precompiled package, which does not allow the code to be modified. ...
