- 1云电脑是什么_什么是云电脑?云又是如何工作的?
- 2报错BrokenPipeError: [Errno 32] Broken pipe_brokenpipeerror: [errno 32] broken pipe 在向管道中写入参数的
- 3Could not find ‘cudart64_100.dll‘
- 4ioDraw在线图表工具 - 轻松制作专业图表,只需3步!_自动生成柱状图的ai
- 5数据结构与算法之计数排序_数据结构 计数排序
- 6微信支付-Native支付(网页二维码扫码微信支付)简单示例_网页扫码支付功能
- 7初次使用github
- 8旋转位置编码原理及代码_旋转位置代码
- 9关于AI记忆系统的研究_在ai智能如何实现记忆功能的方法
- 102024最新版JavaScript逆向爬虫教程-------基础篇之无限debugger的原理与绕过
OpenSUSE 13.1上安装StrongSwan_strongswan5.1.1
赞
踩
结果:
1)iOS 7.1设备可以拨IPSec VPN到StrongSwan电脑上面来 - Connect to VPN
2)iOS 设备浏览器可以访问StrongSwan VPN所在的内网地址服务器 - Connect to intranet behind VPN
=========================================================
环境:
OpenSUSE 13.1 64位
iPad 2 with OS 7.1=========================================================
OpenSUSE准备:
下载OpenSUSE 13.1 64位 DVD iso文件,Vmware Workstation 9安装,选择手动安装
systemctl enable sshd
service sshd start
测试:Windows电脑用putty.exe可以ssh到OpenSUSE上
OpenSUSE安装locate/updatedb程序
zypper in findutils-locate (这一步如果是第一次运行zypper,可能需要挺长时间)
updatedb
locate
OpenSUSE关闭防火墙,在GUI界面里面搜索firewall,关闭防火墙即可
或者是命令行启动yast 字符菜单界面,选择Security and Users -> Firewall
OpenSUSE安装ftp服务
zypper in vsftpd
systemctl enable vsftpd.service
systemctl start vsftpd.service
测试:ftp,用OpenSUSE操作系统里面的普通用户帐号登录
OpenSUSE安装apache web服务
zypper install apache2
systemctl enable apache2.service
systemctl start apache2.service
测试:iPad上打开浏览器,访问http://ip地址
=========================================================
开始安装SrongSwan
安装strongswan,当前最新版本5.1.1zypper install openssl strongswan iputils
systemctl enable strongswan.service
ipsec restart
vi /etc/ssl/openssl.cnf
#内容如下:
extendedKeyUsage = serverAuth
subjectAltName = DNS: swan.acmehq.springworks.info
#找到[ CA_default ]
dir = /etc/ipsec.d # Where everything is kept
certificate = $dir/cacerts/cacert.pem # The CA certificate
default_days = 3650 # This means the certificates will be valid 10 years. default 365 days
default_crl_days= 3000 # how long before next CRL, default 30 days
countryName_default = CN
stateOrProvinceName_default = Shanghai
localityName_default = Shanghai
0.organizationName_default = ACMEHQ
cd /etc/ipsec.d/
touch index.txt
touch serial
echo 00 > serial
mkdir private
mkdir reqs
mkdir cacerts
mkdir certs
mkdir newcerts
openssl req -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacerts/cacert.pem -days 3655 (注意,缺省CA 证书过期时间30天!?,所以要加参数 -days 3655)
Common Name: strongswan CA
openssl req -newkey rsa:2048 -keyout private/maikaKey.pem -out reqs/maikaReq.pem (注意,缺省颁发的证书过期时间是根据/etc/ssl/openssl.cnf里面的default_days)
Common Name: swan.acmehq.springworks.info
mkdir newcerts (原因是openssl.cnf缺省配置)
vi /etc/ipsec.secrets
: RSA maikaKey.pem "password"
test : AUTH "password"
openssl req -newkey rsa:2048 -keyout private/clientKey.pem -out reqs/clientReq.pem
Common Name: client
openssl ca -in reqs/clientReq.pem -out certs/clientCert.pem -notext
openssl pkcs12 -export -inkey private/clientKey.pem -in certs/clientCert.pem -name "client" -certfile cacerts/cacert.pem -caname "strongswan CA" -out clientCert.p12
配置iOS设备:将生成的caCert.pem和clientCert.p12通过邮件的方式或者通过web方式下载到iOS设备上,并进行证书安装。
cd /etc/ipsec.d/cp cacerts/cacert.pem /srv/www/htdocs
cp clientCert.p12 /srv/www/htdocs/
vi /srv/www/htdocs/index.html
<html>
<body>
Hello World
<br/>
<a href="cacert.pem">cacert.pem</a>
<br/>
<a href="clientCert.p12">clientCert.p12</a>
</body>
</html>
iPad打开浏览器,访问OpenSUSE的ip地址,点击下载安装两次证书。
vi /etc/ipsec.conf
config setup
conn iOS
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=maikaCert.pem
right=%any
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
rightcert=clientCert.pem
fragmentation=yes
auto=add
ipsec restart
=========================================================
=========================================================
排错:
参考 http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
ipsec stroke loglevel ike 2tail -f /var/log/messages
=========================================================
外网测试:
注意:防火墙上面可能需要做地址映射 500 4500 两个UDP端口
外网访问内网测试:
拨通VPN后,iPad只能访问StrongSwan的IP地址的apache。
参考配置 Iptables转发,注意我的SUSE网卡别名不是eth0,是ens33。(按照参考,编写了服务脚本 /etc/systemd/system/strongswan-iptables.service)
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens33 -j MASQUERADE sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT sudo echo 1 > /proc/sys/net/ipv4/ip_forward
# Author: Marguerite Su <i@marguerite.su>
# Use Case: You have a strongswan vpn. You don't want to input iptables commands
# everytime upon server restart.
[Unit]
Description=Scripts to setup iptables rules for strongswan
Wants=network-online.target
# has to start before strongswan, or it doesn't know the routes.
# so you can connect, but no traffic.
Before=strongswan.service
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT ; \
/usr/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT ; \
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens33 -j MASQUERADE ; \
/usr/sbin/iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT ; \
/bin/sh -c 'echo -n 1 > /proc/sys/net/ipv4/ip_forward'
ExecStop=/bin/sh -c 'echo -n 0 > /proc/sys/net/ipv4/ip_forward' ; \
/usr/sbin/iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT ; \
/usr/sbin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens33 -j MASQUERADE ; \
/usr/sbin/iptables -D INPUT -p udp --dport 4500 -j ACCEPT ; \
/usr/sbin/iptables -D INPUT -p udp --dport 500 -j ACCEPT
[Install]
WantedBy=multi-user.target
systemctl enable strongswan-iptables.service
systemctl start strongswan-iptables.service
=========================================================
查看SSL证书过期时间
openssl x509 -text -in cacerts/cacert.pem
Validity
Not Before: Aug 7 10:18:56 2014 GMT
Not After : Sep 6 10:18:56 2014 GMT
=========================================================
安装过程参考英文文档 http://forums.opensuse.org/showthread.php/435097-Strongswan-on-openSuSe-11-2-quick-setup
配置文件参考中文文档 http://maclue.tumblr.com/post/11947923571/strongswan-ipsec-vpn-for-ios
iPhone VPN配置参考 http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
设置:default_crl_days= 300 /etc/ssl/openssl.cnf http://www.strongswan.org/docs/readme.htm
=========================================================
