How to Set Up an IPsec-based VPN with strongSwan on Debian and Ubuntu


strongSwan is an open-source, cross-platform, full-featured and widely used IPsec-based VPN (Virtual Private Network) implementation that runs on Linux, FreeBSD, OS X, Windows, Android and iOS. It is primarily a keying daemon that supports the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SA) between two peers.

This article describes how to set up a site-to-site IPsec VPN gateway using strongSwan on Ubuntu and Debian servers. By site-to-site we mean that each security gateway has a subnet behind it. In addition, the peers will authenticate each other using a pre-shared key (PSK).

Remember to replace the following IPs with your actual IPs when configuring your environment.

Site 1 Gateway (tecmint-devgateway)

OS 1: Debian or Ubuntu
Public IP: 10.20.20.1
Private IP: 192.168.0.101/24
Private Subnet: 192.168.0.0/24

Site 2 Gateway (tecmint-prodgateway)

OS 2: Debian or Ubuntu
Public IP:  10.20.20.3
Private IP: 10.0.2.15/24
Private Subnet: 10.0.2.0/24

Step 1: Enabling Kernel Packet Forwarding

1. First, you need to configure the kernel to enable packet forwarding by adding the appropriate system variables to the /etc/sysctl.conf configuration file on both security gateways.

$ sudo vim /etc/sysctl.conf

Look for the following lines, uncomment them and set their values as shown (read the comments in the file for more information).

net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0 

2. Next, load the new settings by running the following command.

$ sudo sysctl -p

3. If you have the UFW firewall service enabled, you need to add the following rules to the /etc/ufw/before.rules configuration file, before the filter rules, on each security gateway.

Site 1 Gateway (tecmint-devgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24  -d 192.168.0.0/24 -j MASQUERADE
COMMIT

Site 2 Gateway (tecmint-prodgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING  -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE
COMMIT

4. Once the firewall rules have been added, apply the new changes by restarting UFW as shown.

$ sudo ufw disable 
$ sudo ufw enable
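A pre-flight check for the Step 1 settings, added here as an example that is not part of the original article. It parses sysctl.conf text and the *nat section of a UFW before.rules file from strings and reports what is missing or wrong, so a line that was left commented out (which sysctl -p silently ignores) is caught before the tunnel is started. The sysctl samples are constructed; the NAT rules are the article's own; the function names are this example's.

```python
"""Added example, not part of the original article: a pre-flight check for
the Step 1 settings. The sysctl samples are constructed; the NAT rules are
the article's own; the function names are this example's."""
import re

# The four settings Step 1 requires, with the value each must have.
REQUIRED_SYSCTL = {
    "net.ipv4.ip_forward": "1",
    "net.ipv6.conf.all.forwarding": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
}

def parse_sysctl(text):
    """Return {key: value} for the active (uncommented) lines of a sysctl.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # sysctl -p ignores comments, so these never take effect
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def check_sysctl(text):
    """Return a sorted list of problems: required keys missing or set to the wrong value."""
    active = parse_sysctl(text)
    problems = []
    for key, wanted in REQUIRED_SYSCTL.items():
        if key not in active:
            problems.append(f"{key} is missing or commented out")
        elif active[key] != wanted:
            problems.append(f"{key} is {active[key]}, expected {wanted}")
    return sorted(problems)

MASQ_RE = re.compile(r"^-A POSTROUTING -s (\S+) -d (\S+) -j MASQUERADE$")

def parse_masquerade(text):
    """Return (source, destination) pairs of MASQUERADE rules inside a *nat ... COMMIT block."""
    pairs, in_nat = [], False
    for line in text.splitlines():
        line = re.sub(r"\s+", " ", line.strip())  # collapse the double spaces in the rules
        if line == "*nat":
            in_nat = True
        elif line == "COMMIT":
            in_nat = False
        elif in_nat:
            m = MASQ_RE.match(line)
            if m:
                pairs.append((m.group(1), m.group(2)))
    return pairs

def nat_rules_mirror(site1_rules, site2_rules):
    """True when each (src, dst) rule on one gateway appears as (dst, src) on the other."""
    s1 = set(parse_masquerade(site1_rules))
    s2 = set(parse_masquerade(site2_rules))
    return s1 == {(dst, src) for (src, dst) in s2}

# Constructed sample: the IPv4 forwarding line was left commented out.
SYSCTL_BAD = """\
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
"""
# Constructed sample with all four values set as Step 1 requires.
SYSCTL_GOOD = """\
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
"""
# The article's before.rules NAT sections for the two gateways.
SITE1_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24  -d 192.168.0.0/24 -j MASQUERADE
COMMIT
"""
SITE2_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING  -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    print("bad sysctl.conf:", check_sysctl(SYSCTL_BAD))
    print("good sysctl.conf:", check_sysctl(SYSCTL_GOOD))
    print("NAT rules mirror each other:", nat_rules_mirror(SITE1_NAT, SITE2_NAT))
```

To run it against a real gateway, read /etc/sysctl.conf and /etc/ufw/before.rules into strings and pass them to check_sysctl and parse_masquerade; the two NAT sections must be mirror images of each other, which is what nat_rules_mirror confirms for the article's rules.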

Step 2: Installing strongSwan on Debian and Ubuntu

5. Update your package cache on both security gateways and install the strongswan package using the APT package manager.

$ sudo apt update
$ sudo apt install strongswan 

6. Once the installation is complete, the installer script starts the strongswan service and enables it to start automatically at system boot. You can check its status and whether it is enabled using the following commands.

$ sudo systemctl status strongswan.service
$ sudo systemctl is-enabled strongswan.service

Step 3: Configuring the Security Gateways

7. Next, you need to configure the security gateways using the /etc/ipsec.conf configuration file.

Site 1 Gateway (tecmint-devgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf 

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Site 2 Gateway (tecmint-prodgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf 

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24 
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Here is what each configuration parameter means:

  • config setup – specifies general configuration information for IPsec that applies to all connections.
  • charondebug – defines how much Charon debugging output should be logged.
  • uniqueids – defines whether a particular participant ID should be kept unique.
  • conn prodgateway-to-devgateway – defines the connection name.
  • type – defines the connection type.
  • auto – how to handle the connection when IPsec starts or restarts.
  • keyexchange – defines the version of the IKE protocol to use.
  • authby – defines how the peers should authenticate each other.
  • left – defines the IP address of the left participant's public network interface.
  • leftsubnet – states the private subnet behind the left participant.
  • right – specifies the IP address of the right participant's public network interface.
  • rightsubnet – states the private subnet behind the right participant.
  • ike – defines the list of IKE/ISAKMP SA encryption/authentication algorithms to be used. You can add a comma-separated list.
  • esp – specifies the list of ESP encryption/authentication algorithms to be used for the connection. You can add a comma-separated list.
  • aggressive – states whether to use Aggressive or Main Mode.
  • keyingtries – states the number of attempts that should be made to negotiate a connection.
  • ikelifetime – states how long the keying channel of a connection should last before being renegotiated.
  • lifetime – defines how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay – defines the interval at which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout – defines the timeout interval after which all connections to a peer are deleted in case of inactivity.
  • dpdaction – defines how to use the Dead Peer Detection (DPD) protocol to manage the connection.

For more information about the configuration parameters above, read the ipsec.conf man page using the following command.

$ man ipsec.conf
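The two conn blocks above have to be exact mirrors of each other, and the proposals they carry are worth a second look. The following is an added example, not part of the original article: a parser for the ipsec.conf layout used in Step 3, a cross-check that left/right and leftsubnet/rightsubnet are swapped between the two files while the proposals agree, a check for subnet values written with host bits set (192.168.0.101/24 where the stated subnet is 192.168.0.0/24), and a check that flags proposals built on SHA-1 or the 1024-bit MODP group, which are no longer recommended. The config strings are abridged copies of the article's own two files; the function names are this example's.

```python
"""Added example, not part of the original article: parse the two
ipsec.conf files from Step 3 and check them against each other. The config
strings are abridged copies of the article's own; function names are ours."""
import ipaddress

SITE1_CONF = """\
config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
"""
SITE2_CONF = """\
config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; an unindented line opens a section, indented key=value lines fill it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def conn_settings(sections):
    """Return (name, settings) of the single conn block these files contain."""
    name = next(n for n in sections if n.startswith("conn "))
    return name, sections[name]

WEAK_MARKERS = ("md5", "sha1", "3des", "modp768", "modp1024")

def weak_proposals(settings):
    """List ike/esp proposals that rely on a hash, cipher or DH group no longer recommended."""
    found = []
    for key in ("ike", "esp"):
        for proposal in settings.get(key, "").rstrip("!").split(","):
            if any(marker in proposal.lower() for marker in WEAK_MARKERS):
                found.append(f"{key}={proposal}")
    return found

def subnet_issues(settings):
    """Flag subnet values written with host bits set, e.g. 192.168.0.101/24 rather than 192.168.0.0/24."""
    issues = []
    for key in ("leftsubnet", "rightsubnet"):
        value = settings.get(key)
        if value and ipaddress.ip_network(value, strict=False).with_prefixlen != value:
            net = ipaddress.ip_network(value, strict=False)
            issues.append(f"{key}={value} has host bits set; the network it covers is {net}")
    return issues

def cross_check(site1_text, site2_text):
    """Return sorted mismatches between the two conn blocks; empty when they mirror each other."""
    _, a = conn_settings(parse_ipsec_conf(site1_text))
    _, b = conn_settings(parse_ipsec_conf(site2_text))
    problems = []
    # left/right and leftsubnet/rightsubnet must be swapped between the two sides
    for mine, theirs in (("left", "right"), ("leftsubnet", "rightsubnet")):
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            problems.append(f"{mine}/{theirs} do not mirror: {a.get(mine)},{a.get(theirs)} vs {b.get(mine)},{b.get(theirs)}")
    # the article uses identical proposals on both sides; a mismatch here is the usual cause of a failed IKE negotiation
    for key in ("type", "keyexchange", "authby", "ike", "esp"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    return sorted(problems)

if __name__ == "__main__":
    name, settings = conn_settings(parse_ipsec_conf(SITE1_CONF))
    print(name, "| weak:", weak_proposals(settings), "| subnets:", subnet_issues(settings))
    print("cross-check:", cross_check(SITE1_CONF, SITE2_CONF) or "ok")
```

For the article's files the cross-check passes, but both the ike and esp proposals are reported as weak and both subnet values are reported as carrying host bits. Writing the subnets as the network addresses given at the top of the article (192.168.0.0/24 and 10.0.2.0/24) keeps the config consistent with the UFW rules, and a proposal such as aes256-sha256-modp2048 (an assumption of this example, not the article's choice) removes the SHA-1 and MODP-1024 dependency; any change must be made identically on both gateways.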

Step 4: Configuring a PSK for Peer-to-Peer Authentication

8. After configuring both security gateways, generate a secure PSK for the peers to authenticate with, using the following command.

$ head -c 24 /dev/urandom | base64

9. Next, add the PSK to the /etc/ipsec.secrets file on both gateways.

$ sudo vim /etc/ipsec.secrets

Copy and paste the following line.

------- Site 1 Gateway (tecmint-devgateway) ------- 

10.20.20.1 10.20.20.3 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="

------- Site 2 Gateway (tecmint-prodgateway) -------

10.20.20.3  10.20.20.1 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="
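Before restarting the daemon it is worth confirming that the two entries really match, since a secret that differs by one character or a hand-typed short secret fails in the same way and shows up only as an authentication error. The following is an added example, not part of the original article: it generates a PSK the way head -c 24 /dev/urandom | base64 does, parses ipsec.secrets PSK entries, and checks that both entries name the two gateways, carry the same secret, and decode to at least 24 random bytes. The two good entries are the article's own; the bad entry is constructed; the function names are this example's.

```python
"""Added example, not part of the original article: generate a PSK and check
a pair of ipsec.secrets entries. The two good entries are the article's own;
the bad entry is constructed; function names are this example's."""
import base64
import binascii
import re
import secrets

MIN_PSK_BYTES = 24  # the article's command draws 24 random bytes; treat less as too weak

def generate_psk(nbytes=MIN_PSK_BYTES):
    """Return a base64-encoded PSK of nbytes drawn from the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

# id1 id2 : PSK "secret"   (the selector list is everything before the colon)
SECRET_RE = re.compile(r'^\s*(?P<ids>[^:]+?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')

def parse_secrets_line(line):
    """Parse one PSK entry into (frozenset of selector ids, secret)."""
    m = SECRET_RE.match(line)
    if not m:
        raise ValueError(f"not a PSK entry: {line!r}")
    return frozenset(m.group("ids").split()), m.group("psk")

def psk_random_bytes(psk):
    """Number of bytes the base64 PSK decodes to, or 0 when it is not valid base64."""
    try:
        return len(base64.b64decode(psk, validate=True))
    except (binascii.Error, ValueError):
        return 0

def check_psk_pair(site1_line, site2_line, gw1, gw2):
    """Return sorted problems for the two entries; empty means they are consistent."""
    ids1, psk1 = parse_secrets_line(site1_line)
    ids2, psk2 = parse_secrets_line(site2_line)
    expected = frozenset({gw1, gw2})
    problems = []
    if ids1 != expected:
        problems.append(f"site1 selectors {sorted(ids1)} != {sorted(expected)}")
    if ids2 != expected:
        problems.append(f"site2 selectors {sorted(ids2)} != {sorted(expected)}")
    if psk1 != psk2:
        problems.append("PSK differs between the two gateways")
    if min(psk_random_bytes(psk1), psk_random_bytes(psk2)) < MIN_PSK_BYTES:
        problems.append(f"PSK has fewer than {MIN_PSK_BYTES} random bytes")
    return sorted(problems)

GW1, GW2 = "10.20.20.1", "10.20.20.3"
# The article's two entries.
SITE1_LINE = '10.20.20.1 10.20.20.3 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="'
SITE2_LINE = '10.20.20.3  10.20.20.1 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="'
# Constructed bad entry: a short, hand-typed secret on site 2 that also differs from site 1.
BAD_SITE2_LINE = '10.20.20.3 10.20.20.1 : PSK "hunter2"'

if __name__ == "__main__":
    print("fresh PSK:", generate_psk())
    print("article pair:", check_psk_pair(SITE1_LINE, SITE2_LINE, GW1, GW2) or "ok")
    print("bad pair:", check_psk_pair(SITE1_LINE, BAD_SITE2_LINE, GW1, GW2))
```

The selector check uses the gateways' public IPs because that is what the article's entries use; strongSwan looks the secret up by these identities, so an entry listing the wrong pair silently fails to match. /etc/ipsec.secrets should stay readable by root only on both gateways.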

10. Restart the IPsec program and check its status to view the connections.

$ sudo ipsec restart
$ sudo ipsec status

11. Finally, verify that you can reach the private subnets from either security gateway by running a ping command.

$ ping 192.168.0.101
$ ping 10.0.2.15

12. In addition, you can stop and start IPsec as shown.

$ sudo ipsec stop
$ sudo ipsec start

13. To learn more about the IPsec commands for bringing up connections manually and more, see the IPsec help page.

$ ipsec --help

That's it! In this article, we have explained how to set up a site-to-site IPsec VPN using strongSwan on Ubuntu and Debian servers, where both security gateways were configured to authenticate each other using a PSK. If you have any questions or thoughts to share, reach us via the feedback form below.