How to Set Up an IPsec-based VPN with strongSwan on CentOS/RHEL 8


strongSwan is an open-source, multi-platform, modern and complete IPsec-based VPN solution for Linux that provides full support for Internet Key Exchange (both IKEv1 and IKEv2) to establish security associations (SAs) between two peers. It is full-featured, modular by design and offers dozens of plugins that extend its core functionality.

Related article: How to Set Up an IPsec-based VPN with strongSwan on Debian and Ubuntu

In this article, you will learn how to set up site-to-site IPsec VPN gateways using strongSwan on CentOS/RHEL 8 servers. The peers authenticate each other with a strong pre-shared key (PSK). A site-to-site setup means that each security gateway has a private subnet behind it.

Remember to substitute your real IP addresses for the lab addresses below while following the guide.

Site 1 Gateway
Public IP: 192.168.56.7
Private IP: 10.10.1.1/24
Private Subnet: 10.10.1.0/24

Site 2 Gateway
Public IP: 192.168.56.6
Private IP: 10.20.1.1/24
Private Subnet: 10.20.1.0/24

Step 1: Enable Kernel IP Forwarding on CentOS 8

1. Start by enabling kernel IP forwarding in the /etc/sysctl.conf configuration file on both VPN gateways. The two redirect settings are there so that the gateway neither emits nor honours ICMP redirects, which could otherwise be used to steer tunnelled traffic around the gateway.

# vi /etc/sysctl.conf

Add these lines to the file.

net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0 

2. After saving the changes to the file, run the following command to load the new kernel parameters at run time.

# sysctl -p

3. Next, on each security gateway, create a permanent static route to the remote site's private subnet in the file /etc/sysconfig/network-scripts/route-eth0 (eth0 being the public-facing interface; substitute your own). The next hop is the other site's public IP, i.e. the peer gateway. Note that strongSwan also installs its own route to the remote subnet in routing table 220 (charon's install_routes option is on by default), so the tunnel works without this route; the static route is a fallback that keeps the remote subnet reachable from the main table even when strongSwan has not (yet) installed its own.

# vi /etc/sysconfig/network-scripts/route-eth0

Add only the line that belongs to the gateway you are on.

#Site 1 Gateway (192.168.56.7): route to site 2's subnet via the site 2 gateway
10.20.1.0/24 via 192.168.56.6

#Site 2 Gateway (192.168.56.6): route to site 1's subnet via the site 1 gateway
10.10.1.0/24 via 192.168.56.7

4. Then restart NetworkManager to apply the new changes.

# systemctl restart NetworkManager

Step 2: Install strongSwan on CentOS 8

5. The strongswan package is provided by the EPEL repository. To install it, enable the EPEL repository first, then install strongswan on both security gateways.

# dnf install epel-release
# dnf install strongswan

6. To check the version of strongswan installed on both gateways, run the following command.

# strongswan version

7. Next, start the strongswan service and enable it to start automatically at boot. Then check its status on both security gateways.

# systemctl start strongswan 
# systemctl enable strongswan
# systemctl status strongswan

Note: The current strongswan package for CentOS/RHEL 8 comes with support for both swanctl (a newer, more portable command-line utility introduced with strongSwan 5.2.0, used to configure, control and monitor the IKE daemon charon via the vici plugin) and the starter (or ipsec) utility, which uses the deprecated stroke plugin.

8. The main configuration directory is /etc/strongswan/, which contains the configuration files for both interfaces:

# ls /etc/strongswan/

For this guide, we will use the IPsec utility, invoked through the strongswan command, together with the stroke interface. So we will use the following configuration files:

  • /etc/strongswan/ipsec.conf – configuration file for the strongSwan IPsec subsystem.
  • /etc/strongswan/ipsec.secrets – secrets file (pre-shared keys and private keys).

Step 3: Configure the Security Gateways

9. In this step, you need to configure the connection profile on each security gateway using the strongswan configuration file /etc/strongswan/ipsec.conf. The two files are mirror images of each other: whatever is "left" on one gateway is "right" on the other.

On Site 1 Gateway (192.168.56.7), back up the original file and edit it:

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn gateway1-to-gateway2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.7
        leftsubnet=10.10.1.0/24
        right=192.168.56.6
        rightsubnet=10.20.1.0/24
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
On Site 2 Gateway (192.168.56.6), back up and edit the same file:

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste this configuration into the file:

config setup
        charondebug="all"
        uniqueids=yes
conn gateway2-to-gateway1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.6
        leftsubnet=10.20.1.0/24
        right=192.168.56.7
        rightsubnet=10.10.1.0/24
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Let's briefly describe each of the above configuration parameters:

  • config setup – defines general configuration information for IPsec that applies to all connections.
  • charondebug – defines how much charon debugging output should be logged.
  • uniqueids – defines whether a particular participant ID should be kept unique, i.e. whether a new IKE_SA with the same ID replaces older ones.
  • conn gateway1-to-gateway2 – used to name the connection.
  • type – defines the connection type (tunnel mode here, as required for site-to-site).
  • auto – declares how to handle the connection when IPsec starts or restarts.
  • keyexchange – declares the version of the IKE protocol to use.
  • authby – defines how the peers should authenticate each other.
  • left – declares the IP address of the left participant's public network interface.
  • leftsubnet – declares the private subnet behind the left participant (written as a network, e.g. 10.10.1.0/24).
  • right – declares the IP address of the right participant's public network interface.
  • rightsubnet – declares the private subnet behind the right participant.
  • ike – declares the list of IKE/ISAKMP SA encryption/authentication/DH algorithms to be used. This can be a comma-separated list; the trailing ! makes it strict, so no other proposal is accepted. Prefer SHA-2 and a Diffie-Hellman group of at least 2048 bits (modp2048); sha1 and modp1024 are obsolete and should not be used for new tunnels.
  • esp – specifies the list of ESP encryption/authentication algorithms to be used for the connection, with the same ! semantics.
  • aggressive – declares whether to use Aggressive or Main mode (IKEv1 only; ignored with IKEv2).
  • keyingtries – declares the number of attempts that should be made to negotiate a connection.
  • ikelifetime – specifies how long the keying channel of a connection should last before it is renegotiated.
  • lifetime – specifies how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay – specifies the interval at which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout – specifies the timeout after which all connections to a peer are deleted in case of inactivity (IKEv1 only; with IKEv2 the retransmission timeout applies instead).
  • dpdaction – specifies how the Dead Peer Detection (DPD) protocol should manage the connection.

You can find a description of all configuration parameters of the strongSwan IPsec subsystem by reading the ipsec.conf man page.

# man ipsec.conf

Step 4: Configure the PSK for Peer-to-Peer Authentication

10. Next, generate a strong PSK to be used by the peers for authentication, as follows.

# head -c 24 /dev/urandom | base64

11. Add the PSK to the file /etc/strongswan/ipsec.secrets on both gateways. The key below is only the article's sample; it is public, so use the one you just generated. Keep the file readable by root only (mode 0600).

# vi /etc/strongswan/ipsec.secrets

Add the following line to the file. The order of the two IDs does not matter, so the same line works on both gateways.

#Site 1 Gateway
192.168.56.7  192.168.56.6 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"

#Site 2 Gateway
192.168.56.6  192.168.56.7 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"
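The two ipsec.conf files in step 9 and the ipsec.secrets line in step 11 must agree with each other exactly, and by-hand editing on two hosts is where left/right subnets and pre-shared keys get swapped. The script below, an added example and not part of the original article, renders both gateways' ipsec.conf and ipsec.secrets from one set of site parameters and refuses any proposal that still contains an obsolete algorithm (SHA-1, MD5, DES/3DES, MODP groups below 2048 bits). The addresses are the article's lab addresses; the function names and the weak-algorithm list are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): render ipsec.conf and
# ipsec.secrets for BOTH gateways from one set of site parameters, so the
# left/right/subnet values can never be swapped by hand, and refuse any
# proposal that still carries an obsolete algorithm. Addresses are the
# article's lab addresses; function names and the weak-token list are this
# example's own choices.
set -eu

SITE1_PUB=192.168.56.7;  SITE1_NET=10.10.1.0/24
SITE2_PUB=192.168.56.6;  SITE2_NET=10.20.1.0/24
IKE_PROPOSAL="aes256-sha256-modp2048!"   # trailing ! = strict, no fallback
ESP_PROPOSAL="aes256-sha256!"

# check_proposal PROPOSAL : return 1 if any '-'-separated token is obsolete
check_proposal() {
    local p="${1%!}" t
    for t in md5 sha1 des 3des null modp768 modp1024 modp1536; do
        case "-$p-" in
            *"-$t-"*) echo "weak algorithm '$t' in proposal '$1'" >&2; return 1 ;;
        esac
    done
    return 0
}

# render_conf NAME LOCAL_PUB LOCAL_NET REMOTE_PUB REMOTE_NET :
# print /etc/strongswan/ipsec.conf for the gateway whose public IP is LOCAL_PUB
render_conf() {
    local name=$1 lpub=$2 lnet=$3 rpub=$4 rnet=$5
    check_proposal "$IKE_PROPOSAL" && check_proposal "$ESP_PROPOSAL" || return 1
    cat <<EOF
config setup
        charondebug="all"
        uniqueids=yes

conn $name
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=$lpub
        leftsubnet=$lnet
        right=$rpub
        rightsubnet=$rnet
        ike=$IKE_PROPOSAL
        esp=$ESP_PROPOSAL
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
EOF
}

# new_psk : 24 random bytes, base64-encoded (32 characters), as in step 10
new_psk() { head -c 24 /dev/urandom | base64; }

# render_secrets LOCAL_PUB REMOTE_PUB PSK : the single ipsec.secrets line;
# the same line is valid on both gateways because the ID order does not matter
render_secrets() {
    printf '%s  %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Demo run: write both gateways' files into a private temp dir. On the real
# hosts copy siteN-ipsec.conf to /etc/strongswan/ipsec.conf and
# siteN-ipsec.secrets to /etc/strongswan/ipsec.secrets (root-only, 0600).
umask 077
OUT=$(mktemp -d)
PSK=$(new_psk)
render_conf gateway1-to-gateway2 "$SITE1_PUB" "$SITE1_NET" "$SITE2_PUB" "$SITE2_NET" > "$OUT/site1-ipsec.conf"
render_conf gateway2-to-gateway1 "$SITE2_PUB" "$SITE2_NET" "$SITE1_PUB" "$SITE1_NET" > "$OUT/site2-ipsec.conf"
render_secrets "$SITE1_PUB" "$SITE2_PUB" "$PSK" > "$OUT/site1-ipsec.secrets"
render_secrets "$SITE2_PUB" "$SITE1_PUB" "$PSK" > "$OUT/site2-ipsec.secrets"
echo "rendered into $OUT (files are mode 0600 because of umask 077)"
```

Generating the key once and rendering both secrets files from it removes the classic "PSK mismatch" failure, which charon only reports as a failed IKE_AUTH on the responder. The proposal check runs on the configured string only; step 13 is where you confirm what the peer actually negotiated.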

12. Then restart the strongswan service and check the status of the connections. If firewalld is active on the gateways, IKE (UDP 500 and UDP 4500) and the ESP protocol must be allowed on the public interface first, otherwise the peers never see each other; firewalld ships a predefined ipsec service that covers all three.

# systemctl restart strongswan
# strongswan status

13. Test whether you can reach the remote private subnet from each security gateway using the ping command. When pinging from the gateway itself, use the gateway's own private address as the source (-I), so that the packet falls inside the tunnel's traffic selectors (10.10.1.0/24 === 10.20.1.0/24) rather than leaving with the public IP as source; a plain ping may succeed without ever touching the tunnel.

From Site 1 Gateway:
# ping -I 10.10.1.1 10.20.1.1

From Site 2 Gateway:
# ping -I 10.20.1.1 10.10.1.1
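A successful ping proves reachability, not that the traffic went through IPsec. The checks below, an added example and not part of the original article, read the text that the stroke-based strongswan statusall prints and confirm four things a practitioner wants after step 13: the IKE_SA is ESTABLISHED, a CHILD_SA is INSTALLED in tunnel mode with exactly the expected traffic selectors, the proposal the peer actually negotiated contains no obsolete algorithm, and the ESP byte counters moved in both directions. The status text in the script is a constructed sample in that output format, not a capture; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): health-check a site-to-site
# tunnel from the text output of `strongswan statusall`. All function names
# are this example's own; the status text below is a CONSTRUCTED sample in
# the format the stroke-based `strongswan statusall` prints, not a capture.
set -eu

CONN=gateway1-to-gateway2
LOCAL_NET=10.10.1.0/24
REMOTE_NET=10.20.1.0/24

# ike_established CONN STATUS : an IKE_SA for CONN is in state ESTABLISHED
ike_established() {
    printf '%s\n' "$2" | grep -Eq "^$1\[[0-9]+\]: ESTABLISHED"
}

# child_installed CONN LNET RNET STATUS : a CHILD_SA is INSTALLED in tunnel
# mode and its traffic selectors are exactly LNET === RNET
child_installed() {
    printf '%s\n' "$4" | grep -Eq "^$1\{[0-9]+\}: +INSTALLED, TUNNEL" &&
    printf '%s\n' "$4" | grep -F -- "$2 === $3" | grep -Eq "^$1\{[0-9]+\}:"
}

# proposal_strong CONN STATUS : the NEGOTIATED IKE proposal (what the peer
# agreed to, not what ipsec.conf asked for) uses none of the algorithms we
# treat as obsolete. Fails when the proposal line is absent.
proposal_strong() {
    printf '%s\n' "$2" | grep -E "^$1\[[0-9]+\]: IKE proposal:" \
        | grep -Eqv 'SHA1|MD5|MODP_1024|MODP_768|3DES|DES_CBC'
}

# esp_traffic_seen CONN STATUS : the CHILD_SA counters show bytes in BOTH
# directions, i.e. the ping really went through ESP and was answered
esp_traffic_seen() {
    printf '%s\n' "$2" | grep -E "^$1\{[0-9]+\}: " \
        | grep -Eq '[1-9][0-9]* bytes_i .* [1-9][0-9]* bytes_o'
}

# verify_tunnel CONN LNET RNET STATUS : run every check, report each, return 1 on any failure
verify_tunnel() {
    local conn=$1 lnet=$2 rnet=$3 status=$4 rc=0
    ike_established "$conn" "$status" && echo "ok   IKE_SA established" || { echo "FAIL IKE_SA not established"; rc=1; }
    child_installed "$conn" "$lnet" "$rnet" "$status" && echo "ok   CHILD_SA $lnet === $rnet" || { echo "FAIL CHILD_SA missing or wrong selectors"; rc=1; }
    proposal_strong "$conn" "$status" && echo "ok   negotiated IKE proposal" || { echo "FAIL weak or unknown IKE proposal"; rc=1; }
    esp_traffic_seen "$conn" "$status" && echo "ok   ESP bytes in both directions" || { echo "FAIL no two-way ESP traffic yet"; rc=1; }
    return $rc
}

# Constructed sample: healthy tunnel as seen from Site 1 Gateway after the ping
SAMPLE_UP='Status of IKE charon daemon (strongSwan, Linux, x86_64):
  uptime: 3 minutes, since Jun 24 10:02:11 2020
Listening IP addresses:
  192.168.56.7
  10.10.1.1
Connections:
gateway1-to-gateway2:  192.168.56.7...192.168.56.6  IKEv2, dpddelay=30s
gateway1-to-gateway2:   local:  [192.168.56.7] uses pre-shared key authentication
gateway1-to-gateway2:   remote: [192.168.56.6] uses pre-shared key authentication
gateway1-to-gateway2:   child:  10.10.1.0/24 === 10.20.1.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
gateway1-to-gateway2[1]: ESTABLISHED 3 minutes ago, 192.168.56.7[192.168.56.7]...192.168.56.6[192.168.56.6]
gateway1-to-gateway2[1]: IKEv2 SPIs: 0a1b2c3d4e5f6071_i* 1122334455667788_r, pre-shared key reauthentication in 7 hours
gateway1-to-gateway2[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
gateway1-to-gateway2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a8ab01_i c0a8ab02_o
gateway1-to-gateway2{1}:  AES_CBC_256/HMAC_SHA2_256_128, 840 bytes_i (10 pkts, 2s ago), 840 bytes_o (10 pkts, 2s ago), rekeying in 46 minutes
gateway1-to-gateway2{1}:   10.10.1.0/24 === 10.20.1.0/24'

# Constructed sample: peer unreachable (firewall, wrong PSK, or peer down)
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
gateway1-to-gateway2[2]: CONNECTING, 192.168.56.7[%any]...192.168.56.6[%any]
gateway1-to-gateway2[2]: IKEv2 SPIs: 0000000000000000_i* 0000000000000000_r
gateway1-to-gateway2[2]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE'

verify_tunnel "$CONN" "$LOCAL_NET" "$REMOTE_NET" "$SAMPLE_UP"
# On a real gateway, right after the ping in step 13:
#   verify_tunnel "$CONN" "$LOCAL_NET" "$REMOTE_NET" "$(strongswan statusall)"
```

If the CHILD_SA is installed but only bytes_o grows, the remote side is not returning traffic (check its firewall and its route to the local subnet); if both counters stay at zero while the ping answers, the echo left the gateway outside the tunnel, which is what the -I source address in step 13 prevents. For the kernel-side view, ip xfrm state lists the two ESP SAs with the SPIs shown above, and tcpdump -ni eth0 esp during the ping should show ESP packets rather than ICMP.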

14. Last but not least, to learn more strongswan commands for bringing connections up and down manually and more, see the strongswan help page.

# strongswan --help

That's all for now! To share your thoughts or ask questions, reach us via the feedback form below. And to learn more about the newer swanctl utility and its more flexible configuration structure, see the strongSwan user documentation.