终极了,三条 bash/zsh shell 脚本就搞定 IPSEC/IKEv2 的证书、EAP、PSK、Xauth 各种认证方式,支持 iOS、Android、Windows、黑莓等各种设备

  •   cattyhouse · 2014-10-29 00:19:38 +08:00 · 11163 次点击
    首先:安装Strongswan, cat strongswaninstall.zsh:


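    # Build strongSwan from the upstream tarball in ~ and install it to /usr/local
    # (--sysconfdir=/etc puts the config under /etc). apt-get build-dep needs
    # deb-src entries in /etc/apt/sources.list.
    set -eu
    cd ~
    # Fetch over TLS and check the detached signature so a tampered tarball is
    # not compiled into a VPN server. The strongSwan signing key must be imported
    # into gpg first (see the project's download page); if the .sig is not
    # served for the unversioned link, fetch the versioned tarball and its .sig.
    wget https://download.strongswan.org/strongswan.tar.gz
    wget https://download.strongswan.org/strongswan.tar.gz.sig
    gpg --verify strongswan.tar.gz.sig strongswan.tar.gz
    # Take the source directory name from the archive itself: a strongswan-*
    # glob is ambiguous once a second version has been unpacked here (and the
    # original "cd strongswan-*" after already being inside it failed outright).
    src_dir=$(tar tzf strongswan.tar.gz | head -n 1 | cut -d/ -f1)
    tar xzf strongswan.tar.gz
    # build-essential supplies gcc/make; without it configure aborts with
    # "no acceptable C compiler found".
    apt-get install -y build-essential libgmp3-dev openssl libssl-dev
    apt-get build-dep -y strongswan
    cd "$src_dir"
    ./configure --sysconfdir=/etc --disable-sql --disable-mysql --disable-ldap --enable-dhcp --enable-eap-identity --enable-eap-mschapv2 --enable-md4 --enable-xauth-eap --enable-eap-peap --enable-eap-md5 --enable-openssl --enable-shared --enable-unity --enable-eap-tls --enable-eap-ttls --enable-eap-tnc --enable-eap-dynamic --enable-addrblock --enable-eap-radius --enable-radattr --enable-kernel-netlink --enable-kernel-libipsec --enable-ipseckey --enable-pkcs11 --enable-whitelist --enable-socket-dynamic --enable-duplicheck --enable-error-notify --enable-ha --enable-libipsec
    make
    make install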


    然后配置Strongswan, cat strongswanconfig.zsh:


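    # Write the strongSwan connection definitions. The body contains no "$", so
    # the unquoted delimiter expands nothing; the file is regenerated on every
    # run. ipsec.conf requires the parameters of a section to be indented below
    # their "config"/"conn" header line, which is done explicitly here.
    cat << _EOF_ >/etc/ipsec.conf
    # ipsec.conf - strongSwan IPsec configuration file

    config setup
        # Several devices may connect with the same identity (j / jj); do not
        # tear down an existing SA when a second client with that ID connects.
        uniqueids = no
        # charondebug="cfg 2, dmn 2, ike 2, net 2"

    conn %default
        # Accept IKEv1 and IKEv2 as responder.
        keyexchange = ike
        # Strongest proposals first; the trailing "!" makes the lists strict.
        # sha1 and modp1024 are kept only for legacy clients (older Windows
        # IKEv2 defaults, for example) - drop them once no such client needs
        # to connect.
        ike = aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
        esp = aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
        # Dead-peer detection: clear the SA when a client stops answering.
        dpdaction = clear
        # keyingtries = 1
        ikelifetime = 24h
        closeaction = clear
        dpdtimeout = 5s
        dpddelay = 300s
        # Mobile clients are almost always behind NAT; always use UDP 4500.
        forceencaps = yes
        fragmentation = force
        lifetime = 24h
        # modeconfig = push
        # The server never initiates rekeying; clients rekey themselves.
        rekey = no
        left = %any
        # Full tunnel: every client route goes through the VPN.
        leftsubnet = 0.0.0.0/0
        leftcert = vpnServerCert.pem
        leftsendcert = always
        rightallowany = yes
        right = %any
        # rightdns = 8.8.4.4,8.8.8.8
        # Client address pool; the NAT rule in the firewall step must match it.
        rightsourceip = 172.16.16.0/24

    conn IPSec-IKEv2
        # leftid must equal the server certificate CN/SAN and the remote ID
        # entered on the clients; rightid is a wildcard over the client
        # certificate's e-mail SAN.
        leftid = 11.22.33.44
        rightid = *@11.22.33.44
        # keyexchange = ikev2
        # leftauth = pubkey
        # rightauth = pubkey
        mobike = yes
        # leftauth = psk
        # leftauth2 = pubkey
        # rightauth = psk
        auto = add

    conn IPSec-IKEv2-EAP
        also = "IPSec-IKEv2"
        # Username/password clients (EAP entries in ipsec.secrets); the server
        # still authenticates with its certificate.
        rightauth = eap-mschapv2
        rightsendcert=never
        eap_identity = %any

    conn IKEv1-Certs
        # keyexchange = ikev1
        leftauth = pubkey
        rightauth = pubkey
        # Certificate plus XAUTH username/password.
        rightauth2 = xauth
        # Pins one client certificate; any cert issued by the CA in
        # /etc/ipsec.d/cacerts would otherwise be accepted.
        rightcert = iPhone5sCert.pem
        auto = add

    conn IKEv1-PSK
        # keyexchange = ikev1
        # Group PSK plus XAUTH username/password (PSK entry in ipsec.secrets).
        leftauth = psk
        rightauth = psk
        rightauth2 = xauth
        auto = add
    _EOF_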


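    # Write /etc/ipsec.secrets. Credentials are taken from the environment
    # (VPN_PSK, VPN_XAUTH_USER / VPN_XAUTH_PASS, VPN_EAP_USER / VPN_EAP_PASS);
    # whatever is not supplied is generated with openssl and printed once so it
    # can be entered on the clients. One shared password for PSK, XAUTH and EAP
    # means a leak of any of them compromises all three, so each gets its own
    # value by default. base64 output never contains a double quote, so the
    # values are safe inside the quoted fields below.
    vpn_psk=${VPN_PSK:-$(openssl rand -base64 24)}
    vpn_xauth_user=${VPN_XAUTH_USER:-j}
    vpn_xauth_pass=${VPN_XAUTH_PASS:-$(openssl rand -base64 18)}
    vpn_eap_user=${VPN_EAP_USER:-jj}
    vpn_eap_pass=${VPN_EAP_PASS:-$(openssl rand -base64 18)}

    # Create the file root-only from the start (umask in a subshell so the rest
    # of the script keeps its default umask).
    (
    umask 077
    cat << _EOF_ > /etc/ipsec.secrets
    # This file holds shared secrets or RSA private keys for authentication.

    # RSA private key for this host, authenticating it to any other host
    # which knows the public part.

    # Debian packaging path; on a source build this file may not exist and the
    # starter only warns about the missing include.
    include /var/lib/strongswan/ipsec.secrets.inc

    : RSA vpnServerKey.pem
    #: RSA serverKey.pem
    : PSK "$vpn_psk"
    $vpn_xauth_user : XAUTH "$vpn_xauth_pass"
    $vpn_eap_user : EAP "$vpn_eap_pass"
    _EOF_
    )
    chmod 600 /etc/ipsec.secrets

    # Shown once; these are the values to configure on the clients.
    printf 'PSK (IKEv1-PSK):       %s\n' "$vpn_psk"
    printf 'XAUTH user / password: %s / %s\n' "$vpn_xauth_user" "$vpn_xauth_pass"
    printf 'EAP user / password:   %s / %s\n' "$vpn_eap_user" "$vpn_eap_pass"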


    # Write /etc/strongswan.conf (charon daemon options). The two "charon"
    # sections in the body are expected to be merged by the settings parser,
    # so the second one just adds keys to the first - NOTE(review): confirm on
    # the installed version. dns1/dns2 are the legacy attr-plugin keys that are
    # pushed to clients in the configuration payload (charon.plugins.attr.dns is
    # the current spelling); they are public resolvers reached through the
    # tunnel. duplicheck is disabled to match uniqueids = no in ipsec.conf.
    # The file is overwritten on every run.
    cat << _EOF_ >/etc/strongswan.conf
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
    load_modular = yes
    plugins {
    include strongswan.d/charon/*.conf
    }
    }

    charon {
    duplicheck.enable = no
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
    }
    include strongswan.d/*.conf
    _EOF_

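    # NAT the VPN client pool out of the host. The rule is limited to the pool
    # (must match rightsourceip in ipsec.conf) so no unrelated traffic is
    # masqueraded, and -C is tried first so rerunning the script does not stack
    # duplicate rules. On OpenVZ, add "-o venet0" to both commands if the plain
    # rule does not work. These rules are not persistent: restore them at boot
    # (rc.local or iptables-persistent) or clients will connect but have no
    # Internet access after a reboot.
    vpn_pool=172.16.16.0/24
    iptables -t nat -C POSTROUTING -s "$vpn_pool" -j MASQUERADE 2>/dev/null \
      || iptables -t nat -A POSTROUTING -s "$vpn_pool" -j MASQUERADE
    # Enable IP forwarding now and on boot; grep first so repeated runs do not
    # append the same line again.
    grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
      || echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1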

    然后搞定证书, cat ikev2ca.zsh:

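    # Create a private CA, the VPN server certificate and one client certificate
    # with strongSwan's pki tool, then install them under /etc/ipsec.d.
    set -eu
    # Every key is created with mode 0600 via umask instead of being chmod'ed
    # afterwards, so it is never world-readable, not even briefly.
    umask 077
    ca_dir=~/sswan/ca
    mkdir -p "$ca_dir"
    cd "$ca_dir"
    # Server address or DNS name. Must equal leftid in ipsec.conf, the server
    # certificate CN/SAN below, and the remote ID entered on the clients.
    server_id=11.22.33.44
    # Client identity (e-mail SAN). Must match rightid = *@11.22.33.44 in
    # ipsec.conf and the local ID entered on the client; the local part is
    # arbitrary.
    client_id=whatever@11.22.33.44

    ### Root CA (10 years). rootKey.pem signs everything: it stays in this
    ### directory, never goes under /etc/ipsec.d, and should ideally be kept
    ### off the VPN host altogether.
    ipsec pki --gen --type rsa --size 4096 \
        --outform pem \
        > rootKey.pem
    ipsec pki --self --ca --lifetime 3650 \
        --in rootKey.pem --type rsa \
        --dn "C=CH, O=justin, CN=justin Root CA" \
        --outform pem \
        > rootCert.pem

    ### VPN server certificate (10 years). The serverAuth EKU is what IKEv2
    ### clients check; ikeIntermediate is kept for older Apple clients
    ### (as in the original post - harmless if not needed).
    ipsec pki --gen --type rsa --size 2048 \
        --outform pem \
        > vpnServerKey.pem
    ipsec pki --pub --in vpnServerKey.pem --type rsa | \
    ipsec pki --issue --lifetime 3650 \
        --cacert rootCert.pem \
        --cakey rootKey.pem \
        --dn "C=CH, O=justin, CN=$server_id" \
        --san "$server_id" \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > vpnServerCert.pem

    #### IKEv2 client certificate
    ipsec pki --gen --type rsa --size 2048 \
        --outform pem \
        > iPhone5sKey.pem
    # The last RDN of this DN was obfuscated in the original post; CN= is used
    # here. The SAN is what the server matches rightid against.
    ipsec pki --pub --in iPhone5sKey.pem --type rsa | \
    ipsec pki --issue --lifetime 3650 \
        --cacert rootCert.pem \
        --cakey rootKey.pem \
        --dn "C=CH, O=justin, CN=$client_id" \
        --san "$client_id" \
        --outform pem > iPhone5sCert.pem

    ### PKCS#12 bundle for the iPhone. openssl prompts for an export password;
    ### it protects the client private key while the file is moved to the phone.
    openssl pkcs12 -export -inkey iPhone5sKey.pem \
        -in iPhone5sCert.pem -name "iPhone5s's VPN Certificate" \
        -certfile rootCert.pem \
        -caname "justin Root CA" \
        -out iPhone5s.p12

    ### Root certificate in DER format, for installing on the iPhone
    openssl x509 -outform der -in rootCert.pem -out rootCertforiPhone.crt

    ## Install on the server. Only the server's own private key belongs in
    ## /etc/ipsec.d/private; the client's private key lives on the client (it
    ## is inside the .p12) and the server only needs the client *certificate*
    ## for rightcert in conn IKEv1-Certs.
    cp vpnServerKey.pem /etc/ipsec.d/private/
    cp iPhone5sCert.pem vpnServerCert.pem /etc/ipsec.d/certs/
    cp rootCert.pem /etc/ipsec.d/cacerts/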


    最后运行:
    ipsec start --nofork
    然后连接客户端 debug,没啥问题的话把 ipsec start 丢到 /etc/rc.local(写 ipsec 的绝对路径,先用 which ipsec 查出来;iptables 的 MASQUERADE 规则重启后会丢,也要在 rc.local 里一并恢复,否则重启后能连上但无法访问网络)

    注意把 11.22.33.44 换成你自己的 IP 或者域名。iPhone 在用 Apple Configurator 配置 IKEv2 的时候,远程 ID 和本地 ID 一定要写对:远程 ID 写 11.22.33.44(必须与服务器证书的 CN/SAN 以及 ipsec.conf 里的 leftid 一致),本地 ID 写 whatever@11.22.33.44(对应客户端证书的 SAN 以及 ipsec.conf 里的 rightid = *@11.22.33.44)。这里 whatever 表示随便写,只要不要自找麻烦写太奇怪的字符。
    第 1 条附言  ·  2014-10-29 06:37:34 +08:00
    把这部分的用户名密码改成你自己的,呵呵我在诅咒GFW去死吧。 j 和 jj 都是用户名,fuckgfw748 是密码。注意:PSK、XAUTH、EAP 三处最好各用一个不同的强随机密码(例如 openssl rand -base64 24 生成),这样其中任何一个泄露都不会连累其他认证方式;ipsec.secrets 也应设为仅 root 可读(chmod 600)。

    : PSK "fuckgfw748"
    j : XAUTH "fuckgfw748"
    jj : EAP "fuckgfw748"
    第 2 条附言  ·  2014-10-29 08:06:51 +08:00
    好吧,gist来了

    19 条回复    2015-01-30 12:09:49 +08:00
    crystone
        1
    crystone  
       2014-10-29 00:27:15 +08:00
    多谢分享,改天试试
    cattyhouse
        2
    cattyhouse  
    OP
       2014-10-29 00:28:07 +08:00
    把这部分的用户名密码改成你自己的,呵呵我在诅咒GFW去死吧。 j 和 jj 都是用户名,fuckgfw748是密码。

    : PSK "fuckgfw748"
    j : XAUTH "fuckgfw748"
    jj : EAP "fuckgfw748"
    kurtrossel
        3
    kurtrossel  
       2014-10-29 01:37:07 +08:00
    多谢分享!!!

    有时间试试
    wangqj
        4
    wangqj  
       2014-10-29 04:56:33 +08:00
    多谢了!
    hewigovens
        5
    hewigovens  
       2014-10-29 07:26:46 +08:00   ❤️ 1
    lz 可以贴到 gist 上, 这样看着没代码高亮..
    cattyhouse
        6
    cattyhouse  
    OP
       2014-10-29 08:08:24 +08:00
    @hewigovens 已经贴了gist
    lovelinghan
        7
    lovelinghan  
       2014-10-29 08:57:57 +08:00 via Android
    Mark
    heyf
        8
    heyf  
       2014-10-29 09:15:12 +08:00 via Android
    赞!
    a3587556
        9
    a3587556  
       2014-10-29 16:43:48 +08:00
    已成功搭建 多谢!
    jhytxy
        10
    jhytxy  
       2014-10-29 21:23:59 +08:00
    checking whether make sets $(MAKE)... no
    checking whether make supports nested variables... no
    checking whether UID '0' is supported by ustar format... yes
    checking whether GID '0' is supported by ustar format... yes
    checking how to create a ustar tar archive... gnutar
    checking whether make supports nested variables... (cached) no
    checking for pkg-config... no
    checking for a sed that does not truncate output... /bin/sed
    checking configured UDP ports (500, 4500)... ok
    checking for gcc... no
    checking for cc... no
    checking for cl.exe... no
    configure: error: in `/root/strongswan-5.2.1':
    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details
    strongswaninstall.zsh:8: no matches found: strongswan-*
    strongswaninstall.zsh:9: command not found: make


    问下这是出错了么。xvmlabs的4ip小鸡
    cattyhouse
        11
    cattyhouse  
    OP
       2014-10-29 21:39:24 +08:00 via iPhone   ❤️ 1
    @jhytxy apt-get build-essential 先
    jhytxy
        12
    jhytxy  
       2014-10-29 22:59:15 +08:00
    E: Invalid operation build-essential

    @cattyhouse 这个4ip是个奇葩vps
    cattyhouse
        13
    cattyhouse  
    OP
       2014-10-29 23:48:45 +08:00
    @jhytxy 不是他们奇葩,是你没有啥linux经验,我意思是装 build-essential, 从你的报告看来,你没有GCC和C Compliler,无法编译的。所以要:
    apt-get install build-essential,虽然我上面写掉了一个install,但你应该知道我的原意吧?
    jhytxy
        14
    jhytxy  
       2014-11-02 15:14:47 +08:00
    @cattyhouse 谢谢,确实不怎么用linux,已经安装好了
    jhytxy
        15
    jhytxy  
       2014-11-02 15:15:40 +08:00
    为什么只有安装好以后试的一次可以用呐

    之后重启用rc.local启动的可以连上但是无法访问网络呢
    cattyhouse
        16
    cattyhouse  
    OP
       2014-11-02 16:55:32 +08:00 via iPhone
    @jhytxy rc.local里面写ipsec完整路径。先用

    which ipsec
    找到绝对路径,然后再放过去。
    rwzsycwan
        17
    rwzsycwan  
       2014-12-05 03:43:17 +08:00
    我这儿搭建的Strongswan没有速度 还不如ocserv
    Caixiaopig
        18
    Caixiaopig  
       2015-01-08 00:21:15 +08:00
    @jhytxy 检查一下你的iptables的设置,是不是重启以后就被默认的冲掉了。
    xzm1006
        19
    xzm1006  
       2015-01-30 12:09:49 +08:00
    感谢楼主~按照教程搭建成功了,但是有问题就是,我安卓浏览器能翻出去,打开PLAY商店APP却连不上?