Segui il link sottostante per sapere come installare e configurare il server VPN strongSwan su Debian 10 Buster.
Configura la VPN IPSEC usando StrongSwan su Debian 10
Dopo aver configurato il server VPN strongSwan, ora puoi procedere con il test dell'assegnazione IP e della connessione locale tramite il server VPN.
In questa demo, utilizziamo Ubuntu 18.04 e CentOS 8 come client VPN strongSwan di prova.
Configura client VPN strongSwan su Ubuntu 18.04/CentOS 8
Installa strongSwan su Ubuntu 18.04
strongSwan e plugin extra possono essere installati su Ubuntu 18.04 eseguendo il comando seguente;
apt update
apt install strongswan libcharon-extra-plugins
Installa strongSwan su CentOS 8
I pacchetti strongSwan sono forniti dai repository EPEL su CentOS 8 e derivati simili. Quindi, inizia installando i repository EPEL;
dnf install epel-release
dnf update
dnf install strongswan strongswan-charon-nm
Installa il certificato CA del server VPN strongSwan sul client
Copia il certificato CA strongSwan generato sopra , /etc/ipsec.d/cacerts/vpn_ca_cert.pem ai server client e;
- posizionalo su
/etc/ipsec.d/cacerts/directory su Ubuntu 18.04 - posizionalo su
/etc/strongswan/ipsec.d/cacertsdirectory su CentOS 8.
Configura il client VPN strongSwan su Ubuntu 18.04/CentOS 8
Su Ubuntu 18.04;
Aggiorna il /etc/ipsec.conf file di configurazione per definire come connettersi al server VPN strongSwan. Vedere il file di configurazione di seguito;
vim /etc/ipsec.conf
conn ipsec-ikev2-vpn-client
auto=start
right=vpnsvr.kifarunix-demo.com
rightid=vpnsvr.kifarunix-demo.com
rightsubnet=0.0.0.0/0
rightauth=pubkey
leftsourceip=%config
leftid=vpnsecure
leftauth=eap-mschapv2
eap_identity=%identity Imposta i segreti di autenticazione
vim /etc/ipsec.secrets
... # user id : EAP secret vpnsecure : EAP "[email protected]" # this file is managed with debconf and will contain the automatically created private key include /var/lib/strongswan/ipsec.secrets.inc
Salva il file di configurazione e riavvia lo strongswan.
systemctl restart strongswan
Disabilita strongSwan dall'esecuzione all'avvio del sistema;
systemctl disable strongswan
Controlla lo stato;
ipsec statusall
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 1 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cc36db97_i cb5ceb5b_o
ipsec-ikev2-vpn-client{1}: 172.16.7.1/32 === 0.0.0.0/0Su CentOS 8;
Aggiorna il /etc/strongswan/ipsec.conf file di configurazione per definire come connettersi al server VPN strongSwan.
vim /etc/strongswan/ipsec.conf
conn ipsec-ikev2-vpn-client
auto=start
right=vpnsvr.kifarunix-demo.com
rightid=vpnsvr.kifarunix-demo.com
rightsubnet=0.0.0.0/0
rightauth=pubkey
leftsourceip=%config
leftid=koromicha
leftauth=eap-mschapv2
eap_identity=%identity
Quindi, apri /etc/strongswan/ipsec.secrets file di configurazione e imposta i dettagli di autenticazione EAP così come sono definiti sul server.
vim /etc/strongswan/ipsec.secrets
# user id : EAP secret koromicha : EAP "mypassword"
Riavvia lo strongswan.
systemctl restart strongswan
Disabilita strongSwan dall'esecuzione all'avvio del sistema;
systemctl disable strongswan
Controlla lo stato della connessione VPN
strongswan statusall
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 2 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c573b6a1_i cd8306eb_o
ipsec-ikev2-vpn-client{1}: 172.16.7.2/32 === 0.0.0.0/0Sul server VPN strongSwan , controlla lo stato;
In questa demo, il nostro server VPN strongSwan è in esecuzione su Debian 10 Buster. Quindi, puoi controllare lo stato come mostrato di seguito;
ipsec status
Security Associations (2 up, 0 connecting):
ipsec-ikev2-vpn[4]: ESTABLISHED 18 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]…192.168.56.1[koromicha]
ipsec-ikev2-vpn{4}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c4e5f1c2_i c8e1a02f_o
ipsec-ikev2-vpn{4}: 0.0.0.0/0 === 172.16.7.2/32
ipsec-ikev2-vpn[3]: ESTABLISHED 21 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]…192.168.56.1[vpnsecure]
ipsec-ikev2-vpn{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7a4ee1d_i c558073b_o
ipsec-ikev2-vpn{3}: 0.0.0.0/0 === 172.16.7.1/32 Test della connessione dei client VPN
Ora che abbiamo due client assegnati ai loro indirizzi individuali;
- Ubuntu 18.04:172.16.7.1
- CentOS 8:172.16.7.2
Per testare la connessione, puoi semplicemente eseguire il test ping.
Da Ubuntu 18.04, eseguire il ping di CentOS 8;
ping 172.16.7.2
PING 172.16.7.2 (172.16.7.2) 56(84) bytes of data.
64 bytes from 172.16.7.2: icmp_seq=1 ttl=64 time=3.18 ms
64 bytes from 172.16.7.2: icmp_seq=2 ttl=64 time=4.15 ms
64 bytes from 172.16.7.2: icmp_seq=3 ttl=64 time=3.47 ms
64 bytes from 172.16.7.2: icmp_seq=4 ttl=64 time=3.61 ms
--- 172.16.7.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 3.176/3.602/4.154/0.360 msDa CentOS 8, esegui il ping di Ubuntu 18.04.
ping 172.16.7.1
PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=1 ttl=64 time=3.24 ms
64 bytes from 172.16.7.1: icmp_seq=2 ttl=64 time=4.37 ms
64 bytes from 172.16.7.1: icmp_seq=3 ttl=64 time=4.08 ms
64 bytes from 172.16.7.1: icmp_seq=4 ttl=64 time=3.43 ms
--- 172.16.7.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 3.237/3.780/4.371/0.462 msProva a eseguire l'SSH su entrambi i lati;
ssh [email protected]
The authenticity of host '172.16.7.2 (172.16.7.2)' can't be established.
ECDSA key fingerprint is SHA256:wKoh/MWvCicV6cEe6jY19AkcBgk1lyjZorQt3aqflJM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
[[email protected] ~]$ssh [email protected]
The authenticity of host '172.16.7.1 (172.16.7.1)' can't be established.
ECDSA key fingerprint is SHA256:v20whQz4a4zpTJQfny/CGG56fRnP3Dpx8g5CkeCtFpo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.1' (ECDSA) to the list of known hosts.
[email protected]'s password:
Linux debian 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 26 00:54:04 2020 from 172.16.7.2
[email protected]:~$Questo segna la fine della nostra guida su come configurare il client VPN strongSwan su Ubuntu 18.04/CentOS 8.
Esercitazioni correlate
Connettiti a Cisco VPN utilizzando il file PCF su Ubuntu
Configura IPSEC VPN utilizzando StrongSwan su Ubuntu 18.04
Installa e configura OpenVPN Server su Fedora 29/CentOS 7
Installa Cisco AnyConnect Client su CentOS 8