Set up IPSec VPN in CentOS 6.3

Source: Internet
Author: User
Tags gmp pkcs12 vps freeradius ikev2

1. Install the required libraries

CentOS:

yum update
yum install pam-devel openssl-devel make gcc

2. Download strongSwan and extract it (the * in the cd command is a shell glob that matches the current strongSwan version number in the extracted directory name):

wget http://download.strongswan.org/strongswan.tar.gz
tar xzf strongswan.tar.gz
cd strongswan-*

3. Configure the strongSwan build:
For Xen and KVM, use the following parameters:

./configure --enable-eap-identity --enable-eap-md5 \
  --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
  --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp

OpenVZ additionally requires --enable-kernel-libipsec (OpenVZ containers have no kernel IPsec stack, so strongSwan's userland IPsec backend is used):

./configure --enable-eap-identity --enable-eap-md5 \
  --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
  --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec

4. Compile and install:

make && make install

If compilation reports no errors and the ipsec version command prints version information, the installation succeeded.

Configure Certificates
1. Generate the private key for the CA certificate:

ipsec pki --gen --outform pem > ca.pem

2. Self-sign the CA certificate with that private key:

ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=vpn ca" --ca --outform pem > ca.cert.pem

Tip: using the same CA root certificate for several VPS instances:
If several VPS instances should share one CA root certificate, perform the two steps above only once and then use the ca.pem and ca.cert.pem files generated here on every VPS for the remaining steps.
Give each VPS its own subdomain under the same domain name.
That way the client only has to install the root certificate ca.cert.pem once to connect to any of the servers.

3. Generate the private key for the server certificate:

ipsec pki --gen --outform pem > server.pem

4. Issue the server certificate with the CA certificate:

First confirm your server's IP address or domain name: clients can later connect only using the address that appears in the certificate (if several servers share one root CA, set up each server's DNS name first).
Then replace 123.123.123.123 in the following command with your server's IP address or domain name; it appears twice:

ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
  --cakey ca.pem --dn "C=com, O=myvpn, CN=123.123.123.123" \
  --san="123.123.123.123" --flag serverAuth --flag ikeIntermediate \
  --outform pem > server.cert.pem

Note that the "C=" and "O=" values in this command must match the C and O values of the CA certificate from step 2.

5. Generate the private key for the client certificate:

ipsec pki --gen --outform pem > client.pem

6. Sign the client certificate with the CA (the C and O values must match those of the CA certificate above; the CN can be any value):

ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
  --dn "C=com, O=myvpn, CN=VPN Client" --outform pem > client.cert.pem

7. Generate the PKCS#12 bundle for the client:

openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" \
  -certfile ca.cert.pem -caname "vpn ca" -out client.cert.p12

Note that the quoted value after -caname in this command must match the "CN=" value of the CA certificate from step 2.

8. Install the certificate:

cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp server.cert.pem /usr/local/etc/ipsec.d/certs/
cp server.pem /usr/local/etc/ipsec.d/private/
cp client.cert.pem /usr/local/etc/ipsec.d/certs/
cp client.pem /usr/local/etc/ipsec.d/private/

Configure Strongswan
1. Edit the /usr/local/etc/ipsec.conf file:

vim /usr/local/etc/ipsec.conf

Replace its contents with the ipsec.conf configuration for this setup.

A ready-made ipsec.conf file can also be downloaded and uploaded to the VPS over SFTP:

ipsec.conf: Baidu Disk

2. Use vim to edit the /usr/local/etc/strongswan.conf file:

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf

3. Use vim to edit the /usr/local/etc/ipsec.secrets file:

: RSA server.pem
: PSK "myPSKkey"
: XAUTH "myXAUTHPass"
[user name] %any : EAP "[Password]"

Change myPSKkey above to the key you want for the PSK authentication method.
Change myXAUTHPass above to the password you want for the XAUTH authentication method; the user name for this method can be anything.
Change [user name] to the login name you want and [Password] to the password you want (without the [] brackets). Add one line per user to create several users; these are the credentials for IKEv2 user name and password authentication.

Tip: user name problems when connecting from a Windows Phone 8.1 client
When Windows Phone 8.1 connects to an IKEv2 VPN it prepends a domain equal to the phone's name to the user name by default, so the connection fails with a user name or password error. There are two solutions:
Method 1: Change the last line of the /usr/local/etc/ipsec.secrets file above to %any : EAP "[Password]", so that any user name can log in without error. With this line the EAP password becomes one shared secret for all clients, so individual users can no longer be distinguished or revoked.
Method 2: Use FreeRADIUS to strip the domain from the login name; see the reference link "Use FreeRADIUS to strip the Windows domain from the login user name".

1. Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward = 1 (remove the # in front of it); otherwise IKEv2 VPN clients cannot reach the Internet. Save the file and run sysctl -p. If it reports errors, reopen sysctl.conf, comment out the offending entries with #, save, and repeat until sysctl -p runs without errors.
If you also want to tune TCP connections and throughput, see the TCP section of my article "vps quick building shadowsocks and optimization summary for each platform" (be careful not to overwrite the ip_forward setting the VPN needs).

2. Configure iptables:
On OpenVZ run:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i venet0 -p esp -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE

On Xen and KVM run:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE

3. Load the iptables rules automatically at startup:
Ubuntu:

iptables-save > /etc/iptables.rules
cat > /etc/network/if-up.d/iptables <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables

CentOS:

service iptables save
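As an added example (not from the original article), the following check script covers the two things in steps 1 and 2 above whose absence leaves connected IKEv2 clients without Internet access: IP forwarding and the INPUT, FORWARD and MASQUERADE rules. It reads iptables-save style text, so it works on saved output as well as on the live host; the sample rules at the bottom are constructed, with one NAT rule deliberately missing.

```shell
#!/bin/sh
# Added example, not from the original article: reports which of the gateway pieces
# from the sysctl and iptables steps are missing, given the interface, the client pools,
# the net.ipv4.ip_forward value and iptables-save style rule text.
missing=""
# need PATTERN LABEL TEXT: remember LABEL if no line of TEXT matches PATTERN (extended regex)
need() { printf '%s\n' "$3" | grep -Eq -- "$1" || missing="$missing $2"; }

# check_gateway IFACE "POOL ..." IP_FORWARD_VALUE RULES  -> prints "ok" or "missing: ..."
check_gateway() {
  iface=$1; pools=$2; fwd=$3; rules=$4
  missing=""
  [ "$fwd" = 1 ] || missing="$missing ip_forward"
  need "^-A INPUT -i $iface -p esp -j ACCEPT" esp "$rules"
  # iptables-save inserts "-m udp" after "-p udp", so allow it optionally
  need "^-A INPUT -i $iface -p udp( -m udp)? --dport 500 -j ACCEPT" ike-udp500 "$rules"
  need "^-A INPUT -i $iface -p udp( -m udp)? --dport 4500 -j ACCEPT" natt-udp4500 "$rules"
  for p in $pools; do
    need "^-A FORWARD -s $p -j ACCEPT" "forward:$p" "$rules"
    need "^-A POSTROUTING -s $p -o $iface -j MASQUERADE" "masq:$p" "$rules"
  done
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Constructed sample: the Xen/KVM rules as iptables-save prints them, but with the
# NAT rule for 10.31.2.0/24 left out and ip_forward still 0.
SAMPLE_RULES='-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.31.0.0/24 -j ACCEPT
-A FORWARD -s 10.31.2.0/24 -j ACCEPT
-A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE'

check_gateway eth0 "10.31.0.0/24 10.31.2.0/24" 0 "$SAMPLE_RULES"
# -> missing: ip_forward masq:10.31.2.0/24
# On the live host (as root):
#   check_gateway eth0 "10.31.0.0/24" "$(sysctl -n net.ipv4.ip_forward)" "$(iptables-save)"
```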

The IPsec/IKEv2 VPN is now set up. Start the service:

ipsec start

Reference links:
Use strongSwan to build an IPsec/IKEv2 VPN

Use strongSwan to build an IPsec VPN server that supports IKEv1/IKEv2

Use FreeRADIUS to strip the Windows domain from the login user name

Use strongSwan to set up an IPsec VPN
