概要 †
VPNサーバー(IKEv2)としてStrongSwanをインストールします。
手順(インストール) †
- インストール
- Debianの場合
# Debian: the strongSwan daemon plus the extra charon plugins package.
# The EAP plugins used further down this page (eap-mschapv2, eap-tls) should
# come from libcharon-extra-plugins on Debian — verify with `dpkg -L` if a
# method is reported as unavailable at startup.
# Two separate apt-get transactions, exactly as on the page.
for pkg in strongswan libcharon-extra-plugins; do
  apt-get install "$pkg"
done
- Ubuntuの場合
# Ubuntu: strongSwan plus the individually packaged plugins (on Ubuntu the
# plugins are split into strongswan-plugin-* packages rather than Debian's
# single libcharon-extra-plugins).
# NOTE(review): this list is far broader than the rest of the page needs —
# only eap-mschapv2 and eap-tls appear in the ipsec.conf sections below, and
# packages such as load-tester or xauth-noauth look unnecessary on a VPN
# server. Consider trimming it once the setup works.
pkgs=(
  strongswan
  strongswan-plugin-af-alg
  strongswan-plugin-agent
  strongswan-plugin-certexpire
  strongswan-plugin-coupling
  strongswan-plugin-curl
  strongswan-plugin-dhcp
  strongswan-plugin-duplicheck
  strongswan-plugin-eap-aka
  strongswan-plugin-eap-aka-3gpp2
  strongswan-plugin-eap-dynamic
  strongswan-plugin-eap-gtc
  strongswan-plugin-eap-mschapv2
  strongswan-plugin-eap-peap
  strongswan-plugin-eap-radius
  strongswan-plugin-eap-tls
  strongswan-plugin-eap-ttls
  strongswan-plugin-error-notify
  strongswan-plugin-farp
  strongswan-plugin-fips-prf
  strongswan-plugin-gcrypt
  strongswan-plugin-gmp
  strongswan-plugin-ipseckey
  strongswan-plugin-kernel-libipsec
  strongswan-plugin-ldap
  strongswan-plugin-led
  strongswan-plugin-load-tester
  strongswan-plugin-lookip
  strongswan-plugin-ntru
  strongswan-plugin-pgp
  strongswan-plugin-pkcs11
  strongswan-plugin-pubkey
  strongswan-plugin-radattr
  strongswan-plugin-sshkey
  strongswan-plugin-systime-fix
  strongswan-plugin-whitelist
  strongswan-plugin-xauth-eap
  strongswan-plugin-xauth-generic
  strongswan-plugin-xauth-noauth
  strongswan-plugin-xauth-pam
)
apt-get install "${pkgs[@]}"
- sysctl設定
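# Kernel settings for forwarding VPN client traffic (IPv4 only, as on the
# page). Each setting is appended to /etc/sysctl.conf only when that exact
# line is not already present, so re-running the snippet no longer leaves
# duplicate entries; `sysctl -p` then applies the file.
sysctl_conf=/etc/sysctl.conf

# add_sysctl KEY VALUE — append "KEY = VALUE" to $sysctl_conf unless the
# identical line already exists (grep -x: whole line, -F: literal match).
add_sysctl() {
  local line="$1 = $2"
  grep -qxF -- "$line" "$sysctl_conf" \
    || printf '%s\n' "$line" >> "$sysctl_conf"
}

# Forward between the client pool and the LAN.
add_sysctl net.ipv4.ip_forward 1
# Neither honour nor emit ICMP redirects; clients must keep routing via the VPN.
add_sysctl net.ipv4.conf.all.accept_redirects 0
add_sysctl net.ipv4.conf.all.send_redirects 0
# rp_filter=0 is commonly needed for policy-based IPsec, where decrypted
# client packets appear on the WAN interface — confirm for this host.
# NOTE(review): the conf.default.* keys only affect interfaces created after
# this point; if clients cannot pass traffic, check conf.all.rp_filter and the
# per-interface conf.<if>.rp_filter values too.
add_sysctl net.ipv4.conf.default.rp_filter 0
add_sysctl net.ipv4.conf.default.accept_source_route 0
add_sysctl net.ipv4.conf.default.send_redirects 0
add_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
sysctl -p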
- iptables設定
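# Firewall rules for the IKEv2 listener and source NAT for VPN clients.
# The interface and the client pool were hard-coded on the page; the pool
# matches rightsourceip in the ipsec.conf sections below.
# These rules are not persistent by themselves — save them with the host's
# usual mechanism if they must survive a reboot.
wan_if=eth0
vpn_pool=10.6.0.0/24

# IKE (UDP/500) and IKE/ESP-in-UDP NAT traversal (UDP/4500).
# Clients that are not behind NAT send plain ESP (IP protocol 50); if the
# INPUT policy is DROP, an extra `-p esp -j ACCEPT` rule is needed for them.
iptables -A INPUT -p udp --dport 500 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -m state --state NEW -j ACCEPT
# Masquerade only the VPN client pool rather than everything leaving the
# interface, so unrelated forwarded traffic is not silently NATed.
# The FORWARD rules for the pool are added by leftfirewall=yes in ipsec.conf.
iptables -t nat -A POSTROUTING -s "$vpn_pool" -o "$wan_if" -j MASQUERADE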
- ルーターなどのNAT設定
UDP 500 (IKEv2) と UDP 4500 (IPsec NAT traversal) をサーバーまで通せば完了です。
証明書作成 †
OpenSSLで作成したほうが良いですが、簡単のためipsecコマンドで作成します。
例としてPrivateCAの証明書(ECDSA), サーバー証明書(ECDSA), クライアント証明書(ECDSA1通, RSA1通)を作成します。
- PrivateCAの証明書(ECDSA)とサーバー証明書(ECDSA)
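# Create a private CA (ECDSA P-256) and the VPN server certificate under
# /etc/ipsec.d with `ipsec pki`. Private keys are generated under umask 077
# so they are never world-readable, not even before the chmod.
# The CA key stays on the VPN server here; the page itself notes that an
# OpenSSL-based (and ideally offline) CA would be the better choice.
ca_cn=2310CA
ca_o=2310
ca_file=ca
srv_cn=strongswan2310.cloudapp.net
srv_ip=13.78.119.238
srv_file=server
# Abort if the directory is missing; otherwise keys would land in the cwd.
cd /etc/ipsec.d || exit 1

# CA key (DER, which is what the rest of the page expects for the CA).
(umask 077; ipsec pki --gen --type ecdsa --size 256 > "private/${ca_file}.key")
chmod 600 private/*
# Self-signed CA certificate, valid for 10 years.
ipsec pki \
  --self \
  --ca \
  --lifetime 3650 \
  --in "private/${ca_file}.key" \
  --type ecdsa --dn "C=JP, O=${ca_o}, CN=${ca_cn}" > "cacerts/${ca_file}.crt"
# PEM copy of the CA certificate for clients that cannot import DER.
openssl x509 \
  -inform DER \
  -in "cacerts/${ca_file}.crt" \
  -out "cacerts/${ca_file}_pem.crt" \
  -outform PEM

# Server key, then a certificate issued by the CA (2 years, SHA-256).
(umask 077; ipsec pki --gen --type ecdsa --size 256 > "private/${srv_file}.key")
chmod 600 private/*
# SANs: the DNS name must match leftid in ipsec.conf; the IP is added both as
# a plain SAN and as an IP SAN (@ prefix). serverAuth and ikeIntermediate are
# the extended-key-usage flags Apple's IKEv2 clients expect — keep them.
ipsec pki \
  --pub \
  --in "private/${srv_file}.key" \
  --type ecdsa \
  | ipsec pki \
  --issue \
  --lifetime 730 \
  --digest sha256 \
  --cacert "cacerts/${ca_file}.crt" \
  --cakey "private/${ca_file}.key" \
  --dn "C=JP, O=${ca_o}, CN=${srv_cn}" \
  --san "${srv_cn}" \
  --san "${srv_ip}" \
  --san "@${srv_ip}" \
  --flag serverAuth \
  --flag ikeIntermediate > "certs/${srv_file}.crt"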
- クライアント証明書(ECDSA)
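# Issue an ECDSA client certificate for user "bob" from the private CA and
# bundle key + certificate + CA into a PKCS#12 file for import on the client.
# Files holding the private key are created under umask 077.
ca_cn=2310CA
ca_o=2310
ca_file=ca
srv_cn=strongswan2310.cloudapp.net
srv_ip=13.78.119.238
cl_cn=bob
# Abort if the directory is missing; otherwise keys would land in the cwd.
cd /etc/ipsec.d || exit 1

# Client key (PEM).
(umask 077; ipsec pki --gen --type ecdsa --size 256 --outform pem > "private/${cl_cn}_pem.key")
chmod 600 private/*
# Client certificate (2 years, SHA-256); the identity is user@server in both
# the CN and the SANs so it can be matched against the server's leftid.
ipsec pki \
  --pub \
  --in "private/${cl_cn}_pem.key" \
  --type ecdsa \
  | ipsec pki \
  --issue \
  --lifetime 730 \
  --digest sha256 \
  --outform pem \
  --cacert "cacerts/${ca_file}.crt" \
  --cakey "private/${ca_file}.key" \
  --dn "C=JP, O=${ca_o}, CN=${cl_cn}@${srv_cn}" \
  --san "${cl_cn}@${srv_cn}" \
  --san "${cl_cn}@${srv_ip}" > "certs/${cl_cn}_pem.crt"

# PKCS#12 bundle; openssl prompts for the export password on the terminal.
# -certfile adds the PEM CA certificate created in the CA step, so the client
# imports the CA together with its own key pair and -caname actually labels
# something. The .p12 contains the private key, hence umask 077 here too.
mkdir -p p12
(umask 077; openssl pkcs12 \
  -export \
  -inkey "private/${cl_cn}_pem.key" \
  -in "certs/${cl_cn}_pem.crt" \
  -certfile "cacerts/${ca_file}_pem.crt" \
  -name "${cl_cn}" \
  -caname "${ca_cn}" \
  -out "p12/${cl_cn}.p12")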
- クライアント証明書(RSA)
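# Issue an RSA client certificate for user "alice" from the private CA and
# bundle key + certificate + CA into a PKCS#12 file for import on the client.
# Files holding the private key are created under umask 077.
ca_cn=2310CA
ca_o=2310
ca_file=ca
srv_cn=strongswan2310.cloudapp.net
srv_ip=13.78.119.238
cl_cn=alice
rsa_size=2048                         # RSA modulus size in bits
# Abort if the directory is missing; otherwise keys would land in the cwd.
cd /etc/ipsec.d || exit 1

# Client key (PEM).
(umask 077; ipsec pki --gen --type rsa --size "${rsa_size}" --outform pem > "private/${cl_cn}_pem.key")
chmod 600 private/*
# Client certificate (2 years, SHA-256); the identity is user@server in both
# the CN and the SANs so it can be matched against the server's leftid.
ipsec pki \
  --pub \
  --in "private/${cl_cn}_pem.key" \
  --type rsa \
  | ipsec pki \
  --issue \
  --lifetime 730 \
  --digest sha256 \
  --outform pem \
  --cacert "cacerts/${ca_file}.crt" \
  --cakey "private/${ca_file}.key" \
  --dn "C=JP, O=${ca_o}, CN=${cl_cn}@${srv_cn}" \
  --san "${cl_cn}@${srv_cn}" \
  --san "${cl_cn}@${srv_ip}" > "certs/${cl_cn}_pem.crt"

# PKCS#12 bundle; openssl prompts for the export password on the terminal.
# -certfile adds the PEM CA certificate created in the CA step, so the client
# imports the CA together with its own key pair and -caname actually labels
# something. The .p12 contains the private key, hence umask 077 here too.
mkdir -p p12
(umask 077; openssl pkcs12 \
  -export \
  -inkey "private/${cl_cn}_pem.key" \
  -in "certs/${cl_cn}_pem.crt" \
  -certfile "cacerts/${ca_file}_pem.crt" \
  -name "${cl_cn}" \
  -caname "${ca_cn}" \
  -out "p12/${cl_cn}.p12")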
EAP-MSCHAPv2認証 †
Windows, OSX, iOS, Androidで接続可能な設定です。
- /etc/ipsec.conf
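config setup
    # Level-2 logging on every charon subsystem: useful while bringing the
    # server up, but verbose and it records client identities and connection
    # details — lower it once the setup works.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

# Parameter lines must be indented; the page had lost the indentation, which
# strongSwan would reject as a new section on every line.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    # modp1024 (DH group 2) is a weak group; it appears to be kept first for
    # clients that default to it. Drop it as soon as every client can use the
    # modp2048 proposal that follows.
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048
    esp=aes256-sha256-modp1024,aes256-sha256-modp2048
    # Dead-peer detection every 300s; on timeout the SA is simply cleared.
    dpdaction=clear
    dpddelay=300s
    eap_identity=%any
    fragmentation=yes
    left=%defaultroute
    # Must match a SAN of server.crt (the certificate is issued with --san for this name).
    leftid=strongswan2310.cloudapp.net
    leftauth=pubkey
    leftsendcert=always
    # Only this subnet is tunnelled (split tunnel); use 0.0.0.0/0 to tunnel everything.
    leftsubnet=10.0.0.0/24
    leftcert=server.crt
    # Have the updown script insert the FORWARD rules for the client pool.
    leftfirewall=yes
    right=%any
    # Clients authenticate with username/password from /etc/ipsec.secrets.
    rightauth=eap-mschapv2
    # Resolver pushed to clients; use an internal one if LAN names must resolve.
    rightdns=8.8.8.8

conn mobile
    rightid=%any
    # Address pool handed to clients; the NAT rule in the iptables step covers it.
    rightsourceip=10.6.0.0/24
    auto=add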
- /etc/ipsec.secrets
# /etc/ipsec.secrets — keep it readable by root only: the EAP password below is stored in clear text.
# Server private key (ECDSA), looked up in /etc/ipsec.d/private/.
: ECDSA server.key
# EAP-MSCHAPv2 user "bar" with password "foo" — placeholders from the page; use a real account name and a strong password.
bar : EAP "foo"
- 再起動
EAP-TLS認証 †
Windows, OSX, iOS, Androidで接続可能な設定です。
- /etc/ipsec.conf
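config setup
    # Level-2 logging on every charon subsystem: useful while bringing the
    # server up, but verbose and it records client identities and connection
    # details — lower it once the setup works.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

# Parameter lines must be indented; the page had lost the indentation, which
# strongSwan would reject as a new section on every line.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    # modp1024 (DH group 2) is a weak group; it appears to be kept first for
    # clients that default to it. Drop it as soon as every client can use the
    # modp2048 proposal that follows.
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048
    esp=aes256-sha256-modp1024,aes256-sha256-modp2048
    # Dead-peer detection every 300s; on timeout the SA is simply cleared.
    dpdaction=clear
    dpddelay=300s
    eap_identity=%any
    fragmentation=yes
    left=%defaultroute
    # Must match a SAN of server.crt (the certificate is issued with --san for this name).
    leftid=strongswan2310.cloudapp.net
    leftauth=pubkey
    leftsendcert=always
    # Only this subnet is tunnelled (split tunnel); use 0.0.0.0/0 to tunnel everything.
    leftsubnet=10.0.0.0/24
    leftcert=server.crt
    # Have the updown script insert the FORWARD rules for the client pool.
    leftfirewall=yes
    right=%any
    # Clients authenticate with the client certificates issued by the private
    # CA above; revoked clients are rejected via the CRL section further down.
    rightauth=eap-tls
    # Resolver pushed to clients; use an internal one if LAN names must resolve.
    rightdns=8.8.8.8

conn mobile
    rightid=%any
    # Address pool handed to clients; the NAT rule in the iptables step covers it.
    rightsourceip=10.6.0.0/24
    auto=add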
- /etc/ipsec.secrets
- 設定再読み込み
クライアント証明書の失効 †
- 初回(空のCRL作成)
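# Create the initial (empty) CRL signed by the private CA, so charon has a
# CRL to consult before any client is revoked. The CRL is written to a
# temporary file first and only moved into place when signing succeeded, so
# a failed run cannot leave a truncated CRL behind.
# The page uses the .crt extension for the (DER) CRL; kept as is.
ca_file=ca
crl_file=crl
# Abort if the directory is missing; otherwise files would land in the cwd.
cd /etc/ipsec.d/ || exit 1
crl="crls/${crl_file}.crt"
tmp=$(mktemp "crls/${crl_file}.XXXXXX") || exit 1
# --reason only applies to --cert/--serial entries that follow it; there are
# none here yet, so it has no effect on the empty CRL (kept as on the page).
if ipsec pki \
  --signcrl \
  --reason key-compromise \
  --cacert "cacerts/${ca_file}.crt" \
  --cakey "private/${ca_file}.key" \
  --outform der > "$tmp"; then
  mv -f -- "$tmp" "$crl"
else
  rm -f -- "$tmp"
  exit 1
fi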
- 追加
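# Revoke one client certificate by re-signing the CRL with that certificate
# added. The page's original listed --cakey twice and never used reject_file,
# so it re-signed the old CRL unchanged and revoked nothing; the --cert entry
# below is what actually adds the certificate to the CRL.
# The new CRL is written to a temporary file and moved into place only on
# success, so the existing CRL is never truncated by a failed run (this also
# removes the need for the .tmp copy the page made).
ca_file=ca
crl_file=crl
reject_file=bob          # CN of the client to revoke; its cert is certs/<CN>_pem.crt
# Abort if the directory is missing; otherwise files would land in the cwd.
cd /etc/ipsec.d/ || exit 1
crl="crls/${crl_file}.crt"
tmp=$(mktemp "crls/${crl_file}.XXXXXX") || exit 1
# --reason applies to the --cert entries that follow it; --lastcrl carries
# over the entries already present in the current CRL.
if ipsec pki \
  --signcrl \
  --reason key-compromise \
  --cert "certs/${reject_file}_pem.crt" \
  --cacert "cacerts/${ca_file}.crt" \
  --cakey "private/${ca_file}.key" \
  --lastcrl "$crl" \
  --outform der > "$tmp"; then
  mv -f -- "$tmp" "$crl"
else
  rm -f -- "$tmp"
  exit 1
fi
# Run `ipsec rereadcrls` afterwards so the running charon picks up the new CRL.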
検証時の環境 †
- サーバー
- Debian jessie x64
- Ubuntu 16.04.1 LTS x64
- Raspbian jessie
- 接続クライアント
- Windows Server 2012 R2 x64
- Windows 10 Pro x64
- OS X El Capitan x64
- iOS 9.3.4
- Android 4.2.2
参考 †