How to Set Up an IPsec-based VPN with StrongSwan on Debian and Ubuntu


StrongSwan is an open-source, cross-platform, full-featured and widely used IPsec-based VPN (Virtual Private Network) implementation that runs on Linux, FreeBSD, OS X, Windows, Android, and iOS. It is primarily a keying daemon that supports the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SAs) between two peers.

This article describes how to set up site-to-site IPsec VPN gateways using strongSwan on Ubuntu and Debian servers. By site-to-site we mean that each security gateway has a subnet behind it. In addition, the peers will authenticate each other using a pre-shared key (PSK).

Remember to replace the following IPs with your real-world IPs when configuring your environment.

Site 1 Gateway (tecmint-devgateway)

OS 1: Debian or Ubuntu
Public IP: 10.20.20.1
Private IP: 192.168.0.101/24
Private Subnet: 192.168.0.0/24

Site 2 Gateway (tecmint-prodgateway)

OS 2: Debian or Ubuntu
Public IP:  10.20.20.3
Private IP: 10.0.2.15/24
Private Subnet: 10.0.2.0/24

Step 1: Enabling Kernel Packet Forwarding

1. First, you need to configure the kernel to enable packet forwarding by adding the appropriate system variables to the /etc/sysctl.conf configuration file on both security gateways.

$ sudo vim /etc/sysctl.conf

Look for the following lines, uncomment them and set their values as shown (read the comments in the file for more information).

net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0 

2. Next, load the new settings by running the following command.

$ sudo sysctl -p

3. If you have the UFW firewall service enabled, you need to add the following rules to the /etc/ufw/before.rules configuration file, just before the filter rules, on both security gateways.

Site 1 Gateway (tecmint-devgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24  -d 192.168.0.0/24 -j MASQUERADE
COMMIT

Site 2 Gateway (tecmint-prodgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING  -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE
COMMIT

4. Once the firewall rules have been added, apply the new changes by restarting UFW as shown.

$ sudo ufw disable 
$ sudo ufw enable

Step 2: Installing StrongSwan in Debian and Ubuntu

5. Update your package cache on both security gateways and install the strongswan package using the APT package manager.

$ sudo apt update
$ sudo apt install strongswan 

6. Once the installation is complete, the package's installer script will start the strongswan service and enable it to start automatically at system boot. You can check its status and whether it is enabled using the following commands.

$ sudo systemctl status strongswan.service
$ sudo systemctl is-enabled strongswan.service

Step 3: Configuring the Security Gateways

7. Next, you need to configure the security gateways using the /etc/ipsec.conf configuration file.

Site 1 Gateway (tecmint-devgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf 

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Site 2 Gateway (tecmint-prodgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24 
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Here is the meaning of each configuration parameter:

  • config setup - specifies general configuration information for IPsec that applies to all connections.
  • charondebug - specifies how much debugging output the charon daemon should log.
  • uniqueids - specifies whether a particular participant ID should be kept unique.
  • conn prodgateway-to-devgateway - specifies the connection name.
  • type - specifies the connection type.
  • auto - how to handle the connection when IPsec is started or restarted.
  • keyexchange - specifies the version of the IKE protocol to use.
  • authby - specifies how the peers should authenticate each other.
  • left - specifies the IP address of the left participant's public-network interface.
  • leftsubnet - specifies the private subnet behind the left participant.
  • right - specifies the IP address of the right participant's public-network interface.
  • rightsubnet - specifies the private subnet behind the right participant.
  • ike - specifies a list of IKE/ISAKMP SA encryption/authentication algorithms to be used. You can add a comma-separated list.
  • esp - specifies a list of ESP encryption/authentication algorithms to be used for the connection. You can add a comma-separated list.
  • aggressive - specifies whether to use Aggressive or Main Mode.
  • keyingtries - specifies the number of attempts that should be made to negotiate a connection.
  • ikelifetime - specifies how long the keying channel of a connection should last before being renegotiated.
  • lifetime - specifies how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay - specifies the time interval at which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout - specifies the timeout interval after which all connections to a peer are deleted in case of inactivity.
  • dpdaction - specifies how to use the Dead Peer Detection (DPD) protocol to manage the connection.

For more information about the above configuration parameters, read the ipsec.conf man page by running the following command.

$ man ipsec.conf

Step 4: Configuring the PSK for Peer-to-Peer Authentication

8. After configuring both security gateways, generate a secure PSK to be used by the peers with the following command.

$ head -c 24 /dev/urandom | base64

9. Next, add the PSK to the /etc/ipsec.secrets file on both gateways.

$ sudo vim /etc/ipsec.secrets

Copy and paste the following line.

------- Site 1 Gateway (tecmint-devgateway) ------- 

10.20.20.1 10.20.20.3 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="

------- Site 2 Gateway (tecmint-prodgateway) -------

10.20.20.3  10.20.20.1 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="
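As an added consistency check, not part of the original article: this Python script parses the two conn sections from Step 3 and the two ipsec.secrets lines from Step 4 (embedded here as constructed excerpts, with the article's sample PSK) and reports anything that would stop the two gateways from agreeing: left/right and subnet settings that are not mirror images, differing proposals, a PSK or ID pair that does not match, and subnet notations written as a host address with a prefix. It also flags the 1024-bit DH group in the ike proposal, which is below current guidance.

```python
import ipaddress
import re
# Constructed excerpts of the Step 3 conn sections and the Step 4 ipsec.secrets lines (sample PSK).
DEV_CONF = """conn devgateway-to-prodgateway
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!"""
PROD_CONF = """conn prodgateway-to-devgateway
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24
        ike=aes256-sha1-modp1024!"""
DEV_SECRET = '10.20.20.1 10.20.20.3 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="'
PROD_SECRET = '10.20.20.3  10.20.20.1 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="'

def parse_conn(text):
    """Return {setting: value} from the indented key=value lines of a conn section."""
    return dict(re.findall(r"^\s+(\w+)=(\S+)", text, re.MULTILINE))

def parse_secret(line):
    """Return (local_id, remote_id, psk) from an 'id id : PSK "..."' line."""
    return re.match(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]+)"', line).groups()

def check_site_to_site(a, b, sec_a, sec_b):
    """Return a list of findings; an empty list means the two gateways agree."""
    findings = []
    # Each gateway's left/leftsubnet must be the other gateway's right/rightsubnet.
    for mine, theirs in (("left", "right"), ("right", "left"),
                         ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if a.get(mine) != b.get(theirs):
            findings.append(f"A {mine}={a.get(mine)} is not mirrored by B {theirs}={b.get(theirs)}")
    # IKE version and the strict (!) proposals must match or negotiation fails.
    for key in ("keyexchange", "ike", "esp"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: A={a.get(key)} B={b.get(key)}")
    # A host address with a prefix (192.168.0.101/24) selects the whole /24; report it.
    for cidr in sorted({a["leftsubnet"], a["rightsubnet"], b["leftsubnet"], b["rightsubnet"]}):
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            findings.append(f"subnet {cidr} has host bits set; it selects {net}")
    if "modp1024" in a.get("ike", ""):  # 1024-bit DH is below current guidance
        findings.append("ike proposal uses modp1024; prefer modp2048 or stronger")
    if sec_a[2] != sec_b[2]:  # both secrets files must hold the same PSK
        findings.append("PSK differs between the two ipsec.secrets files")
    if sec_a[:2] != (a["left"], a["right"]) or sec_b[:2] != (b["left"], b["right"]):
        findings.append("ipsec.secrets IDs do not match the gateways' public IPs")
    return findings
```

Run `check_site_to_site(parse_conn(DEV_CONF), parse_conn(PROD_CONF), parse_secret(DEV_SECRET), parse_secret(PROD_SECRET))` to review the article's pair; against your own gateways, paste the real conn sections and secrets lines in place of the constructed excerpts.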

10. Restart the IPsec program and check its status to view the connections.

$ sudo ipsec restart
$ sudo ipsec status

11. Finally, verify that you can reach the private networks from either security gateway by running a ping command.

$ ping 192.168.0.101
$ ping 10.0.2.15

12. In addition, you can stop and start IPsec as shown.

$ sudo ipsec stop
$ sudo ipsec start

13. To learn more about the IPsec commands for manually bringing connections up and down, and more, see the IPsec help page.

$ ipsec --help

That's all! In this article, we have described how to set up a site-to-site IPsec VPN using strongSwan on Ubuntu and Debian servers, where both security gateways were configured to authenticate each other using a PSK. If you have any questions or thoughts to share, reach us via the feedback form below.