How to Set Up an IPsec-based VPN with Strongswan on CentOS/RHEL 8


StrongSwan is an open-source, multi-platform, modern and complete IPsec-based VPN solution for Linux that provides full support for Internet Key Exchange (both IKEv1 and IKEv2) to establish security associations (SA) between two peers. It is full-featured, modular by design and offers dozens of plugins that extend the core functionality.

Related Article: How to Set Up an IPsec-based VPN with Strongswan on Debian and Ubuntu

In this article, you will learn how to set up site-to-site IPsec VPN gateways using strongSwan on CentOS/RHEL 8 servers. The peers authenticate each other using a strong pre-shared key (PSK). A site-to-site setup means that each security gateway has a subnet behind it.

Do not forget to use your real-world IP addresses in the configurations while following this guide.

Site 1 gateway:
Public IP: 192.168.56.7
Private IP: 10.10.1.1/24
Private Subnet: 10.10.1.0/24

Site 2 gateway:
Public IP: 192.168.56.6
Private IP: 10.20.1.1/24
Private Subnet: 10.20.1.0/24

Step 1: Enabling Kernel IP Forwarding in CentOS 8

1. Start by enabling the kernel IP forwarding functionality in the /etc/sysctl.conf configuration file on both VPN gateways.

# vi /etc/sysctl.conf

Add the following lines to the file.

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

2. After saving the changes to the file, run the following command to load the new kernel parameters at runtime.

# sysctl -p

3. Next, create a permanent static route in the file /etc/sysconfig/network-scripts/route-eth0 on both security gateways.

# vi /etc/sysconfig/network-scripts/route-eth0

Add the following line to the file.

#Site 1 Gateway
10.20.1.0/24  via 192.168.56.7

#Site 2 Gateway
10.10.1.0/24 via 192.168.56.6

4. Then restart the network manager to apply the new changes.

# systemctl restart NetworkManager

Step 2: Installing Strongswan in CentOS 8

5. The strongswan package is provided in the EPEL repository. To install it, you need to enable the EPEL repository and then install strongswan on both security gateways.

# dnf install epel-release
# dnf install strongswan

6. To check the version of strongswan installed on both gateways, run the following command.

# strongswan version

7. Next, start the strongswan service and enable it to start automatically at system boot. Then check its status on both security gateways.

# systemctl start strongswan
# systemctl enable strongswan
# systemctl status strongswan

Note: The latest version of strongswan in CentOS/RHEL 8 comes with support for both swanctl (a new, portable command-line utility introduced with strongSwan 5.2.0, used to configure, control and monitor the IKE daemon charon using the vici plugin) and the starter (or ipsec) utility, which uses the deprecated stroke plugin.

8. The main configuration directory is /etc/strongswan/, which contains the configuration files for both plugins:

# ls /etc/strongswan/

For this guide, we will use the IPsec utility, which is invoked with the strongswan command and the stroke interface. So we will use the following configuration files:

  • /etc/strongswan/ipsec.conf - configuration file for the strongSwan IPsec subsystem.
  • /etc/strongswan/ipsec.secrets - secrets file.

Step 3: Configuring the Security Gateways

9. In this step, you need to configure the connection profile on each security gateway, for each site, using the strongswan configuration file /etc/strongswan/ipsec.conf.

On the Site 1 gateway (192.168.56.7), back up the original file and open it for editing:

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn gateway1-to-gateway2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.7
        leftsubnet=10.10.1.1/24
        right=192.168.56.6
        rightsubnet=10.20.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

On the Site 2 gateway (192.168.56.6), do the same:

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration into the file:

config setup
        charondebug="all"
        uniqueids=yes
conn gateway2-to-gateway1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.6
        leftsubnet=10.20.1.1/24
        right=192.168.56.7
        rightsubnet=10.10.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Let us briefly describe each of the configuration parameters above:

  • config setup - defines general configuration information for IPsec that applies to all connections.
  • charondebug - defines how much charon debugging output should be logged.
  • uniqueids - defines whether a particular participant ID should be kept unique.
  • conn gateway1-to-gateway2 - used to set the connection name.
  • type - defines the connection type.
  • auto - used to declare how to handle the connection when IPsec is started or restarted.
  • keyexchange - defines the version of the IKE protocol to use.
  • authby - defines how the peers should authenticate each other.
  • left - defines the IP address of the left participant's public-network interface.
  • leftsubnet - defines the private subnet behind the left participant.
  • right - declares the IP address of the right participant's public-network interface.
  • rightsubnet - declares the private network behind the right participant.
  • ike - used to declare the list of IKE/ISAKMP SA encryption/authentication algorithms to be used. Note that this can be a comma-separated list.
  • esp - specifies the list of ESP encryption/authentication algorithms to be used for the connection.
  • aggressive - defines whether to use Aggressive or Main Mode.
  • keyingtries - declares the number of attempts that should be made to negotiate a connection.
  • ikelifetime - defines how long the keying channel of a connection should last before being renegotiated.
  • lifetime - defines how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay - defines the interval at which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout - used to declare the timeout interval after which all connections to a peer are deleted in case of inactivity.
  • dpdaction - defines how to use the Dead Peer Detection (DPD) protocol to manage the connection.

You can find a description of all the configuration parameters for the strongSwan IPsec subsystem by reading the ipsec.conf man page.

# man ipsec.conf
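A mismatch between the two conn sections (a subnet or address that is not swapped, or proposals that differ) is the most common reason the tunnel never comes up. As an added example that is neither from this guide nor from the strongSwan project, the POSIX shell check below verifies that the two sections mirror each other (left/right and the subnets swapped, identical keyexchange, authby, ike and esp) and flags proposals that still rely on SHA-1 or the 1024-bit modp1024 group; the conn sections are constructed from the values above, with the subnets written in network form.

```shell
#!/bin/sh
# Constructed sample: the two conn sections from the guide, embedded so the
# check runs offline. Point param()/mirror_ok at real files with $(cat file).
GW1_CONF='conn gateway1-to-gateway2
        keyexchange=ikev2
        authby=secret
        left=192.168.56.7
        leftsubnet=10.10.1.0/24
        right=192.168.56.6
        rightsubnet=10.20.1.0/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!'
GW2_CONF='conn gateway2-to-gateway1
        keyexchange=ikev2
        authby=secret
        left=192.168.56.6
        leftsubnet=10.20.1.0/24
        right=192.168.56.7
        rightsubnet=10.10.1.0/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!'

# param CONF KEY: print the value of KEY=... (first match, whitespace stripped)
param() {
    printf '%s\n' "$1" |
        awk -F= -v k="$2" '$1 ~ "^[ \t]*"k"$" { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# mirror_ok CONF_A CONF_B: succeed only when B's right side is A's left side
# (and vice versa) and both peers offer the same IKE version, auth and proposals
mirror_ok() {
    [ "$(param "$1" left)" = "$(param "$2" right)" ] || return 1
    [ "$(param "$1" right)" = "$(param "$2" left)" ] || return 1
    [ "$(param "$1" leftsubnet)" = "$(param "$2" rightsubnet)" ] || return 1
    [ "$(param "$1" rightsubnet)" = "$(param "$2" leftsubnet)" ] || return 1
    for k in keyexchange authby ike esp; do
        [ "$(param "$1" "$k")" = "$(param "$2" "$k")" ] || return 1
    done
    return 0
}

# weak_proposal CONF: succeed when ike= or esp= still lists sha1 or modp1024
weak_proposal() {
    case "$(param "$1" ike)$(param "$1" esp)" in
        *sha1*|*modp1024*) return 0 ;;
    esac
    return 1
}

if mirror_ok "$GW1_CONF" "$GW2_CONF"; then echo "peer configs mirror correctly"; fi
if weak_proposal "$GW1_CONF"; then echo "warning: proposal uses SHA-1 or modp1024"; fi
```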

Step 4: Configuring the PSK for Peer-to-Peer Authentication

10. Next, you need to generate a strong PSK to be used by the peers for authentication, as follows.

# head -c 24 /dev/urandom | base64

11. Add the PSK to the /etc/strongswan/ipsec.secrets file on both security gateways.

# vi /etc/strongswan/ipsec.secrets

Enter the following line in the file.

#Site 1 Gateway
192.168.56.7  192.168.56.6 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"

#Site 2 Gateway
192.168.56.6  192.168.56.7 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"

12. Then restart the strongswan service and check the status of the connections.

# systemctl restart strongswan
# strongswan status

13. Test whether you can reach the private subnets from either security gateway by running a ping command.

# ping 10.20.1.1
# ping 10.10.1.1

14. Last but not least, to learn more strongswan commands for manually bringing connections up/down and more, see the strongswan help page.

# strongswan --help

That's all for now! To share your thoughts with us or ask questions, reach us via the feedback form below. And to learn more about the new swanctl utility and its more flexible configuration structure, see the strongSwan User Documentation.