"LINUX VPN 設定" 修訂間的差異

出自 NCUCCWiki
前往: 導覽搜尋
(已建立頁面,內容為 "紅字的部分是須根據個人的帳號與密碼設定, 如test 帳號, 密碼:123456 Linux VPN Client 建置 一.參考網址 https://zh.codepre.com/how-to…")
 
 
(未顯示同一使用者於中間所作的 7 次修訂)
行 1: 行 1:
紅字的部分是須根據個人的帳號與密碼設定, 如test 帳號, 密碼:123456
 
  
 
Linux VPN Client 建置
 
Linux VPN Client 建置
  
一.參考網址 https://zh.codepre.com/how-to-6731.html  及https://kifarunix.com/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8/
+
一.參考網址 https://zh.codepre.com/how-to-6731.html  及 https://kifarunix.com/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8/
  
 
二.對CentOS 8 環境失敗
 
二.對CentOS 8 環境失敗
行 13: 行 12:
 
1. Install strongSwan
 
1. Install strongSwan
  
apt update
+
apt update
  
apt install strongswan libcharon-extra-plugins
+
apt install strongswan libcharon-extra-plugins
  
 
2. Install strongSwan VPN Server CA certificate on the Client
 
2. Install strongSwan VPN Server CA certificate on the Client
將vpn1.ncu.edu.tw 的chainXX.pem(/etc/letsencrypt/archive/vpn1.ncu.edu.tw 目錄下) , 更名成chain.pem  , 放置到/etc/ipsec.d/cacerts/ 目錄下
+
 
 +
將vpn1.ncu.edu.tw 的chainXX.pem(/etc/letsencrypt/archive/vpn1.ncu.edu.tw 目錄下) , 更名成chain.pem  , 放置到/etc/ipsec.d/cacerts/ 目錄下
  
 
3. Configure strongSwan VPN client
 
3. Configure strongSwan VPN client
(1) vi /etc/ipsec.conf
+
 
 +
(1) vi /etc/ipsec.conf
 +
 
 
   conn ipsec-ikev2-vpn-client
 
   conn ipsec-ikev2-vpn-client
  
行 37: 行 39:
  
 
     leftid=test
 
     leftid=test
 +
 +
      #根據個人的帳號與密碼設定, 如test 帳號
  
 
     leftauth=eap-mschapv2
 
     leftauth=eap-mschapv2
行 42: 行 46:
 
     eap_identity=%identity
 
     eap_identity=%identity
  
   
+
  (2)vi /etc/ipsec.secrets
 
 
(2)vi /etc/ipsec.secrets
 
 
 
  # This file holds shared secrets or RSA private keys for authentication.
 
 
 
 
  
# RSA private key for this host, authenticating it to any other host
+
  # This file holds shared secrets or RSA private keys for authentication.
  
# which knows the public part.
+
  # RSA private key for this host, authenticating it to any other host
  
+
  # which knows the public part.
  
# user id : EAP secret
+
  # user id : EAP secret
  
test : EAP "123456"
+
  test : EAP "123456"
  
# this file is managed with debconf and will contain the automatically created private key
+
  #根據個人的帳號與密碼設定, 如test 帳號, 密碼:123456
  
#include /var/lib/strongswan/ipsec.secrets.inc
+
  # this file is managed with debconf and will contain the automatically created private key
  
+
  #include /var/lib/strongswan/ipsec.secrets.inc
  
 
4. 解決no issuer certificate found 'C=US , O="Let's Encrypt, CN=R3"憑證問題
 
4. 解決no issuer certificate found 'C=US , O="Let's Encrypt, CN=R3"憑證問題
  
cp /etc/ssl/certs/DST_ROOT_X3.pem /etc/ipsec.d/cacerts/
+
  cp /etc/ssl/certs/DST_ROOT_X3.pem /etc/ipsec.d/cacerts/
  
cp /etc/ssl/certs/ISRG_Root_X1.pem  etc/ipsec.d/cacerts/
+
  cp /etc/ssl/certs/ISRG_Root_X1.pem  etc/ipsec.d/cacerts/
  
 
5.啟動 strongswan  
 
5.啟動 strongswan  
  
systemctl start strongswan  
+
  systemctl start strongswan  
  
ps:避免strongswan 在系統啟動時運行systemctl disable strongswan
+
  ps:避免strongswan 在系統啟動時運行systemctl disable strongswan
  
 
6.查看狀況
 
6.查看狀況
  
systemctl status strongswan
+
  systemctl status strongswan

於 2021年6月3日 (四) 05:46 的最新修訂

Linux VPN Client 建置

一.參考網址 https://zh.codepre.com/how-to-6731.htmlhttps://kifarunix.com/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8/

二.對CentOS 8 環境失敗

三.使用Ubuntu Live Server 18.04.5 環境測試OK

四. 設定方式如下

1. Install strongSwan

apt update
apt install strongswan libcharon-extra-plugins

2. Install strongSwan VPN Server CA certificate on the Client

將vpn1.ncu.edu.tw 的chainXX.pem(/etc/letsencrypt/archive/vpn1.ncu.edu.tw 目錄下) , 更名成chain.pem  , 放置到/etc/ipsec.d/cacerts/ 目錄下

3. Configure strongSwan VPN client

(1) vi /etc/ipsec.conf
  conn ipsec-ikev2-vpn-client
    auto=start
    right=vpn1.ncu.edu.tw
    rightid=vpn1.ncu.edu.tw
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=test
     #根據個人的帳號與密碼設定, 如test 帳號
    leftauth=eap-mschapv2
    eap_identity=%identity
(2)vi /etc/ipsec.secrets
 # This file holds shared secrets or RSA private keys for authentication.
 # RSA private key for this host, authenticating it to any other host
 # which knows the public part.
 # user id : EAP secret
 test : EAP "123456"
 #根據個人的帳號與密碼設定, 如test 帳號, 密碼:123456
 # this file is managed with debconf and will contain the automatically created private key
 #include /var/lib/strongswan/ipsec.secrets.inc

4. 解決no issuer certificate found 'C=US , O="Let's Encrypt, CN=R3"憑證問題

 cp /etc/ssl/certs/DST_ROOT_X3.pem /etc/ipsec.d/cacerts/
 cp /etc/ssl/certs/ISRG_Root_X1.pem  etc/ipsec.d/cacerts/

5.啟動 strongswan

 systemctl start strongswan 
 ps:避免strongswan 在系統啟動時運行systemctl disable strongswan

6.查看狀況

 systemctl status strongswan