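Difference between revisions of "LINUX VPN Setup"
(Created page with "The parts in red must be set according to your own account and password, e.g. account test, password: 123456 Linux VPN Client setup I. Reference URL https://zh.codepre.com/how-to…") |
| (7 intermediate revisions by the same user not shown) | |||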
| 行 1: | 行 1: | ||
| − | |||
Linux VPN Client 建置 | Linux VPN Client 建置 | ||
| − | 一.參考網址 https://zh.codepre.com/how-to-6731.html | + | 一.參考網址 https://zh.codepre.com/how-to-6731.html 及 https://kifarunix.com/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8/ |
二.對CentOS 8 環境失敗 | 二.對CentOS 8 環境失敗 | ||
| 行 13: | 行 12: | ||
1. Install strongSwan | 1. Install strongSwan | ||
| − | apt update | + | apt update |
| − | apt install strongswan libcharon-extra-plugins | + | apt install strongswan libcharon-extra-plugins |
2. Install strongSwan VPN Server CA certificate on the Client | 2. Install strongSwan VPN Server CA certificate on the Client | ||
| − | 將vpn1.ncu.edu.tw 的chainXX.pem(/etc/letsencrypt/archive/vpn1.ncu.edu.tw 目錄下) , 更名成chain.pem , 放置到/etc/ipsec.d/cacerts/ 目錄下 | + | |
| + | 將vpn1.ncu.edu.tw 的chainXX.pem(/etc/letsencrypt/archive/vpn1.ncu.edu.tw 目錄下) , 更名成chain.pem , 放置到/etc/ipsec.d/cacerts/ 目錄下 | ||
3. Configure strongSwan VPN client | 3. Configure strongSwan VPN client | ||
| − | (1) vi /etc/ipsec.conf | + | |
| + | (1) vi /etc/ipsec.conf | ||
| + | |||
conn ipsec-ikev2-vpn-client | conn ipsec-ikev2-vpn-client | ||
| 行 37: | 行 39: | ||
leftid=test | leftid=test | ||
| + | |||
| + | #根據個人的帳號與密碼設定, 如test 帳號 | ||
leftauth=eap-mschapv2 | leftauth=eap-mschapv2 | ||
| 行 42: | 行 46: | ||
eap_identity=%identity | eap_identity=%identity | ||
| − | + | (2)vi /etc/ipsec.secrets | |
| − | |||
| − | (2)vi /etc/ipsec.secrets | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | # RSA private | + | # This file holds shared secrets or RSA private keys for authentication. |
| − | # | + | # RSA private key for this host, authenticating it to any other host |
| − | + | # which knows the public part. | |
| − | # user id : EAP secret | + | # user id : EAP secret |
| − | test : EAP "123456" | + | test : EAP "123456" |
| − | # | + | #根據個人的帳號與密碼設定, 如test 帳號, 密碼:123456 |
| − | # | + | # this file is managed with debconf and will contain the automatically created private key |
| − | + | #include /var/lib/strongswan/ipsec.secrets.inc | |
4. 解決no issuer certificate found 'C=US , O="Let's Encrypt, CN=R3"憑證問題 | 4. 解決no issuer certificate found 'C=US , O="Let's Encrypt, CN=R3"憑證問題 | ||
| − | cp /etc/ssl/certs/DST_ROOT_X3.pem /etc/ipsec.d/cacerts/ | + | cp /etc/ssl/certs/DST_ROOT_X3.pem /etc/ipsec.d/cacerts/ |
| − | cp /etc/ssl/certs/ISRG_Root_X1.pem etc/ipsec.d/cacerts/ | + | cp /etc/ssl/certs/ISRG_Root_X1.pem etc/ipsec.d/cacerts/ |
5.啟動 strongswan | 5.啟動 strongswan | ||
| − | systemctl start strongswan | + | systemctl start strongswan |
| − | ps:避免strongswan 在系統啟動時運行systemctl disable strongswan | + | ps:避免strongswan 在系統啟動時運行systemctl disable strongswan |
6.查看狀況 | 6.查看狀況 | ||
| − | systemctl status strongswan | + | systemctl status strongswan |
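Review bot: The destination of the second cp line in step 4, `etc/ipsec.d/cacerts/`, is missing its leading slash, so the copy is relative to the current directory and only reaches /etc/ipsec.d/cacerts/ when the command is run from /. Write it as `cp /etc/ssl/certs/ISRG_Root_X1.pem /etc/ipsec.d/cacerts/`. The /etc/ipsec.secrets block in the same hunk stores the EAP password in clear text (`test : EAP "123456"`), so it would be worth adding a line telling readers to keep that file readable by root only.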
Latest revision as of 05:46, 3 June 2021 (Thu)
Linux VPN Client Setup
I. Reference URLs: https://zh.codepre.com/how-to-6731.html and https://kifarunix.com/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8/
II. Failed in a CentOS 8 environment
III. Tested OK in an Ubuntu Live Server 18.04.5 environment
IV. Configuration steps are as follows
1. Install strongSwan
apt update
apt install strongswan libcharon-extra-plugins
2. Install strongSwan VPN Server CA certificate on the Client
Take the chainXX.pem of vpn1.ncu.edu.tw (under the /etc/letsencrypt/archive/vpn1.ncu.edu.tw directory), rename it to chain.pem, and place it in the /etc/ipsec.d/cacerts/ directory.
3. Configure strongSwan VPN client
(1) vi /etc/ipsec.conf
conn ipsec-ikev2-vpn-client
    auto=start
    right=vpn1.ncu.edu.tw
    rightid=vpn1.ncu.edu.tw
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=test
    # Set according to your own account and password, e.g. the test account
    leftauth=eap-mschapv2
    eap_identity=%identity
(2) vi /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# user id : EAP secret
test : EAP "123456"
# Set according to your own account and password, e.g. account test, password: 123456
# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
4. Fix the no issuer certificate found 'C=US , O="Let's Encrypt, CN=R3" certificate problem
cp /etc/ssl/certs/DST_ROOT_X3.pem /etc/ipsec.d/cacerts/
cp /etc/ssl/certs/ISRG_Root_X1.pem /etc/ipsec.d/cacerts/
5. Start strongSwan
systemctl start strongswan
Note: to keep strongSwan from running at system boot: systemctl disable strongswan
6. Check the status
systemctl status strongswan
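
Added example (not part of the original wiki page): a pre-flight check for the files from steps 2 to 4. It confirms that the leftid in ipsec.conf has a matching EAP entry in ipsec.secrets, that the secrets file (which holds the password in clear text) is not accessible to group or other, and that the cacerts directory contains at least one .pem file. The function names and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Pass copies of the files to try it without touching /etc.

# Print the leftid value found in an ipsec.conf-style file.
conf_leftid() {
    sed -n 's/^[[:space:]]*leftid[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed if the secrets file has an active "ID : EAP ..." entry for ID ($2).
# Commented-out entries do not match because their first field is not ID.
has_eap_secret() {
    awk -v id="$2" '$1 == id && $2 == ":" && $3 == "EAP" { found = 1 }
                    END { exit !found }' "$1"
}

# Succeed only if the file grants nothing to group/other, since it holds
# the EAP password in clear text.
secrets_mode_ok() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perm" = "------" ]
}

# Run every check, print one line per problem, return the number of problems.
preflight() {  # usage: preflight IPSEC_CONF IPSEC_SECRETS CACERTS_DIR
    fails=0
    id=$(conf_leftid "$1")
    if [ -z "$id" ]; then
        echo "FAIL: no leftid in $1"; fails=$((fails + 1))
    elif ! has_eap_secret "$2" "$id"; then
        echo "FAIL: no EAP secret for '$id' in $2"; fails=$((fails + 1))
    fi
    secrets_mode_ok "$2" ||
        { echo "FAIL: $2 is accessible to group/other (use chmod 600)"; fails=$((fails + 1)); }
    ls "$3"/*.pem >/dev/null 2>&1 ||
        { echo "FAIL: no CA certificate (*.pem) in $3"; fails=$((fails + 1)); }
    return "$fails"
}

# With three arguments, check those paths, e.g.:
#   sh preflight.sh /etc/ipsec.conf /etc/ipsec.secrets /etc/ipsec.d/cacerts
if [ "$#" -eq 3 ]; then
    preflight "$@" && echo "OK: client files look consistent"
fi
```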