Difference between revisions of "LINUX VPN 設定" (Linux VPN setup)

From NCUCCWiki

Revision as of 03:43, 3 June 2021 (Thu)

The parts in red must be replaced with your own account and password; in the example the account is test and the password is 123456.

Setting up a Linux VPN client

I. References: https://zh.codepre.com/how-to-6731.html and https://kifarunix.com/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8/

II. Failed on CentOS 8

III. Tested OK on Ubuntu Live Server 18.04.5

IV. Setup steps

1. Install strongSwan

apt update

apt install strongswan libcharon-extra-plugins

2. Install strongSwan VPN Server CA certificate on the Client

Take chainXX.pem from vpn1.ncu.edu.tw (in the /etc/letsencrypt/archive/vpn1.ncu.edu.tw directory), rename it chain.pem, and put it in /etc/ipsec.d/cacerts/.

3. Configure strongSwan VPN client

(1) vi /etc/ipsec.conf

  conn ipsec-ikev2-vpn-client
    auto=start
    right=vpn1.ncu.edu.tw
    rightid=vpn1.ncu.edu.tw
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=test
    leftauth=eap-mschapv2
    eap_identity=%identity

(2) vi /etc/ipsec.secrets

  # This file holds shared secrets or RSA private keys for authentication.
  # RSA private key for this host, authenticating it to any other host
  # which knows the public part.
  # user id : EAP secret
  test : EAP "123456"
  # this file is managed with debconf and will contain the automatically created private key
  #include /var/lib/strongswan/ipsec.secrets.inc

4. Fixing the certificate error: no issuer certificate found 'C=US, O="Let's Encrypt", CN=R3'

cp /etc/ssl/certs/DST_ROOT_X3.pem /etc/ipsec.d/cacerts/

cp /etc/ssl/certs/ISRG_Root_X1.pem /etc/ipsec.d/cacerts/

5. Start strongswan

systemctl start strongswan

PS: to keep strongswan from running at system boot: systemctl disable strongswan

6. Check status

systemctl status strongswan
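As an added example (not from the wiki page), the following script gives a check to run against a cacerts directory such as /etc/ipsec.d/cacerts/ before starting strongSwan, and reproduces the situation behind step 4: it builds a throwaway Root -> Intermediate -> Server chain with openssl, then verifies the server certificate first with only the intermediate (chain.pem) in cacerts (fails, like the missing-issuer error) and then with the root copied in as well (passes). All names, paths and certificates in it are constructed; it only assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example, not from the wiki page: checks that the CA certificates in a
# cacerts directory (e.g. /etc/ipsec.d/cacerts/) let a server certificate verify
# up to a self-signed root, as strongSwan needs ("no issuer certificate found").

# cacerts_verify CACERTS_DIR SERVER_PEM: 0 if every issuer up to a self-signed
# root is in CACERTS_DIR, 1 otherwise. Only the bundle is trusted: OpenSSL's
# default CA dir/store are skipped (-no-CAstore exists only in OpenSSL 3.x).
cacerts_verify() {
  bundle=$(mktemp)
  cat "$1"/*.pem > "$bundle" 2>/dev/null || :
  extra=''; openssl verify -help 2>&1 | grep -q -- -no-CAstore && extra='-no-CAstore'
  openssl verify -no-CApath $extra -CAfile "$bundle" "$2" >/dev/null 2>&1 && rc=0 || rc=1
  rm -f "$bundle"
  return $rc
}

# Build the throwaway Root -> Intermediate -> Server chain under $WORK (constructed).
setup_chain() {
  WORK=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  for name in root int server; do  # one key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  # Self-signed root (plays the role of ISRG Root X1)
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
      -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate issued by the root (plays the role of R3)
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Server certificate issued by the intermediate (what the VPN server presents)
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
      -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null
}

# Step 4 of the page reproduced: with only the intermediate (chain.pem) in
# cacerts the check fails; once the root is copied in as well it passes.
# Returns 0 when both outcomes are as expected.
demo() {
  setup_chain
  mkdir -p "$WORK/cacerts"
  cp "$WORK/int.pem" "$WORK/cacerts/chain.pem"
  if cacerts_verify "$WORK/cacerts" "$WORK/server.pem"; then return 1; fi
  echo "chain.pem only: verification FAILS (issuer of the intermediate missing)"
  cp "$WORK/root.pem" "$WORK/cacerts/"
  cacerts_verify "$WORK/cacerts" "$WORK/server.pem" || return 1
  echo "root added to cacerts: verification OK"
}
demo
```

To check a real client, point cacerts_verify at /etc/ipsec.d/cacerts/ and at the server certificate the VPN presents (for example saved with openssl s_client or from the server side).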