When this option is unchecked, no local default route (that is, a route to 0.0.0.0 via the specified gateway) is added while the dial-up connection is being established.
Generate the private key

$ umask 077
$ wg genkey > privatekey

Derive the public key from the private key

$ wg pubkey < privatekey > publickey

Generate the private and public keys in one step

$ wg genkey | tee privatekey | wg pubkey > publickey
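The two wg commands above are small enough to reproduce by hand. The following added Python example (it is not WireGuard's code and not part of the original notes) does what `wg genkey` and `wg pubkey` do without the wg tool: genkey draws 32 random bytes and clamps them, pubkey multiplies that scalar with the X25519 base point u = 9 and base64-encodes the 32-byte result. The Montgomery ladder follows RFC 7748 and is checked against that RFC's Alice/Bob test vectors; the function names wg_genkey, wg_pubkey and wg_shared_secret are my own.

```python
"""Reproduce `wg genkey` / `wg pubkey` in pure Python (added example).

X25519 per RFC 7748; key encoding is WireGuard's: 32 raw bytes, base64.
"""
import base64
import secrets

P = 2**255 - 19        # Curve25519 field prime
A24 = 121665           # (486662 - 2) / 4, the ladder constant
BASE_POINT_U = 9       # X25519 base point u-coordinate

# RFC 7748 section 6.1 test vectors (Alice and Bob).
ALICE_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIV_HEX = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
BOB_PUB_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED_HEX = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def _clamp(k: bytes) -> bytearray:
    """RFC 7748 clamping: clear the 3 low bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return k


def x25519(scalar: bytes, u: int) -> bytes:
    """Scalar multiplication on the Montgomery curve; returns the u-coordinate."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:                      # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _decode_u(b: bytes) -> int:
    """Decode a peer public key; the top bit is masked as RFC 7748 requires."""
    return int.from_bytes(b, "little") & ((1 << 255) - 1)


def b64_of_hex(hex_str: str) -> str:
    return base64.b64encode(bytes.fromhex(hex_str)).decode()


def wg_genkey() -> str:
    """Like `wg genkey`: 32 random bytes, clamped, base64 encoded."""
    return base64.b64encode(bytes(_clamp(secrets.token_bytes(32)))).decode()


def wg_pubkey(private_key_b64: str) -> str:
    """Like `wg pubkey`: X25519(private, 9), base64 encoded."""
    priv = base64.b64decode(private_key_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard private key must decode to 32 bytes")
    return base64.b64encode(x25519(priv, BASE_POINT_U)).decode()


def wg_shared_secret(private_key_b64: str, peer_public_key_b64: str) -> bytes:
    """Raw X25519 shared secret between a private key and a peer's public key."""
    peer_u = _decode_u(base64.b64decode(peer_public_key_b64, validate=True))
    return x25519(base64.b64decode(private_key_b64, validate=True), peer_u)


if __name__ == "__main__":
    priv = wg_genkey()
    print("PrivateKey =", priv)
    print("PublicKey  =", wg_pubkey(priv))
```

The same value that `wg pubkey < privatekey` prints is obtained with `wg_pubkey(open("privatekey").read().strip())`, which is a handy way to confirm that a PublicKey pasted into a peer's [Peer] section really belongs to the private key in the client's [Interface].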
Standard client configuration file
[Interface]
PrivateKey =
Address = 172.16.0.1/24
DNS = 8.8.8.8, 8.8.4.4
[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = hostname.com:51820
PersistentKeepalive = 25
Generate a QR code

Method 1

$ qrencode -t ansiutf8 -r client.conf

Method 2

$ qrencode -t ansiutf8 < client.conf

Method 3

$ qrencode -t png -o client.png -r client.conf
AnyConnect Deployment Overview
Deploying AnyConnect refers to installing, configuring, and upgrading the AnyConnect client and its related files.
The Cisco AnyConnect Secure Mobility Client can be deployed to remote users by the following methods:
Predeploy—New installations and upgrades are done either by the end user, or by using an enterprise software management system (SMS).
Web Deploy—The AnyConnect package is loaded on the headend, which is either an ASA or FTD firewall, or an ISE server. When the user connects to a firewall or to ISE, AnyConnect is deployed to the client.
For new installations, the user connects to a headend to download the AnyConnect client. The client is either installed manually or automatically (web-launch).
Updates are done by AnyConnect running on a system where AnyConnect is already installed, or by directing the user to the ASA clientless portal.
When you deploy AnyConnect, you can include optional modules that enable extra features, and client profiles that configure the VPN and optional features.
Refer to the AnyConnect release notes for system, management, and endpoint requirements for ASA, IOS, Microsoft Windows, Linux, and macOS.
Source:

Package information

[root@tinc ~]# dnf info tinc
Last metadata expiration check: 0:01:55 ago on Mon 12 Apr 2021 01:44:09 AM UTC.
Installed Packages
Name         : tinc
Version      : 1.0.36
Release      : 2.el8
Architecture : x86_64
Size         : 629 k
Source       : tinc-1.0.36-2.el8.src.rpm
Repository   : @System
From repo    : epel
Summary      : A virtual private network daemon
URL          : http://www.tinc-vpn.org/
License      : GPLv2+
Description  : tinc is a Virtual Private Network (VPN) daemon that uses tunnelling
             : and encryption to create a secure private network between hosts on
             : the Internet. Because the tunnel appears to the IP level network
             : code as a normal network device, there is no need to adapt any
             : existing software. This tunnelling allows VPN sites to share
             : information with each other over the Internet without exposing any
             : information to others.
[root@tinc ~]#

Installed files

[root@tinc ~]# rpm -lq tinc
/usr/lib/.build-id
/usr/lib/.build-id/ec
/usr/lib/.build-id/ec/f0a564e8d20e169bed52480a235992928751ed
/usr/lib/systemd/system/tinc.service
/usr/lib/systemd/system/tinc@.service
/usr/sbin/tincd
/usr/share/doc/tinc
/usr/share/doc/tinc/AUTHORS
/usr/share/doc/tinc/COPYING.README
/usr/share/doc/tinc/NEWS
/usr/share/doc/tinc/README
/usr/share/doc/tinc/THANKS
/usr/share/doc/tinc/sample-config
/usr/share/doc/tinc/sample-config/hosts
/usr/share/doc/tinc/sample-config/hosts/alpha
/usr/share/doc/tinc/sample-config/hosts/beta
/usr/share/doc/tinc/sample-config/rsa_key.priv
/usr/share/doc/tinc/sample-config/tinc-down
/usr/share/doc/tinc/sample-config/tinc-up
/usr/share/doc/tinc/sample-config/tinc.conf
/usr/share/doc/tinc/texinfo.tex
/usr/share/info/tinc.info.gz
/usr/share/licenses/tinc
/usr/share/licenses/tinc/COPYING
/usr/share/man/man5/tinc.conf.5.gz
/usr/share/man/man8/tincd.8.gz
[root@tinc ~]#
Sample main configuration file

https://www.tinc-vpn.org/documentation/Main-configuration-variables.html#Main-configuration-variables

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc.conf
# Sample tinc configuration file

# This is a comment.
# Spaces and tabs are eliminated.
# The = sign isn't strictly necessary any longer, though you may want
# to leave it in as it improves readability :)
# Variable names are treated case insensitive.

# The name of this tinc host. Required.
Name = alpha

# The internet host to connect with.
# Comment these out to make yourself a listen-only connection
# You must use the name of another tinc host.
# May be used multiple times for redundance.
ConnectTo = beta

# The tap device tinc will use.
# /dev/tap0 for ethertap, FreeBSD or OpenBSD
# /dev/tun0 for Solaris
# /dev/net/tun for Linux tun/tap
Device = /dev/net/tun
[root@tinc ~]#
Sample host configuration files

https://www.tinc-vpn.org/documentation/Host-configuration-variables.html#Host-configuration-variables

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/alpha
# Sample host configuration file

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.234.35.67

# Portnumber for incoming connections. Default is 655.
Port = 655

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.1.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/beta
# Sample host configuration file

# This file was generated by host beta.

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.45.67.189

# Portnumber for incoming connections. Default is 655.
Port = 6500

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.2.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#

Sample up/down scripts (the ifconfig command they use comes from the net-tools package)

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-up
#!/bin/sh
# This file sets up the tap device.
# It gives you the freedom to do anything you want with it.
# Use the correct name for the tap device:
# The environment variable $INTERFACE is set to the right name
# on most platforms, but if it doesn't work try to set it manually.

# Give it the right ip and netmask. Remember, the subnet of the
# tap device must be larger than that of the individual Subnets
# as defined in the host configuration file!
ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
[root@tinc ~]#

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-down
#!/bin/sh
# This file closes down the tap device.
ifconfig $INTERFACE down
[root@tinc ~]#
Equivalent scripts using the ip command

# tinc-up
#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.1/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

# tinc-down
#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.1/32 dev $INTERFACE
ip link set $INTERFACE down
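The comment in the sample tinc-up script insists that the tap device's network must be larger than the individual Subnets declared in the hosts/* files: a peer Subnet that lies outside the network routed to the tap device never enters the tunnel. The added Python example below (not part of tinc or of these notes) parses host files and checks every Subnet against the network that tinc-up assigns, whether given in the ifconfig address/netmask form or in the ip route form. The host files, the extra 10.20.0.0/16 Subnet on beta and the function names are constructed for the example; only IP Subnets are handled, not MAC-address Subnets.

```python
"""Check that the tinc tap network covers every host Subnet (added example)."""
import ipaddress
from typing import Dict, List

# Constructed host files modelled on the shipped sample-config hosts/alpha and
# hosts/beta; beta gets a second Subnet that the 192.168.0.0/16 tap does not cover.
HOST_FILES: Dict[str, str] = {
    "alpha": """
# Sample host configuration file
Address = 123.234.35.67
Port = 655
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
""",
    "beta": """
Address = 123.45.67.189
Port = 6500
Subnet = 192.168.2.0/24
Subnet = 10.20.0.0/16#10
""",
}


def parse_host_file(text: str) -> Dict[str, List[str]]:
    """Collect 'Variable = value' (or 'Variable value') lines into lists.

    tinc variable names are case-insensitive and some (Subnet, Address) may
    repeat, so every value is kept. Parsing stops at the PEM key block.
    """
    variables: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-----BEGIN"):
            break
        if "=" in line:
            name, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            name, value = parts
        variables.setdefault(name.strip().lower(), []).append(value.strip())
    return variables


def tap_network(spec: str):
    """Network routed to the tap device: '192.168.1.1/255.255.0.0' as in the
    ifconfig tinc-up, or '10.0.0.0/24' as in the ip route tinc-up."""
    return ipaddress.ip_interface(spec).network


def uncovered_subnets(hosts: Dict[str, str], tap_net) -> List[str]:
    """Return 'host: subnet' for each host Subnet not inside the tap network."""
    problems: List[str] = []
    for host, text in hosts.items():
        for subnet in parse_host_file(text).get("subnet", []):
            cidr = subnet.split("#", 1)[0]          # drop an optional '#weight'
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != tap_net.version or not net.subnet_of(tap_net):
                problems.append(f"{host}: {cidr}")
    return problems


if __name__ == "__main__":
    tap = tap_network("192.168.1.1/255.255.0.0")
    for problem in uncovered_subnets(HOST_FILES, tap) or ["all Subnets covered"]:
        print(problem)
```

Run against a real tinc network directory, the hosts dict would be filled by reading each file under /etc/tinc/NETNAME/hosts and the tap spec taken from that network's tinc-up.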
……
Host list

DC    18.163.111.34
NPS   18.163.35.186
RRAS  18.162.114.236
PC    18.163.117.102
Security tab of the RRAS (VPN) service properties in a standalone (workgroup) environment
Set the dial-in permission of the local Administrator user to Allow
Create a new dial-up VPN connection on the client PC
View the VPN dial-up connection's property settings
Modify the Security tab settings
Dial in using the RRAS host's Administrator user
View session information for the established VPN connection (local user)
Create a new account in Active Directory and set its dial-in network access permission to be controlled through NPS network policy
Modify the Security tab settings on the RRAS host
Restart the RRAS service
Change the VPN connection account on the client PC to the newly created Active Directory user account
Dial in
View session information for the established VPN connection (domain user)
Setup wizard welcome page
Select the components to install
Accept the End User License Agreement
Important notice
Select the installation directory
Ready to install
Installation in progress
Finish the installation and launch Server Manager
Select the server to connect to and click Connect
Set the administrator password on first connection
Prompt confirming that the administrator password was set
Close the Easy Setup pop-up window
Choose whether to enable IPsec
Open the VPN Gate settings from the manager's main screen
Choose to enable the VPN Gate relay service and join the research volunteers
VPN Gate service settings screen
Do not use the VPN Gate service in countries where VPN communication technology is prohibited
Open the Dynamic DNS settings from the manager's main screen
View or change the server's dynamic DNS hostname
View the currently resolved dynamic DNS hostname on the manager's main screen
View information on currently connected client sessions
Import the self-signed root certificate into the client computer
Correct import location for the self-signed CA certificate (Certificates - Local Computer - Trusted Root Certification Authorities)
View details of the imported CA certificate
Incorrect import location for the self-signed CA certificate (Certificates - Current User - Trusted Root Certification Authorities)
Connection error shown when the certificate was imported to the wrong location: IKE authentication credentials are unacceptable
Dial-up connection property settings in detail
General tab
Security tab
Networking tab
Status information after the connection is established
Install the EPEL repository

[root@host1 ~]# yum -y install epel-release

Refresh the cache and install StrongSwan and net-tools

[root@host1 ~]# yum makecache
[root@host1 ~]# yum -y install strongswan net-tools

Check the StrongSwan version information

[root@host1 ~]# yum info strongswan
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: repos-lax.psychz.net
 * epel: mirror.lax.genesisadaptive.com
 * extras: mirror.hostduplex.com
 * updates: repos-lax.psychz.net
Installed Packages
Name        : strongswan
Arch        : x86_64
Version     : 5.7.2
Release     : 1.el7
Size        : 4.0 M
Repo        : installed
From repo   : epel
Summary     : An OpenSource IPsec-based VPN and TNC solution
URL         : http://www.strongswan.org/
License     : GPLv2+
Description : The strongSwan IPsec implementation supports both the IKEv1 and
            : IKEv2 key exchange protocols in conjunction with the native NETKEY
            : IPsec stack of the Linux kernel.
[root@host1 ~]#
Prepare the certificate generation scripts

Server certificate script

[root@host1 ipsec.d]# cat server_key.sh
#!/bin/bash
if [ $1 ]; then
  CN=$1
  echo "generating keys for $CN ..."
else
  echo -e "usage:\n sh server_key.sh YOUR EXACT HOST NAME or SERVER IP\n Run this script in directory to store your keys"
  exit 1
fi

mkdir -p private && mkdir -p cacerts && mkdir -p certs

# CA key and self-signed CA certificate (10 years)
strongswan pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
strongswan pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" --outform pem > cacerts/strongswanCert.pem
echo 'CA certs at cacerts/strongswanCert.pem'
strongswan pki --print --in cacerts/strongswanCert.pem
sleep 1

# Server key and certificate issued by the CA (2 years), SAN = host name or IP
echo "generating server keys ..."
strongswan pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
strongswan pki --pub --in private/vpnHostKey.pem --type rsa | \
  strongswan pki --issue --lifetime 730 \
  --cacert cacerts/strongswanCert.pem \
  --cakey private/strongswanKey.pem \
  --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" \
  --san $CN \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > certs/vpnHostCert.pem
echo "vpn server cert at certs/vpnHostCert.pem"
strongswan pki --print --in certs/vpnHostCert.pem
[root@host1 ipsec.d]#

Client certificate script

[root@host1 ipsec.d]# cat client_key.sh
#!/bin/bash
info="usage:\n sh client_key.sh USER_NAME EMAIL \n Run this script in directory to store your keys"
if [ $1 ]; then
  if [ $2 ]; then
    NAME=$1
    MAIL=$2
    echo "generating keys for $NAME $MAIL ..."
  else
    echo -e $info
    exit 1
  fi
else
  echo -e $info
  exit 1
fi

mkdir -p private && mkdir -p cacerts && mkdir -p certs

keyfile="private/"$NAME"Key.pem"
certfile="certs/"$NAME"Cert.pem"
p12file=$NAME".p12"

# Client key and certificate issued by the CA created by server_key.sh
strongswan pki --gen --type rsa --size 2048 \
  --outform pem \
  > $keyfile
strongswan pki --pub --in $keyfile --type rsa | \
  strongswan pki --issue --lifetime 730 \
  --cacert cacerts/strongswanCert.pem \
  --cakey private/strongswanKey.pem \
  --dn "C=HK, O=LINUXCACHE.COM, CN=$MAIL" \
  --san $MAIL \
  --outform pem > $certfile
strongswan pki --print --in $certfile

# Bundle key, certificate and CA certificate into a password-protected PKCS#12 file
echo "Enter password to protect p12 cert for $NAME"
openssl pkcs12 -export -inkey $keyfile \
  -in $certfile -name "$NAME's VPN Certificate" \
  -certfile cacerts/strongswanCert.pem \
  -caname "strongSwan Root CA" \
  -out $p12file
if [ $? -eq 0 ]; then
  echo "cert for $NAME at $p12file"
fi
[root@host1 ipsec.d]#
Generate the server certificate

[root@host1 ipsec.d]# ./server_key.sh 144.202.116.133
generating keys for 144.202.116.133 ...
CA certs at cacerts/strongswanCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:11 2020, ok
             not after  Jan 29 02:02:11 2030, ok (expires in 3650 days)
  serial:    1d:40:6a:e0:af:56:64:33
  flags:     CA CRLSign self-signed
  subjkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  pubkey:    RSA 4096 bits
  keyid:     7e:1e:66:62:f0:cc:d9:51:9e:ea:c0:97:37:d5:84:1c:b9:27:97:c2
  subjkey:   91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
generating server keys ...
vpn server cert at certs/vpnHostCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:13 2020, ok
             not after  Jan 31 02:02:13 2022, ok (expires in 730 days)
  serial:    1d:ff:d1:51:97:c9:46:72
  altNames:  144.202.116.133
  flags:     serverAuth ikeIntermediate
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
  pubkey:    RSA 2048 bits
  keyid:     15:7d:c7:47:3e:07:7b:66:92:d0:2e:75:8e:78:0e:6b:72:8e:5e:b2
  subjkey:   c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
[root@host1 ipsec.d]#

Generate the client certificate and set a password for the key pair

[root@host1 ipsec.d]# ./client_key.sh harveymei harvey.mei@msn.com
generating keys for harveymei harvey.mei@msn.com ...
  subject:  "C=HK, O=LINUXCACHE.COM, CN=harvey.mei@msn.com"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:03:46 2020, ok
             not after  Jan 31 02:03:46 2022, ok (expires in 730 days)
  serial:    60:f7:02:c5:33:21:3a:13
  altNames:  harvey.mei@msn.com
  flags:
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
  pubkey:    RSA 2048 bits
  keyid:     1a:8d:12:09:54:a6:a6:d4:f9:d4:7a:6c:75:0a:85:6d:90:b6:0d:fe
  subjkey:   ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
Enter password to protect p12 cert for harveymei
Enter Export Password:
Verifying - Enter Export Password:
cert for harveymei at harveymei.p12
[root@host1 ipsec.d]#
Copy the certificates the client needs

Modify the configuration files

Modify ipsec.conf

Initial configuration file

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=HK, O=Linux strongSwan CN=peer name"
#      auto=start

Change to

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
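The IpsecIKEv2-EAP connection above pins ike=aes256-sha1-modp1024! (SHA-1 and a 1024-bit DH group, enforced by the trailing "!"), and two connections are pinned to IKEv1. Reviewing such settings by eye across many conn sections is error-prone, so here is an added Python example (not from strongSwan and not part of the original notes) that parses the conn sections of an ipsec.conf, applies the conn %default inheritance the way strongSwan does, and lists the proposals and key exchanges worth revisiting. The sample config is a constructed copy of the one above; the set of weak tokens is my own choice (DH groups below 2048 bits, SHA-1/MD5, legacy ciphers), and the IKEv1 check refers to RFC 9395, which deprecates IKEv1.

```python
"""Audit IKE/ESP proposals and key exchange versions in ipsec.conf (added example).

ipsec.conf sections start at column 0 ('conn NAME', 'config setup'); their
parameters are indented. Every conn inherits from 'conn %default'.
"""
import re
from typing import Dict, List

# Constructed copy of the conn sections from the modified ipsec.conf above.
SAMPLE_IPSEC_CONF = """
conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16
conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add
conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add
conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add
conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
"""

# Assumed list of primitives that should no longer be pinned in a proposal.
WEAK_TOKENS = {"modp768", "modp1024", "modp1536", "sha1", "md5",
               "des", "3des", "blowfish", "cast128", "null"}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'conn NAME' or 'config setup': {parameter: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] not in " \t":                  # header line at column 0
            kind, _, name = stripped.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None:
            key, _, value = stripped.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Merge 'conn %default' into every other conn; the conn's own keys win."""
    default = sections.get("conn %default", {})
    conns: Dict[str, Dict[str, str]] = {}
    for header, params in sections.items():
        if header.startswith("conn ") and header != "conn %default":
            merged = dict(default)
            merged.update(params)
            conns[header[len("conn "):]] = merged
    return conns


def weak_proposals(conns: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per ike=/esp=/ah= proposal that names a weak token."""
    findings: List[str] = []
    for name, params in conns.items():
        for key in ("ike", "esp", "ah"):
            if key not in params:
                continue
            proposal = params[key].rstrip("!")   # '!' only marks a strict proposal
            tokens = set(re.split(r"[-,]", proposal.lower()))
            weak = sorted(tokens & WEAK_TOKENS)
            if weak:
                findings.append(f"{name}: {key}={params[key]} uses {', '.join(weak)}")
    return findings


def ikev1_conns(conns: Dict[str, Dict[str, str]]) -> List[str]:
    """Connections explicitly pinned to IKEv1 (deprecated by RFC 9395)."""
    return [n for n, p in conns.items() if p.get("keyexchange", "").lower() == "ikev1"]


if __name__ == "__main__":
    conns = effective_conns(parse_ipsec_conf(SAMPLE_IPSEC_CONF))
    print("\n".join(weak_proposals(conns) + [f"{n}: keyexchange=ikev1" for n in ikev1_conns(conns)]))
```

Pointed at the real file with `parse_ipsec_conf(open("/etc/strongswan/ipsec.conf").read())`, the same functions report which conn sections still need attention after an upgrade of the client fleet.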
Modify strongswan.conf

Initial configuration file

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

Change to

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

Handling the syntax change/error: the dotted key duplicheck.enable = no on line 3 is rejected by this version of strongSwan, so it is written as a nested duplicheck { enable = no } section instead.

Feb 01 02:41:00 host1 strongswan[4598]: /etc/strongswan/strongswan.conf:3: syntax error, unexpected ., expecting : or '{' or '=' [.]

charon {
    load_modular = yes
    duplicheck {
        enable = no
    }
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf
Modify ipsec.secrets (account credentials)

Initial configuration file

# ipsec.secrets - strongSwan IPsec secrets file

Change to

# ipsec.secrets - strongSwan IPsec secrets file
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
harveymei %any : EAP "harvey#pwd2020"
harveymei %any : XAUTH "harvey#pwd2020"

Enable packet forwarding in the kernel and the firewall

Kernel

[root@host1 strongswan]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@host1 strongswan]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@host1 strongswan]#

Firewall

[root@host1 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@host1 ~]# firewall-cmd --permanent --add-service=ipsec
success
[root@host1 ~]# firewall-cmd --permanent --add-port=4500/udp
success
[root@host1 ~]# firewall-cmd --permanent --add-masquerade
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ipsec ssh
  ports: 4500/udp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@host1 ~]#

Start the service

[root@host1 ~]# systemctl enable strongswan
Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service.
[root@host1 ~]# systemctl start strongswan

Check the listening ports