I. Generating certificates with OpenSSL

(1) CA certificate
1. Generate the CA private key (4096-bit RSA)

    openssl genrsa -out caKey.pem 4096

2. Generate the self-signed CA certificate (valid 10 years)

    openssl req -x509 -new -key caKey.pem -days 3650 -out caCert.pem -subj "/C=CN/O=MyVPN/CN=VPN CA"

3. Inspect the generated CA certificate

    openssl x509 -in caCert.pem -noout -text

(2) Server certificate

1. Generate the server private key

    openssl genrsa -out serverKey.pem 4096

2. Generate the certificate signing request (CSR)

    openssl req -new -key serverKey.pem -out serverReq.pem -subj "/CN=server.example.com"

3. Have the CA sign the server certificate (valid 2 years)

    openssl x509 -req -in serverReq.pem -CA caCert.pem -CAkey caKey.pem -CAcreateserial \
        -out serverCert.pem -days 730 -sha256 \
        -extfile <(echo "subjectAltName=IP:192.168.1.202")

   The <( ... ) process substitution is a bash feature; in other shells, write the subjectAltName line to a file and pass that file with -extfile.

4. Restrict the private key permissions (required by strongSwan)

    chmod 600 serverKey.pem

5. Verify the SAN in the issued certificate

    openssl x509 -in serverCert.pem -noout -text

(3) Client certificate

1. Generate the client private key

    openssl genrsa -out clientKey.pem 4096

2. Generate the CSR

    openssl req -new -key clientKey.pem -out clientReq.pem -subj "/CN=client.example.com"

3. Have the CA sign the client certificate

    openssl x509 -req -in clientReq.pem -CA caCert.pem -CAkey caKey.pem -CAcreateserial \
        -out clientCert.pem -days 3650 -sha256

II. Where strongSwan stores the certificates
/etc/ipsec.d/
├── private/
│   └── serverKey.pem / clientKey.pem    # private keys (permission 600 recommended)
├── cacerts/
│   └── caCert.pem                       # CA certificate
└── certs/
    └── serverCert.pem / clientCert.pem  # end-entity certificates
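The certificate-generation steps of Part I and the file layout of Part II, run as one script. This is an added example and not the page's own commands: the function names, the work and install directories, the DNS SAN placed beside the page's IP SAN (so that leftid=@server.example.com is confirmed by the certificate), and the 2048-bit default key size (chosen for speed; the page uses 4096) are my assumptions. It finishes with the checks a practitioner runs before handing the files to strongSwan: chain verification against the CA, SAN presence, key/certificate pairing, and private-key permissions.

```shell
#!/bin/sh
# Added example, not part of the original page: build the CA, server and
# client material of Part I, lay it out as in Part II under a directory of
# your choosing, then verify it.  Assumptions of mine: function names,
# directories, the DNS SAN next to the page's IP SAN, and the 2048-bit
# default key size (the page uses 4096).
set -eu

# Sign the CSR "$2Req.pem" in dir $1 with the CA, valid $3 days.
# $4 is an optional OpenSSL extension file (used to add the server SAN).
sign_with_ca() {
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1/$2Req.pem" -CA "$1/caCert.pem" -CAkey "$1/caKey.pem" \
            -CAcreateserial -out "$1/$2Cert.pem" -days "$3" -sha256 -extfile "$4" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2Req.pem" -CA "$1/caCert.pem" -CAkey "$1/caKey.pem" \
            -CAcreateserial -out "$1/$2Cert.pem" -days "$3" -sha256 2>/dev/null
    fi
}

# Build CA, server and client keys/certificates in $1 with $2-bit RSA keys.
build_vpn_pki() {
    bits=${2:-2048}
    mkdir -p "$1"
    # (1) CA: private key and a 10-year self-signed certificate
    openssl genrsa -out "$1/caKey.pem" "$bits" 2>/dev/null
    openssl req -x509 -new -key "$1/caKey.pem" -days 3650 -out "$1/caCert.pem" \
        -subj "/C=CN/O=MyVPN/CN=VPN CA" 2>/dev/null
    # (2) Server: key, CSR, 2-year certificate with the VPN endpoint as SAN.
    #     IP entry from the page; the DNS entry is my addition.
    openssl genrsa -out "$1/serverKey.pem" "$bits" 2>/dev/null
    openssl req -new -key "$1/serverKey.pem" -out "$1/serverReq.pem" \
        -subj "/CN=server.example.com" 2>/dev/null
    printf 'subjectAltName=IP:192.168.1.202,DNS:server.example.com\n' > "$1/server.ext"
    sign_with_ca "$1" server 730 "$1/server.ext"
    # (3) Client: key, CSR and certificate identified by its CN
    openssl genrsa -out "$1/clientKey.pem" "$bits" 2>/dev/null
    openssl req -new -key "$1/clientKey.pem" -out "$1/clientReq.pem" \
        -subj "/CN=client.example.com" 2>/dev/null
    sign_with_ca "$1" client 3650
    chmod 600 "$1/caKey.pem" "$1/serverKey.pem" "$1/clientKey.pem"
}

# Copy the files built in $1 into the Part II layout rooted at $2
# (use /etc/ipsec.d on a real host).  $3 is "server" or "client".
install_ipsec_d() {
    mkdir -p "$2/private" "$2/cacerts" "$2/certs"
    cp "$1/caCert.pem" "$2/cacerts/"
    cp "$1/$3Cert.pem" "$2/certs/"
    cp "$1/$3Key.pem" "$2/private/"
    chmod 600 "$2/private/$3Key.pem"   # strongSwan expects the key to be private
}

# Return 0 when the public key inside certificate $2 matches private key $1.
key_matches_cert() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; fi
    return 1
}

# Checks to run on an ipsec.d tree $1 for role $2 before starting strongSwan.
verify_ipsec_d() {
    # the certificate must chain to the CA that strongSwan will trust
    openssl verify -CAfile "$1/cacerts/caCert.pem" "$1/certs/$2Cert.pem" >/dev/null 2>&1 || return 1
    # the private key must belong to the certificate
    key_matches_cert "$1/private/$2Key.pem" "$1/certs/$2Cert.pem" || return 1
    # the private key must be readable by its owner only
    [ "$(ls -l "$1/private/$2Key.pem" | cut -c1-10)" = "-rw-------" ] || return 1
    if [ "$2" = server ]; then
        # the server certificate must carry the endpoint address as SAN
        openssl x509 -in "$1/certs/serverCert.pem" -noout -text \
            | grep -q 'IP Address:192.168.1.202' || return 1
    fi
    return 0
}

# Stand-alone use:  sh vpn_pki.sh ./work ./ipsec.d-server server 4096
if [ "$#" -ge 3 ]; then
    build_vpn_pki "$1" "${4:-2048}"
    install_ipsec_d "$1" "$2" "$3"
    if verify_ipsec_d "$2" "$3"; then
        echo "$3 material verified under $2"
    else
        echo "verification of $3 material under $2 FAILED" >&2
        exit 1
    fi
fi
```

Run it twice with the same work directory, once with the role "server" and once with "client", to produce the two trees that go onto the two hosts; only the CA certificate is shared, and the CA key never leaves the machine that signs.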
III. strongSwan server configuration

1. /etc/ipsec.conf
config setup

conn net
    auto=add
    compress=no
    keyexchange=ikev1
    type=tunnel
    authby=pubkey
    right=%any
    left=%defaultroute
    rightsubnet=192.168.9.0/24
    leftsubnet=192.168.202.0/24
    leftcert=serverCert.pem
    leftid=@server.example.com
    ike=3des-sha1-modp1024
    ikelifetime=24h
    esp=3des-sha1
    lifetime=8h
    dpddelay=60
    dpdtimeout=60
    dpdaction=restart

Note: IKEv1 with 3des-sha1-modp1024 is a legacy proposal; strongSwan supports IKEv2 with stronger proposals (for example aes256-sha256-modp2048), which a new deployment should prefer.

2. /etc/ipsec.secrets

: RSA serverKey.pem

IV. strongSwan client configuration
1. /etc/ipsec.conf

config setup

conn net
    auto=start
    compress=no
    keyexchange=ikev1
    type=tunnel
    authby=pubkey
    left=%defaultroute
    leftcert=clientCert.pem
    leftid=@client.example.com
    leftsubnet=192.168.9.0/24
    right=192.168.1.202
    rightid="CN=server.example.com"
    rightsubnet=192.168.202.0/24
    ike=3des-sha1-modp1024
    ikelifetime=24h
    esp=3des-sha1
    lifetime=8h

2. /etc/ipsec.secrets

: RSA clientKey.pem

V. Testing
1. Start ipsec

    ipsec start        (or, if it is already running: ipsec restart)

2. Check the connection status

    ipsec status       (or, for full detail: ipsec statusall)