How to Set Up an IPsec-based VPN with Strongswan on Debian and Ubuntu


StrongSwan is an open-source, cross-platform, full-featured and widely-used IPsec-based VPN (Virtual Private Network) implementation that runs on Linux, FreeBSD, OS X, Windows, Android, and iOS. It is primarily a keying daemon that supports the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SAs) between two peers.

This article describes how to set up site-to-site IPsec VPN gateways using strongSwan on Ubuntu and Debian servers. By site-to-site we mean that each security gateway has a subnet behind it. The peers authenticate each other using a pre-shared key (PSK).

Remember to replace the following IPs with your real IPs to match your environment.

Site 1 Gateway (tecmint-devgateway)

OS 1: Debian or Ubuntu
Public IP: 10.20.20.1
Private IP: 192.168.0.101/24
Private Subnet: 192.168.0.0/24

Site 2 Gateway (tecmint-prodgateway)

OS 2: Debian or Ubuntu
Public IP:  10.20.20.3
Private IP: 10.0.2.15/24
Private Subnet: 10.0.2.0/24

Step 1: Enable Kernel Packet Forwarding

1. First, you need to configure the kernel to enable packet forwarding by adding the appropriate system variables to the /etc/sysctl.conf configuration file on both security gateways.

$ sudo vim /etc/sysctl.conf

Look for the following lines, uncomment them and set their values as shown (read the comments in the file for more information).

net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0 

2. Next, load the new settings by running the following command.

$ sudo sysctl -p
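A commented-out line in /etc/sysctl.conf is the most common reason a tunnel comes up but forwards no traffic, so it is worth checking the file before moving on. The script below is an added example, not part of the original article: it reads a sysctl.conf-style file and reports, for each of the four settings above, whether it is present, uncommented and set to the required value. The two sample files it creates are constructed for the demonstration; on a gateway you would point check_sysctl_file at /etc/sysctl.conf.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): verify that a sysctl.conf-style
# file carries the four settings from Step 1, uncommented and with the expected
# values. Point it at /etc/sysctl.conf on each gateway, or at a copy.

# Settings the article requires (key=value, one per line).
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0"

# effective_value FILE KEY: print the value of the last uncommented assignment
# to KEY (later lines override earlier ones, as sysctl -p applies them), or
# print nothing when KEY is absent or appears only inside a comment.
effective_value() {
    local file=$1 key=$2
    awk -v k="$key" '
        /^[ \t]*[#;]/ { next }                      # comment line: ignore
        {
            n = index($0, "=")
            if (n == 0) next                        # not an assignment
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) last = val
        }
        END { if (last != "") print last }
    ' "$file"
}

# check_sysctl_file FILE: report every required setting; the return value is
# the number of settings that are missing or wrong (0 means all good).
check_sysctl_file() {
    local file=$1 missing=0 key want have
    while IFS='=' read -r key want; do
        have=$(effective_value "$file" "$key")
        if [ "$have" = "$want" ]; then
            printf 'ok       %s = %s\n' "$key" "$have"
        else
            printf 'WRONG    %s should be %s (found: %s)\n' "$key" "$want" "${have:-unset}"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_SYSCTL
EOF
    return "$missing"
}

# make_sample good|bad: write a constructed sysctl.conf to a temp file, print its path.
make_sample() {
    local f; f=$(mktemp)
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
# constructed sample: everything uncommented and correct
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
    else
        cat >"$f" <<'EOF'
# constructed sample: ip_forward still commented out, send_redirects wrong
#net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
EOF
    fi
    printf '%s\n' "$f"
}

# Demo on the constructed samples; on a gateway run: check_sysctl_file /etc/sysctl.conf
GOOD=$(make_sample good); BAD=$(make_sample bad)
echo "== good sample =="; check_sysctl_file "$GOOD"
echo "== bad sample ==";  check_sysctl_file "$BAD" || echo "-> $? setting(s) need fixing"
```

The check only looks at the file; after fixing it, `sudo sysctl -p` loads the values and `sysctl net.ipv4.ip_forward` shows what the running kernel actually uses.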

3. If you have the UFW firewall service enabled, you need to add the following rules to the /etc/ufw/before.rules configuration file, before the filter rules, on both security gateways.

Site 1 Gateway (tecmint-devgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24  -d 192.168.0.0/24 -j MASQUERADE
COMMIT

Site 2 Gateway (tecmint-prodgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING  -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE
COMMIT

4. Once the firewall rules have been added, apply the changes by restarting UFW as shown.

$ sudo ufw disable 
$ sudo ufw enable

Step 2: Install strongSwan on Debian and Ubuntu

5. Update your package cache on both security gateways and install the strongswan package using the APT package manager.

$ sudo apt update
$ sudo apt install strongswan 

6. Once the installation is complete, the installer script starts the strongswan service and enables it to start automatically at boot. You can check its status, and whether it is enabled, using the following commands.

$ sudo systemctl status strongswan.service
$ sudo systemctl is-enabled strongswan.service

Step 3: Configure the Security Gateways

7. Next, configure the security gateways using the /etc/ipsec.conf configuration file.

Site 1 Gateway (tecmint-devgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf 

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Site 2 Gateway (tecmint-prodgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24 
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Here is the meaning of each configuration parameter:

  • config setup - specifies general configuration information for IPsec that applies to all connections.
  • charondebug - defines how much debugging output the charon daemon should log.
  • uniqueids - specifies whether a particular participant ID should be kept unique.
  • conn prodgateway-to-devgateway - defines the connection name.
  • type - defines the connection type.
  • auto - how to handle the connection when IPsec is started or restarted.
  • keyexchange - defines the version of the IKE protocol to use.
  • authby - defines how the peers should authenticate each other.
  • left - defines the IP address of the left participant's public-network interface.
  • leftsubnet - states the private subnet behind the left participant.
  • right - specifies the IP address of the right participant's public-network interface.
  • rightsubnet - states the private subnet behind the right participant.
  • ike - defines the list of IKE/ISAKMP SA encryption/authentication algorithms to be used. You can add a comma-separated list.
  • esp - specifies the list of ESP encryption/authentication algorithms to be used for the connection. You can add a comma-separated list.
  • aggressive - specifies whether to use Aggressive or Main Mode.
  • keyingtries - specifies the number of attempts that should be made to negotiate a connection.
  • ikelifetime - specifies how long the keying channel of a connection should last before being renegotiated.
  • lifetime - specifies how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay - specifies the interval at which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout - specifies the timeout interval after which all connections to a peer are deleted in case of inactivity.
  • dpdaction - specifies how to use the Dead Peer Detection (DPD) protocol to manage the connection.

For more information about the above configuration parameters, read the ipsec.conf man page by running the following command.

$ man ipsec.conf
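The two conn sections above are mirror images of each other: every left/leftsubnet value on one gateway is the right/rightsubnet value on the other, and the proposal and authentication settings are identical. A typo in either file breaks that symmetry and the tunnel either fails to negotiate or protects the wrong subnet. The script below is an added example, not part of the original article or of strongSwan: it reads a conn section out of each ipsec.conf and compares the two peers. The config files it generates are constructed copies of the article's two conn sections (plus one with deliberate slips); on real gateways you would copy the peer's /etc/ipsec.conf over and run check_peer_symmetry against both files.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): cross-check the two gateways'
# ipsec.conf files against each other. Each peer's left/leftsubnet must equal
# the other peer's right/rightsubnet, and the proposal and authentication
# settings must be identical.

# conn_value FILE CONN KEY: print KEY's value inside "conn CONN", or nothing.
# Sections start at a "conn"/"config"/"ca" line and run until the next one.
conn_value() {
    awk -v c="$2" -v k="$3" '
        /^[ \t]*(conn|config|ca)[ \t]/ { in_conn = ($2 == c); next }
        in_conn {
            line = $0; sub(/#.*/, "", line)         # drop trailing comments
            n = index(line, "=")
            if (n == 0) next
            name = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) { print val; exit }
        }
    ' "$1"
}

SAME_KEYS="type keyexchange authby ike esp"      # must be identical on both peers
MIRROR_KEYS="left:right leftsubnet:rightsubnet"   # must be swapped between peers
MISMATCHES=0

# compare LABEL VALUE1 VALUE2: print a verdict and count mismatches.
compare() {
    if [ "$2" = "$3" ]; then
        printf 'ok        %-26s %s\n' "$1" "$2"
    else
        printf 'MISMATCH  %-26s %s vs %s\n' "$1" "${2:-unset}" "${3:-unset}"
        MISMATCHES=$((MISMATCHES + 1))
    fi
}

# check_peer_symmetry FILE1 CONN1 FILE2 CONN2: returns the number of mismatches.
check_peer_symmetry() {
    local f1=$1 c1=$2 f2=$3 c2=$4 key pair l r
    MISMATCHES=0
    for key in $SAME_KEYS; do
        compare "$key" "$(conn_value "$f1" "$c1" "$key")" "$(conn_value "$f2" "$c2" "$key")"
    done
    for pair in $MIRROR_KEYS; do
        l=${pair%%:*}; r=${pair##*:}
        compare "$l(1) vs $r(2)" "$(conn_value "$f1" "$c1" "$l")" "$(conn_value "$f2" "$c2" "$r")"
        compare "$r(1) vs $l(2)" "$(conn_value "$f1" "$c1" "$r")" "$(conn_value "$f2" "$c2" "$l")"
    done
    return "$MISMATCHES"
}

# write_conf CONN LEFT LEFTSUBNET RIGHT RIGHTSUBNET [ESP]: constructed ipsec.conf, prints its path.
write_conf() {
    local f; f=$(mktemp)
    cat >"$f" <<EOF
config setup
        uniqueids=yes
conn $1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=$2
        leftsubnet=$3
        right=$4
        rightsubnet=$5
        ike=aes256-sha1-modp1024!
        esp=${6:-aes256-sha1!}
EOF
    printf '%s\n' "$f"
}

# Constructed copies of the article's configs, plus a prod config with two typical slips.
DEV=$(write_conf devgateway-to-prodgateway 10.20.20.1 192.168.0.101/24 10.20.20.3 10.0.2.15/24)
PROD=$(write_conf prodgateway-to-devgateway 10.20.20.3 10.0.2.15/24 10.20.20.1 192.168.0.101/24)
BROKEN=$(write_conf prodgateway-to-devgateway 10.20.20.3 10.0.2.15/24 10.20.20.1 192.168.0.0/24 'aes128-sha256!')

echo "== article configs =="
check_peer_symmetry "$DEV" devgateway-to-prodgateway "$PROD" prodgateway-to-devgateway
echo "== prod config with a wrong rightsubnet and esp =="
check_peer_symmetry "$DEV" devgateway-to-prodgateway "$BROKEN" prodgateway-to-devgateway || echo "-> $MISMATCHES mismatch(es)"
```

The comparison is textual, so both files have to spell the subnets the same way (the article uses 192.168.0.101/24 on both sides); that is deliberate, because a differently written selector is exactly the kind of slip the check is meant to surface.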

Step 4: Configure the PSK for Peer-to-Peer Authentication

8. After configuring both security gateways, generate a secure PSK for the peers to authenticate with, using the following command.

$ head -c 24 /dev/urandom | base64

9. Next, add the PSK to the /etc/ipsec.secrets file on both gateways.

$ sudo vim /etc/ipsec.secrets

Copy and paste the following line.

Site 1 Gateway (tecmint-devgateway)

10.20.20.1 10.20.20.3 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="

Site 2 Gateway (tecmint-prodgateway)

10.20.20.3  10.20.20.1 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="
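Steps 8 and 9 together, as an added example that is not part of the original article: the script generates a PSK with the same command the article uses, builds the ipsec.secrets entry for each gateway (own public IP first, then the peer's, then the quoted secret, as in the two lines above), writes it with owner-only permissions and verifies them. The key shown in the article is a published sample, so each deployment has to generate its own. The temp files below stand in for /etc/ipsec.secrets on the two gateways.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): generate a PSK the way the
# article does, build the ipsec.secrets entry for each gateway, and make sure
# the file holding it is readable by root only.

# generate_psk: 24 random bytes, base64-encoded (32 characters, no padding).
generate_psk() {
    head -c 24 /dev/urandom | base64
}

# psk_strength_ok PSK: true when the secret is at least as long as the
# article's 24-byte key; shorter, hand-typed secrets are easy to guess.
psk_strength_ok() {
    [ "${#1}" -ge 32 ]
}

# secrets_line LOCAL_IP REMOTE_IP PSK: one ipsec.secrets entry. The two IDs
# before the colon select the entry; the same PSK is used on both gateways.
secrets_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# write_secrets FILE LOCAL_IP REMOTE_IP PSK: write the entry with mode 0600.
write_secrets() {
    local f=$1; shift
    ( umask 077; secrets_line "$@" >"$f" )   # umask change stays in the subshell
    chmod 600 "$f"                           # tighten a pre-existing file too
}

# secrets_perms_ok FILE: true when only the owner can read the secrets file.
secrets_perms_ok() {
    [ "$(stat -c %a "$1")" = 600 ]
}

# Demo: one PSK, the matching entry for each site, written to temp files
# (use /etc/ipsec.secrets on the real gateways).
PSK=$(generate_psk)
psk_strength_ok "$PSK" || { echo "PSK too short"; exit 1; }
DEV_SECRETS=$(mktemp); PROD_SECRETS=$(mktemp)
write_secrets "$DEV_SECRETS"  10.20.20.1 10.20.20.3 "$PSK"   # tecmint-devgateway
write_secrets "$PROD_SECRETS" 10.20.20.3 10.20.20.1 "$PSK"   # tecmint-prodgateway
for f in "$DEV_SECRETS" "$PROD_SECRETS"; do
    printf '%s (mode %s):\n  ' "$f" "$(stat -c %a "$f")"; cat "$f"
done
```

Both gateways must carry the same secret, which is why the script derives the two entries from a single generate_psk call rather than running the generator on each host.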

10. Restart the IPsec service and check its status to view the connections.

$ sudo ipsec restart
$ sudo ipsec status

11. Finally, verify that you can reach the private subnets from either security gateway by running the ping command.

$ ping 192.168.0.101
$ ping 10.0.2.15

12. In addition, you can stop and start IPsec as shown.

$ sudo ipsec stop
$ sudo ipsec start

13. To learn more about the IPsec commands for bringing connections up and down manually, and more, see the IPsec help page.

$ ipsec --help

That's all! In this article, we have described how to set up a site-to-site IPsec VPN using strongSwan on Ubuntu and Debian servers, with both security gateways configured to authenticate each other using a PSK. If you have any questions or thoughts to share, reach us via the feedback form below.