How to Set Up an IPsec-based VPN with Strongswan on CentOS/RHEL 8


StrongSwan is an open-source, multi-platform, modern and complete IPsec-based VPN solution for Linux that offers full support for Internet Key Exchange (both IKEv1 and IKEv2) to establish security associations (SA) between two peers. It is full-featured, modular by design and offers dozens of plugins that extend the core functionality.

Read Also: How to Set Up an IPsec-based VPN with Strongswan on Debian and Ubuntu

In this article, you will learn how to set up site-to-site IPsec VPN gateways using strongSwan on CentOS/RHEL 8 servers. This allows the peers to authenticate each other using a pre-shared key (PSK). A site-to-site setup means that each security gateway has a subnet behind it.

Don't forget to use your real IP addresses during configuration while following the guide.

Site 1 Gateway
Public IP: 192.168.56.7
Private IP: 10.10.1.1/24
Private Subnet: 10.10.1.0/24

Site 2 Gateway
Public IP: 192.168.56.6
Private IP: 10.20.1.1/24
Private Subnet: 10.20.1.0/24

Step 1: Enable Kernel IP Forwarding on CentOS 8

1. Start by enabling the kernel IP forwarding functionality in the /etc/sysctl.conf configuration file on both VPN gateways.

# vi /etc/sysctl.conf

Add the following lines to the file.

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

2. After saving the changes in the file, run the following command to load the new kernel parameters at runtime.

# sysctl -p

3. Next, create a permanent static route in the /etc/sysconfig/network-scripts/route-eth0 file on both security gateways.

# vi /etc/sysconfig/network-scripts/route-eth0

Add the following line to the file.

#Site 1 Gateway
10.20.1.0/24  via 192.168.56.7

#Site 2 Gateway
10.10.1.0/24 via 192.168.56.6

4. Then restart the network manager to apply the new changes.

# systemctl restart NetworkManager

Step 2: Install strongSwan on CentOS 8

5. The strongswan package is provided in the EPEL repository. To install it, you need to enable the EPEL repository and then install strongswan on both security gateways.

# dnf install epel-release
# dnf install strongswan

6. To check the version of strongswan installed on both gateways, use the following command.

# strongswan version

7. Next, start the strongswan service and enable it to start automatically at system boot. Then verify its status on both security gateways.

# systemctl start strongswan
# systemctl enable strongswan
# systemctl status strongswan

Note: The latest version of strongswan in CentOS/RHEL 8 comes with support for both swanctl (a new, portable command-line utility introduced with strongSwan 5.2.0, used to configure, control and monitor the IKE daemon charon using the vici plugin) and the starter (or ipsec) utility, which uses the deprecated stroke plugin.

8. The main configuration directory is /etc/strongswan/, which contains the configuration files for both plugins:

# ls /etc/strongswan/

For this guide, we will use the IPsec utility, which is invoked using the strongswan command and the stroke interface. So we will use the following configuration files:

  • /etc/strongswan/ipsec.conf - configuration file for the strongSwan IPsec subsystem.
  • /etc/strongswan/ipsec.secrets - secrets file.

Step 3: Configure the Security Gateways

9. In this step, you need to configure the connection profiles on each security gateway for each site using the /etc/strongswan/ipsec.conf configuration file. Start on the site 1 gateway (192.168.56.7): back up the original file and open it for editing.

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn gateway1-to-gateway2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.7
        leftsubnet=10.10.1.1/24
        right=192.168.56.6
        rightsubnet=10.20.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
Then, on the site 2 gateway (192.168.56.6), back up and edit the same file. Note that left and right are swapped relative to site 1, because "left" always refers to the local gateway in that gateway's own configuration.

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration into the file:

config setup
        charondebug="all"
        uniqueids=yes
conn gateway2-to-gateway1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.6
        leftsubnet=10.20.1.1/24
        right=192.168.56.7
        rightsubnet=10.10.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Let's briefly describe each of the configuration parameters above:

  • config setup - defines general configuration information for IPSec that applies to all connections.
  • charondebug - specifies how much charon debugging output should be logged.
  • uniqueids - defines whether a particular participant ID should be kept unique.
  • gateway1-to-gateway2 - used to set the connection name.
  • type - defines the type of connection.
  • auto - used to declare how to handle the connection when IPSec is started or restarted.
  • keyexchange - declares the version of the IKE protocol to use.
  • authby - defines how the peers should authenticate each other.
  • left - declares the IP address of the left participant's public-network interface.
  • leftsubnet - declares the private subnet behind the left participant.
  • right - declares the IP address of the right participant's public-network interface.
  • rightsubnet - declares the private subnet behind the right participant.
  • ike - used to declare the list of IKE/ISAKMP SA encryption/authentication algorithms to be used. Note that this can be a comma-separated list. The proposal used here (SHA-1 with the modp1024 Diffie-Hellman group) is considered weak by today's standards; where both peers support it, prefer SHA-2 and a larger group such as modp2048.
  • esp - specifies the list of ESP encryption/authentication algorithms to be used for the connection.
  • aggressive - declares whether to use Aggressive or Main Mode.
  • keyingtries - declares the number of attempts that should be made to negotiate a connection.
  • ikelifetime - specifies how long the keying channel of a connection should last before being renegotiated.
  • lifetime - declares how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay - declares the time interval at which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout - used to declare the timeout interval, after which all connections to a peer are deleted in case of inactivity.
  • dpdaction - specifies how to use the Dead Peer Detection (DPD) protocol to manage the connection.

You can find a description of all configuration parameters for the strongSwan IPsec subsystem by reading the ipsec.conf man page.

# man ipsec.conf

Step 4: Configure the PSK for Peer-to-Peer Authentication

10. Next, you need to generate a strong PSK to be used by the peers for authentication, as follows.

# head -c 24 /dev/urandom | base64

11. Add the PSK to the /etc/strongswan/ipsec.secrets file on both security gateways.

# vi /etc/strongswan/ipsec.secrets

Enter the following lines in the file. The same PSK must appear on both gateways.

#Site 1 Gateway
192.168.56.7  192.168.56.6 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"

#Site 2 Gateway
192.168.56.6  192.168.56.7 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"
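Because the two gateways' files must be exact mirrors of each other (left/right swapped, identical proposals, identical PSK), here is an added POSIX shell helper, not part of the original article, that renders the conn stanza from step 9 and the ipsec.secrets line from step 11 from one set of site parameters. It assumes the network addresses from the address list at the top (10.10.1.0/24 and 10.20.1.0/24) rather than the host addresses used in the stanzas above.

```shell
#!/bin/sh
# Added example (not from the original article): render both strongSwan
# files from one set of parameters so that site 1 and site 2 stay mirrored.
# Usage: render_ipsec_conf NAME LOCAL_IP LOCAL_SUBNET REMOTE_IP REMOTE_SUBNET

render_ipsec_conf() {
    name="$1"; local_ip="$2"; local_net="$3"; remote_ip="$4"; remote_net="$5"
    # Same proposal and timers as the article; only left/right differ per site.
    cat <<EOF
config setup
        charondebug="all"
        uniqueids=yes
conn $name
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=$local_ip
        leftsubnet=$local_net
        right=$remote_ip
        rightsubnet=$remote_net
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
EOF
}

# One ipsec.secrets line: "<local> <remote> : PSK \"<key>\"".
# Usage: render_ipsec_secret LOCAL_IP REMOTE_IP PSK
render_ipsec_secret() {
    printf '%s  %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Generate a fresh PSK the same way the article does (24 random bytes, base64).
new_psk() {
    head -c 24 /dev/urandom | base64
}

# Constructed sample run with the article's addresses; redirect each block
# into /etc/strongswan/ipsec.conf and ipsec.secrets on the matching gateway.
PSK=$(new_psk)
render_ipsec_conf gateway1-to-gateway2 192.168.56.7 10.10.1.0/24 192.168.56.6 10.20.1.0/24
render_ipsec_secret 192.168.56.7 192.168.56.6 "$PSK"
```

Run it once per site with the arguments swapped (gateway2-to-gateway1, 192.168.56.6, 10.20.1.0/24, 192.168.56.7, 10.10.1.0/24) and reuse the same $PSK value for both.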

12. Then restart the strongswan service and check the status of the connections.

# systemctl restart strongswan
# strongswan status

13. Test whether you can reach the private subnets from the security gateways by running the ping command.

# ping 10.20.1.1
# ping 10.10.1.1

14. Last but not least, to learn more strongswan commands for manually bringing a connection up or down and more, see the strongswan help page.

# strongswan --help

That's all for now! To share your thoughts with us or ask questions, reach us via the feedback form below. And to learn more about the new swanctl utility and the new, more flexible configuration structure, check out the strongSwan User Documentation.