Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8

Follow this tutorial to learn how to configure a strongSwan VPN client on Ubuntu 18.04/CentOS 8. Our previous tutorial provided a step-by-step guide on how to set up a strongSwan VPN server on Debian 10 Buster.

Follow the link below to learn how to install and set up a strongSwan VPN server on Debian 10 Buster.

Set Up IPSEC VPN Using StrongSwan on Debian 10

Once the strongSwan VPN server is set up, you can proceed to test IP assignment and local connectivity through the VPN server.

In this demo, we use Ubuntu 18.04 and CentOS 8 as our test strongSwan VPN clients.

Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8

Install strongSwan on Ubuntu 18.04

strongSwan and its extra plugins can be installed on Ubuntu 18.04 by running the commands below:

apt update
apt install strongswan libcharon-extra-plugins

Install strongSwan on CentOS 8

The strongSwan packages are provided by the EPEL repository on CentOS 8 and similar derivatives. Therefore, start by installing the EPEL repository:

dnf install epel-release
dnf update
dnf install strongswan strongswan-charon-nm

Install the strongSwan VPN Server CA Certificate on the Client

Copy the strongSwan CA certificate generated during the server setup, /etc/ipsec.d/cacerts/vpn_ca_cert.pem, to the client hosts and:

  • place it in the /etc/ipsec.d/cacerts/ directory on Ubuntu 18.04
  • place it in the /etc/strongswan/ipsec.d/cacerts directory on CentOS 8.

Configure the strongSwan VPN Client on Ubuntu 18.04/CentOS 8

On Ubuntu 18.04:

Update the /etc/ipsec.conf configuration file to define how to connect to the strongSwan VPN server. See the configuration file below:

vim /etc/ipsec.conf

conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    leftauth=eap-mschapv2
    eap_identity=%identity

Set up the authentication secrets:

vim /etc/ipsec.secrets

...
# user id : EAP secret
vpnsecure : EAP "[email protected]"

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

Save the configuration file and restart strongswan.

systemctl restart strongswan

Disable strongSwan from running on system boot:

systemctl disable strongswan

Check the status:

ipsec statusall
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 1 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cc36db97_i cb5ceb5b_o
ipsec-ikev2-vpn-client{1}: 172.16.7.1/32 === 0.0.0.0/0

On CentOS 8:

Update the /etc/strongswan/ipsec.conf configuration file to define how to connect to the strongSwan VPN server.

vim /etc/strongswan/ipsec.conf

conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=koromicha
    leftauth=eap-mschapv2
    eap_identity=%identity

Next, open the /etc/strongswan/ipsec.secrets configuration file and set the EAP authentication details as defined on the server.

vim /etc/strongswan/ipsec.secrets

# user id : EAP secret
koromicha : EAP "mypassword"

Restart strongswan.

systemctl restart strongswan

Disable strongSwan from running on system boot:

systemctl disable strongswan

Check the VPN connection status:

strongswan statusall
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 2 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c573b6a1_i cd8306eb_o
ipsec-ikev2-vpn-client{1}: 172.16.7.2/32 === 0.0.0.0/0
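
The client settings above keep the EAP password in clear text in ipsec.secrets and rely on rightauth=pubkey and rightid to authenticate the server. The audit script below is an added example, not part of the original tutorial; the function names, the accepted file modes and the pass/fail policy are assumptions of the example, and it runs against constructed sample files.

```sh
#!/bin/sh
# Added example (names and pass/fail policy are assumptions): audit a
# strongSwan client ipsec.conf / ipsec.secrets pair.

# conn_opt FILE CONN KEY: print the value of KEY inside "conn CONN".
conn_opt() {
    awk -v conn="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^(conn|ca|config)[ \t]/ { inside = ($1 == "conn" && $2 == conn); next }
        inside {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = index(line, "=")
            if (n && substr(line, 1, n - 1) == key) { print substr(line, n + 1); exit }
        }' "$1"
}

# audit_swan_client CONF SECRETS CONN: print findings, return the FAIL count.
audit_swan_client() {
    conf=$1; secrets=$2; conn=$3; fails=0
    # ipsec.secrets holds the EAP password in clear text: owner-only access.
    mode=$(stat -c '%a' "$secrets")    # GNU stat (Ubuntu, CentOS)
    case $mode in
        600|400) ;;
        *) echo "FAIL: $secrets has mode $mode, expected 600"; fails=$((fails + 1)) ;;
    esac
    # The server must prove its identity with a certificate (rightauth=pubkey).
    if [ "$(conn_opt "$conf" "$conn" rightauth)" != "pubkey" ]; then
        echo "FAIL: rightauth is not pubkey"; fails=$((fails + 1))
    fi
    # Policy of this example: the expected server identity is set explicitly.
    rid=$(conn_opt "$conf" "$conn" rightid)
    if [ -z "$rid" ] || [ "$rid" = "%any" ]; then
        echo "FAIL: rightid is unset or %any"; fails=$((fails + 1))
    fi
    if [ "$(conn_opt "$conf" "$conn" rightsubnet)" = "0.0.0.0/0" ]; then
        echo "INFO: rightsubnet=0.0.0.0/0 routes all IPv4 traffic through the VPN"
    fi
    return "$fails"
}

# Constructed sample files that mirror the Ubuntu client settings on this page.
d=$(mktemp -d)
printf '%s\n' 'conn ipsec-ikev2-vpn-client' '    auto=start' \
    '    right=vpnsvr.kifarunix-demo.com' '    rightid=vpnsvr.kifarunix-demo.com' \
    '    rightsubnet=0.0.0.0/0' '    rightauth=pubkey' > "$d/ipsec.conf"
printf '%s\n' 'vpnsecure : EAP "constructed-password"' > "$d/ipsec.secrets"
chmod 644 "$d/ipsec.secrets"    # deliberately too permissive for the demo
audit_swan_client "$d/ipsec.conf" "$d/ipsec.secrets" ipsec-ikev2-vpn-client ||
    echo "failed checks: $?"
rm -rf "$d"
```

On a real client, pass /etc/ipsec.conf and /etc/ipsec.secrets (Ubuntu) or the files under /etc/strongswan/ (CentOS) together with the conn name.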

On the strongSwan VPN server, check the status:

In this demo, our strongSwan VPN server is running on Debian 10 Buster. Therefore, you can check the status as shown below:

ipsec status
Security Associations (2 up, 0 connecting):
ipsec-ikev2-vpn[4]: ESTABLISHED 18 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[koromicha]
ipsec-ikev2-vpn{4}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c4e5f1c2_i c8e1a02f_o
ipsec-ikev2-vpn{4}: 0.0.0.0/0 === 172.16.7.2/32
ipsec-ikev2-vpn[3]: ESTABLISHED 21 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[vpnsecure]
ipsec-ikev2-vpn{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7a4ee1d_i c558073b_o
ipsec-ikev2-vpn{3}: 0.0.0.0/0 === 172.16.7.1/32
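
The status checks above can be scripted instead of read by eye. This added example is not from the original tutorial, and the function name swan_tunnel_up is an assumption; it succeeds only when the status text shows an ESTABLISHED IKE SA for the expected remote identity that also has an INSTALLED child SA. The embedded sample is the server-side output shown above.

```sh
#!/bin/sh
# Added example (function name is an assumption): read "ipsec status" or
# "ipsec statusall" text on stdin; succeed only if an ESTABLISHED IKE SA whose
# remote identity is $1 has at least one INSTALLED child SA.
swan_tunnel_up() {
    awk -v want="$1" '
        # A status line for a different IKE SA ends the previous match.
        $1 ~ /\[[0-9]+\]:$/ && $1 != ike { hit = 0 }
        $2 == "ESTABLISHED" {
            ike = $1; peer = $0
            sub(/[ \t\r]+$/, "", peer)
            sub(/^.*\.\.\./, "", peer)                  # keep "remote-ip[remote-id]"
            peer = substr(peer, index(peer, "[") + 1)
            sub(/\]$/, "", peer)                        # bare remote identity
            hit = (peer == want)
        }
        hit && $2 == "INSTALLED," { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Sample input: the server-side status text shown on this page.
sample_status() {
    cat <<'EOF'
Security Associations (2 up, 0 connecting):
ipsec-ikev2-vpn[4]: ESTABLISHED 18 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[koromicha]
ipsec-ikev2-vpn{4}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c4e5f1c2_i c8e1a02f_o
ipsec-ikev2-vpn{4}: 0.0.0.0/0 === 172.16.7.2/32
ipsec-ikev2-vpn[3]: ESTABLISHED 21 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[vpnsecure]
ipsec-ikev2-vpn{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7a4ee1d_i c558073b_o
ipsec-ikev2-vpn{3}: 0.0.0.0/0 === 172.16.7.1/32
EOF
}

for id in koromicha vpnsecure unknown-user; do
    if sample_status | swan_tunnel_up "$id"; then
        echo "$id: tunnel up"
    else
        echo "$id: no established tunnel"
    fi
done
```

On a client, pipe the output of ipsec statusall (Ubuntu) or strongswan statusall (CentOS) into the function and pass the server identity configured in rightid.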

Test the VPN Client Connection

We now have two clients, each assigned its own address:

  • Ubuntu 18.04: 172.16.7.1
  • CentOS 8: 172.16.7.2

To test the connection, you can simply run a ping test.

From Ubuntu 18.04, ping CentOS 8:

ping 172.16.7.2
PING 172.16.7.2 (172.16.7.2) 56(84) bytes of data.
64 bytes from 172.16.7.2: icmp_seq=1 ttl=64 time=3.18 ms
64 bytes from 172.16.7.2: icmp_seq=2 ttl=64 time=4.15 ms
64 bytes from 172.16.7.2: icmp_seq=3 ttl=64 time=3.47 ms
64 bytes from 172.16.7.2: icmp_seq=4 ttl=64 time=3.61 ms
--- 172.16.7.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 3.176/3.602/4.154/0.360 ms

From CentOS 8, ping Ubuntu 18.04:

ping 172.16.7.1
PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=1 ttl=64 time=3.24 ms
64 bytes from 172.16.7.1: icmp_seq=2 ttl=64 time=4.37 ms
64 bytes from 172.16.7.1: icmp_seq=3 ttl=64 time=4.08 ms
64 bytes from 172.16.7.1: icmp_seq=4 ttl=64 time=3.43 ms
--- 172.16.7.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 3.237/3.780/4.371/0.462 ms

Try to SSH in both directions:

ssh [email protected]
authenticity of host '172.16.7.2 (172.16.7.2)' can't be established.
ECDSA key fingerprint is SHA256:wKoh/MWvCicV6cEe6jY19AkcBgk1lyjZorQt3aqflJM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
[[email protected] ~]$

ssh [email protected]
authenticity of host '172.16.7.1 (172.16.7.1)' can't be established.
ECDSA key fingerprint is SHA256:v20whQz4a4zpTJQfny/CGG56fRnP3Dpx8g5CkeCtFpo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.1' (ECDSA) to the list of known hosts.
[email protected]'s password:
Linux debian 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 26 00:54:04 2020 from 172.16.7.2
[email protected]:~$

That marks the end of our guide on how to configure the strongSwan VPN client on Ubuntu 18.04/CentOS 8.
