This article describes in detail how to set up an IPsec VPN server and configure a client on CentOS 6, covering installing the required packages, configuring keys, setting the IPsec policy and creating VPN users, so that readers can quickly build and configure an IPsec VPN service.
With the internet now everywhere, network security matters more than ever. IPsec VPN is a secure and reliable remote-access technology widely used for corporate intranets and remote work. This article explains in depth how to build an IPsec VPN server on CentOS 6 and how to configure its clients.
Preparation
1. Hardware: a server running CentOS 6 with a stable network connection.
2. Software: both the server and the client need the IPsec VPN software packages installed.
Server configuration
1. Install the IPsec packages:
```bash
# On CentOS 6 the strongswan package comes from the EPEL repository.
# ipsec-tools (racoon) is installed as well, but the configuration below uses strongSwan only.
yum install epel-release
yum install ipsec-tools strongswan
```
2. Generate the CA certificate and the server certificate:
- Create the certificate directory:
```bash
mkdir -p /etc/ipsec.d/certs
```
- Create the CA private key:
```bash
# The CA key is only needed when signing certificates; keep it off the VPN server if you can
openssl genpkey -algorithm RSA -out /etc/ipsec.d/certs/ca.key -pkeyopt rsa_keygen_bits:2048
```
- Create the self-signed CA certificate:
```bash
openssl req -new -x509 -sha256 -days 3650 -key /etc/ipsec.d/certs/ca.key -out /etc/ipsec.d/certs/ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/CN=MyCompanyCA"
```
- Create the server private key:
```bash
openssl genpkey -algorithm RSA -out /etc/ipsec.d/certs/server.key -pkeyopt rsa_keygen_bits:2048
```
- Create the server certificate request:
```bash
# The subject DN becomes the server's IKE identity (leftid defaults to the certificate subject)
openssl req -new -key /etc/ipsec.d/certs/server.key -out /etc/ipsec.d/certs/server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/CN=MyCompanyServer"
```
- Sign the server certificate with the CA:
```bash
# Without -days, "openssl x509 -req" issues a certificate valid for only 30 days
openssl x509 -req -sha256 -days 365 -in /etc/ipsec.d/certs/server.csr -CA /etc/ipsec.d/certs/ca.crt -CAkey /etc/ipsec.d/certs/ca.key -set_serial 1 -out /etc/ipsec.d/certs/server.crt
```
3. Configure the IPsec policy file:
Edit `/etc/ipsec.conf` and add the following (the server authenticates itself with the certificate generated above, clients authenticate with the pre-shared key from `ipsec.secrets`):
```bash
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, auth 2"

conn %default
    ikelifetime=60m
    lifetime=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn myvpn
    # this server ("left"): authenticated by its certificate; leftid defaults to the cert subject
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/server.crt
    # remote clients ("right"): any address, authenticated by the PSK in ipsec.secrets;
    # each client is assigned a virtual IP from the 192.168.2.0/24 pool
    right=%any
    rightauth=psk
    rightsourceip=192.168.2.0/24
    rightdns=8.8.8.8
    auto=add
```
Use `leftsubnet=0.0.0.0/0` instead of `192.168.1.0/24` if all client traffic should be routed through the tunnel; in either case traffic from the virtual-IP pool only reaches the LAN if IP forwarding is enabled on the server.
4. Configure the IPsec secrets file:
Edit `/etc/ipsec.secrets` and add the following:
```bash
# private key belonging to the certificate referenced by leftcert
: RSA /etc/ipsec.d/certs/server.key
# pre-shared key accepted from any client; a selector before the colon (an IP address or
# FQDN identity, not a subnet) can restrict which peer the key applies to
: PSK "MyVPNPassword"
```
5. Start the IPsec service:
```bash
# CentOS 6 uses SysV init (service/chkconfig); systemctl is not available
service strongswan start
chkconfig strongswan on
```
Client configuration
1. Install the IPsec packages:
```bash
# strongswan comes from the EPEL repository on CentOS 6
yum install epel-release
yum install ipsec-tools strongswan
```
2. Configure the IPsec policy file:
Edit `/etc/ipsec.conf` and add the following:
```bash
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, auth 2"

conn myvpn
    keyexchange=ikev2
    # this client ("left"): authenticated by the PSK in ipsec.secrets,
    # requests a virtual IP from the server's rightsourceip pool
    left=%defaultroute
    leftsourceip=%config
    leftauth=psk
    # the server ("right"): replace <SERVER_PUBLIC_IP> with the server's address.
    # The server is authenticated by its certificate, so copy ca.crt from the server
    # into /etc/ipsec.d/cacerts/ on this client; rightid must match the server cert subject
    right=<SERVER_PUBLIC_IP>
    rightid="C=CN, ST=Beijing, L=Beijing, O=MyCompany, CN=MyCompanyServer"
    rightauth=pubkey
    rightsubnet=192.168.1.0/24
    auto=start
```
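The strongSwan starter accepts an `ipsec.conf` in which the same option is set twice in one section, or which uses Openswan-style values such as `leftauth=rsasig` or non-existent options such as `leftkey`, without complaining, and the resulting tunnel then fails in non-obvious ways. The following linter for both the server and the client policy files is an added example, not code from the original article or from strongSwan; the sample conn embedded in it is constructed to contain exactly those mistakes.

```python
from collections import Counter

# strongSwan leftauth/rightauth methods (prefix of e.g. eap-mschapv2, xauth-generic); "rsasig" is an authby value
VALID_AUTH = {"pubkey", "psk", "eap", "xauth"}
# Options that do not exist in strongSwan's ipsec.conf (private keys go in ipsec.secrets)
NOT_STRONGSWAN = {"leftkey", "rightkey"}

def parse_ipsec_conf(text):
    """Return [(section_header, [(key, value), ...])] in file order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith(("config ", "conn ", "ca ")):
            current = (line, [])
            sections.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[1].append((key.strip(), value.strip()))
    return sections

def lint_ipsec_conf(text):
    """Flag mistakes the starter accepts silently: a key set twice in one section
    (values are not merged, so one is lost), unknown options, invalid auth methods."""
    findings = []
    for header, pairs in parse_ipsec_conf(text):
        for key, n in Counter(k for k, _ in pairs).items():
            if n > 1:
                values = [v for k, v in pairs if k == key]
                findings.append(f"{header}: '{key}' set {n} times, only one applies: {values}")
        for key, value in pairs:
            if key in NOT_STRONGSWAN:
                findings.append(f"{header}: '{key}' is not a strongSwan option")
            elif key in ("leftauth", "rightauth") and value.split("-")[0] not in VALID_AUTH:
                findings.append(f"{header}: '{key}={value}' is not a strongSwan auth method")
    return findings

# Constructed sample: a conn carrying the defects described above
PAGE_CONN = """\
conn myvpn
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftsubnet=192.168.1.0/24
    leftauth=rsasig
    leftkey=/etc/ipsec.d/certs/server.key
    rightauth=psk
    rightauth=rsasig
"""
```

Run `lint_ipsec_conf(open("/etc/ipsec.conf").read())` before restarting the service; an empty list means no findings.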
3. Configure the IPsec secrets file:
Edit `/etc/ipsec.secrets` and add the following:
```bash
# the same pre-shared key as configured on the server; a selector before the colon
# (an IP address or FQDN identity, not a subnet) can restrict which peer it applies to
: PSK "MyVPNPassword"
```
4. Start the IPsec service:
```bash
# CentOS 6 uses SysV init (service/chkconfig); systemctl is not available
service strongswan start
chkconfig strongswan on
```
With the steps above you have a working IPsec VPN remote-access server on CentOS 6; once the client is configured, users can connect to the server over the VPN for secure and stable remote access.