このページの翻訳:
- 日本語 (ja)
- English (en)
最近の更新
- 02 Apache2で自己認証ssl [中間証明書の整合性確認]
最近の更新
StrongswanでIKEv2 EAP 認証でWindowsから接続してみる。
証明書自体は、こちらなどで用意10 Docker Let's Encrypt
シンボリックリンクだけ貼る
cd /etc/strongswan/ipsec.d
ln -s /app/certs/vpn2.kumolabo.com.crt certs/cert.pem
ln -s /app/certs/vpn2.kumolabo.com.key private/privkey.pem
ln -s /app/certs/vpn2.kumolabo.com.chain.pem cacerts/chain.pem
ipsec.conf
conn %default type=tunnel authby=psk keyingtries=3 keyexchange=ikev2 ike=aes256-sha256-modp2048 esp=aes256-sha256-modp2048 conn IPSec-IKEv2-EAP leftsubnet=0.0.0.0/0 leftid=vpn.hogehoge.com left=%any leftcert=cert.pem leftsendcert=always rightid=%any right=%any rightsourceip=192.168.100.0/24 rightauth=eap-mschapv2 eap_identity=%any auto=add
下記は、vpnuserを用意した場合。
ユーザ | vpnuser |
パスワード | hogehoge |
ipsec.secrets
: RSA privkey.pem vpnuser : EAP hogehoge
iptables -I INPUT -p udp --dport 4500 -j ACCEPT iptables -I INPUT -p udp --dport 500 -j ACCEPT iptables -t nat -A POSTROUTING -j MASQUERADE
firewall-cmd --permanent --zone=public --add-service=ipsec firewall-cmd --permanent --zone=public --add-port=4500/udp firewall-cmd --reload
sysctl -w net.ipv4.ip_forward=1
strongswan側に合わせて設定変更
認証アルゴリズム | SHA256 |
暗号化アルゴリズム | AES256 |
DHグループ | Group14 |
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN 接続" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup NONE -DHGroup Group14 -Force
> Get-VpnConnection -Name 'VPN'| Select-Object -ExpandProperty IPsecCustomPolicy AuthenticationTransformConstants : SHA256128 CipherTransformConstants : AES256 DHGroup : Group14 IntegrityCheckMethod : SHA256 PfsGroup : None EncryptionMethod : AES256
Mar 18 21:26:39 vpn-test charon: 05[LIB] opening '/etc/strongswan/ipsec.d/certs/cert.pem' failed: Permission denied
setenforce 0