主页
本文以Ubuntu 22.04系统为例,安装strongswan软件,配置VPN协议IKEv2。
查看 Ubuntu 系统版本信息可以使用lsb_release 命令:
Shell$ lsb_release --all Distributor ID: Ubuntu Description: Ubuntu 22.04.2 LTS Release: 22.04 Codename: jammy
安装VPN相关软件包
使用包管理apt软件安装strongswan附属插件及相关工具:
sudo apt install strongswan strongswan-swanctl sudo apt install libstrongswan-extra-plugins libcharon-extra-plugins sudo apt install libcharon-extauth-plugins libstrongswan-standard-plugins sudo apt install resolvconf curl
引入系统信任证书列表
strongswan软件默认未配置信任证书,以下步骤将重新导入系统信任证书列表:
sudo rm -f /etc/ipsec.d/cacerts/* sudo ln -s /etc/ssl/certs/* /etc/ipsec.d/cacerts/
创建VPN连接
方式 1: 使用ipsec命令
例子中的用户jAccount账号名假定为myname,密码假定为mypassword,请替换:
编辑文件1 /etc/ipsec.conf
conn "sjtu-staff" keyexchange=ikev2 left=%config leftsourceip=%config4,%config6 leftauth=eap-peap ike=aes128-sha1-modp1024, aes256-sha1-modp1024, 3des-sha1-modp1024! esp=aes128-sha1-modp1024, aes128-sha2_256-modp1024, 3des-sha1-modp1024! right=vpn.sjtu.edu.cn rightid=%any rightsendcert=never rightsubnet=0.0.0.0/0,2000::/3 rightauth=pubkey eap_identity="myname" # jAccount ID auto=add aaa_identity="@radius.net.sjtu.edu.cn" conn "sjtu-student" keyexchange=ikev2 left=%config leftsourceip=%config4,%config6 leftauth=eap-peap right=stu.vpn.sjtu.edu.cn rightid=@stu.vpn.sjtu.edu.cn rightsendcert=never rightsubnet=0.0.0.0/0,2000::/3 rightauth=pubkey eap_identity="myname" # jAccount ID auto=add aaa_identity="@radius.net.sjtu.edu.cn"
编辑文件2. /etc/ipsec.secrets
"myname" : EAP "mypassword"
【注意】
1、其中“myname”是您jAccount账号名,“mypassword”是您jAccount密码。
2、":"冒号左右两侧均为空格,不可用TAB键。
编辑文件3. /etc/strongswan.d/charon/revocation.conf
load = no
重新启动VPN,命令如下:
sudo ipsec restart
连接VPN,命令如下:
sudo ipsec up "sjtu-staff" #教职工VPN sudo ipsec up "sjtu-student" #学生VPN
断开VPN,命令如下:
sudo ipsec down "sjtu-staff" #教职工VPN sudo ipsec down "sjtu-student" #学生VPN
方式 2: 使用swanctl命令
编辑文件1 /etc/swanctl/conf.d/sjtuvpn.conf
swanctl引用的配置目录/etc/swanctl/conf.d/
示例文件名为 sjtuvpn.conf,内容如下,其中用户jAccount账号名假定为myname,密码假定为mypassword,请替换:
connections {
vpn-staff {
vips = 0.0.0.0,::
remote_addrs = vpn.sjtu.edu.cn
send_certreq = no
local {
auth = eap-peap
eap_id = myname
aaa_id = @radius.net.sjtu.edu.cn
}
remote {
auth = pubkey
id = %any
}
children {
vpn-staff {
remote_ts = 0.0.0.0/0,::/0
esp_proposals = aes128-sha1-modp1024, aes128-sha2_256-modp1024, 3des-sha1-modp1024,default
}
}
version = 2
mobike = no
proposals = aes128-sha1-modp1024, aes256-sha1-modp1024,3des-sha1-modp1024,default
}
vpn-student {
vips = 0.0.0.0,::
remote_addrs = stu.vpn.sjtu.edu.cn
send_certreq = no
local {
auth = eap-peap
eap_id = myname
aaa_id = @radius.net.sjtu.edu.cn
}
remote {
auth = pubkey
id = @stu.vpn.sjtu.edu.cn
}
children {
vpn-student {
remote_ts = 0.0.0.0/0,::/0
}
}
version = 2
mobike = no
}
}
secrets {
eap-jaccount {
id = myname
secret = "mypassword"
}
}
编辑文件2. /etc/strongswan.d/charon/revocation.conf
load = no
重新读取VPN配置,命令如下:
sudo ipsec restart sudo swanctl --load-all
连接VPN,命令如下:
sudo swanctl -i --child vpn-staff #教职工VPN sudo swanctl -i --child vpn-student #学生VPN
断开VPN,命令如下
sudo swanctl -t --ike vpn-staff #教职工VPN sudo swanctl -t --ike vpn-student #学生VPN
检查VPN是否生效
可通过命令行执行如下命令,查看连接VPN前后,命令反馈的IP地址是否发生变化
curl whatismyip.sjtu.edu.cn curl v6.whatismyip.sjtu.edu.cn
