Strongswan zu windows sieben: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) |
||
| (7 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
=VPN Gateway zertifikat= | =VPN Gateway zertifikat= | ||
| + | ==create certs== | ||
| + | ===ipsec pki=== | ||
*ipsec pki --gen > ca.key | *ipsec pki --gen > ca.key | ||
*ipsec pki --self --in ca.key --dn "C=DE, O=willux, CN=willux-ca" --ca > ca.crt | *ipsec pki --self --in ca.key --dn "C=DE, O=willux, CN=willux-ca" --ca > ca.crt | ||
*ipsec pki --gen > huey.xinux.org.key | *ipsec pki --gen > huey.xinux.org.key | ||
*ipsec pki --pub --in huey.xinux.org.key | ipsec pki --issue --flag serverAuth --flag ikeIntermediate --san huey.xinux.org --cacert ca.crt --cakey ca.key --dn "C=DE, O=willux, CN=huey.xinux.org" > huey.xinux.org.crt | *ipsec pki --pub --in huey.xinux.org.key | ipsec pki --issue --flag serverAuth --flag ikeIntermediate --san huey.xinux.org --cacert ca.crt --cakey ca.key --dn "C=DE, O=willux, CN=huey.xinux.org" > huey.xinux.org.crt | ||
| + | ===openssl=== | ||
| + | *[[openssl#reqext in $CLIENT.cnf | important since win7]] | ||
| + | |||
| + | ==certs== | ||
| + | */etc/ipsec.d/certs/huey.xinux.org.crt | ||
| + | */etc/ipsec.d/cacerts/xinux-ca.crt | ||
| + | */etc/ipsec.d/private/huey.xinux.org.key | ||
| + | ==/etc/ipsec.conf== | ||
| + | <pre> | ||
| + | config setup | ||
| + | #plutostart=no | ||
| + | |||
| + | conn %default | ||
| + | keyexchange=ikev2 | ||
| + | ike=aes256-sha1-modp1024! | ||
| + | esp=aes256-sha1! | ||
| + | dpdaction=clear | ||
| + | dpddelay=300s | ||
| + | rekey=no | ||
| + | |||
| + | conn win7 | ||
| + | left=%any | ||
| + | leftsubnet=0.0.0.0/0 | ||
| + | leftauth=pubkey | ||
| + | leftcert=huey.xinux.org.crt | ||
| + | leftid=@huey.xinux.org | ||
| + | right=%any | ||
| + | rightsourceip=10.10.3.0/24 | ||
| + | rightauth=eap-mschapv2 | ||
| + | #rightsendcert=never # see note | ||
| + | eap_identity=%any | ||
| + | auto=add | ||
| + | </pre> | ||
| + | ==/etc/ipsec.secrets== | ||
| + | <pre> | ||
| + | : RSA huey.xinux.org.key "lummel" | ||
| + | thomas : EAP "tummel" | ||
| + | xinux : EAP "wummel" | ||
| + | </pre> | ||
| + | ==/etc/strongswan.conf== | ||
| + | <pre> | ||
| + | charon { | ||
| + | dns1 = 192.168.240.200 | ||
| + | nbns1 = 192.168.240.200 | ||
| + | load_modular = yes | ||
| + | |||
| + | } | ||
| + | </pre> | ||
| + | |||
=windows client= | =windows client= | ||
*wichtig | *wichtig | ||
DNS name verwenden keine IP | DNS name verwenden keine IP | ||
Aktuelle Version vom 31. Oktober 2014, 11:54 Uhr
VPN Gateway zertifikat
create certs
ipsec pki
- ipsec pki --gen > ca.key
- ipsec pki --self --in ca.key --dn "C=DE, O=willux, CN=willux-ca" --ca > ca.crt
- ipsec pki --gen > huey.xinux.org.key
- ipsec pki --pub --in huey.xinux.org.key | ipsec pki --issue --flag serverAuth --flag ikeIntermediate --san huey.xinux.org --cacert ca.crt --cakey ca.key --dn "C=DE, O=willux, CN=huey.xinux.org" > huey.xinux.org.crt
openssl
certs
- /etc/ipsec.d/certs/huey.xinux.org.crt
- /etc/ipsec.d/cacerts/xinux-ca.crt
- /etc/ipsec.d/private/huey.xinux.org.key
/etc/ipsec.conf
config setup
#plutostart=no
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
conn win7
left=%any
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=huey.xinux.org.crt
leftid=@huey.xinux.org
right=%any
rightsourceip=10.10.3.0/24
rightauth=eap-mschapv2
#rightsendcert=never # see note
eap_identity=%any
auto=add
/etc/ipsec.secrets
: RSA huey.xinux.org.key "lummel" thomas : EAP "tummel" xinux : EAP "wummel"
/etc/strongswan.conf
charon {
dns1 = 192.168.240.200
nbns1 = 192.168.240.200
load_modular = yes
}
windows client
- wichtig
DNS name verwenden keine IP