綾小路龍之介の素人思考

[debian] VPN server (strongswan, IKEv2)

Build a VPN server on Debian with strongSwan IKEv2, and connect to it from Windows and Android clients.

Installing the packages

# apt-get \
	install \
	strongswan \
	strongswan-pki \
;

Creating the CA private key. OpenSSL falls back to /dev/urandom when it needs to, so use the ipsec command instead, which draws only from the more robust /dev/random.

# ipsec \
	pki \
	--gen \
	--type rsa \
	--size 4096 \
	--outform der \
> /etc/ipsec.d/private/caprivatekey.der \
;

Creating the CA certificate

# ipsec \
	pki \
	--self \
	--ca \
	--lifetime 3650 \
	--in /etc/ipsec.d/private/caprivatekey.der \
	--type rsa \
	--dn "C=, O=, CN=fqdn.example.com" \
	--outform der \
> /etc/ipsec.d/cacerts/cacert.der \
;

Checking the contents of the CA certificate

# ipsec \
	pki \
	--print \
	--in /etc/ipsec.d/cacerts/cacert.der \
;

Creating the server private key

# ipsec \
	pki \
	--gen \
	--type rsa \
	--size 4096 \
	--outform der \
> /etc/ipsec.d/private/serverkey.der \
;

Signing the server certificate with the CA certificate

# ipsec \
	pki \
	--pub \
	--in /etc/ipsec.d/private/serverkey.der \
	--type rsa \
| ipsec \
	pki \
	--issue \
	--lifetime 3650 \
	--cacert /etc/ipsec.d/cacerts/cacert.der \
	--cakey /etc/ipsec.d/private/caprivatekey.der \
	--dn 'C=, O=, CN=fqdn.example.com' \
	--san 'fqdn.example.com' \
	--flag serverAuth \
	--flag ikeIntermediate \
	--outform der \
> /etc/ipsec.d/certs/servercert.der \
;
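The `--san`, `--flag serverAuth` and `--flag ikeIntermediate` options above are what the strongSwan Windows-client notes in the references require of a server certificate, and a certificate that lacks one of them fails silently on the client side. The following script is an added example, not code from the original post: it checks a server certificate for those three properties (chains to the CA, SAN carries the server FQDN, EKU contains serverAuth and ikeIntermediate, OID 1.3.6.1.5.5.8.2.2). Because `ipsec pki` is not assumed to be installed, it constructs a throwaway CA and two server certificates with openssl; every file name under the scratch directory is a placeholder. The post's real files are DER, so convert them to PEM first (`openssl x509 -inform DER -outform PEM`, as the post does for the CA certificate) before passing them to `check_server_cert`.

```shell
#!/bin/sh
# Added example, not from the original post: pre-deployment check of an IKEv2
# server certificate (chains to CA, SAN has the FQDN, EKU has serverAuth and
# ikeIntermediate 1.3.6.1.5.5.8.2.2).  Test data is constructed with openssl.

# Build constructed test data in directory $1: cacert.pem, srv.pem (conforming)
# and noike.pem (same subject and SAN, but without ikeIntermediate).
make_test_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
subjectAltName = DNS:fqdn.example.com
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
[noike_ext]
subjectAltName = DNS:fqdn.example.com
extendedKeyUsage = serverAuth
EOF
    # self-signed CA (stands in for cacert.der / caprivatekey.der)
    openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -days 30 \
        -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1 || return 1
    # server key and request (stands in for serverkey.der)
    openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=fqdn.example.com" \
        -keyout "$d/serverkey.pem" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    # issue both server certificates from the same request
    for ext in srv noike; do
        openssl x509 -req -days 30 -in "$d/server.csr" \
            -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
            -extfile "$d/req.cnf" -extensions "${ext}_ext" \
            -out "$d/$ext.pem" >/dev/null 2>&1 || return 1
    done
}

# Check server certificate $1 (PEM) against CA $2 for host name $3.
# Returns 0 only if every requirement holds, otherwise reports the first miss.
check_server_cert() {
    cert=$1; ca=$2; fqdn=$3
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "FAIL: cannot parse $cert"; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }
    printf '%s\n' "$text" | grep -qF "DNS:$fqdn" \
        || { echo "FAIL: subjectAltName lacks DNS:$fqdn"; return 1; }
    printf '%s\n' "$text" | grep -qF 'TLS Web Server Authentication' \
        || { echo "FAIL: extendedKeyUsage lacks serverAuth"; return 1; }
    # openssl prints this OID numerically unless it knows a short name for it
    printf '%s\n' "$text" | grep -Eq '1\.3\.6\.1\.5\.5\.8\.2\.2|ikeIntermediate' \
        || { echo "FAIL: extendedKeyUsage lacks ikeIntermediate"; return 1; }
    echo "OK: $cert"
}

# Demo: build the scratch PKI, check both certificates, clean up.  Succeeds only
# if the conforming certificate passes and the deficient one is rejected.
run_demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || { rm -rf "$dir"; return 1; }
    if check_server_cert "$dir/srv.pem" "$dir/cacert.pem" fqdn.example.com; then good=0; else good=1; fi
    if check_server_cert "$dir/noike.pem" "$dir/cacert.pem" fqdn.example.com; then bad=1; else bad=0; fi
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 0 ]
}

run_demo
```

Run against the real server certificate with `check_server_cert servercert.pem cacert.pem fqdn.example.com` after converting both files to PEM; the host name argument must be the exact name the clients will connect to, because that is what they compare against the SAN.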

Creating the client private keys

# ipsec \
	pki \
	--gen \
	--type rsa \
	--size 4096 \
	--outform pem \
> client_android.pem \
;
# ipsec \
	pki \
	--gen \
	--type rsa \
	--size 4096 \
	--outform pem \
> client_win10.pem \
;

Signing the client certificates with the CA certificate

# ipsec \
	pki \
	--pub \
	--in client_android.pem \
	--type rsa \
| ipsec \
	pki \
	--issue \
	--lifetime 3650 \
	--cacert /etc/ipsec.d/cacerts/cacert.der \
	--cakey /etc/ipsec.d/private/caprivatekey.der \
	--dn 'C=, O=, CN=client_android@fqdn.example.com' \
	--san 'client_android@fqdn.example.com' \
	--outform pem \
> clientcert_android.pem \
;
# ipsec \
	pki \
	--pub \
	--in client_win10.pem \
	--type rsa \
| ipsec \
	pki \
	--issue \
	--lifetime 3650 \
	--cacert /etc/ipsec.d/cacerts/cacert.der \
	--cakey /etc/ipsec.d/private/caprivatekey.der \
	--dn 'C=, O=, CN=client_win10@fqdn.example.com' \
	--san 'client_win10@fqdn.example.com' \
	--outform pem \
> clientcert_win10.pem \
;

Converting the CA certificate to PEM format

# openssl \
	x509 \
	-inform DER \
	-in /etc/ipsec.d/cacerts/cacert.der \
	-out /etc/ipsec.d/cacerts/cacert.pem \
	-outform PEM \
;

Bundling each client certificate, its private key and the CA certificate into a PKCS#12 file

# openssl \
	pkcs12 \
	-export \
	-inkey client_android.pem \
	-in clientcert_android.pem \
	-name "Client Certificate" \
	-certfile /etc/ipsec.d/cacerts/cacert.pem \
	-caname "CA Certificate" \
	-out vpn_android.p12 \
;
# openssl \
	pkcs12 \
	-export \
	-inkey client_win10.pem \
	-in clientcert_win10.pem \
	-name "Client Certificate" \
	-certfile /etc/ipsec.d/cacerts/cacert.pem \
	-caname "CA Certificate" \
	-out vpn_win10.p12 \
;

Registering the server key in /etc/ipsec.secrets and editing the configuration

# echo \
	': RSA serverkey.der' \
>> /etc/ipsec.secrets \
;
# vi -O /etc/ipsec.secrets /etc/ipsec.conf
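The post stops at opening ipsec.conf in the editor. The following is an added example of a minimal /etc/ipsec.conf for the certificates created above, not the author's configuration: it references the file names the post uses (servercert.der in /etc/ipsec.d/certs, the `: RSA serverkey.der` secret just appended) and authenticates clients by the certificates issued from the CA. The virtual address pool, the DNS server handed to clients and the cipher proposals are assumptions to adjust for your network and for what your clients offer.

```ini
# Added example, not the post's own ipsec.conf.  Server side is "left",
# remote clients are "right".  Pool, DNS and proposals are placeholders.
config setup
    uniqueids=never

conn ikev2-pubkey
    auto=add
    keyexchange=ikev2
    fragmentation=yes
    # adjust to what your Windows and Android clients offer
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # this server: identity must match the SAN in servercert.der
    left=%any
    leftid=@fqdn.example.com
    leftauth=pubkey
    leftcert=servercert.der
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # clients: any identity, authenticated by a certificate from our CA
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    rightdns=10.10.10.1
```

strongSwan finds servercert.der in /etc/ipsec.d/certs and trusts any client certificate that chains to a CA in /etc/ipsec.d/cacerts; a client whose certificate was not issued by cacert.der is rejected at the IKE_AUTH exchange. After saving both files, `ipsec restart` (or `ipsec reload` for configuration-only changes) loads them.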

References

  1. Setting-up a Simple CA Using the strongSwan PKI Tool - strongSwan
  2. ipsec.d - strongSwan
  3. Requirements for certificates used with Windows 7 - strongSwan
  4. Windows Clients - strongSwan
  5. ipsec pki --gen - strongSwan
  6. ipsec pki --self - strongSwan
  7. VPN server for remote clients using IKEv2 - Libreswan

ChangeLog

  1. Posted: 2007-10-12T00:18:42+09:00
  2. Modified: 2007-10-12T00:18:42+09:00
  3. Generated: 2019-05-08T23:09:10+09:00