I also could not find any Linux VPN software that supports the required protocols.

Solution

Installing dependencies

These are the packages required on Ubuntu:
    apt-get install strongswan-ikev2 strongswan-plugin-eap-tls
    # in Ubuntu 16.04 install libstrongswan-standard-plugins for p12 keypair container support
    apt-get install libstrongswan-standard-plugins
If you install the libstrongswan-extra-plugins package on Ubuntu 16.04, it will break strongSwan. That package contains the af-alg, ctr and gcrypt plugins, which conflict with the openssl plugin. In that case you must either remove the libstrongswan-standard-plugins package, which contains the openssl plugin, or disable the openssl plugin:
    sudo sed -i 's/\sload =.*/ load = no/g' /etc/strongswan.d/charon/openssl.conf
or the af-alg, ctr and gcrypt plugins:
    sudo sed -i 's/\sload =.*/ load = no/g' /etc/strongswan.d/charon/{af-alg,ctr,gcrypt}.conf
Generating keys and certificates

You must first generate your own CA, and then use it to issue a user certificate carrying the X509v3 Subject Alternative Name (SAN) extension (see the strongSwan FAQ), where the SAN corresponds to the Common Name (CN) of the certificate subject. That is, a certificate whose subject is CN=client must contain the SAN DNS:client. This lets you specify the EAP identity in strongSwan without the CN= prefix. By default strongSwan transmits the full certificate subject as the EAP identity, which the Azure VPN gateway does not support. You can read more about the history of CN versus SAN at http://unmitigatedrisk.com/?p=381.
    # Generate CA
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem
    # Print CA certificate in base64 format, supported by Azure portal. Will be used later in this document.
    openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo
    # Generate user's certificate and put it into p12 bundle.
    export PASSWORD="password"
    export USERNAME="client"
    ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
    ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"
    # Generate p12 bundle
    openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"
Then open the Azure portal, locate your "Virtual network gateway", and on its "Point-to-site" configuration page paste the base64-encoded CA printed above into the "Root certificates" section.

Configuring the client

On the gateway's "Site-to-site" configuration page find the "Download VPN client" button, then extract the VpnServerRoot.cer CA from the downloaded ZIP archive:
    sudo unzip -j downloaded.zip Generic/VpnServerRoot.cer -d /etc/ipsec.d/cacerts
You can verify it with the following command:
    openssl x509 -inform der -in /etc/ipsec.d/cacerts/VpnServerRoot.cer -text -noout
Then extract the VPN server DNS name:
    $ unzip -p downloaded.zip Generic/VpnSettings.xml | grep VpnServer
    <VpnServer>azuregateway-00112233-4455-6677-8899-aabbccddeeff-aabbccddeeff.cloudapp.net</VpnServer>
In the ipsec.conf below, use the VpnServer value as the right value, and the same value prefixed with % as the rightid value.

Then copy the user's p12 bundle into the appropriate directory:
    sudo cp client.p12 /etc/ipsec.d/private/
Use the following /etc/ipsec.conf configuration:
    config setup

    conn azure
        keyexchange=ikev2
        type=tunnel
        leftfirewall=yes
        left=%any
        leftauth=eap-tls
        leftid=%client # use the DNS alternative name prefixed with the %
        right=azuregateway-00112233-4455-6677-8899-aabbccddeeff-aabbccddeeff.cloudapp.net # Azure VPN gateway address
        rightid=%azuregateway-00112233-4455-6677-8899-aabbccddeeff-aabbccddeeff.cloudapp.net # Azure VPN gateway address, prefixed with %
        rightsubnet=0.0.0.0/0
        leftsourceip=%config
        auto=add
and the following /etc/ipsec.secrets content:
    : P12 client.p12 'password' # key filename inside /etc/ipsec.d/private directory
Then restart ipsec so it re-reads the configuration, and bring up the tunnel:
    sudo ipsec restart
    sudo ipsec up azure
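As an added example (not part of the original answer), the Python script below automates the client-side steps above: it reads Generic/VpnSettings.xml out of the downloaded ZIP, pulls the VpnServer value, and renders the conn azure block with the % prefix on leftid and rightid, refusing an EAP identity that still carries CN=. The in-memory archive and its VpnProfile root element are constructed stand-ins; the real VpnSettings.xml has more fields and the real ZIP also holds VpnServerRoot.cer.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed stand-in for the ZIP downloaded from the Azure portal: only the
# VpnServer element is modelled (the real file has more fields).
GATEWAY = "azuregateway-00112233-4455-6677-8899-aabbccddeeff-aabbccddeeff.cloudapp.net"
SAMPLE_XML = f"<VpnProfile><VpnServer>{GATEWAY}</VpnServer></VpnProfile>"

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Generic/VpnSettings.xml", SAMPLE_XML)
    return buf.getvalue()

def vpn_server_from_zip(zip_bytes: bytes) -> str:
    """Return the gateway FQDN from Generic/VpnSettings.xml inside the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        root = ET.fromstring(zf.read("Generic/VpnSettings.xml"))
    node = root.find(".//VpnServer")
    if node is None or not node.text:
        raise ValueError("VpnServer element missing from VpnSettings.xml")
    server = node.text.strip()
    # The value lands verbatim in ipsec.conf, so accept only hostname characters.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", server):
        raise ValueError(f"unexpected VpnServer value: {server!r}")
    return server

def render_ipsec_conf(server: str, eap_identity: str) -> str:
    """Render the 'conn azure' block with the % prefix on leftid and rightid."""
    # The EAP identity must be the bare SAN value: no CN= and no % (added here).
    if eap_identity.startswith(("CN=", "%")):
        raise ValueError("eap_identity must be the bare SAN value, e.g. 'client'")
    return f"""config setup

conn azure
    keyexchange=ikev2
    type=tunnel
    leftfirewall=yes
    left=%any
    leftauth=eap-tls
    leftid=%{eap_identity}
    right={server}
    rightid=%{server}
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    auto=add
"""
```

Run it against the real archive by passing the file's bytes to vpn_server_from_zip and writing the returned text to /etc/ipsec.conf.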
MTU / MSS issues

IPsec VPN clients may experience connectivity problems because of high MTU / MSS values and IKE fragmentation. To fix this you must explicitly set MTU / MSS to 1350 in the kernel-netlink section of strongSwan's charon configuration (this setting applies only to strongSwan versions >= 5.2.1). Set the mtu and mss values in the /etc/strongswan.d/charon/kernel-netlink.conf configuration file:
    mss = 1350
    mtu = 1350
and restart the tunnel:
    sudo ipsec restart
    sudo ipsec up azure