Building an IKEv2 VPN server with strongSwan, part 3
For now: user/password and certificate authentication are working, so let's try the remaining methods as well.
Previous articles
Remaining items
- Shared secret (PSK)
- EAP certificate (EAP-TLS)
By connection type
Shared secret (PSK)
/etc/strongswan/ipsec.conf
conn ikev2-vpn-secret
    authby=secret
    auto=add
    compress=no
    type=tunnel
    fragmentation=yes
    forceencaps=yes
    left=%any
    leftid=@vpn.test-ryuouen.link
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsourceip=192.168.100.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
/etc/strongswan/ipsec.secrets
# Shared secret
: PSK "mUERghoqa3WNauK310hH4gR2NbPw8TyN"   # any arbitrary string
Configuration profile (.mobileconfig)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>DNS</key>
      <dict>
        <key>ServerAddresses</key>
        <array>
          <string>8.8.8.8</string>
          <string>8.8.4.4</string>
        </array>
        <key>SupplementalMatchDomainsNoSearch</key>
        <integer>0</integer>
      </dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>DeadPeerDetectionRate</key>
        <string>Medium</string>
        <key>DisableMOBIKE</key>
        <integer>0</integer>
        <key>DisableRedirect</key>
        <integer>0</integer>
        <key>EnableCertificateRevocationCheck</key>
        <integer>0</integer>
        <key>EnableFallback</key>
        <integer>0</integer>
        <key>EnablePFS</key>
        <integer>0</integer>
        <key>ExtendedAuthEnabled</key>
        <false/>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>LocalIdentifier</key>
        <string>vpn.test-ryuouen.link</string>
        <key>RemoteAddress</key>
        <string>vpn.test-ryuouen.link</string>
        <key>RemoteIdentifier</key>
        <string>vpn.test-ryuouen.link</string>
        <key>SharedSecret</key>
        <string>共有シークレットの値</string>
        <key>UseConfigurationAttributeInternalIPSubnet</key>
        <integer>0</integer>
      </dict>
      <key>PayloadDescription</key>
      <string>VPN設定を構成します</string>
      <key>PayloadDisplayName</key>
      <string>VPN</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.任意のUUID</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>任意のUUID</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>
        <integer>0</integer>
        <key>HTTPSEnable</key>
        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>
      <string>IKEv2共有シークレット</string>
      <key>VPNType</key>
      <string>IKEv2</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>vpnテスト4</string>
  <key>PayloadIdentifier</key>
  <string>ryuouenMacMini.任意のUUID</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>任意のUUID</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EAP certificate (EAP-TLS)
/etc/strongswan/ipsec.conf
conn ikev2-vpn-tls
    auto=add
    compress=no
    type=tunnel
    fragmentation=yes
    forceencaps=yes
    left=%any
    leftid=@vpn.test-ryuouen.link
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-tls
    rightid=vpnuser
    rightcert=vpnuser.cert.pem
    rightca="C=JP, ST=Fukuoka, O=自分のorganization, CN=自分のRoot CA"
    rightsourceip=192.168.100.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
Configuration profile (.mobileconfig)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Password</key>
      <string>証明書のパスワード</string>
      <key>PayloadCertificateFileName</key>
      <string>vpnuser.p12</string>
      <key>PayloadContent</key>
      <data>
      MII... 証明書のデータ
      </data>
      <key>PayloadDescription</key>
      <string>PKCS#12フォーマットの証明書を追加します</string>
      <key>PayloadDisplayName</key>
      <string>vpnuser.p12</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.pkcs12.一意のUUID</string>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key>
      <string>一意のUUID</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>DNS</key>
      <dict>
        <key>ServerAddresses</key>
        <array>
          <string>8.8.8.8</string>
          <string>8.8.4.4</string>
        </array>
        <key>SupplementalMatchDomainsNoSearch</key>
        <integer>0</integer>
      </dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>None</string>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>DeadPeerDetectionRate</key>
        <string>Medium</string>
        <key>DisableMOBIKE</key>
        <false/>
        <key>DisableRedirect</key>
        <false/>
        <key>EnableCertificateRevocationCheck</key>
        <false/>
        <key>EnableFallback</key>
        <false/>
        <key>EnablePFS</key>
        <integer>0</integer>
        <key>ExtendedAuthEnabled</key>
        <true/>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>LocalIdentifier</key>
        <string>vpnuser</string>
        <key>PayloadCertificateUUID</key>
        <string>証明書のUUID</string>
        <key>RemoteAddress</key>
        <string>vpn.test-ryuouen.link</string>
        <key>RemoteIdentifier</key>
        <string>vpn.test-ryuouen.link</string>
        <key>UseConfigurationAttributeInternalIPSubnet</key>
        <false/>
      </dict>
      <key>PayloadDescription</key>
      <string>VPN設定を構成します</string>
      <key>PayloadDisplayName</key>
      <string>VPN</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.一意のUUID</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>一意のUUID</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>
        <integer>0</integer>
        <key>HTTPSEnable</key>
        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>
      <string>IKEv2証明書(eap)</string>
      <key>VPNType</key>
      <string>IKEv2</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>vpnテスト3</string>
  <key>PayloadIdentifier</key>
  <string>一意の文字列</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>一意のUUID</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
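The EAP-TLS profile above has several UUID placeholders, and the one that must agree is the PKCS#12 payload's PayloadUUID, which the IKEv2 payload's PayloadCertificateUUID has to repeat. As an added example (not code from the original article), this Python script builds that profile with the standard-library plistlib so the UUIDs are generated and linked automatically, and round-trips the result to check the link; the PKCS#12 bytes, password, user id and the top-level PayloadIdentifier prefix are placeholders.

```python
import plistlib
import uuid

SERVER = "vpn.test-ryuouen.link"   # hostname used in the article
SA = {"DiffieHellmanGroup": 14, "EncryptionAlgorithm": "AES-256",   # IKE / child SA
      "IntegrityAlgorithm": "SHA2-256", "LifeTimeInMinutes": 1440}   # parameters from the article

def uid() -> str:
    return str(uuid.uuid4()).upper()   # Apple profiles use upper-case UUID strings

def build_eap_tls_profile(p12_bytes: bytes, p12_password: str, user_id: str) -> dict:
    """Return the profile as a plist dict; plistlib.dumps() turns it into the .mobileconfig."""
    cert_uuid, vpn_uuid, top_uuid = uid(), uid(), uid()
    cert_payload = {
        "Password": p12_password,
        "PayloadCertificateFileName": f"{user_id}.p12",
        "PayloadContent": p12_bytes,           # bytes are serialized as a base64 <data> element
        "PayloadDisplayName": f"{user_id}.p12",
        "PayloadIdentifier": f"com.apple.security.pkcs12.{cert_uuid}",
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadUUID": cert_uuid, "PayloadVersion": 1}
    vpn_payload = {
        "DNS": {"ServerAddresses": ["8.8.8.8", "8.8.4.4"]},
        "IKEv2": {
            "AuthenticationMethod": "None",    # as on the page: EAP-TLS performs the client auth
            "ExtendedAuthEnabled": True,
            "IKESecurityAssociationParameters": SA,
            "ChildSecurityAssociationParameters": SA,
            "DeadPeerDetectionRate": "Medium",
            "EnablePFS": 0, "EnableCertificateRevocationCheck": False,  # values from the page
            "LocalIdentifier": user_id,
            "PayloadCertificateUUID": cert_uuid,  # must equal the PKCS#12 payload's PayloadUUID
            "RemoteAddress": SERVER, "RemoteIdentifier": SERVER},
        "PayloadDisplayName": "VPN",
        "PayloadIdentifier": f"com.apple.vpn.managed.{vpn_uuid}",
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": vpn_uuid, "PayloadVersion": 1,
        "UserDefinedName": "IKEv2 certificate (EAP)", "VPNType": "IKEv2"}
    return {"PayloadContent": [cert_payload, vpn_payload],
            "PayloadIdentifier": f"ikev2-eap-tls.{top_uuid}",   # hypothetical identifier prefix
            "PayloadRemovalDisallowed": False, "PayloadType": "Configuration",
            "PayloadUUID": top_uuid, "PayloadVersion": 1}

def certificate_links_ok(profile: dict) -> bool:
    """Round-trip through plistlib (what the device parses) and verify every IKEv2 payload's
    PayloadCertificateUUID names a PKCS#12 payload carried in the same profile."""
    payloads = plistlib.loads(plistlib.dumps(profile))["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads if p["PayloadType"] == "com.apple.security.pkcs12"}
    refs = [p["IKEv2"]["PayloadCertificateUUID"] for p in payloads if p["PayloadType"] == "com.apple.vpn.managed"]
    return bool(refs) and all(r in certs for r in refs)
```

Write `plistlib.dumps(profile)` to a `.mobileconfig` file to install it; a profile whose PayloadCertificateUUID does not match any PKCS#12 payload fails the check, which is the mistake the hand-edited placeholders invite.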
That's it for this time.