Azure point-to-site VPN connection on Linux

I am trying to get a local Linux VM to connect to our existing Azure point-to-site VPN.

Windows machines can connect easily using the executable provided in the zip. The P2S configuration tunnel type is set to IKEv2 and SSL VPN (SSTP), and the authentication type is Azure certificate.

I started by following the official guide. I generated all the certificates on the Linux machine and added the base64 to the point-to-site configuration root certificates.

I then continued with this guide to set up the VPN connection, but I get the following error:

initiating IKE_SA azure[1] to [IP ADDRESS]
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.0.0.4[500] to [IP ADDRESS][500] (894 bytes)
retransmit 1 of request with message ID 0
sending packet: from 10.0.0.4[500] to [IP ADDRESS][500] (894 bytes)
...
retransmit 5 of request with message ID 0
sending packet: from 10.0.0.4[500] to [IP ADDRESS][500] (894 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'azure' failed

The contents of my /etc/ipsec.conf file are:

conn azure
        keyexchange=ikev2
        type=tunnel
        leftfirewall=yes
        left=%any
        leftauth=eap-tls
        leftid=%client
        right=azuregateway-[GUID].cloudapp.net
        rightid=%azuregateway-[GUID].cloudapp.net
        rightsubnet=0.0.0.0/0
        leftsourceip=%config
        auto=add

The commands I used to get to this point, in order, were:

apt-get install strongswan-ikev2 strongswan-plugin-eap-tls    # failed: packages not found
apt-get install strongswan-swanctl libcharon-extra-plugins strongswan libstrongswan-standard-plugins strongswan-pki
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem
openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo
(copied/pasted the output of this into the Azure portal as a P2S root certificate)
export USERNAME="client"
export PASSWORD="Password1"
ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"
openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"
cp VPN/VpnServerRoot.cer /etc/ipsec.d/cacerts/
cp client.p12 /etc/ipsec.d/private/
Modified the ipsec.conf (see above)
Added the line
: P12 client.p12 'Password1'
to the /etc/ipsec.secrets file
ipsec restart
ipsec up azure
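The log in the post shows IKE_SA_INIT request 0 being retransmitted five times with no reply, which means the handshake never reached IKE_AUTH, the exchange in which the server certificate, rightid and the client's EAP-TLS certificate are actually checked. The following triage helper is an added example, not part of the original post or of Azure's or strongSwan's documentation: it reads a strongSwan client log (what `ipsec up` prints, or charon's log) and reports how far the IKEv2 handshake got, so that a "peer not responding" failure is treated as a network-path problem (UDP/500 and UDP/4500 egress, gateway address, NAT) rather than a certificate problem. The sample logs, the 203.0.113.10 gateway address and the stage names are constructed for the example; the log phrases matched are strongSwan's standard messages. It needs only POSIX sh and grep.

```shell
#!/bin/sh
# Added triage helper (example code, not from the original post).
# Stages, in IKEv2 handshake order:
#   no_response  - IKE_SA_INIT was retransmitted and never answered; nothing
#                  certificate-related has been exchanged yet
#   init_replied - gateway answered IKE_SA_INIT but the log ends before an
#                  IKE_AUTH verdict (usually a truncated or partial log)
#   auth_failed  - IKE_AUTH or EAP-TLS was rejected: server root cert,
#                  rightid/leftid, client cert chain or EAP identity
#   established  - the IKE_SA came up
#   unknown      - none of the known markers were seen

classify_ike_log() {   # $1 = path to a strongSwan client log
  if grep -Eq 'IKE_SA [^ ]+ established between' "$1"; then
    echo established
  elif grep -Eq 'AUTHENTICATION_FAILED|EAP_FAILURE|no trusted .* public key|constraint check failed' "$1"; then
    echo auth_failed
  elif grep -Eq 'parsed IKE_SA_INIT response|received packet' "$1"; then
    echo init_replied
  elif grep -Eq 'peer not responding|giving up after [0-9]+ retransmits' "$1"; then
    echo no_response
  else
    echo unknown
  fi
}

next_step() {   # $1 = stage name returned by classify_ike_log
  case "$1" in
    no_response)  echo "check UDP/500 and UDP/4500 egress and the gateway address" ;;
    init_replied) echo "rerun with full charon logging and look for the IKE_AUTH result" ;;
    auth_failed)  echo "check VpnServerRoot.cer, rightid, and the client cert chain in the .p12" ;;
    established)  echo "tunnel is up; check leftsourceip/routes if traffic does not flow" ;;
    *)            echo "no known strongSwan marker found; confirm this is the charon log" ;;
  esac
}

# Constructed sample logs (not captured from a real gateway) written into $1.
write_sample_logs() {
  cat > "$1/no_response.log" <<'EOF'
initiating IKE_SA azure[1] to 203.0.113.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.0.0.4[500] to 203.0.113.10[500] (894 bytes)
retransmit 1 of request with message ID 0
retransmit 5 of request with message ID 0
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'azure' failed
EOF
  cat > "$1/init_only.log" <<'EOF'
initiating IKE_SA azure[1] to 203.0.113.10
sending packet: from 10.0.0.4[500] to 203.0.113.10[500] (894 bytes)
received packet: from 203.0.113.10[500] to 10.0.0.4[500] (469 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
EOF
  cat > "$1/auth_failed.log" <<'EOF'
initiating IKE_SA azure[1] to 203.0.113.10
received packet: from 203.0.113.10[500] to 10.0.0.4[500] (469 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'azure' failed
EOF
  cat > "$1/established.log" <<'EOF'
initiating IKE_SA azure[1] to 203.0.113.10
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
IKE_SA azure[1] established between 10.0.0.4[client]...203.0.113.10[203.0.113.10]
EOF
}

# Usage: sh ike_triage.sh /path/to/charon.log
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  stage=$(classify_ike_log "$1")
  echo "$stage: $(next_step "$stage")"
fi
```

On the log in the post the helper reports `no_response`; at that stage none of the certificate steps (root upload, VpnServerRoot.cer, the .p12, rightid) have been evaluated by either side, so they cannot be the cause yet. A practical first check is whether the gateway answers on UDP/500 at all from that VM's network, and whether the address in `right=` resolves to the gateway actually serving this P2S configuration.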
