我按照下面的链接在 CentOS 7 上使用 Strongswan 和 Let's encrypt 设置 IKEv2 VPN。
如何在 CentOS 7 上使用 Strongswan 和 Let's encrypt 设置 IKEv2 VPN
但该链接上的信息已被弃用。
我的 Let's encrypt 命令如下:
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --register-account -m [email protected]
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
or
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone --force
sudo yum -y install psmisc
sudo fuser 80/tcp
sudo yum -y install lsof
sudo lsof -i tcp:80
service httpd stop
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
Your cert is in: /root/.acme.sh/my_domain.com/my_domain.com.cer
Your cert key is in: /root/.acme.sh/my_domain.com/my_domain.com.key
The intermediate CA cert is in: /root/.acme.sh/my_domain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/my_domain.com/fullchain.cer
~/.acme.sh/acme.sh --installcert -d my_domain.com --key-file /root/private.key --fullchain-file /root/cert.crt
service httpd start
service httpd status
执行这些命令之后,我的 centos 7 vps 上有 4 个文件。
my_domain.com.cer
my_domain.com.key
ca.cer
fullchain.cer
首先我真的不知道应该放哪个文件证书文件夹以及我应该把哪个文件放在证书文件夹以及我应该把哪个文件放在私人的文件夹。
我刚刚做了这个:
sudo cp /root/.acme.sh/my_domain.com/fullchain.cer /etc/strongswan/ipsec.d/certs/
sudo cp /root/.acme.sh/my_domain.com/ca.cer /etc/strongswan/ipsec.d/cacerts/
sudo cp /root/.acme.sh/my_domain.com/my_domain.com.key /etc/strongswan/ipsec.d/private/
sudo cp /root/cert.crt /etc/strongswan/ipsec.d/cacerts/
sudo tree /etc/strongswan/ipsec.d/
我是否将这些文件放在了正确的文件夹中?
现在让我们看看 StrongSwan 配置:
nano -K /etc/strongswan/ipsec.conf
#global configuration IPsec
#chron logger
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
#define new ipsec connection
conn hakase-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@my_domain.com
leftcert=fullchain.cer
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.15.1.0/24
rightdns=1.1.1.1,8.8.8.8
rightsendcert=never
eap_identity=%identity
这是秘密文件:
nano -K /etc/strongswan/ipsec.secrets
: RSA "my_doman.com.key"
temp : EAP "123"
以下是 StrongSwan 运行后的状态:
[root@art_300 ~]# systemctl status strongswan -l
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2024-01-14 21:17:03 +0330; 11s ago
Main PID: 2056 (starter)
CGroup: /system.slice/strongswan.service
├─2056 /usr/libexec/strongswan/starter --daemon charon --nofork
└─2098 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0
Jan 14 21:17:03 art_300.buzz systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz strongswan[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.105.1.el7.x86_64, x86_64)
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] openssl FIPS mode(2) - enabled
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[JOB] spawning 16 worker threads
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: charon (2098) started after 60 ms
Jan 14 21:17:03 art_300.buzz strongswan[2056]: charon (2098) started after 60 ms
如您所知,该链接已被弃用且已过时。
现在告诉我我做错了什么以及如何修复:
构建 CRED_PRIVATE_KEY - RSA 失败,尝试了 10 个构建器