4.6.7. Configuring an IKEv2 Remote Access VPN with Libreswan

Road warriors are traveling users with mobile clients that have a dynamically assigned IP address, such as laptops. They are authenticated using certificates. To avoid needing the old IKEv1 XAUTH protocol, the following example uses IKEv2:
On the server:
conn roadwarriors
    ikev2=insist
    # Support (roaming) MOBIKE clients (RFC 4555)
    mobike=yes
    fragmentation=yes
    left=1.2.3.4
    # if access to the LAN is given, enable this, otherwise use 0.0.0.0/0
    # leftsubnet=10.10.0.0/16
    leftsubnet=0.0.0.0/0
    leftcert=vpn-server.example.com
    leftid=%fromcert
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    # trust our own Certificate Agency
    rightca=%same
    # pick an IP address pool to assign to remote users
    # 100.64.0.0/16 prevents RFC1918 clashes when remote users are behind NAT
    rightaddresspool=100.64.13.100-100.64.13.254
    # if you want remote clients to use some local DNS zones and servers
    modecfgdns="1.2.3.4, 5.6.7.8"
    modecfgdomains="internal.company.com, corp"
    rightxauthclient=yes
    rightmodecfgclient=yes
    authby=rsasig
    # optionally, run the client X.509 ID through pam to allow/deny client
    # pam-authorize=yes
    # load connection, don't initiate
    auto=add
    # kill vanished roadwarriors
    dpddelay=1m
    dpdtimeout=5m
    dpdaction=%clear
Where:
left=1.2.3.4
The 1.2.3.4 value specifies the actual IP address or host name of the server.
leftcert=vpn-server.example.com
This option specifies a certificate by the friendly name, or nickname, that was used when importing it. Usually, the name is generated as part of a PKCS #12 certificate bundle in the form of a .p12 file. See the pkcs12(1) and pk12util(1) man pages for more information.
On the mobile client, the road warrior's device, use a slight variation of the previous configuration:
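As an added example (not part of the Red Hat documentation or of Libreswan itself), the following Python linter parses a conn block in the format shown above and reports where a server-side road-warrior connection departs from the settings this section relies on: IKEv2 only, certificate authentication, auto=add, DPD clearing vanished clients, and an address pool outside RFC 1918 space. The sample conn is a constructed, trimmed copy of the server block above.

```python
import ipaddress

# Constructed sample: a trimmed copy of the page's server-side road-warrior conn.
GOOD_CONN = """conn roadwarriors
    ikev2=insist            # refuse IKEv1, and with it XAUTH
    leftid=%fromcert
    right=%any
    rightaddresspool=100.64.13.100-100.64.13.254
    modecfgdns="1.2.3.4, 5.6.7.8"
    authby=rsasig
    auto=add
    dpdtimeout=5m
    dpdaction=%clear
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conn(text):
    """Parse one 'conn' block into (name, {option: value}), dropping '#' comments and quotes."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # no value on this page contains '#'
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        else:
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip().strip('"')
    return name, opts

def lint_roadwarrior_server(opts):
    """Return findings where a server conn departs from the page's settings."""
    findings = []
    if opts.get("ikev2") != "insist":
        findings.append("ikev2=insist required so IKEv1 XAUTH cannot be negotiated")
    if opts.get("authby") != "rsasig" or opts.get("leftid") != "%fromcert":
        findings.append("use certificates: authby=rsasig with leftid=%fromcert")
    if opts.get("auto") != "add":
        findings.append("server should load but not initiate: auto=add")
    if opts.get("dpdaction") != "%clear" or not opts.get("dpdtimeout"):
        findings.append("set dpdtimeout and dpdaction=%clear to drop vanished clients")
    pool = opts.get("rightaddresspool", "")
    if "-" not in pool:
        findings.append("rightaddresspool missing: clients get no address")
    else:
        lo, hi = [ipaddress.ip_address(p) for p in pool.split("-", 1)]
        for net in RFC1918:
            if lo in net or hi in net:
                findings.append(f"pool overlaps RFC1918 {net}: clashes with NAT'ed clients")
    return findings
```

Running `lint_roadwarrior_server(parse_conn(GOOD_CONN)[1])` returns an empty list; a pool such as 192.168.1.100-192.168.1.200 is reported because road-warrior clients behind home NAT commonly sit in that range.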
conn to-vpn-server
    ikev2=insist
    # pick up our dynamic IP
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=myname.example.com
    leftid=%fromcert
    leftmodecfgclient=yes
    # right can also be a DNS hostname
    right=1.2.3.4
    # if access to the remote LAN is required, enable this, otherwise use 0.0.0.0/0
    # rightsubnet=10.10.0.0/16
    rightsubnet=0.0.0.0/0
    # trust our own Certificate Agency
    rightca=%same
    authby=rsasig
    # allow narrowing to the server’s suggested assigned IP and remote subnet
    narrowing=yes
    # Support (roaming) MOBIKE clients (RFC 4555)
    mobike=yes
    # Initiate connection
    auto=start
Where:
auto=start
This option allows the user to connect to the VPN whenever the ipsec system service is started. Replace it with auto=add if you want to establish the connection later.