In a number of cases there is a need to bring up a VPN connection between a network in VMWare Cloud Director and a separate machine in the cloud. In this note I describe such a setup, but only briefly.
A similar article from 2015 can be found at "
Unfortunately, it could not be used directly, because... I wanted more reliable encryption, as well as an independently signed certificate, and the described configuration did not work behind NAT.
So I had to sit down and dig into the documentation.
As a base I took a configuration I had been using for a long time, which lets me connect from a variety of operating systems, and simply added a section to it that lets it connect to NSX Edge.
I assume that installing and configuring the Strongswan server itself is beyond the scope of this note; I will allow myself to refer to
So let's go straight to the settings.
Our connection settings will look like this:
on the VMWare side: external address 33.33.33.33 and internal network 192.168.1.0/24
on the Linux side: external address 22.22.22.22 and internal network 10.10.10.0/24
a Let's Encrypt certificate also needs to be set up for the address vpn.linux.ext
PSK on both sides: ChangeMeNow!
Configuration on NSX Edge:
Enabled: yes
Enable perfect forward secrecy (PFS): yes
Name: VPN_strongswan (any name, your choice)
Local Id: 33.33.33.33
Local Endpoint: 33.33.33.33
Local Subnets: 192.168.1.0/24
Peer Id: vpn.linux.ext
Peer Endpoint: 22.22.22.22
Peer Subnets: 10.10.10.0/24
Encryption Algorithm: AES256
Authentication: PSK
Pre-Shared Key: ChangeMeNow!
Diffie-Hellman Group: 14 (2048 bit is an acceptable compromise between speed and security, but you can choose a larger group if you wish)
Digest Algorithm: SHA256
IKE Option: IKEv2
IKE Responder Only: no
Session Type: Policy Based Session
Setup on Strongswan:
ipsec.conf
# /etc/ipsec.conf
config setup

conn %default
        # Dead peer detection: silently clear the SA when the peer stops answering
        dpdaction=clear
        dpddelay=35s
        dpdtimeout=300s
        fragmentation=yes
        rekey=no
        # Proposal lists. The trailing "!" makes them strict (nothing outside the
        # list is accepted), yet every proposal still admits sha1 and modp1024,
        # and 3des is offered as well
        ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
        esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
        # Road-warrior side: this host authenticates with its certificate
        left=%any
        leftsubnet=10.10.10.0/24
        leftcert=certificate.pem
        leftfirewall=yes
        leftsendcert=always
        right=%any
        # Virtual IP pool handed to clients; note that it is the same range as the
        # NSX-side subnet 192.168.1.0/24 used by the linux-nsx-psk conn below
        rightsourceip=192.168.1.0/24
        rightdns=77.88.8.8,8.8.4.4
        eap_identity=%identity

# IKEv2
conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add

# BlackBerry, Windows, Android
conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2"
        rightauth=eap-mschapv2

# macOS, iOS
conn IKEv2-MSCHAPv2-Apple
        also="IPSec-IKEv2"
        rightauth=eap-mschapv2
        leftid=vpn.linux.ext

# Android IPsec Hybrid RSA
conn IKEv1-Xauth
        keyexchange=ikev1
        rightauth=xauth
        auto=add

# VMWare IPSec VPN (site-to-site with NSX Edge, pre-shared key)
conn linux-nsx-psk
        authby=secret
        auto=start
        # leftid must equal the Peer Id entered on the NSX Edge
        leftid=vpn.linux.ext
        # the host's own (NATed) address, not the public 22.22.22.22
        left=10.10.10.10
        leftsubnet=10.10.10.0/24
        # rightid must equal the Local Id entered on the NSX Edge
        rightid=33.33.33.33
        right=33.33.33.33
        rightsubnet=192.168.1.0/24
        ikelifetime=28800
        keyexchange=ikev2
        lifebytes=0
        lifepackets=0
        lifetime=1h
ipsec.secrets
# /etc/ipsec.secrets
: RSA privkey.pem
# Create VPN user accounts
# ATTENTION! After the login comes a space first, then the colon.
user1 : EAP "stongPass1"
user2 : EAP "stongPass2"
# PSK for the NSX Edge peer; must match the Pre-Shared Key entered there
%any 33.33.33.33 : PSK "ChangeMeNow!"
After that, simply reload the configuration, start the connection and check that it has been established:
ipsec update
ipsec rereadsecrets
ipsec up linux-nsx-psk
ipsec status
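As an added example, not code from the page or from strongSwan, the small Python audit below does what a defender would want before trusting the proposal lists above: it parses the ipsec.conf excerpt, lists every proposal that still admits a weak primitive (the strict "!" only rejects proposals outside the list, not weak entries inside it), and cross-checks the linux-nsx-psk conn against the values entered on the NSX Edge. The WEAK watch-list, the trimmed SAMPLE_CONF and the NSX_SIDE dictionary are constructed for this example.

```python
# Added example, not the page's or strongSwan's code: audit ike=/esp= proposal lists
# from an ipsec.conf and cross-check the site-to-site conn against the NSX Edge side.
WEAK = {"3des", "des", "md5", "sha1", "modp768", "modp1024"}  # constructed watch-list
# Constructed excerpt of the page's ipsec.conf, trimmed to what the checks need.
SAMPLE_CONF = """\
conn %default
    ike=aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1!
conn linux-nsx-psk
    leftid=vpn.linux.ext
    leftsubnet=10.10.10.0/24
    rightid=33.33.33.33
    rightsubnet=192.168.1.0/24
    keyexchange=ikev2
"""
NSX_SIDE = {  # the values entered in the NSX Edge form on the page, seen from its side
    "local_id": "33.33.33.33", "local_subnets": "192.168.1.0/24", "peer_id": "vpn.linux.ext",
    "peer_subnets": "10.10.10.0/24", "ike": "ikev2", "enc": "aes256", "hash": "sha256", "dh": "modp2048"}

def parse_ipsec_conf(text):
    """Sections start at column 0, parameters are indented; conn %default is merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # 'conn NAME' or 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip().strip('"')
    default = conns.get("%default", {})
    return {n: {**default, **c} for n, c in conns.items() if n != "%default"}

def weak_proposals(proposals):
    """Each proposal (trailing strict '!' stripped) that still admits a weak primitive."""
    return [p for p in proposals.rstrip("!").split(",") if WEAK & set(p.split("-"))]

def check_against_nsx(conn, nsx):
    """Mismatches between one strongSwan conn and what the NSX Edge was configured with."""
    pairs = {"leftid": "peer_id", "rightid": "local_id", "leftsubnet": "peer_subnets",
             "rightsubnet": "local_subnets", "keyexchange": "ike"}
    findings = [f"{k}={conn.get(k)} but NSX {v}={nsx[v]}"
                for k, v in pairs.items() if conn.get(k) != nsx[v]]
    wanted = {nsx["enc"], nsx["hash"], nsx["dh"]}          # AES256 / SHA256 / DH group 14
    if not any(wanted <= set(p.split("-")) for p in conn["ike"].rstrip("!").split(",")):
        findings.append("no IKE proposal offers " + "-".join(sorted(wanted)))
    if nsx["dh"] not in conn["esp"]:                        # PFS is enabled on the NSX side
        findings.append("ESP proposals lack PFS group " + nsx["dh"])
    return findings
```

Run it as `check_against_nsx(parse_ipsec_conf(SAMPLE_CONF)["linux-nsx-psk"], NSX_SIDE)`; on the sample it returns no mismatches, while `weak_proposals` flags both IKE proposals because each still offers sha1 and modp1024.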
I hope this small note is useful and saves someone a few hours.
Source: www.habr.com