For a number of reasons I needed to set up a VPN connection between a network in VMWare Cloud Director and a standalone Ubuntu machine in the cloud. This note does not claim to be a complete description; it is just a short howto.
The only article I found online on the topic is one from 2015, «
Unfortunately, it could not be used directly: I wanted stronger encryption and a certificate that is not self-signed, and the config described there would not have worked behind NAT anyway.
So I had to sit down and dig through the documentation.
As a starting point I took the config I have been using for a long time, which lets clients connect from practically any OS, and simply added to it a piece that allows connecting to NSX Edge.
Since installing and fully configuring a Strongswan server is out of scope for this note, I will allow myself to refer to
So, let's move straight on to the settings.
Our connection layout looks like this:
on the VMWare side, the external address is 33.33.33.33 and the internal network is 192.168.1.0/24
on the Linux side, the external address is 22.22.22.22 (the machine itself sits behind NAT with the private address 10.10.10.10, see left= in the config below) and the internal network is 10.10.10.0/24
a Let's Encrypt certificate for the name vpn.linux.ext is also needed; it is used by the roadwarrior connections, while the NSX tunnel itself authenticates with the PSK
PSK on both sides: ChangeMeNow! (a placeholder; in production use a long random string and keep it identical on both sides)
Settings on the NSX Edge side:
Enabled: yes
Enable perfect forward secrecy (PFS): yes
Name: VPN_strongswan (any name you like)
Local Id: 33.33.33.33
Local Endpoint: 33.33.33.33
Local Subnets: 192.168.1.0/24
Peer Id: vpn.linux.ext
Peer Endpoint: 22.22.22.22
Peer Subnets: 10.10.10.0/24
Encryption Algorithm: AES256
Authentication: PSK
Pre-Shared Key: ChangeMeNow!
Diffie-Hellman Group: 14 (2048 bit: an acceptable compromise between speed and security; you can pick a larger group if you want, as long as the strongSwan ike= and esp= proposals below include it)
Digest Algorithm: SHA256
IKE Option: IKEv2
IKE Responder Only: no
Session Type: Policy Based Session
Settings on the Strongswan side:
ipsec.conf
# /etc/ipsec.conf
# Parameter lines inside a section must be indented; a line starting in column 0
# begins a new section.
config setup

conn %default
    # Dead peer detection. "clear" tears the SA down and does not re-initiate,
    # which suits roadwarrior clients (they reconnect themselves) but not the
    # always-on NSX tunnel below. dpdtimeout only applies to IKEv1; for IKEv2
    # the retransmission timeout decides when a peer is considered dead.
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=300s
    # Fragment large IKE messages (certificate payloads on MTU-limited paths).
    fragmentation=yes
    # Do not initiate rekeying; renegotiation is left to the peer.
    rekey=no
    # IKE and ESP proposals, strongest first; the trailing "!" makes the list strict.
    # 3des, sha1 and modp1024 are kept only for legacy clients. The NSX Edge
    # responder picks AES256/SHA256/modp2048 from this list because that is all
    # it is configured to accept (see the NSX settings above).
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    left=%any
    leftsubnet=10.10.10.0/24
    # Server certificate (Let's Encrypt, vpn.linux.ext) for the EAP/XAuth connections.
    leftcert=certificate.pem
    # Let the updown script insert the iptables rules for tunnelled traffic.
    leftfirewall=yes
    leftsendcert=always
    right=%any
    # Virtual IP pool handed out to roadwarrior clients.
    # CAUTION: this is the same range as the NSX subnet 192.168.1.0/24 routed by
    # linux-nsx-psk below; a client given e.g. 192.168.1.5 would shadow that NSX
    # host and its traffic to the NSX side would not come back through the tunnel.
    # Use a pool that is disjoint from both sites' subnets.
    rightsourceip=192.168.1.0/24
    rightdns=77.88.8.8,8.8.4.4
    eap_identity=%identity

# IKEv2 base: server authenticates with its certificate; the conns below add the client method.
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

# BlackBerry, Windows, Android: EAP-MSCHAPv2 username/password
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2

# macOS, iOS: same, but the server identity must equal the certificate's FQDN
conn IKEv2-MSCHAPv2-Apple
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    leftid=vpn.linux.ext

# Android "IPsec Hybrid RSA": IKEv1 with XAuth
conn IKEv1-Xauth
    keyexchange=ikev1
    rightauth=xauth
    auto=add

# VMWare NSX Edge site-to-site tunnel: IKEv2, pre-shared key
conn linux-nsx-psk
    # authby=secret selects PSK authentication (the %default certificate is not used here)
    authby=secret
    # Bring the tunnel up when strongSwan starts
    auto=start
    # FQDN identity. Behind NAT the default IP-based identity would be 10.10.10.10,
    # which NSX (Peer Id vpn.linux.ext) would reject.
    leftid=vpn.linux.ext
    left=10.10.10.10
    leftsubnet=10.10.10.0/24
    # On the NSX Edge screen Local Id and Local Endpoint are both the external address
    rightid=33.33.33.33
    right=33.33.33.33
    rightsubnet=192.168.1.0/24
    # IKE SA lifetime 8 h and ESP SA lifetime 1 h match the NSX Edge defaults;
    # 0 disables the byte and packet limits.
    ikelifetime=28800
    keyexchange=ikev2
    lifebytes=0
    lifepackets=0
    lifetime=1h
ipsec.secrets
# /etc/ipsec.secrets
# Private key of the server certificate, used by the certificate/EAP connections
: RSA privkey.pem
# VPN user accounts for EAP-MSCHAPv2
# ATTENTION! After the login there must first be a space, then the colon.
user1 : EAP "stongPass1"
user2 : EAP "stongPass2"
# PSK for the NSX Edge tunnel: any local identity, peer identity 33.33.33.33.
# ChangeMeNow! is a placeholder; use a long random string, identical on both sides.
%any 33.33.33.33 : PSK "ChangeMeNow!"
After that it is enough to re-read the config and the secrets, bring the connection up and check that it is established:
ipsec update
ipsec rereadsecrets
ipsec up linux-nsx-psk
ipsec statusall linux-nsx-psk
In the statusall output the IKE_SA should be shown as ESTABLISHED and the CHILD_SA as INSTALLED, with the traffic selectors 10.10.10.0/24 === 192.168.1.0/24. If the IKE_SA comes up but the CHILD_SA does not, the ESP proposals or the subnets do not match the NSX side; check the strongSwan log for NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE. Finally, ping a host in 192.168.1.0/24 from a host in 10.10.10.0/24 (not from the gateway's own external address, which is outside leftsubnet).
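The conn linux-nsx-psk above inherits the long ike= and esp= lists from %default, so strongSwan also offers 3DES, SHA-1 and modp1024 to NSX Edge and relies on the responder to pick the strong suite. The variant below is an added example, not part of the original article: it pins the proposals to exactly what the NSX Edge screen configures (AES256, SHA256, DH group 14 = modp2048, PFS enabled) and overrides the roadwarrior-oriented rekey=no and dpdaction=clear from %default, which are a poor fit for an always-on site-to-site tunnel. Addresses, identities and lifetimes are the ones used in the article; nothing else is assumed.

```ini
# /etc/ipsec.conf (added example: drop-in replacement for "conn linux-nsx-psk")
conn linux-nsx-psk
    keyexchange=ikev2
    # PSK authentication, secret taken from ipsec.secrets ("%any 33.33.33.33 : PSK ...")
    authby=secret
    auto=start
    # IKE_SA proposal = NSX "Encryption AES256 / Digest SHA256 / DH group 14".
    # The "!" makes it strict: anything else fails with NO_PROPOSAL_CHOSEN
    # instead of silently negotiating a weaker suite.
    ike=aes256-sha256-modp2048!
    # CHILD_SA proposal: same ciphers; the DH group here is what NSX calls
    # "perfect forward secrecy" for the IPsec SA rekeys.
    esp=aes256-sha256-modp2048!
    # Local side: private address behind NAT, identified by the FQDN that NSX
    # expects as Peer Id (an IP identity would be 10.10.10.10 and mismatch).
    left=10.10.10.10
    leftid=vpn.linux.ext
    leftsubnet=10.10.10.0/24
    # Remote side: the NSX Edge external address is both endpoint and Local Id.
    right=33.33.33.33
    rightid=33.33.33.33
    rightsubnet=192.168.1.0/24
    # Lifetimes matching the NSX defaults (8 h IKE, 1 h ESP). rekey=yes makes
    # strongSwan renegotiate before expiry instead of waiting for the peer.
    ikelifetime=28800
    lifetime=1h
    lifebytes=0
    lifepackets=0
    rekey=yes
    # Dead peer detection: re-initiate the tunnel when NSX stops answering,
    # rather than "clear" (tear down and wait), which is meant for roadwarriors.
    dpdaction=restart
    dpddelay=30s
    # Also re-establish if the peer closes the tunnel deliberately.
    closeaction=restart
```

Because the roadwarrior connections are separate conn sections, they keep the permissive %default lists for client compatibility; only the NSX tunnel is pinned. If NSX Edge is later moved to AES-GCM or a larger DH group, change both this proposal and the NSX screen together, otherwise the tunnel stops coming up with NO_PROPOSAL_CHOSEN in the strongSwan log.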
I hope this short note turns out to be useful and saves someone a couple of hours.
Source: www.habr.com