IPSec ื˜ื•ื ืขืœ ืฆื•ื•ื™ืฉืŸ Strongswan ื”ื™ื ื˜ืขืจ NAT ืื•ืŸ VMWare NSX Edge

ืคึฟืึทืจ ืึท ื ื•ืžืขืจ ืคื•ืŸ ืกื™ื‘ื•ืช, ืขืก ืื™ื– ื ื™ื™ื˜ื™ืง ืฆื• ืึธืจื’ืึทื ื™ื–ื™ืจืŸ ืึท ื•ื•ืคึผืŸ ืคึฟืึทืจื‘ื™ื ื“ื•ื ื’ ืฆื•ื•ื™ืฉืŸ ื“ื™ ื ืขืฅ ืื™ืŸ VMWare ืงืœืึธื•ื“ ื“ื™ืจืขืงื˜ืึธืจ ืื•ืŸ ืึท ื‘ืึทื–ื•ื ื“ืขืจ ื•ื‘ื•ื ื˜ื• ืžืึทืฉื™ืŸ ืื™ืŸ ื“ื™ ื•ื•ืึธืœืงืŸ. ื“ืขืจ ืฆืขื˜ืœ ื˜ื•ื˜ ื ื™ืฉื˜ ืคืึทืจื”ื™ื˜ืŸ ืฆื• ื–ื™ื™ืŸ ืึท ืคื•ืœ ื‘ืึทืฉืจื™ื™ึทื‘ื•ื ื’, ืขืก ืื™ื– ื ืึธืจ ืึท ืงืœื™ื™ืŸ ื•ื•ื™ื˜ืึธ.


The only article on this topic I found on the Internet, from 2015, was "Site to Site IPSEC VPN between NSX Edge and Linux strongSwan".

Unfortunately, it could not be used as-is, because... I wanted stronger encryption and a certificate that is not self-signed, and the configuration it describes would not work behind NAT.

ื“ืขืจืคึฟืึทืจ ื”ืึธื‘ ืื™ืš ื–ื™ืš ื’ืขืžื•ื–ื˜ ืึทืจืึธืคึผื–ืขืฆืŸ ืื•ืŸ ื–ื™ืš ืคึฟืึทืจื˜ื™ืคึฟืŸ ืื™ืŸ ื“ืขืจ ื“ืึธืงื•ืžืขื ื˜ืึทืฆื™ืข.

As a starting point, I took a configuration I had been using for a long time, which lets me connect from almost any OS, and simply added a section to it for connecting to NSX Edge.

Since installing and generally configuring the Strongswan server is beyond the scope of this note, I will refer you to the good material that exists on the subject.

So, let's go straight to the settings.

Our connection diagram looks like this:

[image: connection diagram]

On the VMWare side: external address 33.33.33.33 and internal network 192.168.1.0/24
On the Linux side: external address 22.22.22.22 and internal network 10.10.10.0/24
You will also need a Let's Encrypt certificate for the name vpn.linux.ext
PSK on both sides: ChangeMeNow!

ืงืึทื ืคื™ื’ื™ืขืจื™ื™ืฉืึทืŸ ืคื•ืŸ NSX Edge:


Enabled: yes
Enable perfect forward secrecy (PFS): yes
Name: VPN_strongswan (anything you like)
Local Id: 33.33.33.33
Local Endpoint: 33.33.33.33
Local Subnets: 192.168.1.0/24
Peer Id: vpn.linux.ext
Peer Endpoint: 22.22.22.22
Peer Subnets: 10.10.10.0/24
Encryption Algorithm: AES256
Authentication: PSK
Pre-Shared Key: ChangeMeNow!
Diffie-Hellman Group: 14 (2048 bit: an acceptable compromise between speed and security; you can choose a larger group if you want)
Digest Algorithm: SHA256
IKE Option: IKEv2
IKE Responder Only: no
Session Type: Policy Based Session

ืกืงืจืขืขื ืฉืึธืฅ
IPSec ื˜ื•ื ืขืœ ืฆื•ื•ื™ืฉืŸ Strongswan ื”ื™ื ื˜ืขืจ NAT ืื•ืŸ VMWare NSX Edge
IPSec ื˜ื•ื ืขืœ ืฆื•ื•ื™ืฉืŸ Strongswan ื”ื™ื ื˜ืขืจ NAT ืื•ืŸ VMWare NSX Edge

ืกืขื˜ืึทืคึผ ืคึฟื•ืŸ Strongswan:

ipsec.conf

# /etc/ipsec.conf
config setup

conn %default
	dpdaction=clear
	dpddelay=35s
	dpdtimeout=300s

	fragmentation=yes
	rekey=no

	ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
	esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

	left=%any
	leftsubnet=10.10.10.0/24
	leftcert=certificate.pem
	leftfirewall=yes
	leftsendcert=always

	right=%any
	rightsourceip=192.168.1.0/24
	rightdns=77.88.8.8,8.8.4.4

	eap_identity=%identity

# IKEv2
conn IPSec-IKEv2
	keyexchange=ikev2
	auto=add

# BlackBerry, Windows, Android
conn IPSec-IKEv2-EAP
	also="IPSec-IKEv2"
	rightauth=eap-mschapv2

# macOS, iOS
conn IKEv2-MSCHAPv2-Apple
	also="IPSec-IKEv2"
	rightauth=eap-mschapv2
	leftid=vpn.linux.ext

# Android IPsec Hybrid RSA
conn IKEv1-Xauth
	keyexchange=ikev1
	rightauth=xauth
	auto=add

# VMWare IPSec VPN
conn linux-nsx-psk
	# pre-shared key authentication; the key itself lives in ipsec.secrets
	authby=secret
	auto=start
	# our identity: must match "Peer Id" on the NSX Edge side
	leftid=vpn.linux.ext
	# private address of the Linux host (it sits behind NAT; 22.22.22.22 is the public address)
	left=10.10.10.10
	leftsubnet=10.10.10.0/24
	# NSX Edge: "Local Id" / "Local Endpoint" / "Local Subnets"
	rightid=33.33.33.33
	right=33.33.33.33
	rightsubnet=192.168.1.0/24
	ikelifetime=28800
	keyexchange=ikev2
	lifebytes=0
	lifepackets=0
	lifetime=1h

ipsec.secrets

# /etc/ipsec.secrets
: RSA privkey.pem

# Create VPN users accounts
# ะ’ะะ˜ะœะะะ˜ะ•! ะŸะพัะปะต ะปะพะณะธะฝะฐ ัะฝะฐั‡ะฐะปะฐ ะฟั€ะพะฑะตะป, ะฟะพั‚ะพะผ ะดะฒะพะตั‚ะพั‡ะธะต.

user1 : EAP "stongPass1"
user2 : EAP "stongPass2"
%any 33.33.33.33 : PSK "ChangeMeNow!"

After that, just reload the configuration, bring up the connection and check that it is established:

ipsec update
ipsec rereadsecrets
ipsec up linux-nsx-psk
ipsec status
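Most failed tunnels of this kind come down to one side's parameters not mirroring the other's (our leftid is their Peer Id, our rightsubnet is their Local Subnets, the PSK line in ipsec.secrets has to carry the peer address with a space before the colon, and the NSX proposal AES256/SHA256/group 14 has to appear in our ike= line). The following pre-flight script is an added example, not part of the original post or of strongSwan: it parses a copy of the conn and secrets shown above (embedded as constructed sample input, with `conn %default` merged in the way strongSwan does) and compares them with the NSX Edge settings. The NSX dictionary keys and the function names are my own; the values are the ones from this how-to.

```python
import re

# Constructed sample input: the strongSwan sections from this how-to, embedded so the script runs offline.
IPSEC_CONF = """\
conn %default
	ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
	left=%any
	leftsubnet=10.10.10.0/24

# VMWare IPSec VPN
conn linux-nsx-psk
	authby=secret
	auto=start
	leftid=vpn.linux.ext
	left=10.10.10.10
	leftsubnet=10.10.10.0/24
	rightid=33.33.33.33
	right=33.33.33.33
	rightsubnet=192.168.1.0/24
	keyexchange=ikev2
"""

IPSEC_SECRETS = """\
: RSA privkey.pem
user1 : EAP "stongPass1"
%any 33.33.33.33 : PSK "ChangeMeNow!"
"""

# Constructed: the NSX Edge side as entered in the post (the key names are my own).
NSX_EDGE = {
    "local_id": "33.33.33.33", "local_endpoint": "33.33.33.33", "local_subnets": "192.168.1.0/24",
    "peer_id": "vpn.linux.ext", "peer_subnets": "10.10.10.0/24",
    "encryption": "aes256", "digest": "sha256", "dh_group": 14, "ike": "ikev2", "psk": "ChangeMeNow!",
}

# IKE DH group numbers as strongSwan names them in proposals (standard MODP groups).
DH_GROUP_NAMES = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072", 16: "modp4096"}
WEAK_TOKENS = {"3des", "sha1", "md5", "modp768", "modp1024"}

# '<selectors> : PSK "secret"' with mandatory whitespace before the colon (the post's warning).
SECRET_RE = re.compile(r'^(?:(?P<selectors>[^:]*\S)\s+)?:\s+PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_conn(conf_text, name):
    """Return the settings of conn `name`, with `conn %default` merged in underneath."""
    sections, current = {}, None
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("config "):          # 'config setup' is not a conn
            current = None
        elif line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    merged = dict(sections.get("%default", {}))
    merged.update(sections.get(name, {}))
    return merged


def find_psk(secrets_text, peer_ip):
    """Return (psk, problems) for the PSK line whose selectors cover peer_ip."""
    problems = []
    for line in secrets_text.splitlines():
        if "PSK" not in line:
            continue
        m = SECRET_RE.match(line)
        if not m:
            problems.append(f"malformed PSK line (need '<selectors> : PSK \"...\"'): {line!r}")
            continue
        selectors = (m.group("selectors") or "").split()
        if not selectors or peer_ip in selectors:   # no selectors = applies to any peer
            return m.group("psk"), problems
    problems.append(f"no PSK line for peer {peer_ip}")
    return None, problems


def check_against_nsx(conn, nsx, psk):
    """Compare the strongSwan conn with the NSX Edge parameters; return a list of mismatches."""
    expected = {
        "keyexchange": nsx["ike"],        # NSX "IKE Option"
        "leftid": nsx["peer_id"],         # our id is the NSX "Peer Id"
        "leftsubnet": nsx["peer_subnets"],
        "rightid": nsx["local_id"],
        "right": nsx["local_endpoint"],
        "rightsubnet": nsx["local_subnets"],
        "authby": "secret",
    }
    problems = [f"{k}={conn.get(k)!r}, NSX side expects {v!r}" for k, v in expected.items() if conn.get(k) != v]
    if psk != nsx["psk"]:
        problems.append("pre-shared key differs between ipsec.secrets and NSX Edge")
    # NSX offers one IKE proposal; at least one of our ike= proposals must contain all three algorithms.
    need = {nsx["encryption"], nsx["digest"], DH_GROUP_NAMES[nsx["dh_group"]]}
    proposals = [set(p.split("-")) for p in conn.get("ike", "").rstrip("!").split(",") if p]
    if not any(need <= p for p in proposals):
        problems.append(f"no ike= proposal contains {sorted(need)}")
    return problems


def weak_ike_algorithms(conn):
    """Legacy algorithms still advertised in ike= (the post keeps them for old road-warrior clients)."""
    tokens = set(conn.get("ike", "").rstrip("!").replace(",", "-").split("-"))
    return sorted(tokens & WEAK_TOKENS)


def preflight(conf_text=IPSEC_CONF, secrets_text=IPSEC_SECRETS, nsx=NSX_EDGE, conn_name="linux-nsx-psk"):
    conn = parse_conn(conf_text, conn_name)
    psk, problems = find_psk(secrets_text, nsx["local_endpoint"])
    return problems + check_against_nsx(conn, nsx, psk)


if __name__ == "__main__":
    issues = preflight()
    print("OK: conn matches the NSX Edge settings" if not issues else "\n".join(issues))
    print("legacy algorithms still offered:", weak_ike_algorithms(parse_conn(IPSEC_CONF, "linux-nsx-psk")))
```

Run it against your real /etc/ipsec.conf and /etc/ipsec.secrets by passing their contents to `preflight()` before `ipsec up`; an empty list means the two sides agree on identities, subnets, key and proposal. `weak_ike_algorithms()` only reports what the %default ike= line still offers (3des, sha1, modp1024 here); NSX Edge never selects them because its single proposal is AES256/SHA256/group 14, but they stay on the table for the other conns that share %default.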

I hope this little how-to is useful and saves someone a couple of hours.

Source: www.habr.com
