一、环境介绍
Server IP:192.168.30.133 System: CentOS 6.5 Client:Winodows
二、编译安装StrongSwan
1.下载StrongSwan
wget http://download.strongswan.org/strongswan.tar.gz
2.安装相关库
yum install pam-devel openssl-devel make gcc gmp-devel
3.编译安装
tar zxvf strongswan.tar.gz cd strongswan-* ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql \--disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka \--enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap \--enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \--enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls make && make install && echo OK
注:如果出现错误:
configure: WARNING: unrecognized options: --enable-nat-transport checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... configure: error: newly created file is older than distributed files! Check your system clock 解决方法:(原因:时间不对) cp -Rf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime cat /etc/sysconfig/clock ntpdate 133.100.11.8(或 s2m.time.edu.cn) sed -i 's#ZONE="America/New_York"#ZONE="Asia/Shanghai"#g' /etc/sysconfig/clock hwclock -w date -R
4、生成证书
ipsec pki --gen --outform pem > ca.pem ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=VPN CA" --ca --outform pem >ca.cert.pem ipsec pki --gen --outform pem > server.pem ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \--dn "C=com, O=myvpn, CN=192.168.30.133" --san="192.168.30.133" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem ipsec pki --gen --outform pem > client.pem ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=VPN Client" --outform pem > client.cert.pem openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "VPN CA" -out client.cert.p12 注意:CN=192.168.30.133为你的VPS外网地址
5、安装证书
cp -rf ca.cert.pem /etc/ipsec.d/cacerts/ cp -rf server.cert.pem /etc/ipsec.d/certs/ cp -rf server.pem /etc/ipsec.d/private/ cp -rf client.cert.pem /etc/ipsec.d/certs/ cp -rf client.pem /etc/ipsec.d/private/
【卸载证书:非第一次安装时需要此步操作,如果第一次安装不用此步骤】
rm -rf /etc/ipsec.d/cacerts/ca.cert.pem
rm -rf /etc/ipsec.d/certs/server.cert.pem
rm -rf /etc/ipsec.d/private/server.pem
rm -rf /etc/ipsec.d/certs/client.cert.pem
rm -rf /etc/ipsec.d/private/client.pem
6、配置strongswan
a、修改/etc/ipsec.conf;如下:
# vim /etc/ipsec.conf
config setup
strictcrlpolicy=no
uniqueids=no #多台设备同时在线
conn iOS_cert
keyexchange=ikev1
# strongswan version >= , compatible with iOS
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=
rightcert=client.cert.pem
auto=add
#also supports iOS PSK and Shrew on Windows
conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=
auto=add
# compatible with "strongSwan VPN Client" for Android 4.0+
# and Windows cert mode.
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=
rightcert=client.cert.pem
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=
rightsendcert=never
eap_identity=%any
auto=add
[该配置文件详解请参考:https://zh.opensuse.org/SDB:Setup_Ipsec_VPN_with_Strongswan]
b、修改/etc/strongswan.conf 将内容替换成如下:
vim /etc/strongswan.conf
charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
c、修改/etc/ipsec.secrets(没有此文件请自行创建)
vim /etc/ipsec.secrets : RSA server.pem : PSK "myPSKkey" : XAUTH "myXAUTHPass" [用户名] %any : EAP "[密码]" 【解:】 将上面的myPSKkey单词更改为你需要的PSK认证方式的密钥; 将上面的myXAUTHPass单词更改为你需要的XAUTH认证方式的密码,该认证方式的用户名是随意的; 将上面的[用户名]改为自己想要的登录名,[密码]改为自己想要的密码([]符号去掉),可以添加多行,得到多个用户,这即是使用IKEv2的用户名+密码认证方式的登录凭据.
7、配置网络转发规则转发
a、设置iptables规则
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport -j ACCEPT
iptables -A INPUT -p tcp --dport -j ACCEPT
iptables -A INPUT -p udp --dport -j ACCEPT
iptables -A INPUT -p udp --dport -j ACCEPT
iptables -A INPUT -p tcp --dport -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -j MASQUERADE
iptables -t nat -A POSTROUTING -s -j MASQUERADE
iptables -t nat -A POSTROUTING -s -j MASQUERADE
iptables -t nat -A POSTROUTING -s -j MASQUERADE
注意iptables规则的顺序。以下做为参考:
# Generated by iptables-save v1.4.7 on Thu Dec 8 12:51:52 2016
*nat
:PREROUTING ACCEPT [2:156]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.12.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.13.0.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Dec 8 12:51:52 2016
# Generated by iptables-save v1.4.7 on Thu Dec 8 12:51:52 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39:3992]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -j ACCEPT
-A FORWARD -s 10.12.0.0/24 -j ACCEPT
-A FORWARD -s 10.13.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Dec 8 12:51:52 2016
service iptables restart
b、设置ip_forward转发
vim /etc/sysctl.conf
net.ipv4.ip_forward =
改为:
net.ipv4.ip_forward =
sysctl -p
至此,strongswan就已经配置完成了,以下来测试
Windows 7测试拨号:http://zlyang.blog.51cto.com/1196234/1881212
二、部署Freeradius+mysql+daloradius
1、安装Freeradius和Mysql
yum -y install freeradius freeradius-mysql freeradius-utils mysql-server
2、启动Mysql及设置密码
service mysqld start
chkconfig mysqld on
mysql_secure_installation
3、导入Freeradius库数据
mysql -uroot -p
mysql> CREATE DATABASE radius;
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'localhost' IDENTIFIED BY "radpass";
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'%' IDENTIFIED BY "radpass";
mysql> flush privileges;
mysql> use radius;
mysql> SOURCE /etc/raddb/sql/mysql/schema.sql
mysql> SOURCE /etc/raddb/sql/mysql/cui.sql
mysql> SOURCE /etc/raddb/sql/mysql/ippool.sql
mysql> SOURCE /etc/raddb/sql/mysql/nas.sql
mysql> SOURCE /etc/raddb/sql/mysql/wimax.sql
4、配置Freeradius连接Mysql
vim /etc/raddb/sql.conf
# Connection info:
server = "localhost"
#port =
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
#第108行 readclients = yes
5、使用sql数据库里的nas表读取客户端信息
vim /etc/raddb/radiusd.conf
#$INCLUDE sql.conf
修改后:
$INCLUDE sql.conf
vim /etc/raddb/sites-available/default
需要修改的行数及修改后的结果:例:#001行 line001
#170行 #files
# sql
# #radutmp
# sradutmp
# sql
# #radutmp
# sql
# sql
# sql
vim /etc/raddb/sites-available/inner-tunnel
# #file
# sql
# #radutmp
# sql
# sql
# sql
修改密钥:
vim /etc/raddb/clients.conf
secret = testing123
6、添加测试用户:
mysql -uroot -p
mysql> use radius;
mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
mysql> flush privileges;
mysql> exit;
测试Freeradius+Mysql
以Debug模式启动Freeradius:
radiusd -X
另启一个窗口测试下:
radtest test test testing123
Sending Access-Request of id 71 to 127.0.0.1 port 1812
User-Name = "yzl"
User-Password = "yzl"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=71, length=55
Reply-Message = "Hello yzl !"
Reply-Message = "Regexp match for PAP"
看到”Access-Accept“说明成功。
7、部署Daloradius
a、安装LAMP环境:
yum -y install php-mysql php php-gd php-pear-DB httpd
b、下载Daloradius
下载地址:http://jaist.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
汉化版地址:http://pan.baidu.com/s/1c2h2h2K
wget http://jaist.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar xf daloradius-.tar.gz
c、导入daloradius库文件
mysql -uroot -p
mysql> use radius;
mysql> SOURCE /soft/daloradius-/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
d、修改daloradius连接库文件:
vi /soft/daloradius-/library/daloradius.conf.php
$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues[';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_FILE_RADIUS_PROXY'] = '/etc/raddb/proxy.conf';
$configValues['CONFIG_PATH_RADIUS_DICT'] = '/etc/raddb';
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';
$configValues['CONFIG_LOG_FILE'] = '/var/www/html/daloradius/var/daloradius.log';
e、拷备文件至apache工作目录:/var/www/html
mv /tmp/daloradius- /var/www/html/daloradius
f、创建日志文件:
touch /var/www/html/daloradius/var/daloradius.log
g、赋权给apache:
chown -R apache:apache /var/www/html/daloradius
h、修改redius日志文件:
vim /etc/raddb/radiusd.conf
#file = ${logdir}/radius.log
file = /var/log/radius.log
chmod 644 /var/log/messages
vim /var/www/html/daloradius/library/exten-radius_log.php
$logfile_loc = array();
$logfile_loc[] = '/var/log/freeradius/radius.log';
$logfile_loc[] = '/usr/local/var/log/radius/radius.log';
$logfile_loc[] = '/var/log/radius/radius.log';
$logfile_loc[] = '/var/log/radius.log';
i、将用户的同步会话限制为只有一个,新用户必须添加到用户组
vim /etc/raddb/sql/mysql/dialup.conf
查找simul_count_query将290-293行注释去掉
mysql -uroot -p
mysql> use radius;
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) VALUES (NULL , ');
j、修改apache配置文件
vi /etc/httpd/conf/httpd.conf
ServerName x.x.x.x:80
注:x.x.x.x为你的本机ip或域名
k、启动apache
service httpd start
chkconfig httpd on
service radiusd start
chkconfig radiusd on
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables restart
chmod /var/log/radius.log
可以使用web登录:
http://ip-address-or-hostname/daloradius Username: administrator Password: radius
三、StrongSwan和Freeradius整合:
a、修改:/etc/strongswan.d/charon/eap-radius.conf
vim /etc/strongswan.d/charon/eap-radius.conf
#开启在线人数查询#第4行accounting = yes#第8行accounting_close_on_timeout = yes#查找server{}在这里添加以下内容
#93行
vpnserver {
secret = testing123
address = 127.0.0.1
}
b、修改/etc/ipsec.conf
#把所有的rightauth=
rightauth=eap-radius
c、重启服务
ipsec stop
ipsec start --nofork
测试下看是否成功拨号;
四、Daloradius优化及设置计费
1、Web汉化
下载Daloradius汉化版:http://pan.baidu.com/s/1c2h2h2K 将其中的main.conf、config-lang.conf做相应的替换;把zh-cn.conf上传到/var/www/html/daloradius/lang/
service httpd restart
然后在daloradius的管理页面中选择:config--language settings----Chinese---apply
2、限制用户的每日总使用时间和登录时间:
vim /etc/raddb/radiusd.conf
#将747行取消注释
$INCLUDE sql/mysql/counter.conf
vim /etc/raddb/sql/mysql/counter.conf
#将60-63行加注释,然后添加以下
# query = "SELECT SUM(acctsessiontime - \
# GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), )) \
# FROM radacct WHERE username = '%{%k}' AND \
# UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
query = "SELECT IFNULL(SUM(acctsessiontime - \
GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), )),) \
FROM radacct WHERE username = '%{%k}' AND \
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
vim /etc/raddb/sites-available/default
authorize {
...
#修改192,加上#
#daily
#在193行添加
dailycounter
#在462之后添加
post-auth {
if(control:Auth-Type =~ /.*AP/){
update reply {
Reply-Message := "Hello %{User-Name} !"
Reply-Message := "Regexp match for %{0}"
}
}
vim /etc/raddb/dictionary
#在最后添加以下:
ATTRIBUTE Daily-Session-Time integer
ATTRIBUTE Max-Daily-Session integer
在mysql库创建相应的字段:
mysql -uradius -p
mysql> use radius;
mysql> delete from radacct;
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) VALUES (NULL , is seconds = 8h
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) VALUES (NULL , 'users', 'Login-Time', ':=', 'Al0001-2359');
3、限制用户的每日和每月的数据使用和帐户到期
vim /etc/raddb/sql/mysql/counter.conf
#在最后添加以下:
sqlcounter dailytrafficcounter {
counter-name = Daily-Traffic
check-name = Max-Daily-Traffic
reply-name = Daily-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT (SUM(AcctInputOctets + AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}
sqlcounter monthlytrafficcounter {
counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
reply-name = Monthly-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT (SUM(AcctInputOctets + AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}
vim /etc/raddb/dictionary
#在最后添加以下:
ATTRIBUTE Max-Daily-Traffic integer
ATTRIBUTE Daily-Traffic-Limit integer
ATTRIBUTE Max-Monthly-Traffic integer
ATTRIBUTE Monthly-Traffic-Limit integer
vim /etc/raddb/sites-available/default
#在193行之后添加
dailytrafficcounter
monthlytrafficcounter
在mysql库创建相应的字段:
mysql -uroot -p
mysql> use radius;
mysql> delete from radacct;
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) VALUES (NULL , bytes=** bytes= Gbyte, 填写时以byte为单位 每月最大流量1G
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) VALUES (NULL , bytes=**= Mbyte 每天最大流量为100M
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) VALUES (NULL , 'users', 'Expiration', ':=', '1 Oct 2017'); # 设定账号过期
service radiusd restart
到此,所有的都已经部署完毕了!祝你成功!
如有问题可在下方回复!