Create the CA private key:
ipsec pki --gen --type ecdsa --size 256 > /etc/ipsec.d/private/caKey.key
If this fails with the error
building CRED_PRIVATE_KEY - ECDSA failed, tried 2 builders
then strongSwan was built without the openssl plugin, which provides the ECDSA key builders: pass --enable-openssl to configure when building strongSwan, then rerun the command.
Create the self-signed CA certificate:
ipsec pki --self --ca --in /etc/ipsec.d/private/caKey.key --type ecdsa --digest sha512 --outform pem --dn "C=US, O=IPSec VPN, CN=IPSec VPN Certificate Authority" > /etc/ipsec.d/cacerts/caCert.cer
Create the two host private keys:
ipsec pki --gen --type ecdsa --size 256 > /etc/ipsec.d/private/ubuntu-red.key
ipsec pki --gen --type ecdsa --size 256 > /etc/ipsec.d/private/ubuntu-blue.key
Extract each public key and have the CA issue the host certificate (the --san value is the identity the peer will match against its rightid):
ipsec pki --pub --type ecdsa --in /etc/ipsec.d/private/ubuntu-red.key | ipsec pki --issue --outform pem --digest sha512 --cacert /etc/ipsec.d/cacerts/caCert.cer --cakey /etc/ipsec.d/private/caKey.key --dn "C=US, O=IPSec VPN, CN=ubuntu-red" --san ubuntu-red > /etc/ipsec.d/certs/ubuntu-red.cer
ipsec pki --pub --type ecdsa --in /etc/ipsec.d/private/ubuntu-blue.key | ipsec pki --issue --outform pem --digest sha512 --cacert /etc/ipsec.d/cacerts/caCert.cer --cakey /etc/ipsec.d/private/caKey.key --dn "C=US, O=IPSec VPN, CN=ubuntu-blue" --san ubuntu-blue > /etc/ipsec.d/certs/ubuntu-blue.cer
Assume red is the server (the responder that waits for connections). Edit /etc/ipsec.conf on red and add:
conn red-to-blue
    keyexchange=ikev2
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    authby=pubkey
    auto=add
    leftid=@ubuntu-red
    leftcert=ubuntu-red.cer
    right=%any
    rightsubnet=192.168.2.0/24
    rightid=@ubuntu-blue
    type=tunnel
Edit ipsec.secrets on red so that strongSwan can load the host's private key:
: ECDSA /etc/ipsec.d/private/ubuntu-red.key
On the blue host, copy the CA certificate, the blue private key and the blue certificate into the corresponding /etc/ipsec.d/ directories (cacerts, private, certs), then edit ipsec.secrets:
: ECDSA /etc/ipsec.d/private/ubuntu-blue.key
Edit /etc/ipsec.conf on blue:
conn blue-to-red
    keyexchange=ikev2
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    authby=pubkey
    leftid=@ubuntu-blue
    leftcert=ubuntu-blue.cer
    rightid=@ubuntu-red
    right=47.93.216.68
    rightsubnet=172.17.94.120/20
    type=tunnel
    auto=start
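As an added example (not part of the original post), the following POSIX shell script wraps the whole procedure above: it generates the CA and the host keys and certificates with the same ipsec pki commands, verifies each issued certificate against the CA before it is deployed, and renders both peers' conn sections and ipsec.secrets lines from one definition so that the leftid, rightid and certificate file names cannot drift apart. The function names and the IPSEC_DIR and RUN_PKI variables are this example's own; the key generation and the ipsec pki --verify check assume a strongSwan build with the openssl plugin.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripts the strongSwan
# ECDSA certificate setup and renders the two peers' configuration.
# IPSEC_DIR, RUN_PKI and the function names are this example's own.
set -eu

IPSEC_DIR="${IPSEC_DIR:-/etc/ipsec.d}"
CA_DN="C=US, O=IPSec VPN, CN=IPSec VPN Certificate Authority"

# Generate the CA key and the self-signed CA certificate (same commands as the post).
gen_ca() {
    ipsec pki --gen --type ecdsa --size 256 > "$IPSEC_DIR/private/caKey.key"
    ipsec pki --self --ca --in "$IPSEC_DIR/private/caKey.key" --type ecdsa \
        --digest sha512 --outform pem --dn "$CA_DN" \
        > "$IPSEC_DIR/cacerts/caCert.cer"
}

# Generate a host key and have the CA issue its certificate. The SAN is the
# bare host name, which is exactly what the peer's rightid=@<host> must match.
gen_host() {
    host="$1"
    ipsec pki --gen --type ecdsa --size 256 > "$IPSEC_DIR/private/$host.key"
    ipsec pki --pub --type ecdsa --in "$IPSEC_DIR/private/$host.key" \
      | ipsec pki --issue --outform pem --digest sha512 \
          --cacert "$IPSEC_DIR/cacerts/caCert.cer" \
          --cakey "$IPSEC_DIR/private/caKey.key" \
          --dn "C=US, O=IPSec VPN, CN=$host" --san "$host" \
          > "$IPSEC_DIR/certs/$host.cer"
    # Confirm the issued certificate chains to the CA before copying it anywhere.
    ipsec pki --verify --in "$IPSEC_DIR/certs/$host.cer" \
        --cacert "$IPSEC_DIR/cacerts/caCert.cer"
}

# Render the ipsec.conf conn section for one side of the tunnel.
# $1 local host, $2 remote host, $3 remote address (%any on the responder),
# $4 remote subnet, $5 auto mode (add = wait for the peer, start = initiate).
render_conn() {
    cat <<EOF
conn $1-to-$2
    keyexchange=ikev2
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    authby=pubkey
    leftid=@$1
    leftcert=$1.cer
    right=$3
    rightid=@$2
    rightsubnet=$4
    type=tunnel
    auto=$5
EOF
}

# Render the ipsec.secrets line that points strongSwan at the host's private key.
render_secret() {
    printf ': ECDSA %s/private/%s.key\n' "$IPSEC_DIR" "$1"
}

# Key and certificate generation only runs when explicitly requested and the
# strongSwan tool is installed; rendering needs neither.
if [ "${RUN_PKI:-0}" = 1 ] && command -v ipsec >/dev/null 2>&1; then
    gen_ca
    gen_host ubuntu-red
    gen_host ubuntu-blue
fi

# Print both peers' sections for review (red responds, blue initiates).
render_conn ubuntu-red ubuntu-blue %any 192.168.2.0/24 add
echo
render_conn ubuntu-blue ubuntu-red 47.93.216.68 172.17.94.120/20 start
```

Running the script with RUN_PKI=1 on the CA host produces the same files as the commands above; the two render_conn calls at the end reproduce the red and blue sections, and render_secret ubuntu-red or render_secret ubuntu-blue gives the matching ipsec.secrets line. Because both the --san of each certificate and the other side's rightid come from the same host name, the identity check that strongSwan performs on the peer certificate is satisfied by construction.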