一、環境介紹
Server IP:192.168.30.133
System: CentOS 6.5
Client:Winodows 7
二、編譯安裝StrongSwan
1.下載StrongSwan
# wget http://download.strongswan.org/strongswan.tar.gz
2.安裝相關庫
# yum update -y
# yum install pam-devel openssl-devel make gcc gmp-devel
3.編譯安裝
# ./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp
make -j 8 && make install && echo OK
注:如果出現錯誤:
configure: WARNING: unrecognized options: --enable-nat-transport
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... configure: error: newly created file
is older than distributed files!Check your system clock
解決方法:(原因:時間不對)
# cp -Rf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# cat /etc/sysconfig/clock
# ntpdate 133.100.11.8(或 s2m.time.edu.cn)
# sed -i 's#ZONE="America/New_York"#ZONE="Asia/Shanghai"#g' /etc/sysconfig/clock
# hwclock -w
# date -R
4、生成證書
# mkdir key && cd key
#### 生成一個私鑰 ####
# ipsec pki --gen --outform pem > ca.pem
# ipsec pki --self --in ca.pem --dn "C=cn, O=***stsck, CN=*** CA" \
--ca --lifetime 3650 --outform pem >ca.cert.pem
# ipsec pki --gen --outform pem > server.pem
# ipsec pki --pub --in server.pem | ipsec pki --issue --lifetime 1200 \
--cacert ca.cert.pem --cakey ca.pem --dn "C=cn, O=***stsck, CN=192.168.30.133" \
--san="192.168.30.133" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
# ipsec pki --gen --outform pem > client.pem
# ipsec pki --pub --in client.pem | ipsec pki --issue --cacert \
ca.cert.pem --cakey ca.pem --dn "C=cn, O=***stsck, CN=*** Client" --outform pem > client.cert.pem
備註:C 表示國家,O 表示組織名,如***stack CN爲通用名保持默認。(在整個部署過程中要保持一致)
CN=192.168.30.133爲你的VPS外網地址
5、安裝證書
cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp server.cert.pem /usr/local/etc/ipsec.d/certs/
cp server.pem /usr/local/etc/ipsec.d/private/
cp client.cert.pem /usr/local/etc/ipsec.d/certs/
cp client.pem /usr/local/etc/ipsec.d/private/
【卸載證書:非第一次安裝時需要此步操作,如果第一次安裝不用此步驟】
rm -rf /usr/local/etc/ipsec.d/cacerts/ca.cert.pem
rm -rf /usr/local/etc/ipsec.d/certs/server.cert.pem
rm -rf /usr/local/etc/ipsec.d/private/server.pem
rm -rf /usr/local/etc/ipsec.d/certs/client.cert.pem
rm -rf /usr/local/etc/ipsec.d/private/client.pem
6、配置strongswan
a、修改/usr/local/etc/ipsec.conf;如下:
# vim /etc/ipsec.conf
config setup strictcrlpolicy=no uniqueids=no #多臺設備同時在線 conn iOS_cert
keyexchange=ikev1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.11.0.0/24
rightcert=client.cert.pem
auto=add
conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.12.0.0/24
auto=add
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.13.0.0/24
rightcert=client.cert.pem
auto=add
conn ios_ikev2
keyexchange=ikev2
ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
esp=aes256-sha256,3des-sha1,aes256-sha1!
rekey=no
left=%defaultroute
leftid=192.168.30.133
leftsendcert=always
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.14.0.0/24
rightsendcert=never
eap_identity=%any
dpdaction=clear
fragmentation=yes
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.15.0.0/24
rightsendcert=never
eap_identity=%any
auto=add
[該配置文件詳解請參考:https://zh.opensuse.org/SDB:Setup_Ipsec_***_with_Strongswan]
b、修改/usrlocal/etc/strongswan.conf 將內容替換成如下:
# vim /usr/local/etc/strongswan.conf
charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
c、修改/usr/local/etc/ipsec.secrets(沒有此文件請自行創建)
# vim /usr/local/etc/ipsec.secrets
: RSA server.pem
: PSK "myPSKkey"
: XAUTH "myXAUTHPass"
[用戶名] %any : EAP "[密碼]
【解:】
將上面的myPSKkey單詞更改爲你需要的PSK認證方式的密鑰;
將上面的myXAUTHPass單詞更改爲你需要的XAUTH認證方式的密碼,該認證方式的用戶名是隨意的;
將上面的[用戶名]改爲自己想要的登錄名,[密碼]改爲自己想要的密碼([]符號去掉),可以添加多行,
得到多個用戶,這即是使用IKEv2的用戶名+密碼認證方式的登錄憑據.
7、配置網絡轉發規則轉發
a、設置iptables規則
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.11.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.13.0.0/24 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
# service iptables save
注意iptables規則的順序。以下做爲參考:
# Generated by iptables-save v1.4.7 on Thu Dec 8 12:51:52 2016
*nat
:PREROUTING ACCEPT [2:156]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.12.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.13.0.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Dec 8 12:51:52 2016
# Generated by iptables-save v1.4.7 on Thu Dec 8 12:51:52 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39:3992]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -j ACCEPT
-A FORWARD -s 10.12.0.0/24 -j ACCEPT
-A FORWARD -s 10.13.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Dec 8 12:51:52 2016
# service iptables restart
b、設置ip_forward轉發
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 0
改爲:
net.ipv4.ip_forward = 1
sysctl -p
c、下載ca.cert.pem證書導入windows客戶端或蘋果Mac系統:證書的具體導入方法:
Windows 7測試撥號:http://zlyang.blog.51cto.com/1196234/1881212
# yum -y install lrzsz
# cd /soft/strongswan-5.5.1/key
# sz ca.cert.pem
二、部署Freeradius+mysql+daloradius
1、安裝Freeradius和Mysql
# yum -y install freeradius freeradius-mysql freeradius-utils mysql-server
2、啓動Mysql及設置密碼
# service mysqld start
# chkconfig mysqld on
# mysql_secure_installation
3、導入Freeradius庫數據
# mysql -uroot -p
mysql> CREATE DATABASE radius;
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'localhost' IDENTIFIED BY "radpass";
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'%' IDENTIFIED BY "radpass";
mysql> flush privileges;
mysql> use radius;
mysql> SOURCE /etc/raddb/sql/mysql/schema.sql
mysql> SOURCE /etc/raddb/sql/mysql/cui.sql
mysql> SOURCE /etc/raddb/sql/mysql/ippool.sql
mysql> SOURCE /etc/raddb/sql/mysql/nas.sql
mysql> SOURCE /etc/raddb/sql/mysql/wimax.sql
4、配置Freeradius連接Mysql
# vim /etc/raddb/sql.conf
# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
#第108行
readclients = yes
5、使用sql數據庫裏的nas表讀取客戶端信息
# vim /etc/raddb/radiusd.conf
#$INCLUDE sql.conf
修改後:
$INCLUDE sql.conf
# vim /etc/raddb/sites-available/default
需要修改的行數及修改後的結果:例:#001行 line001
#170行 #files
#177 sql
#396 #radutmp
#397 sradutmp
#406 sql
#450 #radutmp
#454 sql
#475 sql
#577 sql
# vim /etc/raddb/sites-available/inner-tunnel
#125 #file
#132 sql
#252 #radutmp
#256 sql
#278 sql
#302 sql
修改密鑰:
# vim /etc/raddb/clients.conf
secret = testing123
6、添加測試用戶:
# mysql -uroot -p
mysql> use radius;
mysql> insert into radcheck (username,attribute,op,value) \
values ('test','User-Password',':=','test');
mysql> flush privileges;
mysql> exit;
測試Freeradius+Mysql
以Debug模式啓動Freeradius:
# radiusd -X
另啓一個窗口測試下:
# radtest test test . testing123
Sending Access-Request of id 71 to 127.0.0.1 port 1812
User-Name = "yzl"
User-Password = "yzl"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=71, length=55
Reply-Message = "Hello yzl !"
Reply-Message = "Regexp match for PAP"
看到”Access-Accept“說明成功。
7、部署Daloradius
a、安裝LAMP環境:
# yum -y install php-mysql php php-gd php-pear-DB httpd
b、下載Daloradius
下載地址:
http://jaist.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
漢化版地址:http://pan.baidu.com/s/1c2h2h2K
# cd /soft
# wget \
http://jaist.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar xf daloradius-0.9-9.tar.gz
c、導入daloradius庫文件
# mysql -uroot -p
mysql> use radius;
mysql> SOURCE /soft/daloradius-0.9-9/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
d、修改daloradius連接庫文件:
# vim /soft/daloradius-0.9-9/library/daloradius.conf.php
$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_FILE_RADIUS_PROXY'] = '/etc/raddb/proxy.conf';
$configValues['CONFIG_PATH_RADIUS_DICT'] = '/etc/raddb';
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';
$configValues['CONFIG_LOG_FILE'] = '/var/www/html/daloradius/var/daloradius.log';
e、拷備文件至apache工作目錄:/var/www/html
# mv /soft/daloradius-0.9-9 /var/www/html/daloradius
f、創建日誌文件:
# touch /var/www/html/daloradius/var/daloradius.log
g、賦權給apache:
# chown -R apache:apache /var/www/html/daloradius
h、修改redius日誌文件:
# vim /etc/raddb/radiusd.conf
#file = ${logdir}/radius.log
file = /var/log/radius.log
# chmod 644 /var/log/messages
# vim /var/www/html/daloradius/library/exten-radius_log.php
$logfile_loc = array();
$logfile_loc[1] = '/var/log/freeradius/radius.log';
$logfile_loc[2] = '/usr/local/var/log/radius/radius.log';
$logfile_loc[3] = '/var/log/radius/radius.log';
$logfile_loc[4] = '/var/log/radius.log';
i、將用戶的同步會話限制爲只有一個,新用戶必須添加到用戶組
# vim /etc/raddb/sql/mysql/dialup.conf
查找simul_count_query將290-293行註釋去掉
# mysql -uroot -p
mysql> use radius;
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) \
VALUES (NULL , 'users', 'Simultaneous-Use', ':=', '1');
j、修改apache配置文件
# vim /etc/httpd/conf/httpd.conf
# ServerName x.x.x.x:80
注:x.x.x.x爲你的本機ip或域名k、啓動apache
# service httpd start
# chkconfig httpd on
# service radiusd start
# chkconfig radiusd on
# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT /etc/init.d/iptables save /etc/init.d/iptables restart
# chmod 644 /var/log/radius.log
可以使用web登錄:
http://ip-address-or-hostname/daloradiusUsername: administrator
Password: radius
三、StrongSwan和Freeradius整合:
a、修改:/usr/local/etc/strongswan.d/charon/eap-radius.conf
# vim /usr/local/etc/strongswan.d/charon/eap-radius.conf
#開啓在線人數查詢
#第4行
accounting = yes
#第8行
accounting_close_on_timeout = yes
#查找server{}在這裏添加以下內容
#93行
***server {
secret = testing123
address = 127.0.0.1
}
b、修改/usr/local/etc/ipsec.conf
c、配置ikev2支蘋果Mac系統:/etc/raddb/eap.conf
d、重啓服務
# service radiusd restart
# ipsec stop
# ipsec start --nofork
測試下看是否成功撥號
四、Daloradius優化及設置計費
1、Web漢化
下載Daloradius漢化版:http://pan.baidu.com/s/1c2h2h2K
將其中的main.conf、config-lang.conf做相應的替換;把zh-cn.conf上傳到/var/www/html/daloradius/lang/ service httpd restart 然後在daloradius的管理頁面中選擇:config--language settings----Chinese---apply
2、限制用戶的每日總使用時間和登錄時間:
# vim /etc/raddb/radiusd.conf
#將747行取消註釋
$INCLUDE sql/mysql/counter.conf
# vim /etc/raddb/sql/mysql/counter.conf
#將60-63行加註釋,然後添加以下
60 # query = "SELECT SUM(acctsessiontime - \
61 # GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
62 # FROM radacct WHERE username = '%{%k}' AND \
63 # UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
64
65 query = "SELECT IFNULL(SUM(acctsessiontime - \
66 GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)),0) \
67 FROM radacct WHERE username = '%{%k}' AND \
68 UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
#
# vim /etc/raddb/dictionary
#在最後添加以下:
ATTRIBUTE Daily-Session-Time 3000 integer
ATTRIBUTE Max-Daily-Session 3001 integer
在mysql庫創建相應的字段:
# mysql -uradius -p
mysql> use radius;
mysql> delete from radacct;
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) \
VALUES (NULL , 'users', 'Max-Daily-Session', ':=', '28800'); # 28800 is seconds = 8h
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) \
VALUES (NULL , 'users', 'Login-Time', ':=', 'Al0001-2359');
3、限制用戶的每日和每月的數據使用和帳戶到期
# vim /etc/raddb/sql/mysql/counter.conf
#在最後添加以下:
sqlcounter dailytrafficcounter {
counter-name = Daily-Traffic
check-name = Max-Daily-Traffic
reply-name = Daily-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT (SUM(AcctInputOctets + AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}
sqlcounter monthlytrafficcounter {
counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
reply-name = Monthly-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT (SUM(AcctInputOctets + AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}
# vim /etc/raddb/dictionary
#在最後添加以下:
ATTRIBUTE Max-Daily-Traffic 3002 integer
ATTRIBUTE Daily-Traffic-Limit 3003 integer
ATTRIBUTE Max-Monthly-Traffic 3004 integer
ATTRIBUTE Monthly-Traffic-Limit 3005 integer
# vim /etc/raddb/sites-available/default
#在193行之後添加
dailytrafficcounter
monthlytrafficcounter
在mysql庫創建相應的字段:
# mysql -uroot -p
mysql> use radius;
mysql> delete from radacct;
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) \
VALUES (NULL , 'users', 'Max-Monthly-Traffic', ':=', '1073741824');
# 1073741824 bytes=1024*1024*1024 bytes=1 Gbyte, 填寫時以byte爲單位 每月最大流量1G
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) \
VALUES (NULL , 'users', 'Max-Daily-Traffic', ':=', '104857600');
# 104857600 bytes=100*1024*1024=100 Mbyte 每天最大流量爲100M
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) \
VALUES (NULL , 'users', 'Expiration', ':=', '1 Oct 2017'); # 設定賬號過期
mysql> exit
# service radiusd restart
到此,所有的都已經部署完畢了!祝你成功!
如有問題可在下方回覆!