Creating the CA, server and client certificates.
/certificate add name=CA country=RU state=SPb locality=SPb organization=ORG common-name=vpn.domain.ru subject-alt-name=DNS:vpn.domain.ru key-size=2048 days-valid=3650 key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
/certificate sign CA
/certificate add name=vpn.domain.ru country=RU state=SPb locality=SPb organization=ORG common-name=vpn.domain.ru subject-alt-name=DNS:vpn.domain.ru key-size=2048 days-valid=3650 key-usage=tls-server
/certificate sign vpn.domain.ru ca=CA
/certificate add name=chelovek@domain.ru country=RU state=SPb locality=SPb organization=ORG common-name=chelovek@domain.ru subject-alt-name=email:chelovek@domain.ru key-size=2048 days-valid=3650 key-usage=tls-client
/certificate sign chelovek@domain.ru ca=CA
/certificate export-certificate chelovek@domain.ru type=pkcs12 export-passphrase=12345678
IPsec IKEv2 configuration on MikroTik
/ip pool add name=ikev2 ranges=192.168.24.0/24
/ip ipsec mode-config add address-pool="ikev2" address-prefix-length=32 name="ikev2" split-include=192.168.24.0/24,192.168.124.0/24 system-dns=yes
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=20h name="ikev2proposal" pfs-group=none
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="ikev2profile" nat-traversal=yes proposal-check=obey
/ip ipsec policy group add name="ikev2"
/ip ipsec policy add dst-address=192.168.24.0/24 group="ikev2" proposal="ikev2proposal" src-address=0.0.0.0/0 template=yes sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 ipsec-protocols=esp level=require protocol=all action=encrypt
/ip ipsec peer add exchange-mode=ike2 address=0.0.0.0/0 name="ikev2peer" passive=yes send-initial-contact=yes profile="ikev2profile"
/ip ipsec identity add auth-method=digital-signature certificate=vpn.domain.ru remote-certificate=chelovek@domain.ru generate-policy=port-strict match-by=certificate mode-config="ikev2" peer="ikev2peer" policy-template-group="ikev2" remote-id=user-fqdn:chelovek@domain.ru
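The profile and proposal above still offer sha1, modp1536 and modp1024 and set pfs-group=none, presumably for compatibility with older clients. As an added check that is not part of the original post or of RouterOS, the following Python script parses RouterOS command lines of this form and lists every weak value an IPsec profile or proposal offers; the 2048-bit DH floor and the set of weak algorithms are its own assumptions.

```python
import re

# Constructed sample: the proposal and profile commands from this post, one per line.
SAMPLE_CONFIG = """\
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=20h name="ikev2proposal" pfs-group=none
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="ikev2profile" nat-traversal=yes proposal-check=obey
"""

# Assumption: DH groups below 2048 bits, MD5/SHA-1 integrity, legacy ciphers and a disabled PFS group are weak.
WEAK = {
    "dh-group": {"modp768", "modp1024", "modp1536"},
    "pfs-group": {"none", "modp768", "modp1024", "modp1536"},
    "hash-algorithm": {"md5", "sha1"},
    "auth-algorithms": {"null", "md5", "sha1"},
    "enc-algorithm": {"des", "3des", "blowfish"},
    "enc-algorithms": {"null", "des", "3des", "blowfish"},
}

COMMAND = re.compile(r"(/[\w/ -]+?) add\b(.*)")
PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_routeros(text):
    """Return one dict per 'add' command: its key=value parameters plus 'path' (e.g. '/ip ipsec profile')."""
    entries = []
    for line in text.splitlines():
        m = COMMAND.match(line.strip())
        if not m:
            continue
        params = {key: quoted or bare for key, quoted, bare in PARAM.findall(m.group(2))}
        params["path"] = m.group(1)
        entries.append(params)
    return entries


def audit(text):
    """Return (entry name, parameter, weak value) for each weak value an IPsec entry offers."""
    findings = []
    for entry in parse_routeros(text):
        if not entry["path"].startswith("/ip ipsec"):
            continue
        for key, weak_values in WEAK.items():
            # RouterOS lists are comma separated; every listed value is negotiable, so each is checked.
            for value in entry.get(key, "").split(","):
                if value in weak_values:
                    findings.append((entry.get("name", "?"), key, value))
    return findings


if __name__ == "__main__":
    for name, key, value in audit(SAMPLE_CONFIG):
        print(f"{name}: {key} offers weak value {value}")
```

Run against an `/export` of the router, it flags each weak value the peer may negotiate down to; trimming those lists is the mitigation once every client supports the stronger settings.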
A couple of firewall rules
/ip firewall filter add action=accept chain=input connection-state=new dst-port=500,4500 in-interface=ether1 protocol=udp
/ip firewall filter add action=accept chain=forward connection-state=new ipsec-policy=in,ipsec
On the clients
Windows 10. Export the PKCS#12 file cert_export_chelovek@domain.ru.p12 for the user and install it into Cert:\LocalMachine\Root\ (administrator rights are required).
Run the following as the user (or as administrator with -AllUserConnection). Without -MachineCertificateIssuerFilter it will not be possible to connect to more than one VPN:
# Must match the CN/SAN of the router's server certificate (vpn.domain.ru above) and be resolvable.
$site = "vpn.domain.ru"
# Find the CA certificate installed from the PKCS#12 file and export it for use as the issuer filter.
$thumb = (Get-ChildItem Cert:\LocalMachine\Root\ -Recurse | Where-Object { $_.Subject -like "*CN=$site*" }).Thumbprint
Export-Certificate -FilePath "$site.cer" -Cert Cert:\LocalMachine\Root\$thumb
Add-VpnConnection -Name $site -ServerAddress $site -TunnelType Ikev2 -AuthenticationMethod MachineCertificate -SplitTunneling -MachineCertificateIssuerFilter "$site.cer"
Bring up the VPN connection.
CentOS 8
dnf install strongswan strongswan-charon-nm

Copy the files exported from the router into place:
/etc/strongswan/ipsec.d/cacerts/cert_export_CA.crt
/etc/strongswan/ipsec.d/certs/cert_export_chelovek@domain.ru.crt
/etc/strongswan/ipsec.d/private/cert_export_chelovek@domain.ru.key

/etc/strongswan/ipsec.conf:
conn vpn
    keyexchange=ikev2
    right=vpn.domain.ru
    rightid=%vpn.domain.ru
    rightsubnet=192.168.24.0/24
    leftauth=pubkey
    leftsourceip=%config
    leftcert=cert_export_chelovek@domain.ru.crt
    auto=add

/etc/strongswan/ipsec.secrets (added here; charon only loads a private key from ipsec.d/private when it is listed):
: RSA cert_export_chelovek@domain.ru.key

strongswan up vpn