{"id":120,"date":"2014-06-12T16:33:31","date_gmt":"2014-06-12T07:33:31","guid":{"rendered":"http:\/\/fsck.jp\/?p=120"},"modified":"2018-06-25T15:10:57","modified_gmt":"2018-06-25T06:10:57","slug":"%e8%87%aa%e5%ae%85-vps%e9%96%93%e3%81%a7ipsec-strongswan-rsa%e8%a8%bc%e6%98%8e%e6%9b%b8%e8%aa%8d%e8%a8%bc","status":"publish","type":"post","link":"https:\/\/fsck.jp\/?p=120","title":{"rendered":"\u81ea\u5b85-VPS\u9593\u3067IPsec (strongswan X.509\u8a3c\u660e\u66f8\u8a8d\u8a3c)"},"content":{"rendered":"

\u524d\u306e\u8a18\u4e8b<\/a>\u3068\u540c\u3058\u69cb\u6210\u3067\u3001\u8a8d\u8a3c\u306b\u8a3c\u660e\u66f8\u3092\u5c0e\u5165\u3057\u3066\u307f\u305f\u3002<\/p>\n

\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u306f\u524d\u306e\u8a18\u4e8b<\/a>\u3068\u540c\u3058\u3067\u3001\u4ee5\u4e0b\u306e\u56f3\u306e\u3088\u3046\u306b\u306a\u308b\u3002
\n\"\"<\/a><\/p>\n

\u524d\u63d0:
\n\u30fbVPS \u306e OS \u306f CentOS 7.5\u3001\u81ea\u5b85\u5074\u30b5\u30fc\u30d0\u306f Raspbian 9.4 \u3067\u3042\u308b\u3002
\n\u30fbIPsec \u5b9f\u88c5\u306b\u306f strongswan \u3092\u5229\u7528\u3059\u308b\u3002
\n\u30fb\u8a3c\u660e\u66f8\u4f5c\u6210\u306b\u306fOpenSSL\u3092\u4f7f\u3044\u3001PEM \u30d5\u30a1\u30a4\u30eb\u306e\u5f62\u3067\u7ba1\u7406\u3059\u308b\u3002
\n\u30fb\u81ea\u5b85\u5074\u306eIPsec\u7aef\u70b9 (\u30db\u30b9\u30c8\u540d:myserver1) \u3068\u540c\u4e00\u306e\u30b5\u30fc\u30d0\u306b CA \u3092\u4f5c\u6210\u3057\u3066\u304a\u304d\u3001\u3053\u306e CA \u4e0a\u3067\u4e21\u5074\u306e\u7aef\u70b9\u7528\u306e\u8a3c\u660e\u66f8\u3092\u767a\u884c\u3059\u308b\u3002<\/p>\n

1. strongswan \u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h3>\n

user@myserver1:~$ sudo apt-get install strongswan
\n[user@myvps1 ~]$ sudo yum install epel-release
\n[user@myvps1 ~]$ sudo yum install strongswan<\/code><\/p>\n

\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u306f\u524d\u3005\u56de\u306e\u8a18\u4e8b<\/a>\u3068\u540c\u4e00\u306e\u8a2d\u5b9a\u3092\u3057\u3066\u304a\u304f\u3002<\/p>\n

\u81ea\u5b85\u5185\u30b5\u30fc\u30d0\u5074\u306e\u8a2d\u5b9a\u3002
\nuser@myserver1:~$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n

net.ipv4.ip_forward=1\u3000\u3000#28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059<\/pre>\n
user@myserver1:~$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n
VPS \u306e\u65b9\u306b\u3082\u540c\u3058\u8a2d\u5b9a\u3092\u5b9f\u65bd\u3059\u308b\u3002
\n[user@myvps1 ~]$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n
net.ipv4.ip_forward=1\u3000\u3000#\u8ffd\u8a18\u3059\u308b<\/pre>\n
[user@myvps1 ~]$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n
\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb(ufw)\u3092\u9589\u3058\u3066\u3044\u308b\u5834\u5408\u306f\u3001UDP 500 \u3068 4500 \u3092\u7a7a\u3051\u3066\u304a\u304f\u3053\u3068\u3002<\/p>\n
2. \u8a3c\u660e\u66f8\u306e\u4f5c\u6210<\/h3>\n
myserver1 \u4e0a\u306b CA \u306e\u305f\u3081\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3068\u8a2d\u5b9a\u3092\u6e96\u5099\u3059\u308b\u3002
\nuser@myserver1:~$ sudo mkdir \/etc\/ssl\/CA
\nuser@myserver1:~$ sudo mkdir \/etc\/ssl\/newcerts
\nuser@myserver1:~$ sudo sh -c \"echo '01' > \/etc\/ssl\/CA\/serial\"
\nuser@myserver1:~$ sudo sh -c \"echo '01' > \/etc\/ssl\/CA\/crlnumber\"
\nuser@myserver1:~$ sudo touch \/etc\/ssl\/CA\/index.txt
\nuser@myserver1:~$ sudo vi \/etc\/ssl\/openssl.cnf<\/code><\/p>\n
\/etc\/ssl\/openssl.cnf\u306e\u629c\u7c8b:<\/p>\n
\r\ndir\t\t= \/etc\/ssl\t\t# Where everything is kept\r\ndatabase\t= $dir\/CA\/index.txt\t# database index file.\r\ncertificate\t= $dir\/certs\/ca1.crt \t# The CA certificate\r\nserial\t\t= $dir\/CA\/serial \t\t# The current serial number\r\ncrlnumber\t= $dir\/CA\/crlnumber # the current crl number\r\n                    # must be commented out to leave a V1 CRL\r\ncrl     = $dir\/crl\/crl.pem\r\nprivate_key\t= $dir\/private\/ca1.key<\/pre>\n
CA \u9375\u30fb\u8a3c\u660e\u66f8\u3092\u4f5c\u6210\u3059\u308b\u3002
\nuser@myserver1:~$ sudo openssl req -new -x509 -extensions v3_ca -keyout \/etc\/ssl\/private\/ca1.key -out \/etc\/ssl\/certs\/ca1.crt -days 3652
\n(snip)
\nCountry Name (2 letter code) [AU]:JP
\nState or Province Name (full name) [Some-State]:Aichi
\nLocality Name (eg, city) []:Nagoya
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Home
\nOrganizational Unit Name (eg, section) []:CA
\nCommon Name (e.g. server FQDN or YOUR name) []:ca1.home.example.com
\nEmail Address []:<\/code><\/p>\n
myserver1 \u306e\u79d8\u5bc6\u9375\u3092\u4f5c\u6210\u3059\u308b\u3002
\nuser@myserver1:~$ openssl genrsa -aes256 -out \/etc\/ssl\/private\/myserver1.key 2048
\nEnter pass phrase for myserver1.key:********
\n(\u5f8c\u3067\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u524a\u9664\u3059\u308b\u306e\u3067\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u306f\u3053\u3053\u3067\u306f\u9069\u5f53\u306b\u6c7a\u3081\u308b)
\nVerifying - Enter pass phrase for myserver1.key:********<\/code><\/p>\n
\u79d8\u5bc6\u9375\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u524a\u9664\u3057\u3066\u304a\u304f\u3002
\nuser@myserver1:~$ openssl rsa -in \/etc\/ssl\/private\/myserver1.key -out \/etc\/ssl\/private\/myserver1.key
\nEnter pass phrase for myserver1.key:********
\nwriting RSA key<\/code><\/p>\n
myserver1 \u306e CSR \u3092\u4f5c\u6210\u3059\u308b\u3002
\nuser@myserver1:~$ openssl req -new -days 1826 -key \/etc\/ssl\/private\/myserver1.key -out \/etc\/ssl\/cert\/myserver1.csr
\n(snip)
\nCountry Name (2 letter code) [AU]:JP
\nState or Province Name (full name) [Some-State]:Aichi
\nLocality Name (eg, city) []:Nagoya
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Home
\nOrganizational Unit Name (eg, section) []:Server
\nCommon Name (e.g. server FQDN or YOUR name) []:myserver1.home.example.com
\nEmail Address []:
\nPlease enter the following 'extra' attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:<\/code><\/p>\n
CA \u9375\u3092\u4f7f\u3063\u3066 CSR \u306b\u7f72\u540d\u3059\u308b\u3002
\nuser@myserver1:~$ sudo openssl ca -in \/etc\/ssl\/cert\/myserver1.csr -config \/etc\/ssl\/openssl.cnf
\nEnter pass phrase for \/etc\/ssl\/private\/ca.key:********
\n(snip)
\nSign the certificate? [y\/n]:y
\n1 out of 1 certificate requests certified, commit? [y\/n]y
\n(snip)
\nData Base Updated<\/code><\/p>\n
CA \u8a3c\u660e\u66f8\u3068\u30db\u30b9\u30c8\u8a3c\u660e\u66f8\u30fb\u9375\u3092 strongswan \u7528\u306b\u914d\u7f6e\u3059\u308b\u3002
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/certs\/ca1.crt \/etc\/ipsec.d\/cacerts\/
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/newcerts\/01.pem \/etc\/ipsec.d\/certs\/myserver1.crt
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/private\/myserver1.key \/etc\/ipsec.d\/private\/<\/code><\/p>\n
myvps1 \u7528\u306e\u8a3c\u660e\u66f8\u3082\u540c\u69d8\u306b\u4f5c\u6210\u3059\u308b\u3002
\nuser@myserver1:~$ openssl genrsa -aes256 -out \/etc\/ssl\/private\/myvps1.key 2048
\nuser@myserver1:~$ openssl rsa -in \/etc\/ssl\/private\/myvps1.key -out \/etc\/ssl\/private\/myvps1.key
\nuser@myserver1:~$ openssl req -new -days 1826 -key \/etc\/ssl\/private\/myvps1.key -out \/etc\/ssl\/cert\/myvps1.csr
\nuser@myserver1:~$ sudo openssl ca -in \/etc\/ssl\/cert\/myvps1.csr -config \/etc\/ssl\/openssl.cnf<\/code><\/p>\n
\u3044\u307e\u4f5c\u6210\u3057\u305f myvps1 \u7528\u306e\u30db\u30b9\u30c8\u8a3c\u660e\u66f8\u30fb\u9375\u3001CA\u8a3c\u660e\u66f8\u3092 myvps1 \u5074\u306b\u30b3\u30d4\u30fc\u3059\u308b\u3002
\nuser@myserver1:~$ cp \/etc\/ssl\/certs\/ca1.crt .
\nuser@myserver1:~$ cp \/etc\/ssl\/newcerts\/02.pem .\/myvps1.crt
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/private\/myvps1.key .
\nuser@myserver1:~$ sudo chown user myvps1.key
\nuser@myserver1:~$ scp ca1.crt myvps1.crt myvps1.key myvps1:<\/code><\/p>\n
myvps1 \u4e0a\u3067\u8a3c\u660e\u66f8\u30fb\u9375\u3092\u914d\u7f6e\u3059\u308b\u3002
\n[user@myvps1 ~]$ sudo cp ca1.crt \/etc\/strongswan\/ipsec.d\/cacerts\/
\n[user@myvps1 ~]$ sudo cp myvps1.crt \/etc\/strongswan\/ipsec.d\/certs\/
\n[user@myvps1 ~]$ sudo cp myvps1.key \/etc\/strongswan\/ipsec.d\/private\/<\/code><\/p>\n
\u4f5c\u696d\u7528\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664\u3059\u308b\u3002
\n[user@myvps1 ~]$ rm ca1.crt myvps1.crt myvps1.key
\nuser@myserver1:~$ rm ca1.crt myvps1.crt myvps1.key<\/code><\/p>\n
3. strongswan \u306e\u8a2d\u5b9a (myserver1\u5074)<\/h3>\n
\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u7de8\u96c6\u3059\u308b\u3002
\nuser@myserver1:~$ sudo vi \/etc\/ipsec.conf<\/code><\/p>\n
config setup \u30bb\u30af\u30b7\u30e7\u30f3\u306e\u5f8c\u306b\u4ee5\u4e0b\u306e\u5185\u5bb9\u3092\u8ffd\u52a0\u3059\u308b\u3002<\/p>\n
conn myhome-to-vps\r\n\tauthby=rsasig\r\n\tauto=start\r\n\tcloseaction=restart\r\n\tdpdaction=restart\r\n\tleft=192.168.100.240\r\n\tleftsubnet=192.168.100.0\/24\r\n\tleftcert=myserver1.crt\r\n\tright=203.0.113.180\r\n\trightsubnet=203.0.113.180\/32\r\n\trightid=\"C=JP, ST=Aichi, O=Home, OU=Server, CN=myvps1.vpsnet.example.com\"<\/pre>\n
\u3053\u3061\u3089\u5074\u304b\u3089\u63a5\u7d9a\u3092\u958b\u59cb\u3059\u308b\u305f\u3081\u3001auto=start \u3092\u8a18\u8ff0\u3059\u308b\u3002\u307e\u305f\u63a5\u7d9a\u304c\u5207\u308c\u305f\u3068\u304d\u306b\u306f\u3053\u3061\u3089\u5074\u304b\u3089\u518d\u63a5\u7d9a\u3092\u5b9f\u884c\u3059\u308b\u305f\u3081\u3001closeaction=restart \u3068 dpdaction=restart \u3092\u8a18\u8ff0\u3059\u308b\u3002<\/p>\n
\u30d1\u30b9\u30ef\u30fc\u30c9\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u79d8\u5bc6\u9375\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u8a18\u8ff0\u3059\u308b\u3002
\nuser@myserver1:~$ sudo vi \/etc\/ipsec.secrets<\/code><\/p>\n
\r\n: RSA myserver1.key<\/pre>\n
4. strongswan \u306e\u8a2d\u5b9a (myvps1\u5074)<\/h3>\n
\u3053\u3061\u3089\u3082\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u7de8\u96c6\u3059\u308b\u3002
\n[user@myvps1 ~]$ sudo vi \/etc\/strongswan\/ipsec.conf<\/code><\/p>\n
\u4ee5\u4e0b\u306e\u5185\u5bb9\u3092\u8ffd\u52a0\u3059\u308b\u3002<\/p>\n
conn myhome-to-vps\r\n\tauthby=rsasig\r\n\tauto=add\r\n\tcloseaction=clear\r\n\tdpdaction=clear\r\n\tleft=203.0.113.180\r\n\tleftsubnet=203.0.113.180\/32\r\n\tleftcert=myvps1.crt\r\n\tright=%any\r\n\trightsubnet=192.168.100.0\/24\r\n\trightid=\"C=JP, ST=Aichi, O=Home, OU=Server, CN=myserver1.home.example.com\"<\/pre>\n
\u30d1\u30b9\u30ef\u30fc\u30c9\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u79d8\u5bc6\u9375\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u8a18\u8ff0\u3059\u308b\u3002
\n[user@myvps1 ~]$ sudo vi \/etc\/strongswan\/ipsec.secrets<\/code><\/p>\n
: RSA myvps1.key<\/pre>\n
5. \u30b5\u30fc\u30d3\u30b9\u8d77\u52d5\u3068\u78ba\u8a8d<\/h3>\n
\u30b5\u30fc\u30d3\u30b9\u3092\u8d77\u52d5\u3059\u308b\u3002<\/p>\n
user@myserver1:~$ sudo service strongswan start
\n[user@myvps1 ~]$ sudo service strongswan start<\/code><\/p>\n
\u63a5\u7d9a\u3067\u304d\u305f\u304b\u3069\u3046\u304b\u3001ip xfrm state \u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3059\u308b\u3002<\/p>\n
\r\nuser@myserver1:~$ sudo ip xfrm state\r\nsrc 192.168.100.240 dst 203.0.113.180\r\n\tproto esp spi 0xbaef12dc reqid 1 mode tunnel\r\n\treplay-window 32 flag af-unspec\r\n\tauth-trunc hmac(sha1) 0x6bde34f03f729b5a3c1d93c112ea6a40bf312742 96\r\n\tenc cbc(aes) 0x4f2fa3876e41e825be32a4e710a5f193\r\n\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0\r\nsrc 203.0.113.180 dst 192.168.100.240\r\n\tproto esp spi 0xbb4b32e0 reqid 1 mode tunnel\r\n\treplay-window 32 flag af-unspec\r\n\tauth-trunc hmac(sha1) 0x44b52fad2bf912e10b61706add1337f823ec344e 96\r\n\tenc cbc(aes) 0xaf32405118ac467efb02f5f76e59aad1\r\n\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0<\/pre>\n","protected":false},"excerpt":{"rendered":"
\u524d\u306e\u8a18\u4e8b\u3068\u540c\u3058\u69cb\u6210\u3067\u3001\u8a8d\u8a3c\u306b\u8a3c\u660e\u66f8\u3092\u5c0e\u5165\u3057\u3066\u307f\u305f\u3002 \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u306f\u524d\u306e\u8a18\u4e8b\u3068\u540c\u3058\u3067\u3001\u4ee5\u4e0b\u306e\u56f3\u306e\u3088\u3046\u306b\u306a\u308b\u3002 \u524d\u63d0: \u30fbVPS \u306e OS \u306f CentOS 7.5\u3001\u81ea\u5b85\u5074\u30b5\u30fc\u30d0\u306f Raspbian 9.4 \u3067\u3042\u308b\u3002 \u30fb […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20,22,13,23,12,7],"tags":[],"_links":{"self":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/120"}],"collection":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=120"}],"version-history":[{"count":0,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions"}],"wp:attachment":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}