March 5, 2020


Generic Routing Encapsulation (GRE)

Host list

18.163.50.194/172.31.44.248
18.162.60.60/172.31.37.49

Check that the kernel module is available on the system

[centos@ip-172-31-44-248 ~]$ ls -alRUv /lib/modules/$(uname -r)/kernel |grep ip_gre
-rw-r--r--. 1 root root 9396 Nov 29 2018 ip_gre.ko.xz
[centos@ip-172-31-44-248 ~]$

Load the ip_gre module on both hosts

[root@ip-172-31-44-248 ~]# modprobe ip_gre
[root@ip-172-31-44-248 ~]#

[root@ip-172-31-37-49 ~]# modprobe ip_gre
[root@ip-172-31-37-49 ~]#

Add the tun0 interface configuration (first host)

Local tunnel address: 192.168.192.1
Peer tunnel address: 192.168.192.2

[root@ip-172-31-44-248 ~]# vi /etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=192.168.192.2
PEER_OUTER_IPADDR=18.162.60.60
MY_INNER_IPADDR=192.168.192.1

Bring up the tun0 interface

[root@ip-172-31-44-248 ~]# ifup tun0

View the interface information

[root@ip-172-31-44-248 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:84:f5:b0:db:f6 brd ff:ff:ff:ff:ff:ff
    inet 172.31.44.248/20 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2667sec preferred_lft 2667sec
    inet6 fe80::c84:f5ff:feb0:dbf6/64 scope link 
       valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8977 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 0.0.0.0 peer 18.162.60.60
    inet 192.168.192.1 peer 192.168.192.2/32 scope global tun0
       valid_lft forever preferred_lft forever
[root@ip-172-31-44-248 ~]#

Add the tun0 interface configuration (second host)

Local tunnel address: 192.168.192.2
Peer tunnel address: 192.168.192.1

[root@ip-172-31-37-49 ~]# vi /etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
DEVICETYPE=tunnel
TYPE=GRE
PEER_INNER_IPADDR=192.168.192.1
PEER_OUTER_IPADDR=18.163.50.194
MY_INNER_IPADDR=192.168.192.2

Bring up the tun0 interface

[root@ip-172-31-37-49 ~]# ifup tun0

View the interface information

[root@ip-172-31-37-49 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:4a:2b:48:b8:aa brd ff:ff:ff:ff:ff:ff
    inet 172.31.37.49/20 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2692sec preferred_lft 2692sec
    inet6 fe80::c4a:2bff:fe48:b8aa/64 scope link 
       valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8977 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 0.0.0.0 peer 18.163.50.194
    inet 192.168.192.2 peer 192.168.192.1/32 scope global tun0
       valid_lft forever preferred_lft forever
[root@ip-172-31-37-49 ~]# 

Ping the peer's tunnel address from each host

[root@ip-172-31-37-49 ~]# ping -c 4 192.168.192.1
PING 192.168.192.1 (192.168.192.1) 56(84) bytes of data.
64 bytes from 192.168.192.1: icmp_seq=1 ttl=64 time=0.297 ms
64 bytes from 192.168.192.1: icmp_seq=2 ttl=64 time=0.283 ms
64 bytes from 192.168.192.1: icmp_seq=3 ttl=64 time=0.237 ms
64 bytes from 192.168.192.1: icmp_seq=4 ttl=64 time=0.268 ms

--- 192.168.192.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.237/0.271/0.297/0.025 ms
[root@ip-172-31-37-49 ~]#


[root@ip-172-31-44-248 ~]# ping -c 4 192.168.192.2
PING 192.168.192.2 (192.168.192.2) 56(84) bytes of data.
64 bytes from 192.168.192.2: icmp_seq=1 ttl=64 time=0.249 ms
64 bytes from 192.168.192.2: icmp_seq=2 ttl=64 time=0.279 ms
64 bytes from 192.168.192.2: icmp_seq=3 ttl=64 time=0.196 ms
64 bytes from 192.168.192.2: icmp_seq=4 ttl=64 time=0.214 ms

--- 192.168.192.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.196/0.234/0.279/0.035 ms
[root@ip-172-31-44-248 ~]#
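As an added example (not code from the original post), the Python script below shows what the tunnel above puts on the wire. It computes the tunnel MTU from the underlay MTU, which reproduces the 8977 on tun0 (ens5 has MTU 9001) and the 1476 on gre0 and 1462 on gretap0 (1500 minus the outer IPv4 header, the GRE header and, for gretap, the Ethernet header), and it encapsulates and decodes a GRE-over-IPv4 packet. The outer addresses are the two hosts' public IPs and the inner addresses the tunnel addresses from the post; the inner ICMP payload is constructed for the example, and the checksum is left zero because only decoding is demonstrated. The decoder makes the security point visible: GRE carries the inner packet in cleartext, and the optional key field is only a demultiplexer, so nothing in this setup authenticates or encrypts the traffic between the two hosts.

```python
"""GRE-over-IPv4 (RFC 2784/2890) overhead and header decoding."""
import ipaddress
import struct

GRE_PROTO_IPV4 = 0x0800        # protocol type of the encapsulated payload
IPPROTO_GRE = 47
IPV4_HEADER_LEN = 20
GRE_BASE_HEADER_LEN = 4
ETHERNET_HEADER_LEN = 14

GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def gre_mtu(underlay_mtu, checksum=False, key=False, sequence=False, ethernet=False):
    """MTU left for the inner packet once the outer IPv4 and GRE headers are added.

    ethernet=True models a gretap (layer-2) tunnel, which also carries an
    Ethernet header inside GRE.
    """
    overhead = IPV4_HEADER_LEN + GRE_BASE_HEADER_LEN
    overhead += 4 * sum(1 for present in (checksum, key, sequence) if present)
    if ethernet:
        overhead += ETHERNET_HEADER_LEN
    return underlay_mtu - overhead


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header without options; header checksum left zero (decode demo only)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HEADER_LEN + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def gre_encapsulate(outer_src, outer_dst, inner_packet, key=None):
    """Wrap an IPv4 packet in GRE over IPv4, optionally with an RFC 2890 key field."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet):
    """Parse the outer IPv4 and GRE headers; return the fields and the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    offset = ihl + GRE_BASE_HEADER_LEN
    checksum = key = sequence = None
    if flags & GRE_FLAG_CHECKSUM:            # checksum + 2 reserved bytes
        checksum = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        sequence = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    inner = packet[offset:]
    result = {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "protocol_type": ptype, "checksum": checksum, "key": key,
        "sequence": sequence, "inner": inner,
    }
    if ptype == GRE_PROTO_IPV4:              # inner addresses are readable in cleartext
        result["inner_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        result["inner_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
    return result


def demo():
    """Encapsulate a constructed ICMP echo between the tunnel addresses from the post."""
    icmp = b"\x08\x00\x00\x00\x00\x01\x00\x01"   # constructed echo request, checksum 0
    inner = ipv4_header("192.168.192.1", "192.168.192.2", 1, len(icmp)) + icmp
    packet = gre_encapsulate("18.163.50.194", "18.162.60.60", inner)
    return gre_decapsulate(packet)


if __name__ == "__main__":
    print("ens5 9001 -> tun0", gre_mtu(9001))
    print("1500 -> gre0", gre_mtu(1500), "gretap0", gre_mtu(1500, ethernet=True))
    for name, value in demo().items():
        print("%-14s %r" % (name, value))
```

Run it directly to print the MTU figures and the decoded fields. Where confidentiality or peer authentication is needed, GRE is normally carried inside IPsec rather than used on its own across public addresses as in the post.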
March 2, 2020


Installer welcome page

Select the components to install

Accept the end-user license agreement

Important notice

Choose the installation directory

Ready to install

Installation in progress

Finish the installation and launch Server Manager

Select the server to connect to and click Connect

Set the administrator password on first connection

Prompt confirming that the administrator password was set

Close the Easy Setup pop-up window

Choose whether to enable the IPsec feature

Open the VPN Gate settings from the manager's main screen

Choose whether to enable the VPN Gate relay service and join as a research volunteer

VPN Gate service settings screen

Do not use the VPN Gate service in countries where VPN communication technology is prohibited

Open the Dynamic DNS settings from the manager's main screen

View or change the server's dynamic DNS name

View the current dynamic DNS hostname on the manager's main screen

View session information for the currently connected clients

February 27, 2020


Host list

ansible 167.179.84.153 }Z5c,jM-?bQec#z-
server1 149.28.24.11 A7f{v#PAB8$!-K8q
server2 45.76.216.130 7]Mf%YKRFP[9H!*K
server3 108.160.137.54 _Rr3%[2rg,JJQpwQ

Configure the hosts file on the ansible host

[root@ansible ~]# vi /etc/hosts
149.28.24.11 server1
45.76.216.130 server2
108.160.137.54 server3

Confirm the hostname-to-IP mapping

[root@ansible ~]# ping -c 1 server1
PING server1 (149.28.24.11) 56(84) bytes of data.
64 bytes from server1 (149.28.24.11): icmp_seq=1 ttl=61 time=0.360 ms

--- server1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.360/0.360/0.360/0.000 ms
[root@ansible ~]# ping -c 1 server2
PING server2 (45.76.216.130) 56(84) bytes of data.
64 bytes from server2 (45.76.216.130): icmp_seq=1 ttl=57 time=0.933 ms

--- server2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.933/0.933/0.933/0.000 ms
[root@ansible ~]# ping -c 1 server3
PING server3 (108.160.137.54) 56(84) bytes of data.
64 bytes from server3 (108.160.137.54): icmp_seq=1 ttl=57 time=0.982 ms

--- server3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.982/0.982/0.982/0.000 ms
[root@ansible ~]#

Dealing with the strict host key checking prompt on first login to a remote system (saving the remote host's public key)

[root@ansible ~]# ssh root@server1
The authenticity of host 'server1 (149.28.24.11)' can't be established.
ECDSA key fingerprint is SHA256:NUM9LGuAESXFeEyluk7GqoY3vC7rmLvzyf4Fr5p0tWs.
ECDSA key fingerprint is MD5:36:02:b3:0c:d0:33:db:a5:a5:68:21:4f:ce:87:01:aa.
Are you sure you want to continue connecting (yes/no)? ^C
[root@ansible ~]#

[root@ansible ~]# ls .ssh/
[root@ansible ~]#

Edit the local SSH client configuration file

[root@ansible ~]# vi /etc/ssh/ssh_config
# StrictHostKeyChecking ask
StrictHostKeyChecking no

Check the Ansible version

[root@ansible ~]# ansible --version
ansible 2.9.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
[root@ansible ~]#

Edit the Ansible hosts (inventory) file (note the escaped character in server1's password)

[root@ansible ~]# vi /etc/ansible/hosts
[servers]
server1 ansible_user=root ansible_password=A7f{v\#PAB8$!-K8q
server2 ansible_user=root ansible_password=7]Mf%YKRFP[9H!*K
server3 ansible_user=root ansible_password=_Rr3%[2rg,JJQpwQ

Connection test

[root@ansible ~]# ansible servers -m ping
server2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server3 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
[root@ansible ~]#

Remote host public keys now saved locally

[root@ansible ~]# ls .ssh/
known_hosts
[root@ansible ~]# cat .ssh/known_hosts
server1,149.28.24.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCv/uWIj+5gWiri6BdEYw+QQYuE3wIfdW0FhgdCIY92UXf1P9rhRI9q5FQMQ1sJuKfzSihEsU2uwnQ8P45zE3Yc=
server2,45.76.216.130 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+LjHvPrUcao6A5zNJwPgjRUOQAtxPCzMoEUOl21jMKiTPpDe87feCz2S/k6bo0Paf3G9lKdJg5B+r9dCZMBOU=
server3,108.160.137.54 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+8jA1/3alAX2YtrLVUfJGvyCeCcpsJFG7WGwTgB5y4i0pBxPum0AYSw/G5ehaM8KPLCjEbCwUYS+XW83XYY10=
[root@ansible ~]#
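Setting StrictHostKeyChecking no, as done above, makes the first connection accept whatever key the remote side presents, so a host impersonated on the path would be trusted silently and its key saved for later sessions. The safer pattern is to seed known_hosts beforehand and compare fingerprints out of band against values read from each server's console. As an added example that is not part of the original post, the Python script below parses the known_hosts content shown above, checks that the declared key type matches the type embedded in the key blob, and computes fingerprints in the same SHA256 and MD5 formats that the ssh prompt printed for server1, so the saved entries can be verified before they are trusted. The known_hosts lines are copied from the post; the parse_known_hosts, fingerprints and verify_host functions are this example's own.

```python
"""Compute OpenSSH-style fingerprints from known_hosts entries and verify them."""
import base64
import hashlib
import struct

# known_hosts content saved on the ansible host in the post above (copied from the page).
KNOWN_HOSTS = """\
server1,149.28.24.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCv/uWIj+5gWiri6BdEYw+QQYuE3wIfdW0FhgdCIY92UXf1P9rhRI9q5FQMQ1sJuKfzSihEsU2uwnQ8P45zE3Yc=
server2,45.76.216.130 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+LjHvPrUcao6A5zNJwPgjRUOQAtxPCzMoEUOl21jMKiTPpDe87feCz2S/k6bo0Paf3G9lKdJg5B+r9dCZMBOU=
server3,108.160.137.54 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+8jA1/3alAX2YtrLVUfJGvyCeCcpsJFG7WGwTgB5y4i0pBxPum0AYSw/G5ehaM8KPLCjEbCwUYS+XW83XYY10=
"""


def parse_known_hosts(text):
    """Return a list of (host aliases, key type, raw key blob) for each entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):            # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        hosts, key_type, b64 = fields[0].split(","), fields[1], fields[2]
        blob = base64.b64decode(b64)
        # The blob starts with a length-prefixed key type string; it must match
        # the declared type, otherwise the line has been edited or corrupted.
        (type_len,) = struct.unpack("!I", blob[:4])
        embedded = blob[4:4 + type_len].decode("ascii")
        if embedded != key_type:
            raise ValueError("key type mismatch for %s: %s vs %s"
                             % (hosts[0], key_type, embedded))
        entries.append((hosts, key_type, blob))
    return entries


def sha256_fingerprint(blob):
    """OpenSSH SHA256 fingerprint: base64 of the digest with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob):
    """Legacy MD5 fingerprint: colon-separated hex, as printed alongside SHA256 above."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprints(text):
    """Map every host alias in known_hosts to its key type and both fingerprints."""
    result = {}
    for hosts, key_type, blob in parse_known_hosts(text):
        for host in hosts:
            result[host] = {
                "type": key_type,
                "sha256": sha256_fingerprint(blob),
                "md5": md5_fingerprint(blob),
            }
    return result


def verify_host(text, host, expected_sha256):
    """True only if the saved key for host hashes to the fingerprint obtained out of band."""
    entry = fingerprints(text).get(host)
    return entry is not None and entry["sha256"] == expected_sha256


if __name__ == "__main__":
    for host, fp in sorted(fingerprints(KNOWN_HOSTS).items()):
        print(host, fp["type"], fp["sha256"], fp["md5"])
```

Run it to print one line per host alias. The SHA256 value printed for server1 is what the ssh prompt earlier in the post shows for that host's key; the same value obtained from the server console is what verify_host should be given before the entry is relied on.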

Create a key pair

[root@ansible ~]# ssh-keygen -b 4096 -t rsa -C "harvey.mei@linuxcache.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):/root/.ssh/id_rsa_ansible
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_ansible.
Your public key has been saved in id_rsa_ansible.pub.
The key fingerprint is:
SHA256:Cv6UZ+/72ZTeeeuYP5ePrKmr7YhcZG6DVwwzXqXmLuU harvey.mei@linuxcache.com
The key's randomart image is:
+---[RSA 4096]----+
|            .    |
|           o     |
|        + +      |
|       . O       |
|    .   S =      |
|   . . B =     . |
|    . = X E   o .|
|     + B *   Bo=+|
|      + o+O==+B=O|
+----[SHA256]-----+
[root@ansible ~]#

View the public key

[root@ansible ~]# cat .ssh/id_rsa_ansible.pub
ssh-rsa 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 harvey.mei@linuxcache.com
[root@ansible ~]#

Copy the public key into a shell variable

[root@ansible ~]# pubkey=`cat .ssh/id_rsa_ansible.pub`
[root@ansible ~]# echo $pubkey
ssh-rsa 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 harvey.mei@linuxcache.com
[root@ansible ~]#

Use Ansible's shell module to import the public key on the target host group

[root@ansible ~]# ansible servers -m shell -a "cd /root/; umask 077; test -d .ssh || mkdir .ssh; echo -e ${pubkey} >> .ssh/authorized_keys"
server1 | CHANGED | rc=0 >>

server3 | CHANGED | rc=0 >>

server2 | CHANGED | rc=0 >>

[root@ansible ~]#

Run a remote command through Ansible to view the public key imported on the target hosts

[root@ansible ~]# ansible servers -m shell -a "cat .ssh/authorized_keys"
server3 | CHANGED | rc=0 >>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com
server1 | CHANGED | rc=0 >>
ssh-rsa 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 harvey.mei@linuxcache.com
server2 | CHANGED | rc=0 >>
ssh-rsa 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 harvey.mei@linuxcache.com
[root@ansible ~]#

Edit the Ansible hosts file to enable private key authentication

[root@ansible ~]# vi /etc/ansible/hosts
[servers]
server1 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible
server2 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible
server3 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible

Test succeeded

[root@ansible ~]# ansible servers -m ping
server3 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
server1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
[root@ansible ~]#

Specify the private key as a command-line option when running ansible

[root@ansible ~]# vi /etc/ansible/hosts
[servers]
server1 ansible_user=root
server2 ansible_user=root
server3 ansible_user=root

Test succeeded

[root@ansible ~]# ansible servers --private-key=.ssh/id_rsa_ansible -m command -a hostname
server1 | CHANGED | rc=0 >>
server1
server2 | CHANGED | rc=0 >>
server2
server3 | CHANGED | rc=0 >>
server3
[root@ansible ~]#
February 20, 2020


Disable the firewall

[root@radius ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
[root@radius ~]# systemctl stop firewalld
[root@radius ~]#

Install the AMP stack (Apache, MariaDB, PHP)

[root@radius ~]# yum install php php-pdo php-mysql php-gd php-pear httpd mariadb-server mariadb

Create the database

MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on radius.* to radius@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> set password for radius@localhost=password('radiuspassword');
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Set the system and PHP time zone

[root@radius ~]# cp /usr/share/zoneinfo/Asia/Hong_Kong /etc/localtime
cp: overwrite ‘/etc/localtime’? y
[root@radius ~]#
[root@radius ~]# vi /etc/php.ini
;date.timezone =
date.timezone = Asia/Hong_Kong

Install FreeRADIUS and related packages

[root@radius html]# yum install freeradius freeradius-utils freeradius-mysql

View the files installed by the FreeRADIUS package

[root@radius html]# rpm -lq freeradius
/etc/logrotate.d/radiusd
/etc/pam.d/radiusd
/etc/raddb
/etc/raddb/README.rst
/etc/raddb/certs
/etc/raddb/certs/Makefile
/etc/raddb/certs/README
/etc/raddb/certs/bootstrap
/etc/raddb/certs/ca.cnf
/etc/raddb/certs/client.cnf
/etc/raddb/certs/passwords.mk
/etc/raddb/certs/server.cnf
/etc/raddb/certs/xpextensions
/etc/raddb/clients.conf
/etc/raddb/dictionary
/etc/raddb/hints
/etc/raddb/huntgroups
/etc/raddb/mods-available
/etc/raddb/mods-available/README.rst
/etc/raddb/mods-available/always
/etc/raddb/mods-available/attr_filter
/etc/raddb/mods-available/cache
/etc/raddb/mods-available/cache_eap
/etc/raddb/mods-available/chap
/etc/raddb/mods-available/counter
/etc/raddb/mods-available/cui
/etc/raddb/mods-available/date
/etc/raddb/mods-available/detail
/etc/raddb/mods-available/detail.example.com
/etc/raddb/mods-available/detail.log
/etc/raddb/mods-available/dhcp
/etc/raddb/mods-available/dhcp_sqlippool
/etc/raddb/mods-available/digest
/etc/raddb/mods-available/dynamic_clients
/etc/raddb/mods-available/eap
/etc/raddb/mods-available/echo
/etc/raddb/mods-available/etc_group
/etc/raddb/mods-available/exec
/etc/raddb/mods-available/expiration
/etc/raddb/mods-available/expr
/etc/raddb/mods-available/files
/etc/raddb/mods-available/idn
/etc/raddb/mods-available/inner-eap
/etc/raddb/mods-available/ippool
/etc/raddb/mods-available/linelog
/etc/raddb/mods-available/logintime
/etc/raddb/mods-available/mac2ip
/etc/raddb/mods-available/mac2vlan
/etc/raddb/mods-available/mschap
/etc/raddb/mods-available/ntlm_auth
/etc/raddb/mods-available/opendirectory
/etc/raddb/mods-available/otp
/etc/raddb/mods-available/pam
/etc/raddb/mods-available/pap
/etc/raddb/mods-available/passwd
/etc/raddb/mods-available/preprocess
/etc/raddb/mods-available/python
/etc/raddb/mods-available/radutmp
/etc/raddb/mods-available/realm
/etc/raddb/mods-available/redis
/etc/raddb/mods-available/rediswho
/etc/raddb/mods-available/replicate
/etc/raddb/mods-available/rest
/etc/raddb/mods-available/smbpasswd
/etc/raddb/mods-available/smsotp
/etc/raddb/mods-available/soh
/etc/raddb/mods-available/sometimes
/etc/raddb/mods-available/sql
/etc/raddb/mods-available/sqlcounter
/etc/raddb/mods-available/sqlippool
/etc/raddb/mods-available/sradutmp
/etc/raddb/mods-available/unix
/etc/raddb/mods-available/unpack
/etc/raddb/mods-available/utf8
/etc/raddb/mods-available/wimax
/etc/raddb/mods-available/yubikey
/etc/raddb/mods-config
/etc/raddb/mods-config/README.rst
/etc/raddb/mods-config/attr_filter
/etc/raddb/mods-config/attr_filter/access_challenge
/etc/raddb/mods-config/attr_filter/access_reject
/etc/raddb/mods-config/attr_filter/accounting_response
/etc/raddb/mods-config/attr_filter/post-proxy
/etc/raddb/mods-config/attr_filter/pre-proxy
/etc/raddb/mods-config/files
/etc/raddb/mods-config/files/accounting
/etc/raddb/mods-config/files/authorize
/etc/raddb/mods-config/files/pre-proxy
/etc/raddb/mods-config/preprocess
/etc/raddb/mods-config/preprocess/hints
/etc/raddb/mods-config/preprocess/huntgroups
/etc/raddb/mods-config/sql
/etc/raddb/mods-config/sql/counter
/etc/raddb/mods-config/sql/cui
/etc/raddb/mods-config/sql/ippool
/etc/raddb/mods-config/sql/ippool-dhcp
/etc/raddb/mods-config/sql/main
/etc/raddb/mods-enabled
/etc/raddb/mods-enabled/always
/etc/raddb/mods-enabled/attr_filter
/etc/raddb/mods-enabled/cache_eap
/etc/raddb/mods-enabled/chap
/etc/raddb/mods-enabled/date
/etc/raddb/mods-enabled/detail
/etc/raddb/mods-enabled/detail.log
/etc/raddb/mods-enabled/dhcp
/etc/raddb/mods-enabled/digest
/etc/raddb/mods-enabled/dynamic_clients
/etc/raddb/mods-enabled/eap
/etc/raddb/mods-enabled/echo
/etc/raddb/mods-enabled/exec
/etc/raddb/mods-enabled/expiration
/etc/raddb/mods-enabled/expr
/etc/raddb/mods-enabled/files
/etc/raddb/mods-enabled/linelog
/etc/raddb/mods-enabled/logintime
/etc/raddb/mods-enabled/mschap
/etc/raddb/mods-enabled/ntlm_auth
/etc/raddb/mods-enabled/pap
/etc/raddb/mods-enabled/passwd
/etc/raddb/mods-enabled/preprocess
/etc/raddb/mods-enabled/radutmp
/etc/raddb/mods-enabled/realm
/etc/raddb/mods-enabled/replicate
/etc/raddb/mods-enabled/soh
/etc/raddb/mods-enabled/sradutmp
/etc/raddb/mods-enabled/unix
/etc/raddb/mods-enabled/unpack
/etc/raddb/mods-enabled/utf8
/etc/raddb/panic.gdb
/etc/raddb/policy.d
/etc/raddb/policy.d/accounting
/etc/raddb/policy.d/canonicalization
/etc/raddb/policy.d/control
/etc/raddb/policy.d/cui
/etc/raddb/policy.d/debug
/etc/raddb/policy.d/dhcp
/etc/raddb/policy.d/eap
/etc/raddb/policy.d/filter
/etc/raddb/policy.d/operator-name
/etc/raddb/proxy.conf
/etc/raddb/radiusd.conf
/etc/raddb/sites-available
/etc/raddb/sites-available/README
/etc/raddb/sites-available/buffered-sql
/etc/raddb/sites-available/challenge
/etc/raddb/sites-available/channel_bindings
/etc/raddb/sites-available/check-eap-tls
/etc/raddb/sites-available/coa
/etc/raddb/sites-available/control-socket
/etc/raddb/sites-available/copy-acct-to-home-server
/etc/raddb/sites-available/decoupled-accounting
/etc/raddb/sites-available/default
/etc/raddb/sites-available/dhcp
/etc/raddb/sites-available/dhcp.relay
/etc/raddb/sites-available/dynamic-clients
/etc/raddb/sites-available/example
/etc/raddb/sites-available/inner-tunnel
/etc/raddb/sites-available/originate-coa
/etc/raddb/sites-available/proxy-inner-tunnel
/etc/raddb/sites-available/robust-proxy-accounting
/etc/raddb/sites-available/soh
/etc/raddb/sites-available/status
/etc/raddb/sites-available/tls
/etc/raddb/sites-available/virtual.example.com
/etc/raddb/sites-available/vmps
/etc/raddb/sites-enabled
/etc/raddb/sites-enabled/default
/etc/raddb/sites-enabled/inner-tunnel
/etc/raddb/templates.conf
/etc/raddb/trigger.conf
/etc/raddb/users
/usr/lib/systemd/system/radiusd.service
/usr/lib/tmpfiles.d/radiusd.conf
/usr/lib64/freeradius
/usr/lib64/freeradius/libfreeradius-dhcp.so
/usr/lib64/freeradius/libfreeradius-eap.so
/usr/lib64/freeradius/libfreeradius-radius.so
/usr/lib64/freeradius/libfreeradius-server.so
/usr/lib64/freeradius/proto_dhcp.so
/usr/lib64/freeradius/proto_vmps.so
/usr/lib64/freeradius/rlm_always.so
/usr/lib64/freeradius/rlm_attr_filter.so
/usr/lib64/freeradius/rlm_cache.so
/usr/lib64/freeradius/rlm_cache_rbtree.so
/usr/lib64/freeradius/rlm_chap.so
/usr/lib64/freeradius/rlm_counter.so
/usr/lib64/freeradius/rlm_cram.so
/usr/lib64/freeradius/rlm_date.so
/usr/lib64/freeradius/rlm_detail.so
/usr/lib64/freeradius/rlm_dhcp.so
/usr/lib64/freeradius/rlm_digest.so
/usr/lib64/freeradius/rlm_dynamic_clients.so
/usr/lib64/freeradius/rlm_eap.so
/usr/lib64/freeradius/rlm_eap_fast.so
/usr/lib64/freeradius/rlm_eap_gtc.so
/usr/lib64/freeradius/rlm_eap_leap.so
/usr/lib64/freeradius/rlm_eap_md5.so
/usr/lib64/freeradius/rlm_eap_mschapv2.so
/usr/lib64/freeradius/rlm_eap_peap.so
/usr/lib64/freeradius/rlm_eap_pwd.so
/usr/lib64/freeradius/rlm_eap_sim.so
/usr/lib64/freeradius/rlm_eap_tls.so
/usr/lib64/freeradius/rlm_eap_tnc.so
/usr/lib64/freeradius/rlm_eap_ttls.so
/usr/lib64/freeradius/rlm_exec.so
/usr/lib64/freeradius/rlm_expiration.so
/usr/lib64/freeradius/rlm_expr.so
/usr/lib64/freeradius/rlm_files.so
/usr/lib64/freeradius/rlm_ippool.so
/usr/lib64/freeradius/rlm_linelog.so
/usr/lib64/freeradius/rlm_logintime.so
/usr/lib64/freeradius/rlm_mschap.so
/usr/lib64/freeradius/rlm_otp.so
/usr/lib64/freeradius/rlm_pam.so
/usr/lib64/freeradius/rlm_pap.so
/usr/lib64/freeradius/rlm_passwd.so
/usr/lib64/freeradius/rlm_preprocess.so
/usr/lib64/freeradius/rlm_radutmp.so
/usr/lib64/freeradius/rlm_realm.so
/usr/lib64/freeradius/rlm_replicate.so
/usr/lib64/freeradius/rlm_soh.so
/usr/lib64/freeradius/rlm_sometimes.so
/usr/lib64/freeradius/rlm_sql.so
/usr/lib64/freeradius/rlm_sql_null.so
/usr/lib64/freeradius/rlm_sqlcounter.so
/usr/lib64/freeradius/rlm_sqlippool.so
/usr/lib64/freeradius/rlm_unix.so
/usr/lib64/freeradius/rlm_unpack.so
/usr/lib64/freeradius/rlm_utf8.so
/usr/lib64/freeradius/rlm_wimax.so
/usr/lib64/freeradius/rlm_yubikey.so
/usr/sbin/checkrad
/usr/sbin/raddebug
/usr/sbin/radiusd
/usr/sbin/radmin
/usr/share/doc/freeradius-3.0.13/LICENSE.gpl
/usr/share/doc/freeradius-3.0.13/LICENSE.lgpl
/usr/share/doc/freeradius-3.0.13/LICENSE.openssl
/usr/share/doc/freeradius-3.0.13/REDHAT
/usr/share/freeradius
/usr/share/freeradius/dictionary
/usr/share/freeradius/dictionary.3com
/usr/share/freeradius/dictionary.3gpp
/usr/share/freeradius/dictionary.3gpp2
/usr/share/freeradius/dictionary.acc
/usr/share/freeradius/dictionary.acme
/usr/share/freeradius/dictionary.actelis
/usr/share/freeradius/dictionary.adtran
/usr/share/freeradius/dictionary.aerohive
/usr/share/freeradius/dictionary.airespace
/usr/share/freeradius/dictionary.alcatel
/usr/share/freeradius/dictionary.alcatel-lucent.aaa
/usr/share/freeradius/dictionary.alcatel.esam
/usr/share/freeradius/dictionary.alcatel.sr
/usr/share/freeradius/dictionary.alteon
/usr/share/freeradius/dictionary.altiga
/usr/share/freeradius/dictionary.alvarion
/usr/share/freeradius/dictionary.alvarion.wimax.v2_2
/usr/share/freeradius/dictionary.apc
/usr/share/freeradius/dictionary.aptilo
/usr/share/freeradius/dictionary.aptis
/usr/share/freeradius/dictionary.arbor
/usr/share/freeradius/dictionary.arista
/usr/share/freeradius/dictionary.aruba
/usr/share/freeradius/dictionary.ascend
/usr/share/freeradius/dictionary.ascend.illegal
/usr/share/freeradius/dictionary.asn
/usr/share/freeradius/dictionary.audiocodes
/usr/share/freeradius/dictionary.avaya
/usr/share/freeradius/dictionary.azaire
/usr/share/freeradius/dictionary.bay
/usr/share/freeradius/dictionary.bintec
/usr/share/freeradius/dictionary.bluecoat
/usr/share/freeradius/dictionary.boingo
/usr/share/freeradius/dictionary.bristol
/usr/share/freeradius/dictionary.broadsoft
/usr/share/freeradius/dictionary.brocade
/usr/share/freeradius/dictionary.bskyb
/usr/share/freeradius/dictionary.bt
/usr/share/freeradius/dictionary.cablelabs
/usr/share/freeradius/dictionary.cabletron
/usr/share/freeradius/dictionary.camiant
/usr/share/freeradius/dictionary.checkpoint
/usr/share/freeradius/dictionary.chillispot
/usr/share/freeradius/dictionary.cisco
/usr/share/freeradius/dictionary.cisco.asa
/usr/share/freeradius/dictionary.cisco.bbsm
/usr/share/freeradius/dictionary.cisco.vpn3000
/usr/share/freeradius/dictionary.cisco.vpn5000
/usr/share/freeradius/dictionary.citrix
/usr/share/freeradius/dictionary.clavister
/usr/share/freeradius/dictionary.cnergee
/usr/share/freeradius/dictionary.colubris
/usr/share/freeradius/dictionary.columbia_university
/usr/share/freeradius/dictionary.compat
/usr/share/freeradius/dictionary.compatible
/usr/share/freeradius/dictionary.cosine
/usr/share/freeradius/dictionary.dante
/usr/share/freeradius/dictionary.dhcp
/usr/share/freeradius/dictionary.digium
/usr/share/freeradius/dictionary.dlink
/usr/share/freeradius/dictionary.dragonwave
/usr/share/freeradius/dictionary.efficientip
/usr/share/freeradius/dictionary.eltex
/usr/share/freeradius/dictionary.epygi
/usr/share/freeradius/dictionary.equallogic
/usr/share/freeradius/dictionary.ericsson
/usr/share/freeradius/dictionary.ericsson.ab
/usr/share/freeradius/dictionary.ericsson.packet.core.networks
/usr/share/freeradius/dictionary.erx
/usr/share/freeradius/dictionary.extreme
/usr/share/freeradius/dictionary.f5
/usr/share/freeradius/dictionary.fdxtended
/usr/share/freeradius/dictionary.fortinet
/usr/share/freeradius/dictionary.foundry
/usr/share/freeradius/dictionary.freedhcp
/usr/share/freeradius/dictionary.freeradius
/usr/share/freeradius/dictionary.freeradius.internal
/usr/share/freeradius/dictionary.freeswitch
/usr/share/freeradius/dictionary.gandalf
/usr/share/freeradius/dictionary.garderos
/usr/share/freeradius/dictionary.gemtek
/usr/share/freeradius/dictionary.h3c
/usr/share/freeradius/dictionary.hillstone
/usr/share/freeradius/dictionary.hp
/usr/share/freeradius/dictionary.huawei
/usr/share/freeradius/dictionary.iana
/usr/share/freeradius/dictionary.iea
/usr/share/freeradius/dictionary.infoblox
/usr/share/freeradius/dictionary.infonet
/usr/share/freeradius/dictionary.ipunplugged
/usr/share/freeradius/dictionary.issanni
/usr/share/freeradius/dictionary.itk
/usr/share/freeradius/dictionary.juniper
/usr/share/freeradius/dictionary.karlnet
/usr/share/freeradius/dictionary.kineto
/usr/share/freeradius/dictionary.lancom
/usr/share/freeradius/dictionary.lantronix
/usr/share/freeradius/dictionary.livingston
/usr/share/freeradius/dictionary.localweb
/usr/share/freeradius/dictionary.lucent
/usr/share/freeradius/dictionary.manzara
/usr/share/freeradius/dictionary.meinberg
/usr/share/freeradius/dictionary.meraki
/usr/share/freeradius/dictionary.merit
/usr/share/freeradius/dictionary.meru
/usr/share/freeradius/dictionary.microsemi
/usr/share/freeradius/dictionary.microsoft
/usr/share/freeradius/dictionary.mikrotik
/usr/share/freeradius/dictionary.motorola
/usr/share/freeradius/dictionary.motorola.illegal
/usr/share/freeradius/dictionary.motorola.wimax
/usr/share/freeradius/dictionary.navini
/usr/share/freeradius/dictionary.netscreen
/usr/share/freeradius/dictionary.networkphysics
/usr/share/freeradius/dictionary.nexans
/usr/share/freeradius/dictionary.nokia
/usr/share/freeradius/dictionary.nokia.conflict
/usr/share/freeradius/dictionary.nomadix
/usr/share/freeradius/dictionary.nortel
/usr/share/freeradius/dictionary.ntua
/usr/share/freeradius/dictionary.openser
/usr/share/freeradius/dictionary.packeteer
/usr/share/freeradius/dictionary.paloalto
/usr/share/freeradius/dictionary.patton
/usr/share/freeradius/dictionary.perle
/usr/share/freeradius/dictionary.propel
/usr/share/freeradius/dictionary.prosoft
/usr/share/freeradius/dictionary.proxim
/usr/share/freeradius/dictionary.purewave
/usr/share/freeradius/dictionary.quiconnect
/usr/share/freeradius/dictionary.quintum
/usr/share/freeradius/dictionary.redcreek
/usr/share/freeradius/dictionary.rfc2865
/usr/share/freeradius/dictionary.rfc2866
/usr/share/freeradius/dictionary.rfc2867
/usr/share/freeradius/dictionary.rfc2868
/usr/share/freeradius/dictionary.rfc2869
/usr/share/freeradius/dictionary.rfc3162
/usr/share/freeradius/dictionary.rfc3576
/usr/share/freeradius/dictionary.rfc3580
/usr/share/freeradius/dictionary.rfc4072
/usr/share/freeradius/dictionary.rfc4372
/usr/share/freeradius/dictionary.rfc4603
/usr/share/freeradius/dictionary.rfc4675
/usr/share/freeradius/dictionary.rfc4679
/usr/share/freeradius/dictionary.rfc4818
/usr/share/freeradius/dictionary.rfc4849
/usr/share/freeradius/dictionary.rfc5090
/usr/share/freeradius/dictionary.rfc5176
/usr/share/freeradius/dictionary.rfc5447
/usr/share/freeradius/dictionary.rfc5580
/usr/share/freeradius/dictionary.rfc5607
/usr/share/freeradius/dictionary.rfc5904
/usr/share/freeradius/dictionary.rfc6519
/usr/share/freeradius/dictionary.rfc6572
/usr/share/freeradius/dictionary.rfc6677
/usr/share/freeradius/dictionary.rfc6911
/usr/share/freeradius/dictionary.rfc6929
/usr/share/freeradius/dictionary.rfc6930
/usr/share/freeradius/dictionary.rfc7055
/usr/share/freeradius/dictionary.rfc7155
/usr/share/freeradius/dictionary.rfc7268
/usr/share/freeradius/dictionary.rfc7499
/usr/share/freeradius/dictionary.rfc7930
/usr/share/freeradius/dictionary.riverbed
/usr/share/freeradius/dictionary.riverstone
/usr/share/freeradius/dictionary.roaringpenguin
/usr/share/freeradius/dictionary.ruckus
/usr/share/freeradius/dictionary.ruggedcom
/usr/share/freeradius/dictionary.sangoma
/usr/share/freeradius/dictionary.sg
/usr/share/freeradius/dictionary.shasta
/usr/share/freeradius/dictionary.shiva
/usr/share/freeradius/dictionary.siemens
/usr/share/freeradius/dictionary.slipstream
/usr/share/freeradius/dictionary.sofaware
/usr/share/freeradius/dictionary.sonicwall
/usr/share/freeradius/dictionary.springtide
/usr/share/freeradius/dictionary.starent
/usr/share/freeradius/dictionary.starent.vsa1
/usr/share/freeradius/dictionary.surfnet
/usr/share/freeradius/dictionary.symbol
/usr/share/freeradius/dictionary.t_systems_nova
/usr/share/freeradius/dictionary.telebit
/usr/share/freeradius/dictionary.telkom
/usr/share/freeradius/dictionary.terena
/usr/share/freeradius/dictionary.trapeze
/usr/share/freeradius/dictionary.travelping
/usr/share/freeradius/dictionary.tropos
/usr/share/freeradius/dictionary.ukerna
/usr/share/freeradius/dictionary.unix
/usr/share/freeradius/dictionary.usr
/usr/share/freeradius/dictionary.usr.illegal
/usr/share/freeradius/dictionary.utstarcom
/usr/share/freeradius/dictionary.valemount
/usr/share/freeradius/dictionary.versanet
/usr/share/freeradius/dictionary.vqp
/usr/share/freeradius/dictionary.walabi
/usr/share/freeradius/dictionary.waverider
/usr/share/freeradius/dictionary.wichorus
/usr/share/freeradius/dictionary.wifialliance
/usr/share/freeradius/dictionary.wimax
/usr/share/freeradius/dictionary.wimax.alvarion
/usr/share/freeradius/dictionary.wimax.wichorus
/usr/share/freeradius/dictionary.wispr
/usr/share/freeradius/dictionary.xedia
/usr/share/freeradius/dictionary.xylan
/usr/share/freeradius/dictionary.yubico
/usr/share/freeradius/dictionary.zeus
/usr/share/freeradius/dictionary.zte
/usr/share/freeradius/dictionary.zyxel
/usr/share/man/man5/clients.conf.5.gz
/usr/share/man/man5/dictionary.5.gz
/usr/share/man/man5/radiusd.conf.5.gz
/usr/share/man/man5/radrelay.conf.5.gz
/usr/share/man/man5/rlm_always.5.gz
/usr/share/man/man5/rlm_attr_filter.5.gz
/usr/share/man/man5/rlm_chap.5.gz
/usr/share/man/man5/rlm_counter.5.gz
/usr/share/man/man5/rlm_detail.5.gz
/usr/share/man/man5/rlm_digest.5.gz
/usr/share/man/man5/rlm_expr.5.gz
/usr/share/man/man5/rlm_files.5.gz
/usr/share/man/man5/rlm_idn.5.gz
/usr/share/man/man5/rlm_mschap.5.gz
/usr/share/man/man5/rlm_pap.5.gz
/usr/share/man/man5/rlm_passwd.5.gz
/usr/share/man/man5/rlm_realm.5.gz
/usr/share/man/man5/rlm_sql.5.gz
/usr/share/man/man5/rlm_unix.5.gz
/usr/share/man/man5/unlang.5.gz
/usr/share/man/man5/users.5.gz
/usr/share/man/man8/raddebug.8.gz
/usr/share/man/man8/radiusd.8.gz
/usr/share/man/man8/radmin.8.gz
/usr/share/man/man8/radrelay.8.gz
/usr/share/snmp/mibs/FREERADIUS-MGMT-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-NOTIFICATION-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-PRODUCT-RADIUSD-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-SMI.mib
/usr/share/snmp/mibs/RADIUS-ACC-CLIENT-MIB.mib
/usr/share/snmp/mibs/RADIUS-ACC-SERVER-MIB.mib
/usr/share/snmp/mibs/RADIUS-AUTH-CLIENT-MIB.mib
/usr/share/snmp/mibs/RADIUS-AUTH-SERVER-MIB.mib
/usr/share/snmp/mibs/RADIUS-STAT-MIB.mib
/var/lib/radiusd
/var/log/radius
/var/log/radius/radacct
/var/log/radius/radius.log
/var/log/radius/radutmp
/var/run/radiusd
/var/run/radiusd/tmp
[root@radius html]#

View the files installed by the FreeRADIUS utilities package

[root@radius html]# rpm -lq freeradius-utils
/usr/bin/dhcpclient
/usr/bin/map_unit
/usr/bin/rad_counter
/usr/bin/radattr
/usr/bin/radclient
/usr/bin/radcrypt
/usr/bin/radeapclient
/usr/bin/radlast
/usr/bin/radsniff
/usr/bin/radsqlrelay
/usr/bin/radtest
/usr/bin/radwho
/usr/bin/radzap
/usr/bin/rlm_ippool_tool
/usr/bin/smbencrypt
/usr/share/man/man1/dhcpclient.1.gz
/usr/share/man/man1/rad_counter.1.gz
/usr/share/man/man1/radclient.1.gz
/usr/share/man/man1/radeapclient.1.gz
/usr/share/man/man1/radlast.1.gz
/usr/share/man/man1/radtest.1.gz
/usr/share/man/man1/radwho.1.gz
/usr/share/man/man1/radzap.1.gz
/usr/share/man/man1/smbencrypt.1.gz
/usr/share/man/man5/checkrad.5.gz
/usr/share/man/man8/radcrypt.8.gz
/usr/share/man/man8/radsniff.8.gz
/usr/share/man/man8/radsqlrelay.8.gz
/usr/share/man/man8/rlm_ippool_tool.8.gz
[root@radius html]#

Check the install paths of the FreeRADIUS MySQL extension package

[root@radius html]# rpm -lq freeradius-mysql
/etc/raddb/mods-config/sql/counter/mysql
/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
/etc/raddb/mods-config/sql/cui/mysql
/etc/raddb/mods-config/sql/cui/mysql/queries.conf
/etc/raddb/mods-config/sql/cui/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool/mysql
/etc/raddb/mods-config/sql/ippool/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql
/etc/raddb/mods-config/sql/main/mysql/extras
/etc/raddb/mods-config/sql/main/mysql/extras/wimax
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
/etc/raddb/mods-config/sql/main/mysql/queries.conf
/etc/raddb/mods-config/sql/main/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql/setup.sql
/etc/raddb/mods-config/sql/main/ndb
/etc/raddb/mods-config/sql/main/ndb/README
/etc/raddb/mods-config/sql/main/ndb/schema.sql
/etc/raddb/mods-config/sql/main/ndb/setup.sql
/usr/lib64/freeradius/rlm_sql_mysql.so
[root@radius html]#

Register and start the service

[root@radius ~]# systemctl enable radiusd
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.
[root@radius ~]# systemctl start radiusd
[root@radius ~]#

Check the listening ports (UDP 1812 / UDP 1813)

[root@radius ~]# netstat -ltun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:18120         0.0.0.0:*
udp        0      0 0.0.0.0:56569           0.0.0.0:*
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
udp6       0      0 ::1:323                 :::*
udp6       0      0 :::54657                :::*
udp6       0      0 :::1812                 :::*
udp6       0      0 :::1813                 :::*
[root@radius ~]#

Import the FreeRADIUS schema into the database

[root@radius ~]# mysql -uroot -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Enter password:
[root@radius ~]#

Enable the SQL module

[root@radius ~]# cd /etc/raddb/mods-enabled/
[root@radius mods-enabled]# ln -s ../mods-available/sql sql
[root@radius mods-enabled]#

Edit the database connection settings in the sql module

[root@radius mods-enabled]# vi sql

driver = "rlm_sql_null"
driver = "rlm_sql_mysql"

dialect = "sqlite"
dialect = "mysql"

#       server = "localhost"
#       port = 3306
#       login = "radius"
#       password = "radpass"

        server = "localhost"
        port = 3306
        login = "radius"
        password = "radiuspassword"

#       read_clients = yes
        read_clients = yes

Change the group of the database connection configuration file

[root@radius mods-enabled]# ll sql
lrwxrwxrwx 1 root root 21 Feb 20 05:58 sql -> ../mods-available/sql
[root@radius mods-enabled]# chgrp -h radiusd sql
[root@radius mods-enabled]# ll sql
lrwxrwxrwx 1 root radiusd 21 Feb 20 05:58 sql -> ../mods-available/sql
[root@radius mods-enabled]#

Download and unpack the daloRADIUS package

[root@radius ~]# wget https://github.com/lirantal/daloradius/archive/master.zip
[root@radius ~]# cp -R daloradius-master/ /var/www/html/daloradius

Import the daloRADIUS schema into the database

[root@radius ~]# cd /var/www/html/
[root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
Enter password:
[root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/mysql-daloradius.sql
Enter password:
[root@radius html]#

Set ownership and permissions on the directory and configuration file

[root@radius html]# chown -R apache.apache daloradius/
[root@radius html]# chmod 664 daloradius/library/daloradius.conf.php
[root@radius html]#

Edit the daloRADIUS configuration file

[root@radius html]# vi daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radiuspassword';
$configValues['CONFIG_DB_NAME'] = 'radius';
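
Two files in this setup hold the MySQL password: mods-available/sql (the target of the mods-enabled/sql symlink) and daloradius/library/daloradius.conf.php. Note that `chgrp -h radiusd sql` changes the group of the symlink itself, not of the file radiusd actually reads, and that `chmod 664` leaves daloradius.conf.php readable by every local user. The script below is an added example, not code from the post, FreeRADIUS or daloRADIUS: it resolves a path through any symlink and checks that the real file is group-owned by the service group and grants nothing to "others". The expected groups (radiusd, apache) follow the post; the "no access for others" rule is my policy choice, which a 640 mode satisfies.

```shell
#!/bin/sh
# Added example, not from the original post, FreeRADIUS or daloRADIUS.
# Both mods-available/sql (MySQL login/password) and
# daloradius/library/daloradius.conf.php (CONFIG_DB_PASS) hold the database
# password, so the file behind each path should be readable by its service
# group only. "chgrp -h" changes the symlink itself, not the file radiusd
# reads, so the check always resolves the link first. The expected group and
# the "no access for others" rule are my policy choices.

# resolve_target PATH -> the final path behind any symlink(s); a plain file
# is returned unchanged. readlink -f is GNU coreutils; fall back to readlink.
resolve_target() {
    readlink -f "$1" 2>/dev/null || readlink "$1" 2>/dev/null || printf '%s' "$1"
}

# mode_of FILE -> octal permission bits (e.g. 640); group_of FILE -> group name.
# GNU stat first, BSD stat as fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
group_of() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# check_secret_file PATH GROUP
# Returns 0 when the resolved file is group-owned by GROUP and grants no
# permission bits to "others"; otherwise prints each finding and returns 1.
check_secret_file() {
    target=$(resolve_target "$1")
    if [ ! -f "$target" ]; then
        echo "$1: target $target is not a regular file"
        return 1
    fi
    rc=0
    g=$(group_of "$target")
    m=$(mode_of "$target")
    if [ "$g" != "$2" ]; then
        echo "$1 -> $target: group is $g, expected $2"
        rc=1
    fi
    case "$m" in
        *0) ;;   # last octal digit 0: others have no access at all
        *)  echo "$1 -> $target: mode $m grants access to others (expect e.g. 640)"
            rc=1 ;;
    esac
    return $rc
}

# Demo against the two paths used in the post; skipped where they do not exist.
for entry in "/etc/raddb/mods-enabled/sql radiusd" \
             "/var/www/html/daloradius/library/daloradius.conf.php apache"; do
    set -- $entry
    if [ -e "$1" ]; then
        check_secret_file "$1" "$2" && echo "$1: ok"
    else
        echo "$1: not present, skipped"
    fi
done
```

Run it as root on the RADIUS host after the chgrp/chmod steps; with the 664 mode from the post the daloRADIUS entry is reported, and `chmod 640` on that file clears the finding.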

Install the PEAR extensions

Update the channel

[root@radius ~]# pear channel-update pear.php.net
Updating channel "pear.php.net"
Update of Channel "pear.php.net" succeeded
[root@radius ~]#

Upgrade pear/PEAR

Error message

[root@radius ~]# pear install DB
WARNING: "pear/DB" is deprecated in favor of "pear/MDB2"
pear/DB requires package "pear/PEAR" (version >= 1.10.0), installed version is 1.9.4
No valid packages found
install failed
[root@radius ~]#

Upgrade

[root@radius ~]# pear install PEAR
WARNING: "pear/Console_Getopt" is deprecated in favor of "pear/Console_GetoptPlus"
downloading PEAR-1.10.10.tgz ...
Starting to download PEAR-1.10.10.tgz (293,388 bytes)
.............................................................done: 293,388 bytes
downloading Archive_Tar-1.4.9.tgz ...
Starting to download Archive_Tar-1.4.9.tgz (21,343 bytes)
...done: 21,343 bytes
downloading Structures_Graph-1.1.1.tgz ...
Starting to download Structures_Graph-1.1.1.tgz (12,579 bytes)
...done: 12,579 bytes
downloading Console_Getopt-1.4.3.tgz ...
Starting to download Console_Getopt-1.4.3.tgz (5,789 bytes)
...done: 5,789 bytes
downloading XML_Util-1.4.3.tgz ...
Starting to download XML_Util-1.4.3.tgz (18,842 bytes)
...done: 18,842 bytes
install ok: channel://pear.php.net/Archive_Tar-1.4.9
install ok: channel://pear.php.net/Structures_Graph-1.1.1
install ok: channel://pear.php.net/Console_Getopt-1.4.3
install ok: channel://pear.php.net/XML_Util-1.4.3
install ok: channel://pear.php.net/PEAR-1.10.10
PEAR: Optional feature webinstaller available (PEAR's web-based installer)
PEAR: Optional feature gtkinstaller available (PEAR's PHP-GTK-based installer)
PEAR: Optional feature gtk2installer available (PEAR's PHP-GTK2-based installer)
PEAR: To install optional features use "pear install pear/PEAR#featurename"
[root@radius ~]#

Install the pear/DB extension

[root@radius ~]# pear install DB
WARNING: "pear/DB" is deprecated in favor of "pear/MDB2"
downloading DB-1.9.3.tgz ...
Starting to download DB-1.9.3.tgz (132,290 bytes)
.............................done: 132,290 bytes
install ok: channel://pear.php.net/DB-1.9.3
[root@radius ~]#

Install the pear/MDB2 extension

[root@radius ~]# pear install MDB2
downloading MDB2-2.4.1.tgz ...
Starting to download MDB2-2.4.1.tgz (121,557 bytes)
..........................done: 121,557 bytes
install ok: channel://pear.php.net/MDB2-2.4.1
MDB2: Optional feature fbsql available (Frontbase SQL driver for MDB2)
MDB2: Optional feature ibase available (Interbase/Firebird driver for MDB2)
MDB2: Optional feature mysql available (MySQL driver for MDB2)
MDB2: Optional feature mysqli available (MySQLi driver for MDB2)
MDB2: Optional feature mssql available (MS SQL Server driver for MDB2)
MDB2: Optional feature oci8 available (Oracle driver for MDB2)
MDB2: Optional feature pgsql available (PostgreSQL driver for MDB2)
MDB2: Optional feature querysim available (Querysim driver for MDB2)
MDB2: Optional feature sqlite available (SQLite2 driver for MDB2)
MDB2: To install optional features use "pear install pear/MDB2#featurename"
[root@radius ~]#

Restart the service

[root@radius ~]# systemctl restart radiusd

Open the daloRADIUS console in a browser

Feb 01 2020

Importing the self-signed root certificate on the client computer

Correct import location for the self-signed CA certificate (Certificates - Local Computer - Trusted Root Certification Authorities)

Details of the imported CA certificate

Wrong import location for the self-signed CA certificate (Certificates - Current User - Trusted Root Certification Authorities)

Connection error shown when the certificate was imported into the wrong store: IKE authentication credentials are unacceptable

Dial-up connection properties

General tab

Security tab

Networking tab

Status information after the connection is established

Feb 01 2020

Install the EPEL repository

[root@host1 ~]# yum -y install epel-release

Refresh the cache and install strongSwan and net-tools

[root@host1 ~]# yum makecache
[root@host1 ~]# yum -y install strongswan net-tools

Check the strongSwan version

[root@host1 ~]# yum info strongswan
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: repos-lax.psychz.net
 * epel: mirror.lax.genesisadaptive.com
 * extras: mirror.hostduplex.com
 * updates: repos-lax.psychz.net
Installed Packages
Name        : strongswan
Arch        : x86_64
Version     : 5.7.2
Release     : 1.el7
Size        : 4.0 M
Repo        : installed
From repo   : epel
Summary     : An OpenSource IPsec-based VPN and TNC solution
URL         : http://www.strongswan.org/
License     : GPLv2+
Description : The strongSwan IPsec implementation supports both the IKEv1 and
            : IKEv2 key exchange protocols in conjunction with the native NETKEY
            : IPsec stack of the Linux kernel.

[root@host1 ~]#

Prepare the certificate generation scripts

Server certificate script

[root@host1 ipsec.d]# cat server_key.sh
#!/bin/bash
# Usage: ./server_key.sh <exact host name or server IP>
# Run it in the directory that should hold the keys (e.g. /etc/strongswan/ipsec.d).
if [ -n "$1" ]; then
        CN=$1
        echo "generating keys for $CN ..."
else
        echo -e "usage:\n sh server_key.sh YOUR EXACT HOST NAME or SERVER IP\n Run this script in directory to store your keys"
        exit 1
fi

mkdir -p private cacerts certs
umask 077   # private keys must not be readable by other users

# CA: 4096-bit RSA key and a 10-year self-signed CA certificate
strongswan pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
strongswan pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" --outform pem > cacerts/strongswanCert.pem
echo 'CA certs at cacerts/strongswanCert.pem'
strongswan pki --print --in cacerts/strongswanCert.pem

sleep 1
echo "generating server keys ..."
# Server: 2048-bit RSA key; the certificate is issued by the CA above with the
# serverAuth and ikeIntermediate flags and a SAN equal to the address clients connect to
strongswan pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
strongswan pki --pub --in private/vpnHostKey.pem --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" \
        --san "$CN" \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpnHostCert.pem
echo "vpn server cert at certs/vpnHostCert.pem"
strongswan pki --print --in certs/vpnHostCert.pem
[root@host1 ipsec.d]#

Client certificate script

[root@host1 ipsec.d]# cat client_key.sh
#!/bin/bash
# Usage: ./client_key.sh USER_NAME EMAIL
# Run it in the directory that holds the CA created by server_key.sh.
info="usage:\n sh client_key.sh USER_NAME EMAIL \n Run this script in directory to store your keys"

if [ -n "$1" ]; then
        if [ -n "$2" ]; then
                NAME=$1
                MAIL=$2
                echo "generating keys for $NAME $MAIL ..."
        else
                echo -e "$info"
                exit 1
        fi
else
        echo -e "$info"
        exit 1
fi

mkdir -p private cacerts certs
umask 077   # the client's private key and .p12 bundle must not be world-readable

keyfile="private/${NAME}Key.pem"
certfile="certs/${NAME}Cert.pem"
p12file="${NAME}.p12"

# 2048-bit RSA client key
strongswan pki --gen --type rsa --size 2048 \
        --outform pem \
        > "$keyfile"

# client certificate issued by the CA; the e-mail address is used as both CN and SAN
strongswan pki --pub --in "$keyfile" --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$MAIL" \
        --san "$MAIL" \
        --outform pem > "$certfile"

strongswan pki --print --in "$certfile"

# bundle key, certificate and CA certificate into a password-protected PKCS#12 file
echo "Enter password to protect p12 cert for $NAME"
openssl pkcs12 -export -inkey "$keyfile" \
        -in "$certfile" -name "$NAME's VPN Certificate" \
        -certfile cacerts/strongswanCert.pem \
        -caname "strongSwan Root CA" \
        -out "$p12file"

if [ $? -eq 0 ]; then
        echo "cert for $NAME at $p12file"
fi
[root@host1 ipsec.d]#

Generate the server certificate

[root@host1 ipsec.d]# ./server_key.sh 144.202.116.133
generating keys for 144.202.116.133 ...
CA certs at cacerts/strongswanCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:11 2020, ok
             not after  Jan 29 02:02:11 2030, ok (expires in 3650 days)
  serial:    1d:40:6a:e0:af:56:64:33
  flags:     CA CRLSign self-signed
  subjkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  pubkey:    RSA 4096 bits
  keyid:     7e:1e:66:62:f0:cc:d9:51:9e:ea:c0:97:37:d5:84:1c:b9:27:97:c2
  subjkey:   91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
generating server keys ...
vpn server cert at certs/vpnHostCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:13 2020, ok
             not after  Jan 31 02:02:13 2022, ok (expires in 730 days)
  serial:    1d:ff:d1:51:97:c9:46:72
  altNames:  144.202.116.133
  flags:     serverAuth ikeIntermediate
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
  pubkey:    RSA 2048 bits
  keyid:     15:7d:c7:47:3e:07:7b:66:92:d0:2e:75:8e:78:0e:6b:72:8e:5e:b2
  subjkey:   c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
[root@host1 ipsec.d]#

Generate the client certificate and set a password on the exported key pair

[root@host1 ipsec.d]# ./client_key.sh harveymei harvey.mei@msn.com
generating keys for harveymei harvey.mei@msn.com ...
  subject:  "C=HK, O=LINUXCACHE.COM, CN=harvey.mei@msn.com"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:03:46 2020, ok
             not after  Jan 31 02:03:46 2022, ok (expires in 730 days)
  serial:    60:f7:02:c5:33:21:3a:13
  altNames:  harvey.mei@msn.com
  flags:
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
  pubkey:    RSA 2048 bits
  keyid:     1a:8d:12:09:54:a6:a6:d4:f9:d4:7a:6c:75:0a:85:6d:90:b6:0d:fe
  subjkey:   ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
Enter password to protect p12 cert for harveymei
Enter Export Password:
Verifying - Enter Export Password:
cert for harveymei at harveymei.p12
[root@host1 ipsec.d]#

Copy the certificates the client needs

Edit the configuration files

Edit ipsec.conf

Initial configuration file

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=HK, O=Linux strongSwan CN=peer name"
#      auto=start

Change to

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
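
The IpsecIKEv2-EAP connection pins `ike=aes256-sha1-modp1024!`; the trailing `!` makes strongSwan accept only that proposal, so the tunnel is limited to SHA-1 integrity and a 1024-bit MODP group, both below current recommendations. The script below is an added example, not code from the post or from strongSwan: it scans the `ike=`/`esp=` lines of an ipsec.conf and reports legacy algorithm terms. The WEAK_TERMS list is my baseline rather than a strongSwan default, and the sample configuration it audits is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or strongSwan: flag legacy
# algorithm terms in ike=/esp= proposal strings such as the
# "ike=aes256-sha1-modp1024!" line of the IpsecIKEv2-EAP connection above.
# The WEAK_TERMS list is my baseline, not a strongSwan default; extend it to
# match your own policy.

# Legacy terms: DES/3DES ciphers, MD5/SHA-1 integrity, DH groups below
# 2048 bits, and the "null" cipher.
WEAK_TERMS="des 3des md5 sha1 modp768 modp1024 modp1536 null"

# weak_terms PROPOSAL
# Prints the weak terms found in one proposal value, space separated and in
# the order they appear, or nothing when the proposal is clean. A trailing
# '!' (strict mode) is ignored and ','-separated alternatives are all checked.
weak_terms() {
    found=""
    for term in $(printf '%s' "$1" | tr -d '!' | tr ',-' '  '); do
        for weak in $WEAK_TERMS; do
            [ "$term" = "$weak" ] && found="${found:+$found }$term"
        done
    done
    printf '%s' "$found"
}

# audit_ipsec_conf FILE
# Prints one line per weak ike=/esp= setting, "line N: key=value -> weak: terms".
# Commented-out lines are ignored; no output means nothing weak was found.
audit_ipsec_conf() {
    grep -nE '^[[:space:]]*(ike|esp)[[:space:]]*=' "$1" |
    while IFS= read -r hit; do
        lineno=${hit%%:*}
        setting=$(printf '%s' "${hit#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        key=$(printf '%s' "${setting%%=*}" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "${setting#*=}" | sed 's/^[[:space:]]*//')
        weak=$(weak_terms "$value")
        if [ -n "$weak" ]; then
            printf 'line %s: %s=%s -> weak: %s\n' "$lineno" "$key" "$value" "$weak"
        fi
    done
    return 0
}

# write_sample_conf FILE: a constructed ipsec.conf fragment for the demo and
# tests, mixing the legacy proposal from the post with a modern esp= line.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a deployed configuration
conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256gcm16-ecp384!
    rightauth=eap-mschapv2
    auto=add
EOF
}

# Demo: audit the constructed sample (on a host: audit_ipsec_conf /etc/strongswan/ipsec.conf)
sample=$(mktemp)
write_sample_conf "$sample"
audit_ipsec_conf "$sample"
rm -f "$sample"
```

For the sample the audit reports only the `ike=` line (SHA-1 and modp1024); the `esp=` line with AES-GCM and ecp384 passes.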

Edit strongswan.conf

Initial configuration file

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Change to

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

Handling the syntax error (this version rejects the dotted duplicheck.enable key; use a nested section instead)

Feb 01 02:41:00 host1 strongswan[4598]: /etc/strongswan/strongswan.conf:3: syntax error, unexpected ., expecting : or '{' or '=' [.]
charon {
    load_modular = yes
    duplicheck{
	enable = no
	}
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

Edit ipsec.secrets (accounts and passwords)

Initial configuration file

# ipsec.secrets - strongSwan IPsec secrets file

Change to

# ipsec.secrets - strongSwan IPsec secrets file
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
harveymei %any : EAP "harvey#pwd2020"
harveymei %any : XAUTH "harvey#pwd2020"

Enable packet forwarding in the kernel and the firewall

Kernel

[root@host1 strongswan]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@host1 strongswan]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@host1 strongswan]#

Firewall

[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]# firewall-cmd --permanent --add-service=ipsec
success
[root@host1 ~]# firewall-cmd --permanent --add-port=4500/udp
success
[root@host1 ~]# firewall-cmd --permanent --add-masquerade
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ipsec ssh
ports: 4500/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]#

Start the service

[root@host1 ~]# systemctl enable strongswan
Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service.
[root@host1 ~]# systemctl start strongswan

Check the listening ports

Jan 31 2020

Command-line parameter reference for the two n2n node types

[root@host1 ~]# /usr/local/n2n/sbin/supernode --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

supernode <config file> (see supernode.conf)
or
supernode -l <lport> -c <path> [-v]

-l <lport> Set UDP main listen port to <lport>
-c <path> File containing the allowed communities.
-v Increase verbosity. Can be used multiple times.
-h This help message.

[root@host1 ~]#

 

[root@host1 ~]# /usr/local/n2n/sbin/edge --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

edge <config file> (see edge.conf)
or
edge -d <tun device> -a [static:|dhcp:]<tun IP address> -c <community> [-k <encrypt key>]
[-s <netmask>] [-u <uid> -g <gid>][-f][-T <tos>][-m <MAC address>] -l <supernode host:port>
[-p <local port>] [-M <mtu>] [-D] [-r] [-E] [-v] [-i <reg_interval>] [-L <reg_ttl>] [-t <mgmt port>] [-A] [-h]

-d <tun device> | tun device name
-a <mode:address> | Set interface address. For DHCP use '-r -a dhcp:0.0.0.0'
-c <community> | n2n community name the edge belongs to.
-k <encrypt key> | Encryption key (ASCII) - also N2N_KEY=<encrypt key>.
-s <netmask> | Edge interface netmask in dotted decimal notation (255.255.255.0).
-l <supernode host:port> | Supernode IP:port
-i <reg_interval> | Registration interval, for NAT hole punching (default 20 seconds)
-L <reg_ttl> | TTL for registration packet when UDP NAT hole punching through supernode (default 0 for not set )
-p <local port> | Fixed local UDP port.
-u <UID> | User ID (numeric) to use when privileges are dropped.
-g <GID> | Group ID (numeric) to use when privileges are dropped.
-f | Do not fork and run as a daemon; rather run in foreground.
-m <MAC address> | Fix MAC address for the TAP interface (otherwise it may be random)
| eg. -m 01:02:03:04:05:06
-M <mtu> | Specify n2n MTU of edge interface (default 1290).
-D | Enable PMTU discovery. PMTU discovery can reduce fragmentation but
| causes connections stall when not properly supported.
-r | Enable packet forwarding through n2n community.
-E | Accept multicast MAC addresses (default=drop).
-S | Do not connect P2P. Always use the supernode.
-T <tos> | TOS for packets (e.g. 0x48 for SSH like priority)
-v | Make more verbose. Repeat as required.
-t <port> | Management UDP Port (for multiple edges on a machine).

Environment variables:
N2N_KEY | Encryption key (ASCII). Not with -k.
[root@host1 ~]#
Jan 31 2020

Install and configure n2n on three hosts

host1:supernode/edge(192.168.172.1)
host2:edge(192.168.172.2)
host3:edge(192.168.172.3)
Community:linuxcache
Pre-Shared Key:5tgb6yhn7ujm

Disable the firewall

[root@host1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
[root@host1 ~]# systemctl stop firewalld
[root@host1 ~]#

Install the build tools

[root@host1 ~]# yum -y install git gcc automake

Download the source code

https://github.com/ntop/n2n.git

[root@host1 ~]# git clone https://github.com/ntop/n2n.git
Cloning into 'n2n'...
remote: Enumerating objects: 1572, done.
remote: Total 1572 (delta 0), reused 0 (delta 0), pack-reused 1572
Receiving objects: 100% (1572/1572), 970.16 KiB | 0 bytes/s, done.
Resolving deltas: 100% (858/858), done.
[root@host1 ~]#

Compile and install

[root@host1 ~]# cd n2n/
[root@host1 n2n]# ./autogen.sh
[root@host1 n2n]# ./configure
[root@host1 n2n]# make
[root@host1 n2n]# make PREFIX=/usr/local/n2n/ install

Configure the supernode service unit on host1

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_supernode.service
[Unit]
Description=n2n supernode
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/supernode -l 1200

[Install]
WantedBy=multi-user.target

Register and start the service

[root@host1 ~]# systemctl enable n2n_supernode
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_supernode.service to /usr/lib/systemd/system/n2n_supernode.service.
[root@host1 ~]# systemctl start n2n_supernode
[root@host1 ~]#

Configure the edge service unit on host1

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target n2n_supernode.service

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l localhost:1200 -c linuxcache -a 192.168.172.1 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target
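
The edge units on host1, host2 and host3 all pass the community key as `-k 5tgb6yhn7ujm`, so it sits in a world-readable unit file and in the command line of the running process (visible to every local user through `ps`). The `edge --help` output above lists `N2N_KEY` as an environment-variable alternative ("Not with -k"). The script below is an added example, not code from the post or the n2n project: it writes the key to a root-only file and generates a unit that hands it to edge through systemd's `EnvironmentFile=`. The /etc/n2n/edge.env path and the file layout are my choices.

```shell
#!/bin/sh
# Added example, not from the original post or the n2n project. The edge
# units in the post pass the community key with "-k", exposing it in the unit
# file and the process list. edge --help lists N2N_KEY ("Encryption key
# (ASCII). Not with -k.") as an alternative, so the key is written to a
# root-only file and supplied through systemd's EnvironmentFile=.
# The /etc/n2n/edge.env path and the file layout are my choices.

# write_key_file FILE KEY: one KEY=value line, mode 0600 (umask in a subshell)
write_key_file() {
    ( umask 077; printf 'N2N_KEY=%s\n' "$2" > "$1" )
}

# write_edge_unit UNIT_FILE ENV_FILE SUPERNODE_HOST:PORT TUN_IP COMMUNITY
# Same ExecStart as the post's units minus -k; the key comes from ENV_FILE.
write_edge_unit() {
    cat > "$1" <<EOF
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
# community key is read from N2N_KEY in $2 (mode 0600), not from -k
EnvironmentFile=$2
ExecStart=/usr/local/n2n/sbin/edge -l $3 -c $5 -a $4 -f

[Install]
WantedBy=multi-user.target
EOF
}

# unit_mentions_key UNIT_FILE KEY -> 0 if the literal key appears in the unit
unit_mentions_key() {
    grep -q -- "$2" "$1"
}

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat, BSD fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Demo in a scratch directory. On a real host write /etc/n2n/edge.env and
# /usr/lib/systemd/system/n2n_edge.service instead, then run
# "systemctl daemon-reload" and restart n2n_edge.
demo=$(mktemp -d)
write_key_file "$demo/edge.env" 5tgb6yhn7ujm
write_edge_unit "$demo/n2n_edge.service" "$demo/edge.env" 144.202.116.133:1200 192.168.172.2 linuxcache
echo "edge.env mode: $(file_mode "$demo/edge.env")"
if unit_mentions_key "$demo/n2n_edge.service" 5tgb6yhn7ujm; then
    echo "key leaked into the unit file"
else
    echo "unit file does not contain the key"
fi
cat "$demo/n2n_edge.service"
rm -rf "$demo"
```

The same generator serves host1 (supernode address localhost:1200, tunnel IP 192.168.172.1) and host3 (192.168.172.3) by changing the arguments; the community key file is identical on every node.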

Register and start the service

[root@host1 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host1 ~]# systemctl start n2n_edge
[root@host1 ~]#

Check the host1 interfaces

[root@host1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1e brd ff:ff:ff:ff:ff:ff
inet 144.202.116.133/23 brd 144.202.117.255 scope global dynamic eth0
valid_lft 84884sec preferred_lft 84884sec
inet6 fe80::5400:2ff:fe83:721e/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether de:23:7d:c9:85:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.1/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::dc23:7dff:fec9:85e0/64 scope link
valid_lft forever preferred_lft forever
[root@host1 ~]#

Configure the edge service unit on host2

[root@host2 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.2 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

Register and start the service

[root@host2 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host2 ~]# systemctl start n2n_edge
[root@host2 ~]#

Check the host2 interfaces

[root@host2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1f brd ff:ff:ff:ff:ff:ff
inet 149.28.93.246/23 brd 149.28.93.255 scope global dynamic eth0
valid_lft 78885sec preferred_lft 78885sec
inet6 fe80::5400:2ff:fe83:721f/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether ae:04:8c:77:da:be brd ff:ff:ff:ff:ff:ff
inet 192.168.172.2/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::ac04:8cff:fe77:dabe/64 scope link
valid_lft forever preferred_lft forever
[root@host2 ~]#

Test node connectivity (from host2)

[root@host2 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=0.877 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=0.733 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=0.844 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=0.958 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.733/0.853/0.958/0.080 ms
[root@host2 ~]#

Configure the edge service unit on host3

[root@host3 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.3 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

Register and start the service

[root@host3 n2n]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host3 n2n]# systemctl start n2n_edge
[root@host3 n2n]#

Check the host3 interfaces

[root@host3 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:80:03 brd ff:ff:ff:ff:ff:ff
inet 45.32.224.80/22 brd 45.32.227.255 scope global dynamic eth0
valid_lft 78416sec preferred_lft 78416sec
inet6 fe80::5400:2ff:fe83:8003/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether d2:31:7d:96:46:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.3/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::d031:7dff:fe96:4641/64 scope link
valid_lft forever preferred_lft forever
[root@host3 ~]#

Test node connectivity (from host3)

[root@host3 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=59.0 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=25.9 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=27.2 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/34.564/59.058/14.150 ms
[root@host3 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=52.1 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=25.9 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/32.542/52.115/11.301 ms
[root@host3 ~]#

Test node connectivity (from host1)

[root@host1 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=0.666 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=0.840 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=0.921 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.666/0.964/1.432/0.287 ms
[root@host1 ~]# ping -c 4 192.168.172.3
PING 192.168.172.3 (192.168.172.3) 56(84) bytes of data.
64 bytes from 192.168.172.3: icmp_seq=1 ttl=64 time=33.4 ms
64 bytes from 192.168.172.3: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.3: icmp_seq=3 ttl=64 time=26.3 ms
64 bytes from 192.168.172.3: icmp_seq=4 ttl=64 time=25.8 ms

--- 192.168.172.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 25.859/27.923/33.456/3.202 ms
[root@host1 ~]#
Jan 30 2020

Install the Cisco AnyConnect Secure Mobility Client

Prepare to import the user certificate file (with private key) issued by the self-signed CA

Certificate Import Wizard (store location: Current User)

Confirm the path of the certificate file to import

Enter the password that was set on the certificate file

Use the default certificate store

Confirm the import details and click Finish

Certificate imported successfully

View the imported user certificate in the certificate manager (user certificates)

Enter the server address in the AnyConnect client and click Connect

Connection being established

Connection established; the client reports it is connected to the server

Client in the connected state

Jan 29 2020

Point-to-point VPN with OpenVPN using a pre-shared static key

Install the EPEL repository and net-tools

[root@host1 ~]# yum -y install epel-release.noarch net-tools

[root@host2 ~]# yum -y install epel-release.noarch net-tools

Install the openvpn package

[root@host1 ~]# yum -y install openvpn

[root@host2 ~]# yum -y install openvpn

Configure the firewall: open UDP port 8443 on both hosts as the dedicated tunnel port

[root@host1 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]#

[root@host2 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host2 ~]# firewall-cmd --reload
success
[root@host2 ~]#

Create the host1 configuration file

[root@host1 ~]# vi /etc/openvpn/host1.conf
proto udp
mode p2p
remote 149.28.93.246
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.1 172.16.100.2
secret /etc/openvpn/p2p.key

Generate the pre-shared key file and copy it to the same directory on host2

[root@host1 ~]# openvpn --genkey --secret /etc/openvpn/p2p.key
[root@host1 ~]# cat /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----
[root@host1 ~]#

Create the host2 configuration file

[root@host2 ~]# vi /etc/openvpn/hosts2.conf
proto udp
mode p2p
remote 144.202.116.133
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.2 172.16.100.1
secret /etc/openvpn/p2p.key

[root@host2 ~]# vi /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----

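Before starting the daemons, the two things that most often go wrong with this setup are the key file's permissions (OpenVPN only warns and still starts, as host2's log below shows) and a pair of configuration files whose ifconfig or port lines do not mirror each other. The script below is an added example, not part of the original post, that checks both offline. It assumes GNU coreutils (stat -c) as on CentOS; the key it writes is a constructed counter pattern in the Static key V1 layout, not usable key material (real keys come from openvpn --genkey), and the temporary-directory paths are illustrative stand-ins for /etc/openvpn.

```shell
#!/bin/sh
# Added example (not from the original post): offline pre-flight checks for an
# OpenVPN static-key point-to-point pair. Assumes GNU stat (CentOS/EL).

# write_sample_key FILE: writes a CONSTRUCTED placeholder in the exact
# "Static key V1" layout (16 lines x 32 hex chars = 2048 bits). It is a
# counter pattern, not key material; real keys come from
# `openvpn --genkey --secret FILE`.
write_sample_key() {
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key (constructed placeholder, not a real key)'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=1
        while [ "$i" -le 16 ]; do
            printf '%032x\n' "$i"
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
    chmod 600 "$1"
}

# check_static_key FILE: 0 if FILE is owner-only accessible and carries a
# well-formed 2048-bit static key body; 2 on loose permissions (the case
# behind OpenVPN's "is group or others accessible" warning); 3 on a
# malformed body (e.g. a paste that dropped or wrapped a line).
check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    mode=$(stat -c %a "$f")
    case "$mode" in
        *00) ;;   # owner bits only (600, 400, ...)
        *) echo "$f is group/other accessible (mode $mode)" >&2; return 2 ;;
    esac
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" \
        || { echo "$f: no Static key V1 header" >&2; return 3; }
    body=$(sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$f" | sed '1d;$d')
    hexlines=$(printf '%s\n' "$body" | grep -c -E '^[0-9a-f]{32}$' || true)
    alllines=$(printf '%s\n' "$body" | grep -c . || true)
    if [ "$hexlines" -ne 16 ] || [ "$alllines" -ne 16 ]; then
        echo "$f: body has $hexlines valid of $alllines lines, expected 16" >&2
        return 3
    fi
    return 0
}

# gen_p2p_conf OUT REMOTE_PUBLIC_IP LOCAL_TUN_IP PEER_TUN_IP: writes one side
# of the pair with the settings used on the page. The deprecated tun-ipv6
# line is left out (OpenVPN 2.4 logs that it is ignored), and so is
# comp-lzo: the OpenVPN manual discourages compression inside the tunnel
# because ciphertext size then leaks plaintext, and both ends must agree on
# it anyway, so enable it deliberately or not at all.
gen_p2p_conf() {
    cat > "$1" <<EOF
proto udp
mode p2p
remote $2
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
dev tun0
resolv-retry infinite
persist-key
persist-tun
cipher AES-256-CBC
ifconfig $3 $4
secret /etc/openvpn/p2p.key
EOF
}

# conf_mirrored A B: 0 when A and B form a consistent pair: A's local tunnel
# address is B's peer address and vice versa, and A's rport is B's lport
# (and the reverse). A mismatch gives a tun0 that comes up on both sides
# (the daemon configures the interface before talking to the peer, as the
# logs show) but never passes a ping.
conf_mirrored() {
    a_if=$(awk '$1 == "ifconfig" { print $2, $3 }' "$1")
    b_if=$(awk '$1 == "ifconfig" { print $3, $2 }' "$2")
    if [ -z "$a_if" ] || [ "$a_if" != "$b_if" ]; then
        echo "ifconfig lines do not mirror: '$a_if' vs '$b_if'" >&2
        return 1
    fi
    a_r=$(awk '$1 == "rport" { print $2 }' "$1"); a_l=$(awk '$1 == "lport" { print $2 }' "$1")
    b_r=$(awk '$1 == "rport" { print $2 }' "$2"); b_l=$(awk '$1 == "lport" { print $2 }' "$2")
    if [ "$a_r" != "$b_l" ] || [ "$a_l" != "$b_r" ]; then
        echo "port pair mismatch: A rport=$a_r lport=$a_l, B rport=$b_r lport=$b_l" >&2
        return 1
    fi
    return 0
}

# Demo on a throwaway directory (the real files live under /etc/openvpn).
demo_dir=$(mktemp -d)
write_sample_key "$demo_dir/p2p.key"
chmod 644 "$demo_dir/p2p.key"            # simulate a careless copy (umask 022 via vi)
check_static_key "$demo_dir/p2p.key" || echo "loose permissions caught (rc=$?)"
chmod 600 "$demo_dir/p2p.key"
check_static_key "$demo_dir/p2p.key" && echo "key file OK"
gen_p2p_conf "$demo_dir/host1.conf" 149.28.93.246  172.16.100.1 172.16.100.2
gen_p2p_conf "$demo_dir/host2.conf" 144.202.116.133 172.16.100.2 172.16.100.1
conf_mirrored "$demo_dir/host1.conf" "$demo_dir/host2.conf" && echo "configs mirror each other"
rm -rf "$demo_dir"
```

Run it once on each host (pointing check_static_key at /etc/openvpn/p2p.key and conf_mirrored at a copy of the peer's file) before the nohup or systemd start; a return code of 2 from check_static_key is exactly what host2 below would have warned about.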
Start OpenVPN on host1 with the specified configuration file (nohup is enough for a quick test; the EPEL package also ships an openvpn@.service unit that loads /etc/openvpn/<name>.conf, which is the better way to keep the tunnel up across reboots)

[root@host1 ~]# nohup openvpn --config /etc/openvpn/host1.conf &
[1] 1913
[root@host1 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host1 ~]# cat nohup.out
Fri Jan 31 03:25:47 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:25:47 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:25:47 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:25:47 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:25:47 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:25:47 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:25:47 2020 /sbin/ip addr add dev tun0 local 172.16.100.1 peer 172.16.100.2
Fri Jan 31 03:25:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]149.28.93.246:8443
Fri Jan 31 03:25:47 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:25:47 2020 UDP link remote: [AF_INET]149.28.93.246:8443
[root@host1 ~]#

Check host1's interface and listening-port information

Start OpenVPN on host2 with the specified configuration file

[root@host2 ~]# nohup openvpn --config /etc/openvpn/hosts2.conf &
[1] 1741
[root@host2 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host2 ~]# cat nohup.out
Fri Jan 31 03:28:03 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:28:03 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:28:03 2020 WARNING: file '/etc/openvpn/p2p.key' is group or others accessible
Fri Jan 31 03:28:03 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:28:03 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:28:03 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:28:03 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:28:03 2020 /sbin/ip addr add dev tun0 local 172.16.100.2 peer 172.16.100.1
Fri Jan 31 03:28:03 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]144.202.116.133:8443
Fri Jan 31 03:28:03 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:28:03 2020 UDP link remote: [AF_INET]144.202.116.133:8443
[root@host2 ~]#

Check host2's interface and listening-port information


From each host, ping the peer's tunnel IP address