Save aguegu/f4a86d7e9992d4296e93 to your computer and use it in GitHub Desktop.
# Basic Strongswan ikev2 server setup
* platform: atlantic.net ubuntu 14.04 x64
* the commands below are run with root account
## Strongswan
```
apt-get install strongswan
apt-get install iptables iptables-persistent
```
## ca
### root ca
```
cd ~
mkdir swan
cd swan
ipsec pki --gen --outform pem > ca_key.pem
ipsec pki --self --in ca_key.pem --dn "C=CN, O=strongswan, CN=strongswan ca" --ca --outform pem > ca_cert.pem
```
### server cert
```
ipsec pki --gen --outform pem > server_key.pem
ipsec pki --pub --in server_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongswan, CN=vpn.strong.com" --san="vpn.strong.com" --outform pem > server_cert.pem
```
### client cert
```
ipsec pki --gen --outform pem > client_key.pem
ipsec pki --pub --in client_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > client_cert.pem
```
### install ca and server cert
```
cp ca_cert.pem /etc/ipsec.d/cacerts/
cp server_cert.pem /etc/ipsec.d/certs/
cp server_key.pem /etc/ipsec.d/private/
```
## conf
* /etc/ipsec.conf
```
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        leftcert=server_cert.pem
        auto=add
        dpdaction=clear
        dpddelay=300s
        dpdtimeout=1h

conn rw
        leftfirewall=yes
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=10.0.0.0/24
```
* /etc/ipsec.secrets
```
: RSA server_key.pem
```
* /etc/strongswan.conf
```
charon {
        load_modular = yes
        install_virtual_ip = yes
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        # use the dns provided by vps
        plugins {
                include strongswan.d/charon/*.conf
        }
}
```
## system conf
* [/etc/sysctl.conf][1]
```
net.ipv4.ip_forward = 1
```
* [/etc/iptables/rules.v4][2]
```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 22 14:53:31 2013
# Generated by iptables-save v1.4.18 on Mon Jul 22 14:53:31 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [432:67301]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
```
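As an added check that is not part of the gist: a small Python script that parses the rules.v4 format above and verifies that the INPUT chain accepts IKE (500/udp), NAT-T (4500/udp) and ESP before any catch-all REJECT, and that the nat table masquerades the `rightsourceip` pool from ipsec.conf. The embedded rule text is a constructed copy of the relevant lines; the function names are this example's own.

```python
# Constructed input: the nat and filter lines from the rules.v4 above.
RULES_V4 = """\
*nat
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""

def parse_rules(text):
    """Map each '*table' block to its '-A' rules as token lists."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current:
            tables[current].append(line.split())
    return tables

def opt(argv, flag):
    """Value that follows `flag` in a rule, or None when the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def check_ikev2_firewall(text, pool):
    """Return a list of findings; an empty list means the rule set passes."""
    findings, tables = [], parse_rules(text)
    wanted = {("udp", "500"), ("udp", "4500"), ("esp", None)}  # IKE, NAT-T, ESP
    for rule in tables.get("filter", []):
        if rule[1] != "INPUT":
            continue
        proto, port, target = opt(rule, "-p"), opt(rule, "--dport"), opt(rule, "-j")
        if target == "ACCEPT":
            wanted.discard((proto, port))
        elif target in ("REJECT", "DROP") and port is None:
            # A catch-all reject shadows any matching ACCEPT placed after it.
            shadowed = {w for w in wanted if proto in (None, w[0])}
            findings += [f"{p}/{d or '*'} hits catch-all {target} with no earlier ACCEPT" for p, d in sorted(shadowed, key=str)]
            wanted -= shadowed
    findings += [f"no INPUT ACCEPT for {p}/{d or '*'}" for p, d in sorted(wanted, key=str)]
    # Clients from rightsourceip must be masqueraded or their replies never return.
    if not any(opt(r, "-s") == pool and opt(r, "-j") == "MASQUERADE" for r in tables.get("nat", [])):
        findings.append(f"no MASQUERADE for client pool {pool}")
    return findings
```

Run it against the real file with `check_ikev2_firewall(open("/etc/iptables/rules.v4").read(), "10.0.0.0/24")`; anything it returns is a rule that will silently break tunnel setup.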
## client settings
* ss_cert.pem
* client_key.pem
* client_cert.pem
Copy these files to the client with scp or ftp and use them for the strongSwan VPN connection.
## Reference
* [Setting up an IKEv2 VPN with strongSwan on Linux (linux上用strongswan搭建ikev2协议vpn.md)][3]
* [How to save rules of the iptables?][4]
* [How To Set Up a Firewall Using IPTables on Ubuntu 14.04][5]
* [How to make IP forwarding permanent?][6]
* [IPsec-based VPN Server (Simplified Chinese)][7]
* [strongSwan Configuration][8]
[1]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent
[2]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29
[3]: https://gist.github.com/losisli/11081793
[4]: http://askubuntu.com/questions/119393/how-to-save-rules-of-the-iptables
[5]: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
[6]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent
[7]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29
[8]: https://github.com/strongswan/strongswan
@MilitaryRiotLab

I am sorry but where is the ss_cert.pem?

> client settings
>
> * ss_cert.pem

@tuxite

tuxite commented Jan 5, 2016

I think ss_cert.pem is server_cert.pem
