Forked from losisli/linux上用strongswan搭建ikev2协议vpn.md
Last active
July 5, 2020 08:12
-
-
Save aguegu/f4a86d7e9992d4296e93 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Basic Strongswan ikev2 server setup | |
* paltform: atlantic.net ubuntu 14.04 x64 | |
* the commands below are run with root account | |
## Strongswan | |
``` | |
apt-get install strongswan | |
apt-get install iptables iptables-persistent | |
``` | |
## ca | |
### root ca | |
``` | |
cd ~ | |
mkdir swan | |
cd swan | |
ipsec pki --gen --outform pem > ca_key.pem | |
ipsec pki --self --in caKey.pem --dn "C=CN, O=strongswan, CN=strongswan ca" --ca --outform pem > ca_cert.pem | |
``` | |
### server ca | |
``` | |
ipsec pki --gen --outform pem > server_key.pem | |
ipsec pki --pub --in server_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongswan, CN=vpn.strong.com" --san="vpn.strong.com" --outform pem > server_cert.pem | |
``` | |
### client ca | |
``` | |
ipsec pki --gen --outform pem > client_key.pem | |
ipsec pki --pub --in client_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem | |
``` | |
### implement ca | |
``` | |
cp ca_cert.pem /etc/ipsec.d/cacerts/ | |
cp server_cert.pem /etc/ipsec.d/certs/ | |
cp server_key.pem /etc/ipsec.d/private/ | |
``` | |
## conf | |
* /etc/ipsec.conf | |
``` | |
config setup | |
# strictcrlpolicy=yes | |
# uniqueids = no | |
conn %default | |
leftcert=server_cert.pem | |
auto=add | |
dpdaction=clear | |
dpddelay=300s | |
dpdtimeout=1h | |
conn rw | |
leftfirewall=yes | |
leftsubnet=0.0.0.0/0 | |
right=%any | |
rightsourceip=10.0.0.0/24 | |
``` | |
* /etc/ipsec.secerts | |
``` | |
: RSA server_key.pem | |
``` | |
* /etc/strongswan.conf | |
``` | |
charon { | |
load_modular = yes | |
install_virtual_ip = yes | |
dns1 = 8.8.8.8 | |
dns2 = 8.8.4.4 | |
# use the dns provided by vps | |
plugins { | |
include strongswan.d/charon/*.conf | |
} | |
} | |
``` | |
## system conf | |
* [/etc/sysctl.conf][1] | |
``` | |
net.ipv4.ip_forward = 1 | |
``` | |
* [/etc/iptables/rules.v4][2] | |
``` | |
*nat | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE | |
COMMIT | |
# Completed on Mon Jul 22 14:53:31 2013 | |
# Generated by iptables-save v1.4.18 on Mon Jul 22 14:53:31 2013 | |
*filter | |
:INPUT DROP [0:0] | |
:FORWARD DROP [0:0] | |
:OUTPUT ACCEPT [432:67301] | |
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | |
-A INPUT -p udp -m udp --dport 500 -j ACCEPT | |
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT | |
-A INPUT -p icmp -j ACCEPT | |
-A INPUT -p esp -j ACCEPT | |
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
-A INPUT -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT | |
-A INPUT -p tcp -j REJECT --reject-with tcp-reset | |
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |
-A INPUT -j REJECT --reject-with icmp-proto-unreachable | |
COMMIT | |
``` | |
## client settings | |
* ss_cert.pem | |
* client_key.pem | |
* client_cert.pem | |
Download these files to client, with scp or ftp. Use them for Strongswan vpn connection. | |
## Referenece | |
* [linux上用strongswan搭建ikev2协议vpn.md][3] | |
* [How to save rules of the iptables?][4] | |
* [How To Set Up a Firewall Using IPTables on Ubuntu 14.04][5] | |
* [How to make IP forwarding permanent?][6] | |
* [IPsec-based VPN Server (简体中文)][7] | |
* [strongSwan Configuration][8] | |
[1]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent | |
[2]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29 | |
[3]: https://gist.github.com/losisli/11081793 | |
[4]: http://askubuntu.com/questions/119393/how-to-save-rules-of-the-iptables | |
[5]: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04 | |
[6]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent | |
[7]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29 | |
[8]: https://github.com/strongswan/strongswan |
If think ss_cert.pem
is server_cert.pem
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am sorry but where is the ss_cert.pem?