@dzcpy
Last active June 2, 2023 07:11
Setup Strongswan IKEv2 VPN server on Debian 10 with Let's Encrypt
#!/bin/bash
# Setup Strongswan IKEv2 VPN server on Debian 10 with Let's Encrypt.
# Run as root. Clients authenticate with EAP-MSCHAPv2 (user name + password);
# the server authenticates with its Let's Encrypt certificate.
set -euo pipefail

apt update && apt upgrade -y
apt install strongswan strongswan-pki libcharon-extra-plugins wget certbot -y
DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent

# Parameters: the -i value is shown as an editable default, so the answer
# lands directly in the variable (no second assignment needed).
HOST_NAME="vpn.example.com"
read -e -i "$HOST_NAME" -p "VPN host name: " HOST_NAME
LOCAL_SUBNET="172.19.240.0/20"
read -e -i "$LOCAL_SUBNET" -p "NAT subnet for clients of this VPN: " LOCAL_SUBNET
VPN_USER="VPN"
read -e -i "$VPN_USER" -p "VPN user name: " VPN_USER
VPN_PASS="PASSWORD"
read -e -i "$VPN_PASS" -p "VPN password (replace the default; no double quotes): " VPN_PASS

# Public address and interface of the default route (iproute2 only, no net-tools).
DEFAULT_IP="$(ip -o route get to 1.1.1.1 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')"
DEFAULT_IFACE="$(ip -o route get to 1.1.1.1 | sed -n 's/.*dev \([^ ]\+\).*/\1/p')"

# Let's Encrypt intermediate. chain.pem (linked below) carries the intermediate
# that actually signed the certificate, so this pinned copy is only a fallback.
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ipsec.d/cacerts/lets-encrypt-r3.pem

# --standalone binds TCP 80, which must be reachable from the Internet.
certbot certonly --standalone -d "${HOST_NAME}" --rsa-key-size 2048 --staple-ocsp --agree-tos --register-unsafely-without-email

# Hard-link the current certificate files into the strongSwan directories.
# ln -L follows the live/ symlinks, so the links point at the archive files.
# Do not chmod -R 755 /etc/letsencrypt: that would make privkey.pem world-readable.
ln -L -f "/etc/letsencrypt/live/${HOST_NAME}/cert.pem" /etc/ipsec.d/certs/cert.pem
ln -L -f "/etc/letsencrypt/live/${HOST_NAME}/chain.pem" /etc/ipsec.d/cacerts/chain.pem
ln -L -f "/etc/letsencrypt/live/${HOST_NAME}/privkey.pem" /etc/ipsec.d/private/privkey.pem
chmod 600 /etc/ipsec.d/private/privkey.pem

# After a renewal the hard links still point at the old archive files, so a
# certbot deploy hook re-links them and restarts strongSwan (this briefly
# drops active tunnels; clients reconnect).
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh <<'EOF'
#!/bin/sh
set -e
ln -L -f "${RENEWED_LINEAGE}/cert.pem" /etc/ipsec.d/certs/cert.pem
ln -L -f "${RENEWED_LINEAGE}/chain.pem" /etc/ipsec.d/cacerts/chain.pem
ln -L -f "${RENEWED_LINEAGE}/privkey.pem" /etc/ipsec.d/private/privkey.pem
chmod 600 /etc/ipsec.d/private/privkey.pem
ipsec restart
EOF
chmod 755 /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh

# Server key and the EAP user database; keep this file root-only.
cat > /etc/ipsec.secrets <<EOF
${HOST_NAME} : RSA privkey.pem
${VPN_USER} %any : EAP "${VPN_PASS}"
EOF
chmod 600 /etc/ipsec.secrets

# ipsec.conf: section headers at column 0, settings indented (the parser
# requires it). No ike=/esp= lines are given, so strongSwan's defaults apply.
cat > /etc/ipsec.conf <<EOF
config setup
    uniqueids=never
    strictcrlpolicy=no

conn vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@${HOST_NAME}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=1.1.1.1,8.8.8.8
    rightsourceip=${LOCAL_SUBNET}
    rightsendcert=never
    eap_identity=%identity
EOF

# Forwarding for the VPN clients; ignore and suppress ICMP redirects.
cat > /etc/sysctl.d/ipsec.conf <<EOF
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_no_pmtu_disc=1
net.ipv4.conf.all.rp_filter=1
EOF
sysctl -p /etc/sysctl.d/ipsec.conf

# Firewall: forward and NAT client traffic, and let IKE (UDP 500), NAT-T
# (UDP 4500) and plain ESP reach the daemon. IKE is UDP only, never TCP 500.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "${LOCAL_SUBNET}" -j ACCEPT
iptables -A INPUT -i "${DEFAULT_IFACE}" -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i "${DEFAULT_IFACE}" -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i "${DEFAULT_IFACE}" -p esp -j ACCEPT
iptables -t nat -A POSTROUTING -s "${LOCAL_SUBNET}" -o "${DEFAULT_IFACE}" -j SNAT --to-source "${DEFAULT_IP}"
iptables-save > /etc/iptables/rules.v4
ipsec restart
dzcpy (Author) commented Jun 22, 2021

I. Server:

  1. Upload the install-ikev2.sh script to a directory on the server, for example /root/my_certs; after installation this directory keeps the certificates generated during the install. Before installing you can edit the first few lines of the script, which hold the variables for the clients' local IP range and the user name and password.
  2. After installation, download the client.cert.pem certificate from that directory; it is the client certificate and is needed when connecting.
  3. Diagnostics
    ipsec stop
    ipsec start --nofork --debug-more

II. Linux client (Debian stretch):

  1. Install the packages
    sudo apt update && sudo apt upgrade -y
    sudo apt install strongswan libcharon-extra-plugins
  2. Then edit the user/password file
    sudo nano /etc/ipsec.secrets
    Keep the user name and password identical to the server's; format (same as the server's secrets line):
    {USER_NAME} %any : EAP "{PASSWORD}"
  3. Install the certificate
    Upload the ca.cert.pem generated when installing the server to the client at
    /etc/ipsec.d/cacerts/ca.cert.pem
  4. Edit the configuration
    sudo nano /etc/ipsec.conf
    and add the following lines:
conn vpn
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        eap_identity="${USER_NAME}"
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=${SERVER}
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=%${SERVER}
        # rightca takes the CA's distinguished name, not a file path; a CA
        # placed in /etc/ipsec.d/cacerts is loaded and trusted automatically,
        # so the line below is not needed (strongSwan discards it with a warning)
        #rightca=/etc/ipsec.d/cacerts/ca.cert.pem
        type=tunnel
        auto=add

    ${USER_NAME}: replace with the user name set when installing the server
    ${SERVER}: the server's domain name or IP
  5. Restart ipsec
    sudo ipsec restart
    ipsec up vpn

III. Windows client

https://jingyan.baidu.com/album/fea4511ac122abf7bb91252d.html
If a policy mismatch error is shown, set
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256, type DWORD, to 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule, type DWORD, to 2
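The server script and the Linux client snippet both write ipsec.conf sections by hand, and the format is unforgiving: a section header sits at column 0 and every setting that belongs to it must be indented, while values such as rightca are distinguished names rather than paths. The following is an added example, not code from the gist or from strongSwan: a small parser for that format plus a linter that flags the points a reviewer would raise on the configs above (no explicit ike=/esp= proposals, strictcrlpolicy=no, a path where a DN is expected). The SERVER_CONF and CLIENT_CONF strings are constructed here to mirror the page's two configs; vpn.example.com and the user name VPN are the page's placeholders.

```python
"""Parse and lint strongSwan ipsec.conf sections (added example, not from the gist)."""
import re
from typing import Dict, List, Tuple

Section = Tuple[str, str, Dict[str, str]]  # (type, name, settings)

# Constructed sample mirroring the server conn of the script, properly indented.
SERVER_CONF = """\
config setup
    uniqueids=never
    strictcrlpolicy=no

conn vpn
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.com
    leftcert=cert.pem
    leftsendcert=always
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
"""

# Constructed sample mirroring the client snippet, with rightca given as a
# file path (which strongSwan does not accept as a CA constraint).
CLIENT_CONF = """\
conn vpn
    keyexchange=ikev2
    eap_identity="VPN"
    leftauth=eap-mschapv2
    left=%defaultroute
    right=vpn.example.com
    rightauth=pubkey
    rightid=%vpn.example.com
    rightca=/etc/ipsec.d/cacerts/ca.cert.pem
"""


def parse_ipsec_conf(text: str) -> List[Section]:
    """Return (type, name, settings) per section, following ipsec.conf(5):
    'type name' at column 0 opens a section, indented lines are its settings.
    A key=value line at column 0 is a broken header and raises ValueError."""
    sections: List[Section] = []
    current: Dict[str, str] = {}
    have_section = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\s#.*$", "", raw).rstrip()  # whitespace + '#' starts a comment
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":  # column 0: must be a section header
            parts = line.split()
            if len(parts) != 2 or "=" in line:
                raise ValueError(f"line {lineno}: expected 'type name' header, got {line!r}")
            current = {}
            sections.append((parts[0], parts[1], current))
            have_section = True
            continue
        if not have_section:
            raise ValueError(f"line {lineno}: setting before any section header")
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        current[key.strip()] = value.strip()
    return sections


def is_well_formed(text: str) -> bool:
    """True when the text parses; False on the errors parse_ipsec_conf raises."""
    try:
        parse_ipsec_conf(text)
        return True
    except ValueError:
        return False


def lint_setup(setup: Dict[str, str]) -> List[str]:
    """Findings for the 'config setup' section."""
    findings = []
    if setup.get("strictcrlpolicy", "no") == "no":  # 'no' is also the default
        findings.append("strictcrlpolicy=no: certificates are accepted even when no fresh CRL is available")
    return findings


def lint_conn(conn: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise on a conn section."""
    findings = []
    if "ike" not in conn or "esp" not in conn:
        findings.append("no explicit ike=/esp= proposals: the installed strongSwan build's defaults decide the ciphers")
    if conn.get("rightauth", "").startswith("eap") and conn.get("leftsendcert") != "always":
        findings.append("EAP responder without leftsendcert=always: clients may not receive the server certificate")
    for side in ("leftca", "rightca"):
        ca = conn.get(side)
        if ca and ca != "%same" and "=" not in ca:
            findings.append(f"{side}={ca!r} is not a DN; strongSwan expects the CA's subject DN, not a file path")
    if conn.get("keyexchange", "ike") != "ikev2":
        findings.append("keyexchange is not pinned to ikev2")
    return findings


if __name__ == "__main__":
    for label, text in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for kind, name, settings in parse_ipsec_conf(text):
            for problem in (lint_setup(settings) if kind == "config" else lint_conn(settings)):
                print(f"{label} {kind} {name}: {problem}")
```

Run it as-is to see the findings for both constructed configs, or point parse_ipsec_conf at the text of a real /etc/ipsec.conf; a config whose settings lost their indentation (as happens when the file is pasted through a tab-stripping heredoc) is rejected outright rather than silently mis-parsed.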

dzcpy (Author) commented Jun 23, 2021

Adding the VPN on a Windows client

Add-VpnConnection -Name "My VPN" -ServerAddress vpn.example.com -TunnelType IKEv2 -AuthenticationMethod EAP -EncryptionLevel Maximum -RememberCredential:$True -SplitTunnel:$False -PassThru
Set-VpnConnectionIPsecConfiguration -ConnectionName "My VPN" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup Pfs2048 -PassThru -Force

Fix for Windows 10 when the VPN connects but the IP does not change

  1. Open the virtual private network (VPN) settings;
  2. Right-click the VPN dial-up entry and choose "Properties";
  3. On the "Networking" tab, select "Internet Protocol (TCP/IP)" and click "Properties";
  4. Click the "Advanced" button;
  5. Tick "Use default gateway on remote network"; that is all.
