@izhaomin
Last active July 26, 2023 03:13
Config for Strongswan IPSec VPN
#!/bin/bash
# Generate a demo CA plus server and client certificates for strongSwan,
# write the secrets file and open the firewall for IKE and ESP.
set -e

# CA private key and self-signed CA certificate
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=DEMO, O=DEMO, CN=DEMO" --ca --outform pem > ca.cert.pem

# Server key and certificate. The SAN must match the name clients connect to;
# serverAuth and ikeIntermediate are the EKU flags most IKEv2 clients require.
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=DEMO, O=DEMO, CN=domain.name" --san="domain.name" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

# Client key and certificate (copy both to the client along with ca.cert.pem)
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=DEMO, O=DEMO, CN=DEMO" --outform pem > client.cert.pem

# Install into the strongSwan certificate directories
mv ca.cert.pem /etc/ipsec.d/cacerts/
mv server.cert.pem /etc/ipsec.d/certs/
mv server.pem /etc/ipsec.d/private/
mv client.cert.pem /etc/ipsec.d/certs/
mv client.pem /etc/ipsec.d/private/

# ipsec.conf and strongswan.conf are not included in this gist; install your own copies:
# cat ipsec.conf > /etc/ipsec.conf
# cat strongswan.conf > /etc/strongswan.conf

# Secrets. Single quotes are needed so the inner double quotes reach the file;
# echo ": PSK "ipsecpsk"" would write an unquoted ": PSK ipsecpsk".
# All entries go into the same /etc/ipsec.secrets file.
echo ': RSA server.pem' > /etc/ipsec.secrets
echo ': PSK "ipsecpsk"' >> /etc/ipsec.secrets
echo ': XAUTH "ipsecpsk"' >> /etc/ipsec.secrets
echo 'username %any : EAP "password"' >> /etc/ipsec.secrets

# Firewall: accept IKE (UDP 500), NAT-T (UDP 4500) and ESP on the public interface,
# then forward and masquerade the VPN client pool. IKE runs over UDP only,
# so no TCP/500 rule is needed.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.1.0.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
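The secrets file is the part of this setup that is easiest to get subtly wrong, because bash swallows the inner double quotes in `echo ": PSK "ipsecpsk""`. The following is an added example (not part of the gist) that writes the same four entries with correct quoting and then checks the file against the `[selectors] : TYPE secret` shape before the daemon is restarted. The output path and the secret values are constructed placeholders; `check_secrets` only knows the RSA, PSK, XAUTH and EAP line shapes used here, so extend its patterns if your file carries other entry types.

```shell
#!/bin/bash
# Added example: write ipsec.secrets entries with the quoting strongSwan
# expects and sanity-check the result. Paths and secrets are placeholders.

# Writes a minimal ipsec.secrets to the path given in $1 (mode 600, since it
# holds the PSK and EAP password in clear text).
write_secrets() {
  local out="$1"
  : > "$out"
  chmod 600 "$out"
  # Single quotes keep the inner double quotes intact; echo ": PSK "ipsecpsk""
  # would write ": PSK ipsecpsk" instead.
  echo ': RSA server.pem' >> "$out"
  echo ': PSK "ipsecpsk"' >> "$out"
  echo ': XAUTH "ipsecpsk"' >> "$out"
  echo 'username %any : EAP "password"' >> "$out"
}

# Returns 0 when every non-comment line is either
#   [selectors] : RSA <keyfile>
# or
#   [selectors] : PSK|XAUTH|EAP "<secret>"
# with the secret double-quoted; offending lines are reported on stderr.
check_secrets() {
  local file="$1" rc=0 line
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if printf '%s\n' "$line" | grep -Eq '^[^:]*: RSA [^[:space:]]+$'; then
      continue
    fi
    if printf '%s\n' "$line" | grep -Eq '^[^:]*: (PSK|XAUTH|EAP) "[^"]+"$'; then
      continue
    fi
    echo "bad ipsec.secrets line: $line" >&2
    rc=1
  done < "$file"
  return "$rc"
}

# Usage: ./secrets.sh /etc/ipsec.secrets  (writes the file, then validates it)
if [ -n "${1:-}" ]; then
  write_secrets "$1" && check_secrets "$1"
fi
```

Running the check against a file produced by the gist's unescaped `echo` flags the `: PSK ipsecpsk` line, which is exactly the case that otherwise surfaces only as a failed IKE authentication later.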