IPSEC VPN on Centos6 with StrongSwan for iOS9
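#!/bin/bash
# IKEv2/IPsec VPN gateway setup for CentOS 6 with strongSwan (iOS 9 client).
## Main reference https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
#
# Everything below writes under /etc and manages services, so refuse to run
# unprivileged instead of failing half-way through with a partial config.
if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi
# EPEL provides both strongswan and haveged on CentOS 6.  Stop if either
# install fails: every later step assumes /etc/strongswan exists.
yum -y install epel-release || exit 1
yum -y install haveged strongswan || exit 1
# haveged tops up the kernel entropy pool so the 4096/2048-bit RSA key
# generation further down does not stall on an entropy-starved VM.
/etc/init.d/haveged start
chkconfig haveged on
# All configuration and PKI paths below are relative to this directory.
cd /etc/strongswan || exit 1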
# Replace the packaged /etc/strongswan/strongswan.conf (cwd is /etc/strongswan).
# The heredoc delimiter is quoted, so bash writes the file verbatim.
# load_modular pulls per-plugin settings from strongswan.d/charon/*.conf; the
# openssl block spells out fips_mode = 0 (the non-FIPS default) for both charon
# and the pki tool used later in this script.  dns1/dns2 stay commented:
# client DNS is handed out through rightdns in ipsec.conf instead.
cat > strongswan.conf <<'EOF'
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
#duplicheck.enable = no
#install_virtual_ip = yes
#dns1 = 8.8.8.8
#dns2 = 8.8.4.4
plugins {
include strongswan.d/charon/*.conf
openssl {
fips_mode = 0
}
}
}
pki {
plugins {
openssl {
fips_mode = 0
}
}
}
include strongswan.d/*.conf
EOF
# Write /etc/strongswan/ipsec.conf (cwd is /etc/strongswan).  Notes, since the
# heredoc is literal and cannot carry shell comments of its own:
#  - conn %default: no ike=/esp= proposals are set, so this strongSwan build's
#    defaults apply to every conn.  NOTE(review): check what those defaults are
#    on the installed version and pin proposals that iOS 9 supports explicitly.
#  - leftsubnet=0.0.0.0/0 is a full tunnel: all client traffic is sent here and
#    masqueraded out by the iptables rule further down.
#  - rightsourceip=10.86.86.0/24 is the client address pool; the NAT rule
#    further down uses the same prefix and the two must stay in sync.
#  - rekey=no: the gateway never initiates rekeying; it relies on the client.
#  - dpdaction=clear / dpddelay=300s: dead-peer-detection probes every 300s;
#    an unresponsive peer's SA is cleared rather than restarted.
#  - conn IPSec-IKEv2: no rightauth, so the default (public-key) client
#    authentication applies — this is the conn for per-user certificates.
#  - conn IPSec-IKEv2-EAP: username/password (EAP-MSCHAPv2) over the same
#    gateway certificate.  leftid must match the gateway certificate's CN/SAN
#    and the "Remote ID" typed into the iPhone; rightsendcert=never because
#    the client has no certificate to send.
#  - conn CiscoIPSec: IKEv1 with RSA + XAuth for the legacy "Cisco IPSec"
#    client type; forceencaps=yes forces UDP encapsulation even without NAT.
#    NOTE(review): XAuth credentials are looked up in ipsec.secrets, which only
#    defines an EAP entry below — confirm this build accepts it for XAUTH.
cat > ipsec.conf <<'EOF'
# ipsec.conf - strongSwan IPsec configuration file
#https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
config setup
#charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
#uniqueids=never
#https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
keyexchange=ikev2
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.der
right=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.86.86.0/24
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
conn IPSec-IKEv2-EAP
leftsendcert=always
leftid=@vpn.example.com
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
conn CiscoIPSec
keyexchange=ikev1
forceencaps=yes
authby=xauthrsasig
xauth=server
auto=add
EOF
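# Write /etc/strongswan/ipsec.secrets (cwd is /etc/strongswan):
#   - the gateway's private key, referenced relative to ipsec.d/private/
#   - one EAP username/password pair, used by conn IPSec-IKEv2-EAP
# The credential can be supplied through the environment (VPN_USER/VPN_PASS)
# so it never has to be committed together with the script.  The defaults
# only preserve the original behaviour: "1234" is trivially guessable and
# MUST be replaced before the gateway is reachable from the Internet.
# The password is written between double quotes, so it must not contain '"'.
VPN_USER="${VPN_USER:-example}"
VPN_PASS="${VPN_PASS:-1234}"
# The file holds a cleartext password: make sure it is 0600 before anything
# is written into it, whether it is created here or was left by the package.
( umask 077; : > ipsec.secrets )
chmod 600 ipsec.secrets
cat > ipsec.secrets <<EOF
: RSA vpnHostKey.der
${VPN_USER} : EAP "${VPN_PASS}"
EOF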
# Write strongswan.d/charon-logging.conf (picked up through the
# "include strongswan.d/*.conf" line of strongswan.conf).  It sends charon's
# log to /var/log/charon.log at level 1 for every subsystem, with a compact
# timestamp.  The commented knobs raise individual subsystems for debugging;
# levels >= 2 are verbose and may record peer addresses and identities, so if
# they are enabled, treat the log file as sensitive and turn them back down.
cat > strongswan.d/charon-logging.conf <<'EOF'
charon {
# Section to define file loggers, see LOGGER CONFIGURATION in
# strongswan.conf(5).
filelog {
/var/log/charon.log {
#flush_line = yes
#job = -1
#enc = 1
#asn = 2
#net = 2
#ike = 2
#default = 2
default = 1
time_format = %Y%m%d%H%M%S
}
}
}
EOF
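# --- CA and gateway certificate (paths relative to /etc/strongswan) ---
# Private keys are generated inside a subshell with umask 077 so they are
# never readable by other users, not even between creation and the chmod;
# the umask is scoped to the subshell and does not leak into later steps.
# Every generation/signing step aborts the script on failure: otherwise an
# empty .der file would be produced and only fail much later, at IKE time.

# 4096-bit root CA key and a 10-year self-signed CA certificate.
# NOTE: the CA key stays on the gateway, so a compromised gateway can mint
# arbitrary client certificates — move it off the box once issuing is done.
( umask 077; strongswan pki --gen --type rsa --size 4096 --outform der > ipsec.d/private/strongswanKey.der ) || exit 1
chmod 600 ipsec.d/private/strongswanKey.der
strongswan pki --self --ca --lifetime 3650 --in ipsec.d/private/strongswanKey.der --type rsa \
  --dn "C=CN, O=Leo Company, CN=Leo Root CA" --outform der > ipsec.d/cacerts/strongswanCert.der || exit 1
# PEM copy of the CA certificate: this is the file installed on the iPhone.
openssl x509 -inform DER -in ipsec.d/cacerts/strongswanCert.der -out ipsec.d/cacerts/strongswanCert.pem -outform PEM || exit 1
#strongswan pki --print --in ipsec.d/cacerts/strongswanCert.der

# 2048-bit gateway key and a 2-year certificate signed by the CA above.
( umask 077; strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/vpnHostKey.der ) || exit 1
chmod 600 ipsec.d/private/vpnHostKey.der
# Overridable from the environment; the defaults keep the original values.
CN_NAME="${CN_NAME:-vpn.example.com}"   # must equal leftid in ipsec.conf and the iPhone's "Remote ID"
CN_IP="${CN_IP:-192.168.199.131}"       # address the clients connect to
# iOS is known to require the serverAuth/ikeIntermediate flags and a SAN
# matching the gateway identity; the "@${CN_IP}" SAN is kept as in the
# original invocation.
strongswan pki --pub --in ipsec.d/private/vpnHostKey.der --type rsa \
  | strongswan pki --issue --lifetime 730 \
      --cacert ipsec.d/cacerts/strongswanCert.der --cakey ipsec.d/private/strongswanKey.der \
      --dn "C=CN, O=Leo Company, CN=${CN_NAME}" --san "${CN_NAME}" --san "${CN_IP}" --san "@${CN_IP}" \
      --flag serverAuth --flag ikeIntermediate --outform der > ipsec.d/certs/vpnHostCert.der || exit 1
#strongswan pki --print --in ipsec.d/certs/vpnHostCert.der
#openssl x509 -inform DER -in ipsec.d/certs/vpnHostCert.der -noout -text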
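# Start charon now and at boot.  A failed start is reported but does not stop
# the script: the firewall and sysctl work below is still wanted.
/etc/init.d/strongswan start || echo "warning: strongswan failed to start, check /var/log/charon.log" >&2
chkconfig strongswan on
# Kernel settings a VPN gateway needs: IP forwarding for the clients' traffic,
# and ICMP redirects neither accepted (route injection) nor sent (leaks route
# hints to clients).  The block is tagged with a marker so re-running the
# script does not append duplicates; with sysctl -p the last value of a key
# wins, so this overrides the stock ip_forward = 0 earlier in the file.
if ! grep -q '^# strongswan-vpn' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf <<'EOF'
# strongswan-vpn
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
fi
sysctl -p
# Overridable from the environment; the defaults keep the original values.
WAN_IF="${WAN_IF:-eth0}"                  # interface holding the public address
VPN_POOL="${VPN_POOL:-10.86.86.0/24}"     # must match rightsourceip in ipsec.conf
# Let IKE (UDP 500), NAT-T (UDP 4500) and raw ESP reach charon, and forward
# only the VPN pool's traffic plus its return traffic.  Rules are inserted at
# the top so they also work with the stock CentOS 6 ruleset, which ends INPUT
# and FORWARD with a REJECT that would otherwise swallow them.
iptables -I INPUT -i "$WAN_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT -i "$WAN_IF" -p esp -j ACCEPT
iptables -I FORWARD -s "$VPN_POOL" -j ACCEPT
iptables -I FORWARD -d "$VPN_POOL" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade client traffic leaving through the WAN interface; client-to-client
# traffic inside the pool is left untouched.
iptables -t nat -A POSTROUTING -s "$VPN_POOL" ! -d "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
# Persist to /etc/sysconfig/iptables so the rules survive a reboot.
/etc/init.d/iptables save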
# Copy /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your iPhone and install it.
# (It is only the public CA certificate, but transfer it over a channel you trust:
# a client that installs a substituted CA will trust an impostor gateway.)
# Then Settings --> General --> VPN --> Add VPN Configuration...
# Description: myVPN (whatever)
# Server: your_CentOS_server_IP (CN_IP above)
# Remote ID: vpn.example.com (in ipsec.conf, option leftid's value)
# User Authentication: Username
# Username: example (in ipsec.secrets)
# Password: 1234 (in ipsec.secrets -- change this default before the server goes live)
####################
#### For Users
####################
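# Per-user client key + certificate for the certificate-authenticated conn
# (IPSec-IKEv2), bundled as PKCS#12 for import on the iPhone.
# The user's private key is created on the gateway and ends up in three
# copies here (DER, PEM, inside Leo.p12).  All are created under umask 077 so
# nobody else on the host can read them; once the .p12 has been delivered to
# the user, delete the key and the bundle — the gateway only needs the CA to
# verify the client, never the client's private key.
(
  umask 077
  strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/LeoKey.der || exit 1
  chmod 600 ipsec.d/private/LeoKey.der
  # 2-year user certificate; the e-mail address is used as both CN and SAN.
  strongswan pki --pub --in ipsec.d/private/LeoKey.der --type rsa \
    | strongswan pki --issue --lifetime 730 \
        --cacert ipsec.d/cacerts/strongswanCert.der --cakey ipsec.d/private/strongswanKey.der \
        --dn "C=CN, O=Leo Company, CN=leolovenet@gmail.com" --san "leolovenet@gmail.com" \
        --outform der > ipsec.d/certs/LeoCert.der || exit 1
  # PEM forms exist only as input for the PKCS#12 export below.
  openssl rsa -inform DER -in ipsec.d/private/LeoKey.der -out ipsec.d/private/LeoKey.pem -outform PEM || exit 1
  openssl x509 -inform DER -in ipsec.d/certs/LeoCert.der -out ipsec.d/certs/LeoCert.pem -outform PEM || exit 1
  # openssl prompts for an export password (iOS asks for it on import); use a
  # real one — it is all that protects the private key while in transit.
  openssl pkcs12 -export -inkey ipsec.d/private/LeoKey.pem -in ipsec.d/certs/LeoCert.pem \
    -name "Leo's VPN Certificate" -certfile ipsec.d/cacerts/strongswanCert.pem -caname "Leo Root CA" -out Leo.p12 || exit 1
) || exit 1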