Created
April 17, 2016 02:38
-
-
Save ramann/edf9b78629af17946d6951b2013a69a0 to your computer and use it in GitHub Desktop.
strongswan notes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| conn base | |
| keyexchange=ikev2 | |
| ike=aes256gcm128-sha512-modp8192! | |
| esp=aes256gcm128-sha512-modp8192! | |
| rightcert=peerCertServer.pem | |
| leftsourceip=%modecfg | |
| rightsubnet=0.0.0.0/0 | |
| leftcert=peerCertClient.pem | |
| #leftid="C=CH, O=strongSwan, CN=peerClient" | |
| conn max1 | |
| also=base | |
| auto=add | |
| right=123.123.123.123 #server ip |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| : RSA peerKeyClient.pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #CA | |
| ipsec pki --gen --outform pem > caKey.pem | |
| ipsec pki --self --in caKey.pem --outform pem --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.pem | |
| #Client | |
| ipsec pki --gen --outform pem > peerKeyClient.pem | |
| ipsec pki --pub --in peerKeyClient.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --outform pem --dn "C=CH, O=strongSwan, CN=peerClient" > peerCertClient.pem | |
| #Server | |
| ipsec pki --gen --outform pem > peerKeyServer.pem | |
| ipsec pki --pub --in peerKeyServer.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --outform pem --dn "C=CH, O=strongSwan, CN=peerServer" > peerCertServer.pem | |
| sudo cp caCert.pem /etc/ipsec.d/cacerts | |
| sudo cp peerCertClient.pem /etc/ipsec.d/certs | |
| sudo cp peerCertServer.pem /etc/ipsec.d/certs | |
| sudo cp peerKeyClient.pem /etc/ipsec.d/private | |
| scp caCert.pem root@someserver:/etc/ipsec.d/cacerts | |
| scp peerCertClient.pem root@someserver:/etc/ipsec.d/certs | |
| scp peerCertServer.pem root@someserver:/etc/ipsec.d/certs | |
| scp peerKeyServer.pem root@someserver:/etc/ipsec.d/private |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| config setup | |
| charondebug="ike 2, cfg 2" | |
| # strictcrlpolicy=yes | |
| # uniqueids = no | |
| conn %default | |
| leftcert=peerCertServer.pem | |
| auto=add | |
| dpdaction=clear | |
| dpddelay=300s | |
| dpdtimeout=1h | |
| conn rw | |
| leftfirewall=yes | |
| leftsubnet=0.0.0.0/0 | |
| right=%any | |
| rightcert=peerCertClient.pem | |
| rightsourceip=10.11.12.13 | |
| ike = aes256gcm128-sha512-modp8192! | |
| esp = aes256gcm128-sha512-modp8192! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| : RSA peerKeyServer.pem |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment