Deploy Strongswan IPSec VPN on Debian/Ubuntu (Experimental)
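#!/bin/bash
# Deploy a strongSwan IKE/IPsec gateway on Debian/Ubuntu (experimental).
# Builds strongSwan from source, creates a throw-away CA plus a server and a
# client certificate, writes ipsec.secrets, enables forwarding and NAT.
# for KVM and XEN, modification required for OpenVZ
#
# Tunable via environment variables (defaults in parentheses):
#   STRONGSWAN_VERSION  release to build (5.3.0 — dated; prefer a current release)
#   STRONGSWAN_SHA256   expected SHA-256 of the tarball; verified only when set
#   VPN_DOMAIN          CN / SAN of the server certificate (domain.name)
#   VPN_IFACE           public interface used in firewall and NAT rules (eth0)
#   VPN_SUBNET          client pool allowed to forward and be NATed (10.1.0.0/24)
#   VPN_USER            EAP username (username)
#   IPSEC_PSK           PSK / XAUTH secret (random when unset)
#   VPN_PASSWORD        EAP password for VPN_USER (random when unset)
#
# Must run as root. Keys are generated with umask 077 and installed 0600.
set -euo pipefail

readonly STRONGSWAN_VERSION=${STRONGSWAN_VERSION:-5.3.0}
readonly STRONGSWAN_SHA256=${STRONGSWAN_SHA256:-}
readonly VPN_DOMAIN=${VPN_DOMAIN:-domain.name}
readonly VPN_IFACE=${VPN_IFACE:-eth0}
readonly VPN_SUBNET=${VPN_SUBNET:-10.1.0.0/24}
readonly VPN_USER=${VPN_USER:-username}
# ./configure's default prefix puts the config tree under /usr/local/etc.
readonly IPSEC_ETC=/usr/local/etc
readonly IPSEC_D="${IPSEC_ETC}/ipsec.d"

export DEBIAN_FRONTEND=noninteractive
apt-get -y update
apt-get -y upgrade
# wget/curl/openssl are used below but were not guaranteed to be present.
apt-get -y install libpam0g-dev libssl-dev make gcc wget curl openssl

# --- build strongSwan from source ------------------------------------------
tarball="strongswan-${STRONGSWAN_VERSION}.tar.gz"
wget -O "$tarball" "https://download.strongswan.org/${tarball}"
if [[ -n "$STRONGSWAN_SHA256" ]]; then
  # Fail the deployment if the download does not match the pinned digest.
  printf '%s  %s\n' "$STRONGSWAN_SHA256" "$tarball" | sha256sum -c -
fi
tar zxf "$tarball"
cd "strongswan-${STRONGSWAN_VERSION}"
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
  --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
  --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam \
  --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools --disable-gmp
make
make install
cd ..

# --- PKI: throw-away CA, server cert, one client cert -----------------------
# Private keys must never be world-readable, even transiently in the build dir.
umask 077
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=DEMO, O=DEMO, CN=DEMO" --ca --outform pem > ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=DEMO, O=DEMO, CN=${VPN_DOMAIN}" --san="${VPN_DOMAIN}" \
      --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=DEMO, O=DEMO, CN=DEMO" --outform pem > client.cert.pem

install -m 644 ca.cert.pem "${IPSEC_D}/cacerts/"
install -m 644 server.cert.pem "${IPSEC_D}/certs/"
install -m 600 server.pem "${IPSEC_D}/private/"
# The client key/cert are kept here only so they can be exported to the
# client; remove them from the gateway once the client is provisioned.
install -m 644 client.cert.pem "${IPSEC_D}/certs/"
install -m 600 client.pem "${IPSEC_D}/private/"
# Keep the CA key 0600 under private/ rather than leaving it in the build dir.
install -m 600 ca.pem "${IPSEC_D}/private/"
rm -f -- ca.pem ca.cert.pem server.cert.pem server.pem client.cert.pem client.pem

# --- daemon configuration ---------------------------------------------------
# NOTE: both files come from a third party's gist pinned by revision; review
# their contents before using this on anything but a test host.
curl -fsSL --proto '=https' \
  https://gist.githubusercontent.com/izhaomin/005aa59ef1b6bf5d8037/raw/127e1074b5cce36de5f2939749c9fc934c17f799/ipsec.conf \
  -o "${IPSEC_ETC}/ipsec.conf"
curl -fsSL --proto '=https' \
  https://gist.githubusercontent.com/izhaomin/379374909745713842b0/raw/86b2be27e5cda7e5d6109955b391e1ba34d197e5/strongswan.conf \
  -o "${IPSEC_ETC}/strongswan.conf"

# Secrets: random unless supplied, instead of the fixed literals that every
# copy of this script would otherwise share.
ipsec_psk=${IPSEC_PSK:-$(openssl rand -base64 24)}
vpn_password=${VPN_PASSWORD:-$(openssl rand -base64 18)}
# printf keeps the surrounding double quotes that the original nested-echo
# form silently dropped.
{
  printf ': RSA server.pem\n'
  printf ': PSK "%s"\n' "$ipsec_psk"
  printf ': XAUTH "%s"\n' "$ipsec_psk"
  printf '%s %%any : EAP "%s"\n' "$VPN_USER" "$vpn_password"
} > "${IPSEC_ETC}/ipsec.secrets"
chmod 600 "${IPSEC_ETC}/ipsec.secrets"

# --- forwarding and firewall ------------------------------------------------
sysctl -w net.ipv4.ip_forward=1
# Persist across reboots. A bare `sysctl -p` only re-reads /etc/sysctl.conf
# and would undo the -w above if that file sets ip_forward=0.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ipsec-forward.conf
sysctl --system

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$VPN_SUBNET" -j ACCEPT
iptables -A INPUT -i "$VPN_IFACE" -p esp -j ACCEPT
iptables -A INPUT -i "$VPN_IFACE" -p udp --dport 500 -j ACCEPT
# IKE runs over UDP only; the former tcp/500 rule opened a port nothing serves.
iptables -A INPUT -i "$VPN_IFACE" -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$VPN_IFACE" -j MASQUERADE
#sed -i '$i\/usr/sbin/ipsec start' /etc/rc.local
# Save the rule set explicitly instead of relying on the package's
# install-time debconf prompt.
apt-get -y install iptables-persistent
iptables-save > /etc/iptables/rules.v4

# Do not print the secrets themselves; they are in ipsec.secrets (mode 0600).
printf 'strongSwan %s installed; PSK and EAP password for "%s" are in %s/ipsec.secrets\n' \
  "$STRONGSWAN_VERSION" "$VPN_USER" "$IPSEC_ETC" >&2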