@tracyhatemice
Forked from izhaomin/ipsec.sh
Created October 29, 2015 12:08
Deploy a strongSwan IPsec VPN gateway on Debian/Ubuntu, built from source (experimental; the PSK and EAP password below are placeholders that must be replaced before use).
#!/bin/bash
# for KVM and XEN, modification required for OpenVZ
apt-get -y update
apt-get -y upgrade
apt-get -y install libpam0g-dev libssl-dev make gcc
wget http://download.strongswan.org/strongswan-5.3.0.tar.gz
tar zxvf strongswan-5.3.0.tar.gz
cd strongswan-5.3.0
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp
make
make install
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=DEMO, O=DEMO, CN=DEMO" --ca --outform pem >ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=DEMO, O=DEMO, CN=domain.name" --san="domain.name" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=DEMO, O=DEMO, CN=DEMO" --outform pem > client.cert.pem
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem /usr/local/etc/ipsec.d/private/
rm ca.cert.pem
rm server.cert.pem
rm server.pem
rm client.cert.pem
rm client.pem
curl https://gist.githubusercontent.com/izhaomin/005aa59ef1b6bf5d8037/raw/127e1074b5cce36de5f2939749c9fc934c17f799/ipsec.conf > /usr/local/etc/ipsec.conf
curl https://gist.githubusercontent.com/izhaomin/379374909745713842b0/raw/86b2be27e5cda7e5d6109955b391e1ba34d197e5/strongswan.conf > /usr/local/etc/strongswan.conf
echo ": RSA server.pem" > /usr/local/etc/ipsec.secrets
echo ": PSK "ipsecpsk"" >> /usr/local/etc/ipsec.secrets
echo ": XAUTH "ipsecpsk"" >> /usr/local/etc/ipsec.secrets
echo "username %any : EAP "password"" >> /usr/local/etc/ipsec.secrets
sysctl -w net.ipv4.ip_forward=1
sysctl -p
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.1.0.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
#sed -i '$i\/usr/sbin/ipsec start' /etc/rc.local
apt-get install iptables-persistent