
Revisions

  1. @aguegu revised this gist Oct 1, 2014. 1 changed file with 131 additions and 21 deletions.
    152 changes: 131 additions & 21 deletions strongswan ikev2 server on ubuntu 14.04
    @@ -1,34 +1,144 @@
    **平台**: atlantic.net ubuntu 14.04 x64

    # strongswan

    # Basic Strongswan ikev2 server setup
    * paltform: atlantic.net ubuntu 14.04 x64
    * the commands below are run with root account

    ## Strongswan
    ```
    apt-get install build-essential
    apt-get install strongswan
    apt-get install iptables iptables-persistent
    ```

    ## ca
    ### root ca
    ```
    cd ~
    mkdir swan
    cd swan
    ipsec pki --gen --outform pem > ca_key.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongswan, CN=strongswan ca" --ca --outform pem > ca_cert.pem
    ```

    ### server ca
    ```
    ipsec pki --gen --outform pem > server_key.pem
    ipsec pki --pub --in server_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongswan, CN=vpn.strong.com" --san="vpn.strong.com" --outform pem > server_cert.pem
    ```

    ### client ca
    ```
    ipsec pki --gen --outform pem > client_key.pem
    ipsec pki --pub --in client_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    ```

    ### implement ca
    ```
    cp ca_cert.pem /etc/ipsec.d/cacerts/
    cp server_cert.pem /etc/ipsec.d/certs/
    cp server_key.pem /etc/ipsec.d/private/
    ```

    ## conf

    * /etc/ipsec.conf
    ```
    config setup
    # strictcrlpolicy=yes
    # uniqueids = no

    conn %default
    leftcert=server_cert.pem
    auto=add
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1h

    conn rw
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.0.0.0/24
    ```

    * /etc/ipsec.secerts
    ```
    : RSA server_key.pem
    ```

    * /etc/strongswan.conf
    ```
    charon {
    load_modular = yes
    install_virtual_ip = yes

    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    # use the dns provided by vps

    plugins {
    include strongswan.d/charon/*.conf
    }
    }
    ```

    ## system conf

    * [/etc/sysctl.conf][1]
    ```
    net.ipv4.ip_forward = 1
    ```

    * [/etc/iptables/rules.v4][2]
    ```
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Mon Jul 22 14:53:31 2013
    # Generated by iptables-save v1.4.18 on Mon Jul 22 14:53:31 2013
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [432:67301]
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p esp -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT
    -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    COMMIT
    ```

    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    2:然后是服务器端的证书
    ## client settings

    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    3:客户端的证书
    * ss_cert.pem
    * client_key.pem
    * client_cert.pem

    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。
    Download these files to client, with scp or ftp. Use them for Strongswan vpn connection.

    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4:安装证书
    ## Referenece

    * [linux上用strongswan搭建ikev2协议vpn.md][3]
    * [How to save rules of the iptables?][4]
    * [How To Set Up a Firewall Using IPTables on Ubuntu 14.04][5]
    * [How to make IP forwarding permanent?][6]
    * [IPsec-based VPN Server (简体中文)][7]
    * [strongSwan Configuration][8]

    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    客户端安装caCert.pem与clientCert.pem(clientCert.p12)

    ## 三:
    [1]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent
    [2]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29
    [3]: https://gist.github.com/losisli/11081793
    [4]: http://askubuntu.com/questions/119393/how-to-save-rules-of-the-iptables
    [5]: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
    [6]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent
    [7]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29
    [8]: https://github.com/strongswan/strongswan
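Review bot: the CA key is written to ca_key.pem but the following line reads `--in caKey.pem`, so the self-signed CA step fails on a fresh machine; make it `ipsec pki --self --in ca_key.pem ...`. The same naming drift recurs in the hunk: the client issue command writes `clientCert.pem` while the client-settings list expects `client_cert.pem`, and that list names `ss_cert.pem`, which nothing generates (presumably `ca_cert.pem`); `/etc/ipsec.secerts` should be `/etc/ipsec.secrets`. The server certificate is now issued without the `--flag serverAuth --flag ikeIntermediate` that the replaced line carried; Windows 7 IKEv2 clients, which the earlier text targeted, require the serverAuth EKU on the server certificate, so restore those flags. In rules.v4 the FORWARD chain defaults to DROP with no accept rule for 10.0.0.0/24; this only works because `leftfirewall=yes` lets strongSwan's updown script insert forwarding rules per connection at runtime, which deserves a comment next to the policy. Finally, stray lines from the old text (`2:然后是服务器端的证书`, `3:客户端的证书`, `4:安装证书`, `客户端安装caCert.pem与clientCert.pem(clientCert.p12)`) sit inside the new sections, `## 三:` is an empty heading, "Referenece" is misspelled, and references [1]/[6] and [2]/[7] point at identical URLs.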
  2. @aguegu revised this gist Oct 1, 2014. 1 changed file with 5 additions and 67 deletions.
    72 changes: 5 additions & 67 deletions strongswan ikev2 server on ubuntu 14.04
    @@ -1,10 +1,11 @@
    **平台**: atlantic.net ubuntu 14.04 x64

    ## strongswan
    # strongswan


    ```
    # apt-get install build-essential
    # apt-get install strongswan
    apt-get install build-essential
    apt-get install strongswan
    ```

    ## ca
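Review bot: dropping the `# ` prefix is right, since inside the fence it rendered the two commands as comments; but now that strongSwan comes from the package rather than a source build, `build-essential` no longer serves any purpose in this list and can be removed in the same change.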
    @@ -30,67 +31,4 @@
    cp serverKey.pem /etc/ipsec.d/private/
    客户端安装caCert.pem与clientCert.pem(clientCert.p12)

    ## 三:配置strongswan
    1: /etc/ipsec.conf

    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线

    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

    2: /etc/ipsec.secrets

    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    3: /etc/strongswan.conf

    #加入分配的dns
    charon {

    dns1 = 8.8.8.8
    dns2 = 208.67.222.222

    }

    ## 四:配置 Iptables 转发

    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    ## 最后,启动strongswan:

    ipsec start
    滚动日志:

    ipsec start --nofork

    ## 参考链接:
    * http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    * http://si-you.com/?p=1167
    * http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
    ## 三:
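Review bot: this deletion leaves `## 三:` as an empty heading and removes, without replacement in this revision, the parts a working server still depends on: the conn definition, the EAP user entries in ipsec.secrets, the `iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT` rule and the rc.local persistence note. If these are meant to return in a reworked form, the commit should say so; as committed, the document stops short of a functional configuration.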
  3. @aguegu renamed this gist Oct 1, 2014. 1 changed file with 7 additions and 13 deletions.
    @@ -1,20 +1,14 @@
    **平台**DigitalOcean VPS原生ubuntu14.04 x86, strongswan5.1.3
    **平台**: atlantic.net ubuntu 14.04 x64

    ## 一:安装strongswan
    ## strongswan

    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件
    ```
    # apt-get install build-essential
    # apt-get install strongswan
    ```

    **strongswan官网** http://www.strongswan.org/**5.2.0版本地址** http://download.strongswan.org/strongswan-5.2.0.tar.bz2
    ## ca

    wget http://download.strongswan.org/strongswan-5.2.0.tar.bz2
    tar -jxvf strongswan-5.2.0.tar.bz2
    cd strongswan-5.2.0
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

    ## 二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书

    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
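Review bot: the two `apt-get install` lines are prefixed with `# ` inside the fence, which reads as commented-out text rather than root-prompt commands; drop the prefix. Replacing the source build also silently drops the long `--enable-eap-*` configure list; on Ubuntu 14.04 the EAP methods are shipped as separate strongswan-plugin-* packages, so whichever EAP method the conn ends up using should be installed explicitly and verified with `ipsec listplugins` before the certificate section.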
  4. @losisli revised this gist Aug 26, 2014. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -5,11 +5,11 @@
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件

    **strongswan官网** http://www.strongswan.org/**5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **strongswan官网** http://www.strongswan.org/**5.2.0版本地址** http://download.strongswan.org/strongswan-5.2.0.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3
    wget http://download.strongswan.org/strongswan-5.2.0.tar.bz2
    tar -jxvf strongswan-5.2.0.tar.bz2
    cd strongswan-5.2.0
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install
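Review bot: both the old and the new `wget` line fetch the tarball over plain http with no integrity check, and the result is then built and installed as root into /usr. strongSwan publishes a detached PGP signature (.sig) alongside each release tarball; add a `gpg --verify` step (or at minimum a comparison against a published checksum) between the download and `./configure`.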

  5. losisli revised this gist May 27, 2014. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -5,7 +5,7 @@
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件

    **strongswan官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **strongswan官网** http://www.strongswan.org/ **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    @@ -34,6 +34,7 @@
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    客户端安装caCert.pem与clientCert.pem(clientCert.p12)

    ## 三:配置strongswan
    1: /etc/ipsec.conf
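Review bot: the added line lists what the client installs (caCert.pem and clientCert.p12) but not where; since the document targets Windows 7, Android and WP 8.1, state for each platform which certificate store the CA certificate and the p12 bundle go into, otherwise the reader cannot tell which import dialog to use.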
  6. losisli revised this gist Apr 23, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -9,7 +9,7 @@

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

  7. losisli revised this gist Apr 19, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,4 +1,4 @@
    **平台**原生ubuntu14.04 x86 strongswan5.1.3
    **平台**DigitalOcean VPS原生ubuntu14.04 x86, strongswan5.1.3

    ## 一:安装strongswan

  8. losisli revised this gist Apr 19, 2014. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -84,9 +84,9 @@
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE //地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    ## 最后,启动strongswan:
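Review bot: switching `//` to `#` is a functional fix, not a cosmetic one: in a shell, `//地址与上面地址池对应` was handed to iptables as extra arguments and the command failed. The retained comment still directs the reader to paste these lines into /etc/rc.local; the durable form on Ubuntu 14.04 is `net.ipv4.ip_forward=1` in /etc/sysctl.conf plus saving the rules with iptables-persistent, and the "8 lines" in the comment does not match the five commands shown above it.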

  9. losisli revised this gist Apr 19, 2014. 1 changed file with 3 additions and 6 deletions.
    9 changes: 3 additions & 6 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -2,13 +2,10 @@

    ## 一:安装strongswan

    apt-get install gcc make strongswan //strongswan版本可能较低
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    apt-get install openssl-dev
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    **官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **strongswan官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
  10. losisli revised this gist Apr 19, 2014. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,9 +1,10 @@
    **平台**:原生ubuntu14.04 x86 strongswan5.1.3

    ## 一:安装strongswan

    apt-get install gcc make strongswan //strongswan版本可能较低
    //到**https://gmplib.org/** 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    //如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    apt-get install openssl-dev

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
  11. losisli revised this gist Apr 19, 2014. 1 changed file with 5 additions and 6 deletions.
    11 changes: 5 additions & 6 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -44,7 +44,6 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线


    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    @@ -74,7 +73,7 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载

    3: /etc/strongswan.conf

    //加入分配的dns
    #加入分配的dns
    charon {

    dns1 = 8.8.8.8
    @@ -91,14 +90,14 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:
    ## 最后,启动strongswan:

    ipsec start
    滚动日志:

    ipsec start --nofork

    ## 参考链接:
    http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    http://si-you.com/?p=1167
    http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
    * http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    * http://si-you.com/?p=1167
    * http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
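Review bot: `#` is the correct comment character for strongswan.conf, but the same `//` markers survive on the iptables lines in the context at the top of the last hunk (`iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上` and the line below it), where they are not comments at all but stray arguments that break the command; fix them in the same pass.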
  12. losisli revised this gist Apr 19, 2014. 1 changed file with 17 additions and 6 deletions.
    23 changes: 17 additions & 6 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -7,7 +7,8 @@
    apt-get install openssl-dev

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    **官网**http://www.strongswan.org/, 5.1.3版本地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    @@ -16,27 +17,34 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载

    ## 二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书

    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    2:然后是服务器端的证书

    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    3:客户端的证书

    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。

    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4:安装证书

    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/

    ## 三:配置strongswan
    1: /etc/ipsec.conf

    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线


    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
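Review bot: the `ike=aes256-sha1-modp1024!` line in the context here pins a 1024-bit MODP group (DH group 2) and, with the trailing `!`, refuses anything stronger offered by the client; 1024-bit DH is considered weak for new deployments. If it is kept because the listed client platforms default to that group, the text should say so and note the trade-off, rather than presenting it as the recommended proposal.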
    @@ -57,14 +65,16 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    auto=add

    2: /etc/ipsec.secrets

    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    3: /etc/strongswan.conf
    //加入分配的dns

    //加入分配的dns
    charon {

    dns1 = 8.8.8.8
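Review bot: ipsec.secrets holds the EAP passwords in clear text (`用户名1 : EAP "密码1"`) and the document never says the file must be readable by root only; add a `chmod 600 /etc/ipsec.secrets` step beside it, and replace the quoted placeholders with a note that each user needs a distinct, non-trivial password since this file is the whole authentication database for the VPN.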
    @@ -73,18 +83,19 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    }

    ## 四:配置 Iptables 转发

    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE //地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:

    ipsec start
    滚动日志:

    ipsec start --nofork

    ## 参考链接:
  13. losisli revised this gist Apr 19, 2014. 1 changed file with 67 additions and 66 deletions.
    133 changes: 67 additions & 66 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,92 +1,93 @@
    平台:原生ubuntu14.04 x86 strongswan5.1.3
    **平台**:原生ubuntu14.04 x86 strongswan5.1.3

    一:安装strongswan
    apt-get install gcc make strongswan (strongswan版本可能较低)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用 apt-get install openssl-dev 命令解决(ubuntu14.04本身已安装openssl)
    ## 一:安装strongswan
    apt-get install gcc make strongswan //strongswan版本可能较低
    //到**https://gmplib.org/** 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    //如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    apt-get install openssl-dev

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    官网http://www.strongswan.org/, 5.1.3地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install
    **官网**http://www.strongswan.org/, 5.1.3版本地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

    二:生成、安装证书
    ## 二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    2:然后是服务器端的证书
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    3:客户端的证书
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4安装证书
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4:安装证书
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/

    三:配置strongswan
    1: #/etc/ipsec.conf
    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线
    ## 三:配置strongswan
    1: /etc/ipsec.conf
    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线

    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

    2: #/etc/ipsec.secrets
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    2: /etc/ipsec.secrets
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    3: #/etc/strongswan.conf
    #加入分配的dns
    charon {
    3: /etc/strongswan.conf
    //加入分配的dns
    charon {

    dns1 = 8.8.8.8
    dns2 = 208.67.222.222
    dns1 = 8.8.8.8
    dns2 = 208.67.222.222

    }
    }

    四:配置 Iptables 转发
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    ## 四:配置 Iptables 转发
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE //地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:
    ipsec start
    ipsec start
    滚动日志:
    ipsec start --nofork
    ipsec start --nofork

    参考链接:
    ## 参考链接:
    http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    http://si-you.com/?p=1167
    http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
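Review bot: `cd strongswan-5.1.3.tar.bz2`, kept in both versions of this hunk, changes into the archive file rather than the extracted directory, so the `./configure` that follows never runs; it should be `cd strongswan-5.1.3`. `apt-get install openssl-dev` likewise names a package that does not exist on Ubuntu; the OpenSSL headers the configure error complains about are in `libssl-dev`. The indentation added throughout is what turns the commands and config into code blocks, so it is worth a line in the commit message.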
  14. losisli revised this gist Apr 19, 2014. No changes.
  15. losisli revised this gist Apr 19, 2014. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,4 +1,5 @@
    平台:原生ubuntu14.04 x86 strongswan5.1.3

    一:安装strongswan
    apt-get install gcc make strongswan (strongswan版本可能较低)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    @@ -78,6 +79,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:
    ipsec start
  16. losisli revised this gist Apr 19, 2014. 1 changed file with 90 additions and 1 deletion.
    91 changes: 90 additions & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -1 +1,90 @@
    平台:ubuntu14.04 x86
    平台:原生ubuntu14.04 x86 strongswan5.1.3
    一:安装strongswan
    apt-get install gcc make strongswan (strongswan版本可能较低)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用 apt-get install openssl-dev 命令解决(ubuntu14.04本身已安装openssl)

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    官网http://www.strongswan.org/, 5.1.3地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

    二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    2:然后是服务器端的证书
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    3:客户端的证书
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4安装证书
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/

    三:配置strongswan
    1: #/etc/ipsec.conf
    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线

    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

    2: #/etc/ipsec.secrets
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    3: #/etc/strongswan.conf
    #加入分配的dns
    charon {

    dns1 = 8.8.8.8
    dns2 = 208.67.222.222

    }

    四:配置 Iptables 转发
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上

    最后,启动strongswan:
    ipsec start
    滚动日志:
    ipsec start --nofork

    参考链接:
    http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    http://si-you.com/?p=1167
    http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
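Review bot: `leftid="C=CN, O=strongSwan, CN=X.X.X.X"` has to match the subject DN of serverCert.pem exactly, and the issue command above sets that CN to the placeholder `VPS的公网ip或域名`; state explicitly that both places take the same public IP or hostname, and that `--san` must carry the value clients are told to connect to, because IKEv2 clients check the server identity against the certificate and fail the connection on a mismatch. The `echo 1 > /proc/sys/net/ipv4/ip_forward` and iptables commands are also lost on reboot as written.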
  17. losisli created this gist Apr 19, 2014.
    1 change: 1 addition & 0 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -0,0 +1 @@
    平台:ubuntu14.04 x86