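#!/bin/bash
## Main reference https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
#
# Provisions a strongSwan gateway (IKEv2 with certificate + EAP-MSCHAPv2, and
# a Cisco IKEv1/XAuth profile): installs the packages, writes the strongSwan
# configuration, builds a private CA and host certificate, enables IP
# forwarding and NAT, then issues one client certificate as a PKCS#12 bundle.
#
# Environment (all optional unless stated; defaults reproduce the original
# hard-coded values):
#   CN_NAME       DNS name of the gateway (leftid and host certificate CN)
#   CN_IP         IP address of the gateway (added as SAN)
#   VPN_POOL      address pool handed to clients; also the NAT source range
#   WAN_IF        interface the masqueraded client traffic leaves through
#   EAP_USER      EAP username written to ipsec.secrets
#   EAP_PASSWORD  EAP password written to ipsec.secrets  (REQUIRED)
#   CLIENT_ID     identity (e-mail) used as CN and SAN of the client cert
#   CLIENT_NAME   prefix for the client key/cert/.p12 file names
#
# Must run as root: writes under /etc/strongswan, /etc/sysctl.conf and the
# iptables NAT table. All private keys and secrets are written with umask 077.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

readonly CN_NAME="${CN_NAME:-vpn.example.com}"
readonly CN_IP="${CN_IP:-192.168.199.131}"
readonly VPN_POOL="${VPN_POOL:-10.86.86.0/24}"
readonly WAN_IF="${WAN_IF:-eth0}"
readonly EAP_USER="${EAP_USER:-example}"
# Deliberately no default: the EAP password must come from the environment,
# not from the script text.
readonly EAP_PASSWORD="${EAP_PASSWORD:?set EAP_PASSWORD in the environment}"
readonly CLIENT_ID="${CLIENT_ID:-leolovenet@gmail.com}"
readonly CLIENT_NAME="${CLIENT_NAME:-Leo}"
readonly STRONGSWAN_DIR=/etc/strongswan

yum -y install epel-release
yum -y install haveged strongswan
/etc/init.d/haveged start
chkconfig haveged on

cd "$STRONGSWAN_DIR" || die "cannot cd to $STRONGSWAN_DIR"

# Quoted delimiter: the file is written literally, nothing is expanded.
cat > strongswan.conf <<'EOF'
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    #duplicheck.enable = no
    #install_virtual_ip = yes
    #dns1 = 8.8.8.8
    #dns2 = 8.8.4.4
    plugins {
        include strongswan.d/charon/*.conf
        openssl {
            fips_mode = 0
        }
    }
}

pki {
    plugins {
        openssl {
            fips_mode = 0
        }
    }
}

include strongswan.d/*.conf
EOF

# Unquoted delimiter on purpose: ${VPN_POOL} and ${CN_NAME} are expanded so
# ipsec.conf, the NAT rule and the host certificate agree on the same values.
cat > ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

#https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
config setup
    #charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    #uniqueids=never

#https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=${VPN_POOL}

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    leftsendcert=always
    leftid=@${CN_NAME}
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
EOF

# Secrets are written with printf rather than a heredoc so the password
# never appears in the script, and with umask 077 so the file is root-only
# from the moment it is created. The format mirrors the original file
# (`: RSA vpnHostKey.der` then `user : EAP "password"`); a literal double
# quote inside the password would break that syntax, as it would have before.
(
  umask 077
  printf ': RSA vpnHostKey.der\n%s : EAP "%s"\n' "$EAP_USER" "$EAP_PASSWORD" > ipsec.secrets
)
chmod 600 ipsec.secrets

cat > strongswan.d/charon-logging.conf <<'EOF'
charon {
    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {
        /var/log/charon.log {
            #flush_line = yes
            #job = -1
            #enc = 1
            #asn = 2
            #net = 2
            #ike = 2
            #default = 2
            default = 1
            time_format = %Y%m%d%H%M%S
        }
    }
}
EOF

####################
#### CA and host certificate
####################
# Private keys are generated inside a subshell with umask 077 so the file is
# never world-readable, not even between the redirect and the chmod. The
# explicit chmod is kept because `>` truncates an existing file without
# changing its mode.
(
  umask 077
  strongswan pki --gen --type rsa --size 4096 --outform der \
    > ipsec.d/private/strongswanKey.der
)
chmod 600 ipsec.d/private/strongswanKey.der

strongswan pki --self --ca --lifetime 3650 \
  --in ipsec.d/private/strongswanKey.der --type rsa \
  --dn "C=CN, O=Leo Company, CN=Leo Root CA" \
  --outform der > ipsec.d/cacerts/strongswanCert.der
# PEM copy of the CA certificate: this is the file clients import.
openssl x509 -inform DER -in ipsec.d/cacerts/strongswanCert.der \
  -out ipsec.d/cacerts/strongswanCert.pem -outform PEM
#strongswan pki --print --in ipsec.d/cacerts/strongswanCert.der

(
  umask 077
  strongswan pki --gen --type rsa --size 2048 --outform der \
    > ipsec.d/private/vpnHostKey.der
)
chmod 600 ipsec.d/private/vpnHostKey.der

# pipefail makes this pipeline fail if --pub fails, instead of silently
# issuing a certificate over an empty public key.
strongswan pki --pub --in ipsec.d/private/vpnHostKey.der --type rsa \
  | strongswan pki --issue --lifetime 730 \
      --cacert ipsec.d/cacerts/strongswanCert.der \
      --cakey ipsec.d/private/strongswanKey.der \
      --dn "C=CN, O=Leo Company, CN=${CN_NAME}" \
      --san "${CN_NAME}" --san "${CN_IP}" --san "@${CN_IP}" \
      --flag serverAuth --flag ikeIntermediate \
      --outform der > ipsec.d/certs/vpnHostCert.der
#strongswan pki --print --in ipsec.d/certs/vpnHostCert.der
#openssl x509 -inform DER -in ipsec.d/certs/vpnHostCert.der -noout -text

/etc/init.d/strongswan start
chkconfig strongswan on

####################
#### Forwarding and NAT
####################
# Append each sysctl line only if it is not already present, so re-running
# the script does not keep growing /etc/sysctl.conf.
for sysctl_line in \
  'net.ipv4.ip_forward = 1' \
  'net.ipv4.conf.all.accept_redirects = 0' \
  'net.ipv4.conf.all.send_redirects = 0'; do
  grep -qxF -- "$sysctl_line" /etc/sysctl.conf \
    || printf '%s\n' "$sysctl_line" >> /etc/sysctl.conf
done
sysctl -p

# Masquerade client traffic that leaves the pool via the WAN interface.
# Note: -A appends, so re-running the script adds a duplicate rule.
iptables -t nat -A POSTROUTING -s "$VPN_POOL" ! -d "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
/etc/init.d/iptables save

#copy /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your iPhone, and install.
#and Settings --> General --> VPN --> Add VPN Configuration...
# Description: myVPN (whatever)
# Server: your_CentOS_server_IP
# Remote ID: value of CN_NAME (in ipsec.conf, option leftid's value)
# User Authentication: Username
# Username: value of EAP_USER (in ipsec.secrets)
# Password: value of EAP_PASSWORD (in ipsec.secrets)

####################
#### For Users
####################
readonly CLIENT_KEY_DER="ipsec.d/private/${CLIENT_NAME}Key.der"
readonly CLIENT_KEY_PEM="ipsec.d/private/${CLIENT_NAME}Key.pem"
readonly CLIENT_CERT_DER="ipsec.d/certs/${CLIENT_NAME}Cert.der"
readonly CLIENT_CERT_PEM="ipsec.d/certs/${CLIENT_NAME}Cert.pem"
readonly CLIENT_P12="${CLIENT_NAME}.p12"

(
  umask 077
  strongswan pki --gen --type rsa --size 2048 --outform der > "$CLIENT_KEY_DER"
)
chmod 600 "$CLIENT_KEY_DER"

strongswan pki --pub --in "$CLIENT_KEY_DER" --type rsa \
  | strongswan pki --issue --lifetime 730 \
      --cacert ipsec.d/cacerts/strongswanCert.der \
      --cakey ipsec.d/private/strongswanKey.der \
      --dn "C=CN, O=Leo Company, CN=${CLIENT_ID}" \
      --san "${CLIENT_ID}" \
      --outform der > "$CLIENT_CERT_DER"

# The PEM key and the .p12 bundle both contain the client's private key, so
# they get the same restrictive umask as the DER key.
(
  umask 077
  openssl rsa -inform DER -in "$CLIENT_KEY_DER" -out "$CLIENT_KEY_PEM" -outform PEM
)
openssl x509 -inform DER -in "$CLIENT_CERT_DER" -out "$CLIENT_CERT_PEM" -outform PEM
(
  umask 077
  openssl pkcs12 -export -inkey "$CLIENT_KEY_PEM" -in "$CLIENT_CERT_PEM" \
    -name "${CLIENT_NAME}'s VPN Certificate" \
    -certfile ipsec.d/cacerts/strongswanCert.pem -caname "Leo Root CA" \
    -out "$CLIENT_P12"
)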