strongswan ikev2 server on ubuntu 14.04

2016/09/05 09:10

https://quericy.me/blog/699/

# Turn off ICMP redirect acceptance and emission on every IPv4 interface
# entry under /proc/sys/net/ipv4/conf (the glob also covers "all" and
# "default"). Writes to /proc/sys are runtime-only; to keep the setting
# across reboots add the matching net.ipv4.conf.*.accept_redirects and
# net.ipv4.conf.*.send_redirects keys to /etc/sysctl.conf as well.
for iface_dir in /proc/sys/net/ipv4/conf/*; do
  printf '0\n' > "${iface_dir}/accept_redirects"
  printf '0\n' > "${iface_dir}/send_redirects"
done

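# Source-NAT traffic coming from the VPN client pool onto the egress
# interface. The -s network must be the same pool that ipsec.conf hands
# out via rightsourceip (10.0.0.0/24 in this setup); the original line
# used 192.168.0.0/24, which would leave client traffic un-NATed.
# Replace venet0 with the host's real egress interface (the persistent
# rules file below uses eth0).
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE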

Basic Strongswan ikev2 server setup

  • platform: atlantic.net ubuntu 14.04 x64
  • the commands below are run as the root account

Strongswan

# Install the IKEv2 daemon, iptables, and iptables-persistent (which
# reloads the saved rules file at boot). One transaction for all three
# ends in the same installed state as the two separate installs.
pkgs=(strongswan iptables iptables-persistent)
apt-get install "${pkgs[@]}"

ca

root ca

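# Create a working directory under root's home and generate the private
# CA (key + self-signed certificate). The key is generated inside a
# subshell with umask 077 so ca_key.pem is created mode 0600; with the
# default umask the redirect would leave the CA signing key world-readable.
cd ~ && mkdir swan && cd swan || exit 1
(umask 077; ipsec pki --gen --outform pem > ca_key.pem)
# Self-signed CA certificate; the DN is only a label, but CN should
# identify this CA clearly on the client side.
ipsec pki --self --in ca_key.pem --dn "C=CN, O=strongswan, CN=strongswan ca" --ca --outform pem > ca_cert.pem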

server certificate

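# Server key and certificate, signed by the CA created above.
# CN and --san must be exactly the hostname (or IP) that clients will
# connect to; replace vpn.strong.com accordingly, otherwise clients will
# reject the certificate.
# --flag serverAuth / --flag ikeIntermediate set the extended key usages
# that Windows and Apple IKEv2 clients expect on the server certificate;
# they are harmless for other clients.
(umask 077; ipsec pki --gen --outform pem > server_key.pem)
ipsec pki --pub --in server_key.pem \
  | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem \
      --dn "C=CN, O=strongswan, CN=vpn.strong.com" --san="vpn.strong.com" \
      --flag serverAuth --flag ikeIntermediate \
      --outform pem > server_cert.pem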

client certificate

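# Client key and certificate, signed by the same CA. Generate one pair per
# client device so a single device can be revoked without affecting the
# others; the DN is what the server will see as the client's identity.
# umask 077 keeps the private key from being created world-readable.
(umask 077; ipsec pki --gen --outform pem > client_key.pem)
ipsec pki --pub --in client_key.pem \
  | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem \
      --dn "C=CN, O=strongSwan, CN=client" --outform pem > client_cert.pem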

install the certificates

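# Put the CA certificate, server certificate and server private key where
# charon looks for them. install(1) sets the mode explicitly, so the
# private key ends up 0600 regardless of how the source file was created
# (a plain cp keeps the source mode). ca_key.pem is deliberately NOT
# copied: the CA signing key has no business on the VPN server's config
# tree and should be kept elsewhere.
install -m 0644 ca_cert.pem /etc/ipsec.d/cacerts/
install -m 0644 server_cert.pem /etc/ipsec.d/certs/
install -m 0600 server_key.pem /etc/ipsec.d/private/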

conf

  • /etc/ipsec.conf
# /etc/ipsec.conf - IKEv2 "road warrior" (client-to-server) configuration.
config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Defaults inherited by every conn below.
conn %default
        # Server certificate installed in /etc/ipsec.d/certs/; its private
        # key is referenced from /etc/ipsec.secrets.
        leftcert=server_cert.pem
        # Load the conn at startup and wait for clients to initiate.
        auto=add
        # Dead peer detection: quietly tear down the SA of a client that
        # stops answering.
        dpdaction=clear
        dpddelay=300s
        dpdtimeout=1h

# Road-warrior conn. No ike=/esp= proposals are set here, so the strongSwan
# defaults apply - consider pinning them explicitly. Client authentication
# presumably falls back to certificates issued by the CA in
# /etc/ipsec.d/cacerts, since no rightauth is given.
conn rw
        # Let strongSwan's updown script insert the FORWARD rules for each
        # tunnel; the FORWARD chain policy in the firewall rules is DROP.
        leftfirewall=yes
        # Full tunnel: clients send all their traffic through the server.
        leftsubnet=0.0.0.0/0
        right=%any
        # Virtual IP pool handed to clients. Must match the -s network of the
        # POSTROUTING MASQUERADE rule, or client traffic is not NATed.
        rightsourceip=10.0.0.0/24
  • /etc/ipsec.secrets
# /etc/ipsec.secrets - private key matching leftcert; the path is relative
# to /etc/ipsec.d/private/. Keep this file readable by root only.
: RSA server_key.pem
  • /etc/strongswan.conf
# /etc/strongswan.conf - options for the charon IKE daemon.
charon {
	load_modular = yes
	# NOTE(review): controls installation of virtual IPs on this host;
	# left at what appears to be the default - confirm it is needed here.
	install_virtual_ip = yes

	# DNS servers pushed to connecting clients (Google public DNS here).
	dns1 = 8.8.8.8
	dns2 = 8.8.4.4 
	# Alternatively use the resolvers provided by the VPS host.

	plugins {
		include strongswan.d/charon/*.conf
	}
}

system conf

# /etc/sysctl.conf - let the kernel route traffic between the VPN clients
# and the egress interface; without this the MASQUERADE rule never sees
# any packets.
net.ipv4.ip_forward = 1
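# /etc/iptables/rules.v4 - restored by iptables-persistent at boot.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT the VPN client pool (rightsourceip in ipsec.conf) on the
# egress interface; change eth0 to the host's actual interface.
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 22 14:53:31 2013
# Generated by iptables-save v1.4.18 on Mon Jul 22 14:53:31 2013
*filter
:INPUT DROP [0:0]
# FORWARD stays DROP; the per-tunnel forwarding rules are added by
# strongSwan's updown script because of leftfirewall=yes.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [432:67301]
# Loopback: match on the interface instead of 127.0.0.0/24. The /24 match
# excludes addresses such as 127.0.1.1, which Ubuntu commonly maps the
# hostname to in /etc/hosts, so local services could have been rejected.
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# IKE (UDP 500), NAT-T (UDP 4500) and ESP for the VPN itself.
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Anything else is rejected with an explicit error rather than dropped.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT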

client settings

  • ca_cert.pem
  • client_key.pem
  • client_cert.pem

Copy these files to the client (with scp or ftp; client_key.pem is a private key, so an encrypted transfer such as scp is preferable) and use them to configure the strongSwan VPN connection.

References
