Last active
September 30, 2022 06:51
-
-
Save bao3/13aaf2db660d1fe7a8bec2244486c66f to your computer and use it in GitHub Desktop.
iOS IKEv2 PSK Auth(No Need Certification) 无需证书 Stongswan
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Set your Server Name 设置成你的域名或者 IP | |
| # | |
| SERVER="SOMETHING.your.ServeName" | |
| VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 12)" | |
| #VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") | |
| UUID1=$(/usr/bin/uuidgen -r) | |
| UUID2=$(/usr/bin/uuidgen -r) | |
| UUID3=$(/usr/bin/uuidgen -r) | |
| sed -i.bak /$1/d /etc/ipsec.secrets | |
| echo "Password for user is: $VPN_PASSWORD" | |
| echo "${1} %any : EAP \"${VPN_PASSWORD}\"" >> /etc/ipsec.secrets | |
| #backup secrets,you could disable it 。这是我用来备份用得,你可以禁用 | |
| echo y| cp /etc/ipsec.secrets /srv/ikev2/ | |
| ipsec rereadsecrets | |
| # create the .mobileconfig for Apple user | |
| # 直接为苹果设备生成描述文件,直接导入设备就可以使用 | |
| cat > /srv/ikev2/${1}.mobileconfig <<_EOF_ | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>ConsentText</key> | |
| <dict> | |
| <key>default</key> | |
| <string>安装过程中需要你输入“你自己的手机密码”</string> | |
| </dict> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>DNS</key> | |
| <dict> | |
| <key>ServerAddresses</key> | |
| <array> | |
| <string>94.140.14.14</string> | |
| <string>8.8.8.8</string> | |
| <string>1.1.1.1</string> | |
| </array> | |
| <key>SupplementalMatchDomainsNoSearch</key> | |
| <integer>0</integer> | |
| </dict> | |
| <key>IKEv2</key> | |
| <dict> | |
| <key>AuthName</key> | |
| <string>${1}</string> | |
| <key>AuthPassword</key> | |
| <string>${VPN_PASSWORD}</string> | |
| <key>AuthenticationMethod</key> | |
| <string>SharedSecret</string> | |
| <key>ChildSecurityAssociationParameters</key> | |
| <dict> | |
| <key>DiffieHellmanGroup</key> | |
| <integer>14</integer> | |
| <key>EncryptionAlgorithm</key> | |
| <string>AES-128-GCM</string> | |
| <key>IntegrityAlgorithm</key> | |
| <string>SHA2-256</string> | |
| <key>LifeTimeInMinutes</key> | |
| <integer>1440</integer> | |
| </dict> | |
| <key>DeadPeerDetectionRate</key> | |
| <string>Medium</string> | |
| <key>DisableMOBIKE</key> | |
| <integer>0</integer> | |
| <key>DisableRedirect</key> | |
| <integer>0</integer> | |
| <key>DisconnectOnIdle</key> | |
| <integer>1</integer> | |
| <key>DisconnectOnIdleTimer</key> | |
| <integer>600</integer> | |
| <key>EnableCertificateRevocationCheck</key> | |
| <integer>0</integer> | |
| <key>EnableFallback</key> | |
| <false/> | |
| <key>EnablePFS</key> | |
| <integer>0</integer> | |
| <key>ExtendedAuthEnabled</key> | |
| <true/> | |
| <key>IKESecurityAssociationParameters</key> | |
| <dict> | |
| <key>DiffieHellmanGroup</key> | |
| <integer>14</integer> | |
| <key>EncryptionAlgorithm</key> | |
| <string>AES-128-GCM</string> | |
| <key>IntegrityAlgorithm</key> | |
| <string>SHA2-256</string> | |
| <key>LifeTimeInMinutes</key> | |
| <integer>1440</integer> | |
| </dict> | |
| <key>LocalIdentifier</key> | |
| <string>SOMETHING.client</string> | |
| <key>RemoteAddress</key> | |
| <string>${SERVER}</string> | |
| <key>RemoteIdentifier</key> | |
| <string>SOMETHING.server</string> | |
| <key>SharedSecret</key> | |
| <string>YOUR-PSK-KEY</string> | |
| <key>UseConfigurationAttributeInternalIPSubnet</key> | |
| <integer>0</integer> | |
| </dict> | |
| <key>OnDemandEnabled</key> | |
| <integer>1</integer> | |
| <key>OnDemandRules</key> | |
| <array> | |
| <dict> | |
| <key>Action</key> | |
| <string>EvaluateConnection</string> | |
| <key>ActionParameters</key> | |
| <array> | |
| <dict> | |
| <key>DomainAction</key> | |
| <string>ConnectIfNeeded</string> | |
| <key>Domains</key> | |
| <array> | |
| <string>youtube.com</string> | |
| <string>youtu.be</string> | |
| <string>twitter.com</string> | |
| <string>t.co</string> | |
| <string>google.com</string> | |
| <string>goo.gl</string> | |
| <string>google.cn</string> | |
| <string>instagram.com</string> | |
| <string>facebook.com</string> | |
| <string>fb.me</string> | |
| <string>tumblr.com</string> | |
| <string>t66y.com</string> | |
| </array> | |
| </dict> | |
| </array> | |
| </dict> | |
| <dict> | |
| <key>Action</key> | |
| <string>Disconnect</string> | |
| <key>InterfaceTypeMatch</key> | |
| <string>Cellular</string> | |
| </dict> | |
| <dict> | |
| <key>Action</key> | |
| <string>Disconnect</string> | |
| </dict> | |
| </array> | |
| <key>PayloadDescription</key> | |
| <string>[仅限 Apple 设备]自动配置 VPN 设置,Mac与 iOS 通用</string> | |
| <key>PayloadDisplayName</key> | |
| <string>公司 VPN</string> | |
| <key>PayloadIdentifier</key> | |
| <string>com.apple.vpn.managed.${UUID1}</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.vpn.managed</string> | |
| <key>PayloadUUID</key> | |
| <string>${UUID1}</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>Proxies</key> | |
| <dict> | |
| <key>HTTPEnable</key> | |
| <integer>0</integer> | |
| <key>HTTPSEnable</key> | |
| <integer>0</integer> | |
| </dict> | |
| <key>UserDefinedName</key> | |
| <string>${1} 的 VPN-PSK</string> | |
| <key>VPNType</key> | |
| <string>IKEv2</string> | |
| </dict> | |
| </array> | |
| <key>PayloadDescription</key> | |
| <string>安装过程中需要你输入“你自己的手机密码”</string> | |
| <key>PayloadDisplayName</key> | |
| <string>${1} 的 IKEv2-PSK</string> | |
| <key>PayloadIdentifier</key> | |
| <string>heibang.${UUID3}</string> | |
| <key>PayloadRemovalDisallowed</key> | |
| <false/> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadUUID</key> | |
| <string>${UUID2}</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| </dict> | |
| </plist> | |
| _EOF_ | |
| #接下来是自动打开 URL ,让你可以下载描述文件。用完请关闭哦。 | |
| # use the httpserver to download the file | |
| echo "Download Apple Configuration File(s) " | |
| echo "http://"`hostname -I | cut -d" " -f 1`":8000"/ikev2/${1}.mobileconfig | |
| python3 -m http.server |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| conn setup | |
| conn %default | |
| compress = yes | |
| keyexchange=ikev2 | |
| ike = aes128gcm16-sha1-modp2048 | |
| esp = aes128gcm16-sha1 | |
| leftsubnet=0.0.0.0/0 | |
| rightsourceip=10.1.0.0/24 | |
| leftdns=8.8.8.8,8.8.4.4 | |
| rightdns=8.8.8.8,8.8.4.4 | |
| auto=add | |
| conn ikev2 | |
| dpdaction=clear | |
| dpddelay=60s | |
| rekey=no | |
| fragmentation=yes | |
| eap_identity=%identity | |
| left=%any | |
| leftid=SOMETHING.server | |
| leftauth=psk | |
| leftfirewall=yes | |
| right=%any | |
| rightauth=eap-mschapv2 | |
| eap_identity=%identity | |
| rightid=SOMETHING.client |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This file holds shared secrets or RSA private keys for authentication. | |
| # RSA private key for this host, authenticating it to any other host | |
| # which knows the public part. | |
| : PSK YOUR-PSK-KEY | |
| # you could add user mannually to here | |
| # OR you could user my shell script "add.ipsec.user" to add it automantically | |
| # 可以手动在这里添加用户,或者使用我的那个自动脚本来生成用户(脚本自动去重) | |
| USER1 %any : EAP "MR27YwGTDkke" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 适用于 StongSwan 5.5+ 以上版本 | |
| 仅适配了 Apple (macOS/ iOS /iPadOS ),并不适用其他设备 | |
| 使用 PSK + 密码认证,摆脱了证书要求 | |
| 默认的 .mobileconfig 是带有 on-deamond 按需求自动连接功能。你可以自己关闭 | |
| 非常核心的一点:在 /etc/ipsec.conf 一定要有“leftfirewall=yes” ,这个是让 iptables 能转发数据,否则可以连接 VPN 但上不了网。 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment