IPSEC VPN on Centos6 with StrongSwan for iOS9
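#!/bin/bash
## Main reference https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
#
# Sets up a strongSwan VPN server on CentOS 6: installs the packages, writes
# strongswan.conf / ipsec.conf / ipsec.secrets / charon-logging.conf, creates
# a local CA plus a host certificate, enables IP forwarding and NAT for the
# client pool, and finally issues one client certificate bundled as PKCS#12.
#
# Tunables (environment variables, all optional):
#   CN_NAME     server FQDN; placed in the host cert SAN and used as leftid
#   CN_IP       server IP address; added as a SAN to the host cert
#   VPN_SUBNET  address pool handed to clients (rightsourceip and NAT source)
#   WAN_IF      outbound interface used for MASQUERADE
#   EAP_USER    username for the EAP-MSCHAPv2 / XAuth secret
#   EAP_PASS    password for that user; a random one is generated when unset
#   USER_EMAIL  identity written into the client certificate
#
# Must run as root. Every configuration file lands under /etc/strongswan.
set -euo pipefail

CN_NAME="${CN_NAME:-vpn.example.com}"
CN_IP="${CN_IP:-192.168.199.131}"
VPN_SUBNET="${VPN_SUBNET:-10.86.86.0/24}"
WAN_IF="${WAN_IF:-eth0}"
EAP_USER="${EAP_USER:-example}"
# Constructed placeholder: the value on the original page was obfuscated by
# the hosting site and could not be recovered. Override via USER_EMAIL.
USER_EMAIL="${USER_EMAIL:-leo@example.com}"

yum -y install epel-release
yum -y install haveged strongswan
/etc/init.d/haveged start
chkconfig haveged on

# Random 24-character password instead of a fixed, guessable one. Generated
# after package installation so openssl is guaranteed to be present.
EAP_PASS="${EAP_PASS:-$(openssl rand -base64 18)}"

cd /etc/strongswan || exit 1

# strongswan.conf: daemon-wide settings; per-feature files are included from
# strongswan.d/. fips_mode is switched off for the openssl plugin so the
# RSA/x509 operations below are not refused on FIPS-enabled hosts.
cat > strongswan.conf <<'EOF'
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
  load_modular = yes
  #duplicheck.enable = no
  #install_virtual_ip = yes
  #dns1 = 8.8.8.8
  #dns2 = 8.8.4.4
  plugins {
    include strongswan.d/charon/*.conf
    openssl {
      fips_mode = 0
    }
  }
}
pki {
  plugins {
    openssl {
      fips_mode = 0
    }
  }
}
include strongswan.d/*.conf
EOF

# ipsec.conf: connection definitions. Parameters inside a conn section must be
# indented. leftid is set to CN_NAME so it matches a SAN of the host
# certificate; iOS must be given exactly this value as "Remote ID".
# The heredoc is unquoted on purpose so ${VPN_SUBNET} and ${CN_NAME} expand.
cat > ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
#https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
config setup
    #charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    #uniqueids=never

#https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=${VPN_SUBNET}

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    leftsendcert=always
    leftid=${CN_NAME}
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
EOF

# ipsec.secrets: host key reference plus the EAP user secret. Created with a
# restrictive umask so the password is never world-readable, not even briefly.
(
  umask 077
  cat > ipsec.secrets <<EOF
: RSA vpnHostKey.der
${EAP_USER} : EAP "${EAP_PASS}"
EOF
)
chmod 600 ipsec.secrets

# Log IKE activity to its own file at a moderate level (default = 1).
cat > strongswan.d/charon-logging.conf <<'EOF'
charon {
  # Section to define file loggers, see LOGGER CONFIGURATION in
  # strongswan.conf(5).
  filelog {
    /var/log/charon.log {
      #flush_line = yes
      #job = -1
      #enc = 1
      #asn = 2
      #net = 2
      #ike = 2
      #default = 2
      default = 1
      time_format = %Y%m%d%H%M%S
    }
  }
}
EOF

#################### CA ####################
# Private keys are redirected into files inside a umask-077 subshell so the
# file is created unreadable to others; the explicit chmod is kept as a belt
# and braces for pre-existing files.
(
  umask 077
  strongswan pki --gen --type rsa --size 4096 --outform der \
    > ipsec.d/private/strongswanKey.der
)
chmod 600 ipsec.d/private/strongswanKey.der

# Self-signed root CA, 10-year lifetime, DER for charon and PEM for clients.
strongswan pki --self --ca --lifetime 3650 \
  --in ipsec.d/private/strongswanKey.der --type rsa \
  --dn "C=CN, O=Leo Company, CN=Leo Root CA" \
  --outform der > ipsec.d/cacerts/strongswanCert.der
openssl x509 -inform DER -in ipsec.d/cacerts/strongswanCert.der \
  -out ipsec.d/cacerts/strongswanCert.pem -outform PEM
#strongswan pki --print --in ipsec.d/cacerts/strongswanCert.der

#################### Host certificate ####################
(
  umask 077
  strongswan pki --gen --type rsa --size 2048 --outform der \
    > ipsec.d/private/vpnHostKey.der
)
chmod 600 ipsec.d/private/vpnHostKey.der

# The serverAuth and ikeIntermediate EKU flags are required by iOS/macOS
# IKEv2 clients. SANs cover the FQDN, the raw IP and the IP as an FQDN-typed
# identity, so clients may connect by either name or address.
strongswan pki --pub --in ipsec.d/private/vpnHostKey.der --type rsa \
  | strongswan pki --issue --lifetime 730 \
      --cacert ipsec.d/cacerts/strongswanCert.der \
      --cakey ipsec.d/private/strongswanKey.der \
      --dn "C=CN, O=Leo Company, CN=${CN_NAME}" \
      --san "${CN_NAME}" --san "${CN_IP}" --san "@${CN_IP}" \
      --flag serverAuth --flag ikeIntermediate \
      --outform der > ipsec.d/certs/vpnHostCert.der
#strongswan pki --print --in ipsec.d/certs/vpnHostCert.der
#openssl x509 -inform DER -in ipsec.d/certs/vpnHostCert.der -noout -text

/etc/init.d/strongswan start
chkconfig strongswan on

#################### Forwarding and NAT ####################
# Append the kernel settings only once so repeated runs do not accumulate
# duplicate lines in sysctl.conf.
if ! grep -qF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
fi
sysctl -p

# Masquerade client traffic leaving via the WAN interface; traffic between
# clients in the pool is excluded. (iptables on CentOS 6 lacks -C, so the
# rule is appended unconditionally; re-running the script adds a duplicate.)
iptables -t nat -A POSTROUTING -s "${VPN_SUBNET}" ! -d "${VPN_SUBNET}" \
  -o "${WAN_IF}" -j MASQUERADE
/etc/init.d/iptables save

# Copy /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your iPhone and
# install it, then Settings --> General --> VPN --> Add VPN Configuration...
#   Description:          myVPN (whatever)
#   Server:               your_CentOS_server_IP
#   Remote ID:            the CN_NAME value (leftid in ipsec.conf)
#   User Authentication:  Username
#   Username:             the EAP_USER value (in ipsec.secrets)
#   Password:             the EAP_PASS value (in ipsec.secrets)
printf 'EAP user "%s" created; the password is stored in %s\n' \
  "${EAP_USER}" "/etc/strongswan/ipsec.secrets"

####################
#### For Users
####################
# Client certificate for certificate-based (non-EAP) authentication. The
# PKCS#12 export prompts interactively for an export password.
(
  umask 077
  strongswan pki --gen --type rsa --size 2048 --outform der \
    > ipsec.d/private/LeoKey.der
)
chmod 600 ipsec.d/private/LeoKey.der
strongswan pki --pub --in ipsec.d/private/LeoKey.der --type rsa \
  | strongswan pki --issue --lifetime 730 \
      --cacert ipsec.d/cacerts/strongswanCert.der \
      --cakey ipsec.d/private/strongswanKey.der \
      --dn "C=CN, O=Leo Company, E=${USER_EMAIL}" \
      --san "${USER_EMAIL}" \
      --outform der > ipsec.d/certs/LeoCert.der
(
  umask 077
  openssl rsa -inform DER -in ipsec.d/private/LeoKey.der \
    -out ipsec.d/private/LeoKey.pem -outform PEM
)
openssl x509 -inform DER -in ipsec.d/certs/LeoCert.der \
  -out ipsec.d/certs/LeoCert.pem -outform PEM
(
  umask 077
  openssl pkcs12 -export -inkey ipsec.d/private/LeoKey.pem \
    -in ipsec.d/certs/LeoCert.pem -name "Leo's VPN Certificate" \
    -certfile ipsec.d/cacerts/strongswanCert.pem -caname "Leo Root CA" \
    -out Leo.p12
)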