Last active
February 8, 2024 01:12
-
-
Save carlesloriente/4496fa54e444456435ec7e7e897a28e3 to your computer and use it in GitHub Desktop.
configure-and-setup-ikev2.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| sudo dnf remove -y strongswan NetworkManager-strongswan NetworkManager-strongswan-gnome strongswan-libipsec | |
| sudo dnf install -y libreswan NetworkManager-libreswan NetworkManager-libreswan-gnome ldns nss-tools firewall-config | |
| echo "Changing ipsec.conf" | |
| sudo sed -i 's/# dnssec-enable=no/dnssec-enable=no/g' /etc/ipsec.conf | |
| sudo sed -i 's/#DNSSEC=allow-downgrade/DNSSEC=false/g' /etc/systemd/resolved.conf | |
| echo "Configuring Firewall" | |
| sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service ipsec | |
| sudo firewall-cmd --permanent --add-port=500/udp | |
| sudo firewall-cmd --permanent --add-port=4500/udp | |
| sudo firewall-cmd --reload | |
| sudo mkdir -p /var/lib/ipsec/nss | |
| #sudo chmod 755 /var/lib/ipsec/nss/ /etc/ipsec.d/ | |
| #sudo chown ${name}:${name} /var/lib/ipsec/nss/ | |
| #sudo chmod 644 /var/lib/ipsec/nss/*.* | |
| sudo ipsec initnss | |
| echo "" | |
| read -p "Enter your username: " name | |
| name=${name} | |
| echo "" | |
| read -p "Enter the VPN gateway: " vpn | |
| vpn=${vpn} | |
| echo "Your ID is ${name}@${vpn}" | |
| echo "" | |
| echo "Rename your cert file to ${name}@${vpn}.p12" | |
| echo "and save it to your ~/Documents folder" | |
| read -p "Press [Enter] to continue..." | |
| if [ ! -f ${HOME}/Documents/${name}@${vpn}.p12 ] | |
| then | |
| echo "~/Documents/${name}@${vpn}.p12 does not exist, error" | |
| exit 0 | |
| else | |
| echo "" | |
| echo "Now you need the VPN password to import the certificate" | |
| sudo ipsec import ~/Documents/${name}@${vpn}.p12 | |
| fi | |
| echo "Create configuration file for IPSec connection, connection name awsibikev2" | |
| sudo dd of=/etc/ipsec.d/roadwarriorclient.conf << EOF | |
| conn roadwarriorvpn | |
| ikev2=insist | |
| left=%defaultroute | |
| leftsubnet=0.0.0.0/0 | |
| leftcert=${name}@${vpn} | |
| leftid=%fromcert | |
| leftmodecfgclient=yes | |
| right=${vpn} | |
| rightid=%fromcert | |
| rightsubnet=0.0.0.0/0 | |
| rightca=%same | |
| authby=rsasig | |
| narrowing=yes | |
| mobike=yes | |
| auto=add | |
| EOF | |
| echo "Added to .bashrc start_vpn and stop_vpn commands" | |
| cat <<EOT >> $HOME/.bashrc | |
| function start_vpn() | |
| { | |
| sudo ipsec auto --up roadwarriorvpn | |
| } | |
| function stop_vpn() | |
| { | |
| sudo ipsec auto --down roadwarriorvpn | |
| } | |
| EOT | |
| sudo semanage fcontext -a -t ipsec_key_file_t '/var/lib/ipsec/nss' | |
| sudo restorecon -v /var/lib/ipsec/* | |
| sudo systemctl enable ipsec | |
| sudo ipsec pluto --stderrlog --config /etc/ipsec.conf | |
| echo "Please reboot the system" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Full article: https://www.notesoncloudcomputing.com/fedora/vpn/ikev2/2021/04/24/configure-ikev2-vpn-connection-fedora/