Revisions

  1. @zjgood zjgood revised this gist Jul 25, 2015. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,4 +1,4 @@
    **测试平台**:DigitalOcean VPS ubuntu14.04 x64, strongswan5.2.2
    **测试平台**:DigitalOcean VPS ubuntu14.04 x64, strongswan5.3.2

    运行以下命令请使用root权限

    @@ -11,12 +11,12 @@ aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libp

    **strongswan官网** http://www.strongswan.org/

    **5.2.2版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    **5.2.2版本地址** http://download.strongswan.org/strongswan-5.3.2.tar.bz2

    **注:对于更新的版本,不排除该教程某些地方有失效的可能,请灵活处理**
    ```bash
    wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    tar -jxvf strongswan-5.2.2.tar.bz2 && cd strongswan-5.2.2
    wget http://download.strongswan.org/strongswan-5.3.2.tar.bz2
    tar -jxvf strongswan-5.3.2.tar.bz2 && cd strongswan-5.3.2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install
    ```
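Review bot: the label on the replaced line still reads `**5.2.2版本地址**` while the URL beside it now points at `strongswan-5.3.2.tar.bz2`; update the label to `**5.3.2版本地址**` so the text matches the link (the platform line in the first hunk was already bumped to 5.3.2). Separately, the block fetches the tarball over plain `http://` and goes straight from `tar` to `make install` as root with no integrity check; a step that verifies the download against the signature or checksum published on strongswan.org before extracting would close that supply-chain gap.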
  2. @losisli losisli revised this gist May 31, 2015. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -12,6 +12,7 @@ aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libp
    **strongswan官网** http://www.strongswan.org/

    **5.2.2版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2

    **注:对于更新的版本,不排除该教程某些地方有失效的可能,请灵活处理**
    ```bash
    wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
  3. @losisli losisli revised this gist May 31, 2015. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,4 +1,5 @@
    **平台**:DigitalOcean VPS ubuntu14.04 x64, strongswan5.2.2
    **测试平台**:DigitalOcean VPS ubuntu14.04 x64, strongswan5.2.2

    运行以下命令请使用root权限

    ## 一:安装strongswan
    @@ -11,6 +12,7 @@ aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libp
    **strongswan官网** http://www.strongswan.org/

    **5.2.2版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    **注:对于更新的版本,不排除该教程某些地方有失效的可能,请灵活处理**
    ```bash
    wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    tar -jxvf strongswan-5.2.2.tar.bz2 && cd strongswan-5.2.2
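Review bot: the newly added `**注:...**` line sits directly under the `**5.2.2版本地址** ...` URL line with no blank line between them, so Markdown folds both into one paragraph and the note renders inline right after the link; insert a blank line before the note (the other May 31, 2015 revision above does exactly that).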
  4. @losisli losisli revised this gist May 31, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -13,7 +13,7 @@ aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libp
    **5.2.2版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    ```bash
    wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    tar -jxvf strongswan-5.2.2.tar.bz2 & cd strongswan-5.2.2
    tar -jxvf strongswan-5.2.2.tar.bz2 && cd strongswan-5.2.2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install
    ```
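Review bot: `&&` is the right fix here. With the single `&` on the removed line, `tar` is sent to the background and `cd strongswan-5.2.2` runs immediately in the foreground, so the following `./configure` can start before extraction has finished, or fail outright because the directory does not exist yet.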
  5. @losisli losisli revised this gist Jan 20, 2015. 1 changed file with 4 additions and 2 deletions.
    6 changes: 4 additions & 2 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,6 +1,8 @@
    **平台**:DigitalOcean VPS ubuntu14.04 x64, strongswan5.2.2
    运行以下命令请使用root权限

    ## 一:安装strongswan
    由于ubuntu软件仓库中strongswan版本较低,因此从官网源码编译安装
    ```bash
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件
    @@ -18,7 +20,7 @@ make && make install
    ## 二:生成、安装证书
    win7+和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书

    1.先生成ca证书
    1.先生成根证书
    ```bash
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    @@ -43,7 +45,7 @@ cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    ```
    客户端安装caCert.pem与clientCert.pem(clientCert.p12)
    客户端安装caCert.pem与clientCert.pem(clientCert.p12),下载文件可使用ftp软件,或使用`cat caCert.pem``cat clientCert.pem`命令,将打印出的内容直接复制到本地即可。

    ## 三:配置strongswan
    1: /etc/ipsec.conf
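Review bot: the added sentence recommends moving the client files off the server with an FTP client or by pasting `cat` output, but `clientCert.p12` contains the client's private key and FTP carries both the login and the file in the clear; recommend `scp`/`sftp` (any encrypted channel) instead. Note also that the copy-paste route only works for the PEM text files: the `.p12` bundle is binary and cannot be reconstructed from terminal output, and it is the `.p12` that the certificate section says Windows and Android need. Minor formatting point: the two code spans `cat caCert.pem` and `cat clientCert.pem` are written back to back with no separator, which Markdown will not render as two spans; put a space or 和 between them.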
  6. @losisli losisli revised this gist Jan 20, 2015. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -77,6 +77,7 @@ conn windowsphone
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    ```
    对于windowsphone8.1,在客户端输入的用户名发送到服务器显示为`设备名称\用户名`的形式,故认证需加上设备名称,设备名称在`设置-关于-手机信息` 中查看

    3: /etc/strongswan.conf
    ```text
    #加入分配的dns
  7. @losisli losisli revised this gist Jan 20, 2015. 1 changed file with 10 additions and 7 deletions.
    17 changes: 10 additions & 7 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -5,8 +5,10 @@
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件
    ```

    **strongswan官网** http://www.strongswan.org/
    **5.2.0版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2

    **5.2.2版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    ```bash
    wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    tar -jxvf strongswan-5.2.2.tar.bz2 & cd strongswan-5.2.2
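Review bot: the unchanged context line `tar -jxvf strongswan-5.2.2.tar.bz2 & cd strongswan-5.2.2` still uses a single `&`, which backgrounds `tar` and lets `cd` and then `./configure` run before extraction is done; it should be `&&` (the May 31, 2015 revision further up makes that fix). The label and URL in this hunk now agree on 5.2.2, which is what the hunk sets out to do.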
    @@ -16,17 +18,17 @@ make && make install
    ## 二:生成、安装证书
    win7+和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书

    1先生成ca证书
    1.先生成ca证书
    ```bash
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    ```
    2然后是服务器端的证书
    2.然后是服务器端的证书
    ```bash
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    ```
    3客户端的证书
    3.客户端的证书
    ```bash
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    @@ -35,7 +37,7 @@ ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cak
    ```bash
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    ```
    4安装证书
    4.安装证书
    ```bash
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    @@ -71,10 +73,10 @@ conn windowsphone
    2: /etc/ipsec.secrets
    ```text
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    用户名1 : EAP "密码1" #win7+
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名称在 `设置-关于-手机信息` 中查看
    ```
    对于windowsphone8.1,在客户端输入的用户名发送到服务器显示为`设备名称\用户名`的形式,故认证需加上设备名称,设备名称在`设置-关于-手机信息` 中查看
    3: /etc/strongswan.conf
    ```text
    #加入分配的dns
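Review bot: the `ipsec.secrets` listing in this hunk stores every EAP password in clear text (`用户名1 : EAP "密码1"`, `wp设备名称\用户名2 : EAP "密码2"`), and nothing in the tutorial restricts access to the file; suggest adding a `chmod 600 /etc/ipsec.secrets` step (root-owned) right after the file is written, and a sentence noting that these are the VPN login credentials, so they should not be passwords reused from other accounts. Moving the long Windows Phone explanation out of the file listing and into prose is fine.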
    @@ -93,6 +95,7 @@ iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上5行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    ```
    ## 五:启动strongswan:
    后台运行:
    ```bash
    ipsec start
    ```
  8. @losisli losisli revised this gist Jan 20, 2015. 1 changed file with 4 additions and 3 deletions.
    7 changes: 4 additions & 3 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -5,7 +5,7 @@
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件
    ```
    **strongswan官网** http://www.strongswan.org/
    **strongswan官网** http://www.strongswan.org/
    **5.2.0版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    ```bash
    wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    @@ -15,6 +15,7 @@ make && make install
    ```
    ## 二:生成、安装证书
    win7+和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书

    1:先生成ca证书
    ```bash
    ipsec pki --gen --outform pem > caKey.pem
    @@ -72,7 +73,7 @@ conn windowsphone
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名称在`设置-关于-手机信息`中查看
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名称在 `设置-关于-手机信息` 中查看
    ```
    3: /etc/strongswan.conf
    ```text
    @@ -91,7 +92,7 @@ iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上5行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    ```
    ## 最后,启动strongswan:
    ## 五:启动strongswan:
    ```bash
    ipsec start
    ```
  9. @losisli losisli revised this gist Jan 20, 2015. 1 changed file with 86 additions and 83 deletions.
    169 changes: 86 additions & 83 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,101 +1,104 @@
    **平台**:DigitalOcean VPS原生ubuntu14.04 x86, strongswan5.2.0
    **平台**:DigitalOcean VPS ubuntu14.04 x64, strongswan5.2.2

    ## 一:安装strongswan

    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件

    **strongswan官网** http://www.strongswan.org/**5.2.0版本地址** http://download.strongswan.org/strongswan-5.2.0.tar.bz2

    wget http://download.strongswan.org/strongswan-5.2.0.tar.bz2
    tar -jxvf strongswan-5.2.0.tar.bz2
    cd strongswan-5.2.0
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

    ```bash
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件
    ```
    **strongswan官网** http://www.strongswan.org/
    **5.2.0版本地址** http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    ```bash
    wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
    tar -jxvf strongswan-5.2.2.tar.bz2 & cd strongswan-5.2.2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install
    ```
    ## 二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书

    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    win7+和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书
    1:先生成ca证书
    ```bash
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    ```
    2:然后是服务器端的证书

    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    ```bash
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    ```
    3:客户端的证书

    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。

    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    ```bash
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    ```
    生成的客户端证书 clientCert.pem 不能直接导入到win7+或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。
    ```bash
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    ```
    4:安装证书

    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    ```bash
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    ```
    客户端安装caCert.pem与clientCert.pem(clientCert.p12)

    ## 三:配置strongswan
    1: /etc/ipsec.conf

    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线

    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

    ```text
    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线
    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
    ```
    2: /etc/ipsec.secrets

    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    ```text
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名称在`设置-关于-手机信息`中查看
    ```
    3: /etc/strongswan.conf

    #加入分配的dns
    charon {

    dns1 = 8.8.8.8
    dns2 = 208.67.222.222

    }

    ```text
    #加入分配的dns
    charon {
    dns1 = 8.8.8.8
    dns2 = 208.67.222.222
    }
    ```
    ## 四:配置 Iptables 转发

    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上5行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    ```bash
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上5行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    ```
    ## 最后,启动strongswan:

    ipsec start
    ```bash
    ipsec start
    ```
    滚动日志:

    ipsec start --nofork

    ```bash
    ipsec start --nofork
    ```
    ## 参考链接:
    * http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    * http://si-you.com/?p=1167
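Review bot: two regressions ride along with the code-fence conversion. The removed lines `tar -jxvf strongswan-5.2.0.tar.bz2` and `cd strongswan-5.2.0` are merged into `tar -jxvf strongswan-5.2.2.tar.bz2 & cd strongswan-5.2.2` with a single `&`, which backgrounds `tar` and lets `cd` run before extraction has finished; it needs `&&`. And the new `**5.2.0版本地址**` label sits next to a URL for `strongswan-5.2.2.tar.bz2`, so the label should say 5.2.2. On the `ipsec.conf` block, `ike=aes256-sha1-modp1024!` pins the IKE proposal to a 1024-bit MODP group and SHA-1, with the trailing `!` meaning no other proposal is accepted; a caveat that modp1024 is considered weak and that `modp2048` with `sha256` should be offered where the client platforms support it would help readers.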
  10. @losisli losisli revised this gist Oct 11, 2014. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,4 +1,4 @@
    **平台**:DigitalOcean VPS原生ubuntu14.04 x86, strongswan5.1.3
    **平台**:DigitalOcean VPS原生ubuntu14.04 x86, strongswan5.2.0

    ## 一:安装strongswan

    @@ -87,7 +87,7 @@
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    #为避免VPS重启后NAT功能失效,可以把如上5行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    ## 最后,启动strongswan:
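Review bot: persisting these five lines through `/etc/rc.local` (the comment this hunk corrects from 8 to 5 lines) is fragile: `echo 1 > /proc/sys/net/ipv4/ip_forward` is better expressed as `net.ipv4.ip_forward=1` in `/etc/sysctl.conf`, and the `iptables` rules are normally saved with `iptables-save` and restored at boot (for example via the `iptables-persistent` package) rather than re-appended from a script, which also avoids duplicate rules if `rc.local` runs more than once.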

  11. @losisli losisli revised this gist Aug 26, 2014. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -5,11 +5,11 @@
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件

    **strongswan官网** http://www.strongswan.org/**5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **strongswan官网** http://www.strongswan.org/**5.2.0版本地址** http://download.strongswan.org/strongswan-5.2.0.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3
    wget http://download.strongswan.org/strongswan-5.2.0.tar.bz2
    tar -jxvf strongswan-5.2.0.tar.bz2
    cd strongswan-5.2.0
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

  12. losisli revised this gist May 27, 2014. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -5,7 +5,7 @@
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件

    **strongswan官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **strongswan官网** http://www.strongswan.org/ **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    @@ -34,6 +34,7 @@
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    客户端安装caCert.pem与clientCert.pem(clientCert.p12)

    ## 三:配置strongswan
    1: /etc/ipsec.conf
  13. losisli revised this gist Apr 23, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -9,7 +9,7 @@

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install
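Review bot: the corrected `cd strongswan-5.1.3` is needed for the rest of the block to work: `cd strongswan-5.1.3.tar.bz2` fails because that name is the archive, not a directory, so `./configure` would then run in the download directory and fail. For a copy-paste snippet, chaining as `tar -jxvf strongswan-5.1.3.tar.bz2 && cd strongswan-5.1.3` would also stop the sequence at the first failing step instead of continuing.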

  14. losisli revised this gist Apr 19, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,4 +1,4 @@
    **平台**原生ubuntu14.04 x86 strongswan5.1.3
    **平台**DigitalOcean VPS原生ubuntu14.04 x86, strongswan5.1.3

    ## 一:安装strongswan

  15. losisli revised this gist Apr 19, 2014. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -84,9 +84,9 @@
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE //地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    ## 最后,启动strongswan:
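Review bot: the switch from `//` to `#` is a functional fix, not a cosmetic one. In a shell `//` is not a comment marker, so `iptables -t nat -A POSTROUTING ... -j MASQUERADE //地址与上面地址池对应` passes `//地址与上面地址池对应` to `iptables` as an extra argument and the command is rejected; anyone who pasted the old lines never had the MASQUERADE and FORWARD rules installed, and the `//为避免...` line would be executed as a command named after the comment.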

  16. losisli revised this gist Apr 19, 2014. 1 changed file with 3 additions and 6 deletions.
    9 changes: 3 additions & 6 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -2,13 +2,10 @@

    ## 一:安装strongswan

    apt-get install gcc make strongswan //strongswan版本可能较低
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    apt-get install openssl-dev
    apt-get install build-essential #编译环境
    aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    **官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **strongswan官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
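Review bot: dropping `apt-get install openssl-dev` is right for a second reason: Ubuntu has no package by that name, and the headers come from `libssl-dev`, which the new `aptitude install ...` line includes. One caveat on that line: `aptitude` is not part of a default Ubuntu 14.04 server install, so the step can fail with "command not found"; `apt-get install` with the same package list works everywhere and keeps the two install lines consistent.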
  17. losisli revised this gist Apr 19, 2014. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,9 +1,10 @@
    **平台**:原生ubuntu14.04 x86 strongswan5.1.3

    ## 一:安装strongswan

    apt-get install gcc make strongswan //strongswan版本可能较低
    //到**https://gmplib.org/** 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    //如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    apt-get install openssl-dev

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
  18. losisli revised this gist Apr 19, 2014. 1 changed file with 5 additions and 6 deletions.
    11 changes: 5 additions & 6 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -44,7 +44,6 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线


    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    @@ -74,7 +73,7 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载

    3: /etc/strongswan.conf

    //加入分配的dns
    #加入分配的dns
    charon {

    dns1 = 8.8.8.8
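Review bot: `#` is the comment character that `strongswan.conf` recognises, so this fix matters: a line starting with `//` is not valid syntax in that file and would be reported as a parse error when charon loads its configuration.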
    @@ -91,14 +90,14 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:
    ## 最后,启动strongswan:

    ipsec start
    滚动日志:

    ipsec start --nofork

    ## 参考链接:
    http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    http://si-you.com/?p=1167
    http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
    * http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    * http://si-you.com/?p=1167
    * http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
  19. losisli revised this gist Apr 19, 2014. 1 changed file with 17 additions and 6 deletions.
    23 changes: 17 additions & 6 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -7,7 +7,8 @@
    apt-get install openssl-dev

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    **官网**http://www.strongswan.org/, 5.1.3版本地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    **官网** http://www.strongswan.org/, **5.1.3版本地址** http://download.strongswan.org/strongswan-5.1.3.tar.bz2

    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    @@ -16,27 +17,34 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载

    ## 二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书

    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    2:然后是服务器端的证书

    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    3:客户端的证书

    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。

    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4:安装证书

    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/

    ## 三:配置strongswan
    1: /etc/ipsec.conf

    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线


    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
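Review bot: the client-certificate step in this hunk (context line `生成的客户端证书 clientCert.pem ...`) tells the reader they may press Enter for an empty export password on `openssl pkcs12 -export`. Since the resulting `clientCert.p12` bundles the client's private key and is about to be copied onto phones and laptops, the tutorial should recommend a non-empty password; an empty one leaves the key readable to anyone who obtains the file.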
    @@ -57,14 +65,16 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    auto=add

    2: /etc/ipsec.secrets

    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    3: /etc/strongswan.conf
    //加入分配的dns

    //加入分配的dns
    charon {

    dns1 = 8.8.8.8
    @@ -73,18 +83,19 @@ ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载
    }

    ## 四:配置 Iptables 转发

    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE //地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:

    ipsec start
    滚动日志:

    ipsec start --nofork

    ## 参考链接:
  20. losisli revised this gist Apr 19, 2014. 1 changed file with 67 additions and 66 deletions.
    133 changes: 67 additions & 66 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,92 +1,93 @@
    平台:原生ubuntu14.04 x86 strongswan5.1.3
    **平台**:原生ubuntu14.04 x86 strongswan5.1.3

    一:安装strongswan
    apt-get install gcc make strongswan (strongswan版本可能较低)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用 apt-get install openssl-dev 命令解决(ubuntu14.04本身已安装openssl)
    ## 一:安装strongswan
    apt-get install gcc make strongswan //strongswan版本可能较低
    //到**https://gmplib.org/** 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    //如编译出现错误“OpenSSL crypto library not found”,用一下命令解决(ubuntu14.04本身已安装openssl)
    apt-get install openssl-dev

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    官网http://www.strongswan.org/, 5.1.3地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install
    **官网**http://www.strongswan.org/, 5.1.3版本地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

    二:生成、安装证书
    ## 二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    2:然后是服务器端的证书
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    3:客户端的证书
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4安装证书
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4:安装证书
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/

    三:配置strongswan
    1: #/etc/ipsec.conf
    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线
    ## 三:配置strongswan
    1: /etc/ipsec.conf
    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线

    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

    2: #/etc/ipsec.secrets
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    2: /etc/ipsec.secrets
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    3: #/etc/strongswan.conf
    #加入分配的dns
    charon {
    3: /etc/strongswan.conf
    //加入分配的dns
    charon {

    dns1 = 8.8.8.8
    dns2 = 208.67.222.222
    dns1 = 8.8.8.8
    dns2 = 208.67.222.222

    }
    }

    四:配置 Iptables 转发
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    ## 四:配置 Iptables 转发
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。
    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE //地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT //同上
    //为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:
    ipsec start
    ipsec start
    滚动日志:
    ipsec start --nofork
    ipsec start --nofork

    参考链接:
    ## 参考链接:
    http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    http://si-you.com/?p=1167
    http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
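Review bot: changing the comment marker from `#` to `//` on the iptables lines breaks those commands: a shell only treats `#` as a comment, so `iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE //地址与上面地址池对应` passes the Chinese remark to iptables as extra arguments and the rule is not added; keep `#` for anything typed into a shell (the `//加入分配的dns` line above `charon {` has the same problem, since /etc/strongswan.conf also documents `#` as its comment character). Two defects carried over unchanged in this hunk: `cd strongswan-5.1.3.tar.bz2` should be `cd strongswan-5.1.3`, the directory that `tar -jxvf` extracts, and the Ubuntu package that provides the OpenSSL headers the configure error asks for is `libssl-dev`, not `openssl-dev`, so `apt-get install openssl-dev` fails with "unable to locate package".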
  21. losisli revised this gist Apr 19, 2014. No changes.
  22. losisli revised this gist Apr 19, 2014. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -1,4 +1,5 @@
    平台:原生ubuntu14.04 x86 strongswan5.1.3

    一:安装strongswan
    apt-get install gcc make strongswan (strongswan版本可能较低)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
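Review bot: `apt-get install gcc make strongswan` pulls in the distribution's strongswan package even though the tutorial goes on to build strongswan from source with the same `/usr` prefix; two copies of `ipsec` and its plugins on one host make debugging and patching confusing, so drop `strongswan` from the apt-get line (keep `gcc make`) when the source build is the one that will run. The GMP step sends readers to https://gmplib.org/ to compile the library by hand; Ubuntu ships it as `libgmp-dev` (or the transitional `libgmp3-dev`), which avoids an unverified download, and if the upstream tarball is used anyway its GPG signature should be checked before building.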
    @@ -78,6 +79,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
    #为避免VPS重启后NAT功能失效,可以把如上8行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。

    最后,启动strongswan:
    ipsec start
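Review bot: the added comment tells readers to paste these eight commands into /etc/rc.local, but `iptables -A` appends, so running rc.local again by hand after boot stacks duplicate MASQUERADE and FORWARD rules, and `echo 1 > /proc/sys/net/ipv4/ip_forward` belongs in /etc/sysctl.conf as `net.ipv4.ip_forward=1` rather than in a boot script; save the rules once with the iptables-persistent package, or at least guard each line with `iptables -C ... || iptables -A ...`. `-o eth0` also hard-codes the VPS's interface name; say so, or tell readers to take the interface from `ip route`.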
  23. losisli revised this gist Apr 19, 2014. 1 changed file with 90 additions and 1 deletion.
    91 changes: 90 additions & 1 deletion linux上用strongswan搭建ikev2协议vpn.md
    @@ -1 +1,90 @@
    平台:ubuntu14.04 x86
    平台:原生ubuntu14.04 x86 strongswan5.1.3
    一:安装strongswan
    apt-get install gcc make strongswan (strongswan版本可能较低)
    https://gmplib.org/ 下载编译最新的The GNU Multiple Precision Arithmetic Library(编译strongswan过程依赖)
    如编译出现错误“OpenSSL crypto library not found”,用 apt-get install openssl-dev 命令解决(ubuntu14.04本身已安装openssl)

    ubuntu仓库中的strongswan经实验多次没有成功,遂重新自己下载编译
    官网http://www.strongswan.org/, 5.1.3地址 http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    wget http://download.strongswan.org/strongswan-5.1.3.tar.bz2
    tar -jxvf strongswan-5.1.3.tar.bz2
    cd strongswan-5.1.3.tar.bz2
    ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
    make && make install

    二:生成、安装证书
    1:win7和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书,先生成ca证书
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
    2:然后是服务器端的证书
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
    3:客户端的证书
    ipsec pki --gen --outform pem > clientKey.pem
    ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem
    生成的客户端证书 clientCert.pem 不能直接导入到win7或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)。
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
    4安装证书
    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/

    三:配置strongswan
    1: #/etc/ipsec.conf
    config setup
    strictcrlpolicy=no
    uniqueids=no #允许多设备同时在线

    conn windowsphone
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CN, O=strongSwan, CN=X.X.X.X" #C=国家,CN=自己vps的公网ip
    right=%any
    rightsourceip=10.11.1.0/24 #为客户端分配的虚拟地址池
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

    2: #/etc/ipsec.secrets
    : RSA serverKey.pem
    用户名1 : EAP "密码1"
    wp设备名称\用户名2 : EAP "密码2" #仅对windowsphone8.1设备
    #windowsphone8.1,在客户端输入的用户名发送到服务器显示为“设备名称\用户名”的形式,故认证需加上设备名称,设备名限制15字符
    #貌似只能全英文不能有标点、符号(这一点有待确认)

    3: #/etc/strongswan.conf
    #加入分配的dns
    charon {

    dns1 = 8.8.8.8
    dns2 = 208.67.222.222

    }

    四:配置 Iptables 转发
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
    iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上

    最后,启动strongswan:
    ipsec start
    滚动日志:
    ipsec start --nofork

    参考链接:
    http://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
    http://si-you.com/?p=1167
    http://blog.ltns.info/linux/pure_ipsec_multi-platform_vpn_client_debian_vps/
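Review bot: the client `.p12` export step says the password prompt may be answered with an empty line, which leaves the client private key unprotected in a file that is then copied to phones and laptops; require a passphrase on `openssl pkcs12 -export`. The PKI section also issues the CA, server and client certificates without `--lifetime` (so they get strongSwan's defaults) and never creates a CRL, while `strictcrlpolicy=no` in ipsec.conf means no revocation is ever checked; a lost client certificate therefore cannot be revoked short of replacing the CA, so at minimum mention `ipsec pki --signcrl` and where the CRL would be published. In the `conn windowsphone` block, `ike=aes256-sha1-modp1024!` pins a 1024-bit DH group and SHA-1 for IKE; `aes256-sha256-modp2048!` is accepted by the same strongswan 5.1.3 and by the Windows and Android clients the text targets, and `rekey=no` means the IKE SA is never rekeyed for the life of the connection, which should be stated as a deliberate trade-off. Finally, `cd strongswan-5.1.3.tar.bz2` should be `cd strongswan-5.1.3`, the directory the preceding `tar -jxvf` produces.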
  24. losisli created this gist Apr 19, 2014.
    1 change: 1 addition & 0 deletions linux上用strongswan搭建ikev2协议vpn.md
    @@ -0,0 +1 @@
    平台:ubuntu14.04 x86