刚配置完IPSEC(strongSwan U5.1.1/K3.11.6) 用到的配置
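# Certificate setup for the strongSwan gateway: CA key/cert, server key/cert,
# one client key/cert plus its PKCS#12 bundle, then installation under
# /etc/ipsec.d. Run on the gateway (or a separate CA machine, see below).
#
# Private keys are written with the current umask; tighten it first so that
# caKey.pem, serverKey.pem and clientKey.pem are never created world-readable.
umask 077

# Generate the CA private key.
ipsec pki --gen --outform pem > caKey.pem
# Self-sign the CA certificate (replace the O= / CN= placeholders).
ipsec pki --self --in caKey.pem --dn "C=US, O=你的组织名字, CN=你的CA名字" --ca --outform pem > caCert.pem

# Generate the server private key.
ipsec pki --gen --outform pem > serverKey.pem
# Issue the server certificate with the CA key and the server public key.
# CN= and --san= must both be the name (or IP) clients actually connect to:
# that is what the client validates against the certificate. Use the DNS name
# if clients connect by name, the IP address if they connect by IP.
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
  --dn "C=US, O=你的组织名字, CN=服务器域名" --san="服务器域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem

# Generate the client private key.
ipsec pki --gen --outform pem > clientKey.pem
# Issue the client certificate with the CA. Note this is a single shared
# client identity (CN=client); every client using it is indistinguishable and
# cannot be revoked individually.
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem \
  --cakey caKey.pem --dn "C=US, O=组织名字, CN=client" \
  --outform pem > clientCert.pem
# Bundle client key + cert + CA cert into a PKCS#12 file for import on the
# client; openssl prompts for the export password here.
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" \
  -certfile caCert.pem -caname "CA的名字" -out clientCert.p12

# Install the certificates. These are plain files, so -r is not needed; `--`
# stops option parsing in case a name ever starts with '-'.
cp -- caCert.pem /etc/ipsec.d/cacerts/
cp -- serverCert.pem /etc/ipsec.d/certs/
cp -- serverKey.pem /etc/ipsec.d/private/
cp -- clientCert.pem /etc/ipsec.d/certs/
# Kept from the original. The gateway only needs clientCert.pem (rightcert=)
# to verify clients; the client *private* key does not have to live on the
# server and is better kept only on the clients.
cp -- clientKey.pem /etc/ipsec.d/private/
chmod 600 /etc/ipsec.d/private/serverKey.pem /etc/ipsec.d/private/clientKey.pem
# caKey.pem is deliberately not installed: keep it off the gateway so a
# compromised VPN host cannot mint new client certificates.

# Start ipsec in the foreground once, then stop it (Ctrl-C).
# NOTE(review): the original only says "start it, then end it" — presumably to
# let charon initialise before editing the config below; confirm it is needed.
ipsec start --nofork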
# Configure strongSwan
# /etc/ipsec.conf
# Option lines under a "config"/"conn" header must be indented; a line at
# column 0 starts a new section (indentation restored here).
config setup
  # Allow several concurrent IKE SAs for the same identity. Needed here
  # because all certificate clients present the same clientCert.pem; the cost
  # is that a leaked client credential can be used from many places at once.
  uniqueids=never

# iOS with certificate authentication (IKEv1 + XAUTH second round)
conn iOS_cert
  keyexchange=ikev1
  # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1
  fragmentation=yes
  left=%defaultroute
  leftauth=pubkey
  # Full tunnel: all client traffic is routed through the gateway
  leftsubnet=0.0.0.0/0
  leftcert=serverCert.pem
  right=%any
  rightauth=pubkey
  # Second authentication round: username/password from ipsec.secrets (XAUTH)
  rightauth2=xauth
  # Virtual IP pool handed to clients; must match the NAT/FORWARD iptables rules
  rightsourceip=10.0.0.0/24
  # One shared client certificate for every client: no per-user revocation
  rightcert=clientCert.pem
  auto=add

# also supports iOS PSK and Shrew on Windows
conn android_xauth_psk
  keyexchange=ikev1
  left=%defaultroute
  # Pre-shared key from ipsec.secrets; that ": PSK" entry has no identity
  # prefix, so the same PSK is shared by every client of this conn
  leftauth=psk
  leftsubnet=0.0.0.0/0
  right=%any
  rightauth=psk
  rightauth2=xauth
  rightsourceip=10.0.0.0/24
  auto=add

# compatible with "strongSwan VPN Client" for Android 4.0+
# and Windows 7 cert mode.
conn networkmanager-strongswan
  keyexchange=ikev2
  left=%defaultroute
  leftauth=pubkey
  leftsubnet=0.0.0.0/0
  leftcert=serverCert.pem
  right=%any
  rightauth=pubkey
  rightsourceip=10.0.0.0/24
  rightcert=clientCert.pem
  auto=add

# Windows 7 built-in client (IKEv2 + EAP-MSCHAPv2)
conn windows7
  keyexchange=ikev2
  # Trailing '!' = strict: only this proposal is offered. modp1024 is a
  # 1024-bit DH group, weak by current standards; kept for Windows 7
  # compatibility (the conn name suggests that is the reason)
  ike=aes256-sha1-modp1024!
  # Server never initiates rekeying
  rekey=no
  left=%defaultroute
  leftauth=pubkey
  leftsubnet=0.0.0.0/0
  leftcert=serverCert.pem
  right=%any
  # Clients authenticate with username/password (EAP entries in ipsec.secrets)
  rightauth=eap-mschapv2
  rightsourceip=10.0.0.0/24
  # The client is not expected to send a certificate
  rightsendcert=never
  # Use the identity sent inside EAP for the credential lookup
  eap_identity=%any
  auto=add

# Cisco-style IKEv1 client (aggressive mode + PSK + XAUTH)
conn CiscoIPSec
  keyexchange=ikev1
  auto=add
  # Aggressive mode with PSK exposes the identity and a PSK-derived hash in
  # the first, unencrypted exchange, which allows offline guessing of the
  # PSK. If this conn stays enabled, the PSK must be long and random.
  aggressive=yes
  # IPComp compression of the ESP payload
  compress=yes
  # Strict proposals; see the modp1024 remark on conn windows7
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  # Dead peer detection: close the SA when the peer stops answering
  dpdaction=clear
  # NOTE(review): presumably the group name the client enters for this conn
  # — confirm against the client side
  leftid=blackberry
  type=tunnel
  xauth=server
  leftauth=psk
  rightauth=psk
  rightauth2=xauth-eap
  # Let the updown script insert firewall rules for the tunnel
  leftfirewall=yes
# Configure the IPsec secrets
# /etc/ipsec.secrets  (keep it readable by root only, e.g. mode 600)
# RSA private key of the server certificate, looked up in /etc/ipsec.d/private/
: RSA serverKey.pem
# Pre-shared key for the psk conns. No identity in front of ':' means one PSK
# for every peer. "公钥" is only a placeholder (and literally means "public
# key", which a PSK is not): replace it with a long random secret.
: PSK "公钥"
# XAUTH username/password for the ikev1 xauth conns (replace 用户名 / 密码)
用户名 : XAUTH "密码"
# EAP (MSCHAPv2) username/password for conn windows7 (replace 用户名 / 密码)
用户名 : EAP "密码"
# Then in /etc/strongswan.conf add the following inside the charon { } section
# DNS servers handed to clients (presumably via the IKE configuration payload;
# Google public DNS here, change to suit your environment)
dns1 = 8.8.8.8
dns2 = 8.8.4.4
# for Windows only
# WINS/NBNS servers pushed to Windows clients; the original just reuses the
# DNS addresses
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
# duplicheck plugin off: the same identity may connect more than once
# (pairs with uniqueids=never in ipsec.conf)
duplicheck.enable = no
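# Firewall and forwarding for the gateway: let IKE (UDP/500) and NAT-T
# (UDP/4500) in, NAT the client pool out through the WAN interface, allow
# forwarding from the pool, and enable IPv4 forwarding.
# vpn_pool must match rightsourceip in ipsec.conf; wan_if is the interface
# facing the internet (eth0 in the original).
vpn_pool=10.0.0.0/24
wan_if=eth0

sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# Clients that are NOT behind NAT send raw ESP (IP protocol 50), which the two
# rules above do not admit; add `sudo iptables -A INPUT -p esp -j ACCEPT` if
# such clients are expected.
sudo iptables -t nat -A POSTROUTING -s "$vpn_pool" -o "$wan_if" -j MASQUERADE
sudo iptables -A FORWARD -s "$vpn_pool" -j ACCEPT
# If the FORWARD chain's default policy is DROP, reply traffic to the pool
# also needs a rule (e.g. -d "$vpn_pool" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT);
# confirm the policy on this host.

# The original `sudo echo 1 > /proc/sys/net/ipv4/ip_forward` fails with
# "Permission denied": the redirection is opened by the unprivileged shell,
# only `echo` runs as root. sysctl performs the write itself as root.
sudo sysctl -w net.ipv4.ip_forward=1
# Neither the iptables rules nor the sysctl setting survive a reboot; persist
# them separately (iptables-save / /etc/sysctl.d).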