Skip to content

Instantly share code, notes, and snippets.

@kasuganosora
Last active August 20, 2019 06:40
Show Gist options
  • Save kasuganosora/7714921 to your computer and use it in GitHub Desktop.
Save kasuganosora/7714921 to your computer and use it in GitHub Desktop.
刚配置完IPSEC(strongSwan U5.1.1/K3.11.6) 用到的配置
#生成CA密钥
ipsec pki --gen --outform pem > caKey.pem
#生成CA证书
ipsec pki --self --in caKey.pem --dn "C=US, O=你的组织名字, CN=你的CA名字" --ca --outform pem > caCert.pem
#生成服务器密钥
ipsec pki --gen --outform pem > serverKey.pem
#用CA和服务器密钥来颁发服务器证书
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
--dn "C=US, O=你的组织名字, CN=服务器域名" --san="服务器域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
其中服务器域名用于给客户端时候连接是用,用域名就写域名,用IP就写IP
#生成客户端密钥
ipsec pki --gen --outform pem > clientKey.pem
#用CA给客户端颁发证书
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem \
--cakey caKey.pem --dn "C=US, O=组织名字, CN=client" \
--outform pem > clientCert.pem
#生成客户端的pkcs12证书
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" \
-certfile caCert.pem -caname "CA的名字" -out clientCert.p12
#这里会叫你输入密码
#安装证书
cp -r caCert.pem /etc/ipsec.d/cacerts/
cp -r serverCert.pem /etc/ipsec.d/certs/
cp -r serverKey.pem /etc/ipsec.d/private/
cp -r clientCert.pem /etc/ipsec.d/certs/
cp -r clientKey.pem /etc/ipsec.d/private/
#启动一下ipsec 然后结束她
ipsec start --nofork
#配置 Strongswan
# /etc/ipsec.conf
config setup
uniqueids=never
conn iOS_cert
keyexchange=ikev1
# strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=serverCert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.0.0.0/24
rightcert=clientCert.pem
auto=add
# also supports iOS PSK and Shrew on Windows
conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.0.0.0/24
auto=add
# compatible with "strongSwan VPN Client" for Android 4.0+
# and Windows 7 cert mode.
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=serverCert.pem
right=%any
rightauth=pubkey
rightsourceip=10.0.0.0/24
rightcert=clientCert.pem
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=serverCert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.0.0.0/24
rightsendcert=never
eap_identity=%any
auto=add
conn CiscoIPSec
keyexchange=ikev1
auto=add
aggressive=yes
compress=yes
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
leftid=blackberry
type=tunnel
xauth=server
leftauth=psk
rightauth=psk
rightauth2=xauth-eap
leftfirewall=yes
#配置IPSEC密钥
#/etc/ipsec.secrets
: RSA serverKey.pem
: PSK "公钥"
用户名 : XAUTH "密码"
用户名 : EAP "密码"
#然后在 /etc/strongswan.conf 修改其中的 charon 下面加入这样的东西
dns1 = 8.8.8.8
dns2 = 8.8.4.4
# for Windows only
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
duplicheck.enable = no
#iptable
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment