
Basic Strongswan ikev2 server setup

  • platform: atlantic.net ubuntu 14.04 x64
  • the commands below are run as root

Strongswan

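# Install strongSwan together with iptables and iptables-persistent (the
# latter restores the firewall rules given below at boot). Refresh the
# package index first so the install sees current package lists; -y keeps
# the run non-interactive.
apt-get update
apt-get install -y strongswan iptables iptables-persistent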

ca

root ca

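# Root CA: generate a private key and a self-signed CA certificate.
# The shell creates each redirected output file with the current umask, so
# set umask 077 first to keep the private keys readable by root only.
cd ~
umask 077
mkdir -p swan
cd swan
ipsec pki --gen --outform pem > ca_key.pem
# The key written above is ca_key.pem; the original referenced caKey.pem
# here, a file that is never created, so --self would fail to read its input.
ipsec pki --self --in ca_key.pem --dn "C=CN, O=strongswan, CN=strongswan ca" --ca --outform pem > ca_cert.pem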

server certificate

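# Server key and certificate, issued by the CA created above.
# umask 077 keeps the redirected key file root-only (no-op if already set
# earlier in the same shell).
umask 077
ipsec pki --gen --outform pem > server_key.pem
# CN and --san must match the hostname clients connect to (vpn.strong.com here).
# --flag serverAuth marks the certificate for server authentication; several
# IKEv2 clients refuse a server certificate that lacks this extended key usage.
ipsec pki --pub --in server_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongswan, CN=vpn.strong.com" --san="vpn.strong.com" --flag serverAuth --flag ikeIntermediate --outform pem > server_cert.pem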

client certificate

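# Client key and certificate, issued by the same CA.
# umask 077 keeps the redirected key file root-only (no-op if already set
# earlier in the same shell).
umask 077
ipsec pki --gen --outform pem > client_key.pem
# Output is client_cert.pem, the name the "client settings" list below expects;
# the original wrote clientCert.pem, which that list never mentions.
ipsec pki --pub --in client_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > client_cert.pem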

install certificates

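# Install the CA certificate, the server certificate and the server key into
# the directories charon reads. The key is installed with mode 600 so it stays
# root-only regardless of how it was created. Restart strongSwan afterwards
# (ipsec restart) so the new credentials are loaded.
cp ca_cert.pem /etc/ipsec.d/cacerts/
cp server_cert.pem /etc/ipsec.d/certs/
install -m 600 server_key.pem /etc/ipsec.d/private/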

conf

  • /etc/ipsec.conf
# /etc/ipsec.conf -- connection definitions for the strongSwan IKE daemon (charon).
config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Settings inherited by every conn.
conn %default
        # Server certificate from /etc/ipsec.d/certs/; its private key is
        # named in ipsec.secrets.
        leftcert=server_cert.pem
        # Load the conn at startup and wait for clients to initiate.
        auto=add
        # Dead peer detection: probe idle peers every 300 s; on failure drop
        # the SA (clear). NOTE(review): dpdtimeout is believed to apply to
        # IKEv1 only in strongSwan — confirm for the version in use.
        dpdaction=clear
        dpddelay=300s
        dpdtimeout=1h

# Road-warrior conn: accept any client and hand it an address from the pool.
conn rw
        # Let strongSwan's updown script add the firewall rules for each client
        # tunnel (the iptables rules below set FORWARD to DROP).
        leftfirewall=yes
        # Offer the whole IPv4 space so clients route all traffic through the tunnel.
        leftsubnet=0.0.0.0/0
        # Accept connections from any source address.
        right=%any
        # Virtual IP pool for clients; must match the -s of the MASQUERADE rule.
        rightsourceip=10.0.0.0/24
        # NOTE(review): keyexchange is not set, so the default applies; add
        # keyexchange=ikev2 to restrict this conn to IKEv2 — confirm.
  • /etc/ipsec.secrets
# Private key matching leftcert (server_cert.pem), read from /etc/ipsec.d/private/.
# No passphrase is given, so file permissions are the only protection: keep this
# file and the key readable by root only.
: RSA server_key.pem
  • /etc/strongswan.conf
# /etc/strongswan.conf -- daemon-level settings for charon.
charon {
	# Pull plugin settings from the files included in the plugins section below.
	load_modular = yes
	# NOTE(review): install_virtual_ip concerns virtual IPs assigned to this
	# host; it is not believed to be needed for handing addresses to clients — confirm.
	install_virtual_ip = yes

	# DNS servers pushed to clients together with their virtual IP.
	# Public resolvers are used here; the VPS provider's resolvers are an option.
	dns1 = 8.8.8.8
	dns2 = 8.8.4.4 
	# use the dns provided by vps

	plugins {
		include strongswan.d/charon/*.conf
	}
}

system conf

# sysctl setting: enable IPv4 forwarding so traffic from the VPN pool can be
# routed out of the host. Persist it in sysctl configuration (typically
# /etc/sysctl.conf) so it survives a reboot.
net.ipv4.ip_forward = 1
# Firewall rules in iptables-save format (restored by iptables-persistent).
# NAT table: masquerade traffic from the VPN pool (rightsourceip in ipsec.conf)
# leaving via eth0; eth0 must be the VPS's uplink interface.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 22 14:53:31 2013
# Generated by iptables-save v1.4.18 on Mon Jul 22 14:53:31 2013
# Filter table: default-deny for inbound and forwarded traffic.
# NOTE(review): FORWARD is DROP with no explicit rules; with leftfirewall=yes
# strongSwan's updown script is expected to add the per-client FORWARD rules
# when a tunnel comes up — verify forwarding after the first client connects.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [432:67301]
# SSH management access.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# IKE (UDP/500), IKE and ESP over UDP for NAT traversal (UDP/4500), native ESP.
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback traffic. NOTE(review): 127.0.0.0/24 covers only part of the
# loopback range; the usual form is `-i lo -j ACCEPT` — confirm nothing
# listens elsewhere in 127.0.0.0/8.
-A INPUT -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT
# Everything else is rejected with a protocol-appropriate response.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT

client settings

  • ca_cert.pem
  • client_key.pem
  • client_cert.pem

Copy these files to the client, with scp or ftp, and use them for the strongSwan VPN connection; client_key.pem is a private key, so an encrypted channel such as scp is the safer choice.

Reference
