Compile and install strongSwan on CentOS 6.5 x86_64
1. Install the required packages
yum update
yum install pam-devel openssl-devel make gcc
2. Download strongSwan
wget http://download.strongswan.org/strongswan.tar.gz
tar xzf strongswan.tar.gz
cd strongswan-*
3. Compile and install
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --disable-gmp
make && make install
4. Generate the CA private key
ipsec pki --gen --outform pem > ca.pem
Self-sign the CA certificate with that private key
ipsec pki --self --in ca.pem --dn "C=col, O=ssvpn, CN=vpnca" --ca --outform pem > ca.cert.pem
Generate the private key for the server certificate:
ipsec pki --gen --outform pem > server.pem
Issue the server certificate with the CA certificate
First decide on your server's IP address or domain name: from now on clients can only connect using the address that is in the certificate (if several servers share the same root CA, use a domain name for each server and set up DNS resolution for it).
Then replace 123.123.123.123 in the following command with your own server's IP address or domain name; it appears in two places:
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=col, O=ssvpn, CN=123.123.123.123" --san="123.123.123.123" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
Note: the "C=" and "O=" values in this command must match the C and O values used for the CA certificate above.
5. Generate the private key for the client certificate:
ipsec pki --gen --outform pem > client.pem
Issue the client certificate with the CA (C and O must match the CA certificate above; the CN value is arbitrary):
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=col, O=ssvpn, CN=vpn client" --outform pem > client.cert.pem
Generate a PKCS#12 bundle for the client
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "vpnca" -out client.cert.p12
Note: the quoted value after -caname in this command must match the "CN=" value of the CA certificate above.
You will be prompted for an export password; it protects the .p12 file and is asked for again when the client imports the certificate (the example uses Hello).
6. Install the certificates:
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem /usr/local/etc/ipsec.d/private/
7. Configure strongSwan
Edit /usr/local/etc/ipsec.conf (vi /usr/local/etc/ipsec.conf) and replace its entire content with the following:
config setup
    uniqueids=never

conn ios_cert
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.11.2.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.11.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.11.2.0/24
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.11.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add
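The ipsec.conf above mixes several authentication styles, and two of them deserve a second look before the file goes into production: the android conn hands one pre-shared key to every client that connects, and the windows7 conn pins an IKE proposal with sha1 and modp1024, which strongSwan keeps only for old clients. The script below is an added example and not part of the original post; it audits an ipsec.conf in this layout with awk and reports those two patterns plus pubkey conns that name no leftcert. sample_ipsec_conf is a constructed input: the android and windows7 conns from this page, plus a third conn (ikev2_nocert) made up here to exercise the missing-certificate finding.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an ipsec.conf laid out
# like the one above. For every conn section it reports
#   - ike=/esp= proposals that pin a legacy algorithm (md5, sha1, 3des,
#     modp768, modp1024);
#   - conns that accept a pre-shared key from right=%any, i.e. one PSK that
#     every client shares;
#   - conns with leftauth=pubkey but no leftcert= for charon to present.
# Prints one "conn <name>: <finding>" line per problem and exits non-zero
# when it found any, so it can gate a deploy script.
audit_ipsec_conf() {
  awk '
    BEGIN { found = 0 }
    function flush() {
      if (conn == "") return
      if (lauth == "pubkey" && cert == "") {
        printf "conn %s: leftauth=pubkey but no leftcert=\n", conn; found = 1
      }
      if (rauth == "psk" && right == "%any") {
        printf "conn %s: PSK shared by every %%any peer\n", conn; found = 1
      }
    }
    /^[ \t]*#/ { next }
    /^[ \t]*conn[ \t]+/   { flush(); conn = $2; lauth = ""; rauth = ""; cert = ""; right = ""; next }
    /^[ \t]*config[ \t]+/ { flush(); conn = ""; next }
    conn != "" && /=/ {
      line = $0; sub(/^[ \t]+/, "", line)
      eq = index(line, "="); key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
      if (key == "leftauth")  lauth = val
      if (key == "rightauth") rauth = val
      if (key == "leftcert")  cert = val
      if (key == "right")     right = val
      if ((key == "ike" || key == "esp") && val ~ /(md5|sha1|3des|modp768|modp1024)/) {
        printf "conn %s: %s=%s pins a legacy algorithm\n", conn, key, val; found = 1
      }
    }
    END { flush(); exit found }
  ' "$1"
}

# Constructed sample: the PSK and Windows 7 conns from this page, plus a conn
# (ikev2_nocert) made up here that forgets leftcert=.
sample_ipsec_conf() {
  cat <<'EOF'
config setup
    uniqueids=never

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.11.2.0/24
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

conn ikev2_nocert
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    auto=add
EOF
}

main() {
  f=$(mktemp)
  sample_ipsec_conf > "$f"
  audit_ipsec_conf "$f"
  rm -f "$f"
}

case "${1:-}" in --demo) main ;; esac
```

Run it as sh audit.sh --demo, or point audit_ipsec_conf at /usr/local/etc/ipsec.conf on the server. On the sample it prints three lines: the shared PSK in android_xauth_psk, the legacy ike= proposal in windows7, and the missing leftcert in ikev2_nocert. The findings are deliberately only reported, not rewritten: the windows7 proposal is there for client compatibility, and whether that trade-off is acceptable is a decision for whoever runs the server.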
Edit /usr/local/etc/strongswan.conf (vi /usr/local/etc/strongswan.conf) and replace its content with:
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
Edit /usr/local/etc/ipsec.secrets (vi /usr/local/etc/ipsec.secrets):
: RSA server.pem
: PSK "Xskywallker"
: XAUTH "uiop890"
law %any : EAP "Hello"
Change Xskywallker above to the pre-shared key you want for the PSK authentication method;
Change uiop890 above to the password you want for the XAUTH authentication method (the XAUTH user name is arbitrary);
Change law above to the login name you want and Hello to the password you want; add more lines of the same form for more users. These are the login credentials for the IKEv2 user name + password (EAP) authentication method.
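Since users are added by appending lines of the form user %any : EAP "password", it pays to do it with a small helper that cannot produce a malformed line or a duplicate user. The script below is an added example and not part of the original post. It assumes the secrets file layout shown above; SECRETS_FILE defaults to /usr/local/etc/ipsec.secrets and can be pointed at a scratch copy to try it out. reload_secrets uses ipsec rereadsecrets, which makes charon reload the file without restarting the daemon.

```shell
#!/bin/sh
# Added example (not part of the original post): add IKEv2 EAP users to
# ipsec.secrets from a script instead of editing the file by hand. Each user
# is one line of the form   user %any : EAP "password"   as above.
SECRETS_FILE=${SECRETS_FILE:-/usr/local/etc/ipsec.secrets}

# a single non-empty word with no whitespace, quotes or colon, so that the
# resulting line still parses as   user %any : EAP "password"
valid_token() {
  [ -n "$1" ] || return 1
  if printf '%s\n' "$1" | grep -Eq "[[:space:]\"':]"; then
    return 1
  fi
  return 0
}

# true if the secrets file already carries an EAP line for this user
eap_user_exists() {
  awk -v u="$1" 'BEGIN { found = 0 }
    $1 == u && $2 == "%any" && $3 == ":" && toupper($4) == "EAP" { found = 1 }
    END { exit !found }' "$SECRETS_FILE" 2>/dev/null
}

# append one EAP line; refuses bad tokens and a second line for the same user
add_eap_user() {
  user=$1; pass=$2
  valid_token "$user" || { echo "invalid user name: $user" >&2; return 1; }
  valid_token "$pass" || { echo "password must not contain whitespace, quotes or ':'" >&2; return 1; }
  if eap_user_exists "$user"; then
    echo "user $user already has an EAP line" >&2; return 1
  fi
  printf '%s %%any : EAP "%s"\n' "$user" "$pass" >> "$SECRETS_FILE"
}

# print the user names of all EAP lines, one per line
list_eap_users() {
  awk '$2 == "%any" && $3 == ":" && toupper($4) == "EAP" { print $1 }' "$SECRETS_FILE"
}

# on the server: keep the file readable by its owner only and tell charon to
# reread it (ipsec rereadsecrets) so the new user works without a restart
reload_secrets() {
  chmod 600 "$SECRETS_FILE" && ipsec rereadsecrets
}
```

Typical use on the server is add_eap_user alice some-password && reload_secrets. The quoting rule is stricter than strongSwan's own parser needs, but it keeps every line in the one shape that the rest of this page assumes, which makes the file easy to review.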
Start the service
ipsec start
Disable SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's/net.ipv4.ip_forward *= *0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
Add the firewall rules
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.11.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.11.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.11.2.0/24 -o eth0 -j MASQUERADE
service iptables save
Testing on Windows 7
Using the Shrew Soft VPN Client
Download: https://www.shrew.net/download/vpn
After installing, open it and click "Add":
On the "General" tab, fill in "Host Name or IP Address".
On the "Authentication" tab:
"Authentication Method": select "Mutual PSK + XAuth"
"Local Identity": set "Identification Type" to "IP Address"
"Credentials": enter the PSK in "Pre Shared Key"
"Phase 1": set "Exchange Type" to "main"
"Phase 2": set "PFS Exchange" to "auto"
Save. When connecting, the user name and password are your XAUTH user name and password.
Using the built-in Windows client (Agile VPN):
Import the certificate:
From the Start menu search for "cmd", open it and enter mmc to start the Microsoft Management Console.
"File" - "Add/Remove Snap-in", add the "Certificates" snap-in.
In the snap-in's pop-up window you must select "Computer account", then "Local computer", and confirm.
On the left, under Console Root, select "Certificates" - "Personal"; on the right choose "More Actions" - "All Tasks" - "Import" to open the Certificate Import Wizard.
Select the client.cert.p12 file generated earlier. Next, enter the private key password. Next, for "Certificate store" select "Personal".
After the import succeeds, move (cut and paste) the imported CA certificate into the "Trusted Root Certification Authorities" folder.
Open the remaining client certificate and check that it shows "You have a private key that corresponds to this certificate" and that the "Certification Path" tab does not report a problem with the certificate.
Then close the MMC; when prompted "Save console settings to Console1?", select "No".
The certificate import is now complete.
Note: never import the .p12 certificate by double-clicking it! That imports it into the current user's store instead of the local computer's, and the IPsec service would not be able to access it.
Establish the connection:
"Control Panel" - "Network and Sharing Center" - "Set up a new connection or network" - "Connect to a workplace" - "Use my Internet connection (VPN)"
Internet address: the server address. As with the OpenSUSE client, this must be the same IP address or domain name that is in the server certificate.
Destination name: anything you like.
User name and password: the EAP credentials configured in ipsec.secrets earlier.
Confirm.
Click the network icon in the lower right corner, right-click the new VPN connection, open its properties and switch to the "Security" tab.
Type of VPN: select IKEv2.
Data encryption: "Require encryption".
Authentication: to use EAP-MSCHAPv2, select "Use Extensible Authentication Protocol (EAP)" - "Microsoft: Secured password (EAP-MSCHAP v2)"; to authenticate with the client certificate instead, select "Use machine certificates".
This article is based on http://quericy.me/blog/512