1. Install the required libraries
CentOS:
```sh
yum update
yum install pam-devel openssl-devel make gcc
```
2. Download strongSwan and unpack it (* stands for the current strongSwan version number):
```sh
wget http://download.strongswan.org/strongswan-*.tar.gz
tar xzf strongswan-*.tar.gz
```
3. Configure strongSwan:
Xen and KVM use the following parameters:
```sh
./configure --enable-eap-identity --enable-eap-md5 \
    --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
    --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
    --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp
```
OpenVZ additionally needs --enable-kernel-libipsec:
```sh
./configure --enable-eap-identity --enable-eap-md5 \
    --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
    --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
    --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec
```
4. Compile and install:
If compilation finishes without errors and the ipsec version command prints version information, the installation succeeded.
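The install, download, configure and compile-and-install steps above as one script. This is an added example, not code from the original article or from the strongSwan project. It assumes the release tarball and a detached signature named "<tarball>.sig" can be fetched over https from download.strongswan.org (the article fetches over plain http with no verification; the signature check is this example's addition and assumes the strongSwan release-signing key is already in the local GnuPG keyring) and that VERSION is a placeholder you fill in. The platform switch adds --enable-kernel-libipsec only for OpenVZ, and --enable-openssl is listed once.

```sh
#!/bin/sh
# Added example, not from the original article or the strongSwan project:
# the article's install, download, configure and build sequence as one script.
# Assumptions: the release tarball and a detached signature "<tarball>.sig"
# are fetched over https from download.strongswan.org (the article uses plain
# http and no verification), the strongSwan release-signing key is already in
# the local GnuPG keyring, and VERSION is a placeholder to fill in.
set -eu

VERSION="${VERSION:-X.Y.Z}"   # placeholder: the strongSwan release to build
BASE_URL="https://download.strongswan.org"
TARBALL="strongswan-${VERSION}.tar.gz"

# Flags every platform in the article uses; --enable-openssl is listed once
# (the article repeats it, which is harmless but redundant).
common_flags() {
    printf '%s\n' \
        --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
        --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
        --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
        --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock \
        --enable-unity --enable-certexpire --enable-radattr --enable-tools \
        --disable-gmp
}

# configure_flags <xen|kvm|openvz>: one flag per line. OpenVZ containers
# generally lack kernel IPsec support, hence the article's userspace
# libipsec backend there.
configure_flags() {
    case "$1" in
        xen|kvm) common_flags ;;
        openvz)  common_flags; printf '%s\n' --enable-kernel-libipsec ;;
        *) echo "unknown platform: $1 (expected xen, kvm or openvz)" >&2; return 1 ;;
    esac
}

# fetch_and_verify: download the tarball and its detached signature and
# refuse to continue unless the signature checks out.
fetch_and_verify() {
    wget -q "${BASE_URL}/${TARBALL}" "${BASE_URL}/${TARBALL}.sig"
    gpg --verify "${TARBALL}.sig" "${TARBALL}"
}

# build PLATFORM: download, configure, make, make install, then the
# article's success check (ipsec version prints version information).
build() {
    fetch_and_verify
    tar xzf "$TARBALL"
    cd "strongswan-${VERSION}"
    # shellcheck disable=SC2046
    ./configure $(configure_flags "$1" | tr '\n' ' ')
    make
    make install
    ipsec version
}

# Usage: sh build-strongswan.sh kvm   (or xen / openvz); no argument only defines the functions.
if [ -n "${1:-}" ]; then
    build "$1"
fi
```

Run it as root on a freshly prepared VPS; a failed signature check stops the script before anything is unpacked or compiled.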
Configure certificates
1. Generate the CA private key:
```sh
ipsec pki --gen --outform pem > ca.pem
```
2. Self-sign the CA certificate with that key:
```sh
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=vpn ca" --ca --outform pem > ca.cert.pem
```
Tip: sharing one CA root certificate across several VPSes:
If several VPSes should use the same CA root certificate, perform the two steps above only once and use the resulting ca.pem and ca.cert.pem files on every VPS for the remaining steps.
Point each VPS at a different subdomain of the same domain.
The client then needs to install the root certificate ca.cert.pem only once to connect to any of the servers.
3. Generate the private key for the server certificate:
```sh
ipsec pki --gen --outform pem > server.pem
```
4. Issue the server certificate with the CA certificate
First confirm your server's IP address or domain name: later, clients can only connect using the address recorded in the certificate (if several servers share one root CA, set up DNS for each server's domain name first).
Then replace 123.123.123.123 in the following command with your server's IP address or domain name; it appears twice:
```sh
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=com, O=myvpn, CN=123.123.123.123" \
    --san="123.123.123.123" --flag serverAuth --flag ikeIntermediate \
    --outform pem > server.cert.pem
```
Note that the "C=" and "O=" values in this command must match the C and O values used for the CA in step 2.
5. Generate the private key for the client certificate:
```sh
ipsec pki --gen --outform pem > client.pem
```
6. Sign the client certificate with the CA (C and O must match the CA's values above; CN can be anything):
```sh
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=VPN Client" --outform pem > client.cert.pem
```
7. Generate the PKCS#12 bundle:
```sh
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "vpn ca" -out client.cert.p12
```
Note that the quoted value after -caname must match the "CN=" value of the CA in step 2.
8. Install the certificates and keys:
```sh
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem /usr/local/etc/ipsec.d/private/
```
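The eight certificate steps as one script, added here as an example; it is not the article's or strongSwan's own code. C, O, the CA's CN and the server address are set once, so the "must match" notes of steps 4, 6 and 7 hold by construction; the chain and the server's SAN are verified before anything is installed, and private keys are written owner-only. It assumes ipsec (strongSwan's pki tool) and OpenSSL 1.1.1 or newer are installed, /usr/local/etc/ipsec.d is the install location from step 8, and SERVER_ADDR 203.0.113.10 is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original article or strongSwan: the article's
# certificate steps 1-8 as one script. The values that must agree (C, O, the
# CA's CN and the server address) are defined once so they cannot drift apart.
# Assumptions: ipsec (strongSwan pki) and OpenSSL >= 1.1.1 are installed;
# SERVER_ADDR is a placeholder; IPSEC_DIR is the article's install location.
set -eu

COUNTRY="com"
ORG="myvpn"
CA_CN="vpn ca"
CLIENT_CN="VPN Client"
SERVER_ADDR="${SERVER_ADDR:-203.0.113.10}"   # placeholder: the IP or DNS name clients will dial
IPSEC_DIR="/usr/local/etc/ipsec.d"

# Distinguished names derived from the shared values (steps 2, 4 and 6).
ca_dn()     { printf 'C=%s, O=%s, CN=%s' "$COUNTRY" "$ORG" "$CA_CN"; }
server_dn() { printf 'C=%s, O=%s, CN=%s' "$COUNTRY" "$ORG" "$SERVER_ADDR"; }
client_dn() { printf 'C=%s, O=%s, CN=%s' "$COUNTRY" "$ORG" "$CLIENT_CN"; }

# valid_addr ADDR: the address lands in a DN and a SAN, so accept only dotted
# IPv4 or hostname characters; reject empty values and leading/trailing dot or dash.
valid_addr() {
    case "$1" in
        "" | *[!A-Za-z0-9.-]* | .* | *. | -*) return 1 ;;
    esac
    return 0
}

generate() {
    valid_addr "$SERVER_ADDR" || { echo "bad SERVER_ADDR: '$SERVER_ADDR'" >&2; return 1; }
    umask 077   # new files (the private keys) are created unreadable to others

    # Steps 1-2: CA key and self-signed CA certificate; skipped if they already
    # exist, which is how one CA is shared across several servers (tip above).
    [ -f ca.pem ] || ipsec pki --gen --outform pem > ca.pem
    [ -f ca.cert.pem ] || ipsec pki --self --in ca.pem --dn "$(ca_dn)" --ca --outform pem > ca.cert.pem

    # Steps 3-4: server key and certificate; the SAN must hold the address clients use.
    ipsec pki --gen --outform pem > server.pem
    ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
        --dn "$(server_dn)" --san "$SERVER_ADDR" --flag serverAuth --flag ikeIntermediate \
        --outform pem > server.cert.pem

    # Steps 5-7: client key, certificate and PKCS#12 bundle (-caname is the CA's CN).
    ipsec pki --gen --outform pem > client.pem
    ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
        --dn "$(client_dn)" --outform pem > client.cert.pem
    openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" \
        -certfile ca.cert.pem -caname "$CA_CN" -out client.cert.p12

    # Verify the chain and the server SAN before installing anything.
    openssl verify -CAfile ca.cert.pem server.cert.pem client.cert.pem
    openssl x509 -in server.cert.pem -noout -ext subjectAltName | grep -q -- "$SERVER_ADDR"

    # Step 8: certificates world-readable, private keys owner-only.
    install -m 0644 ca.cert.pem "$IPSEC_DIR/cacerts/"
    install -m 0644 server.cert.pem client.cert.pem "$IPSEC_DIR/certs/"
    install -m 0600 server.pem client.pem "$IPSEC_DIR/private/"
}

# Generate only where strongSwan is installed; the helpers above work anywhere.
if command -v ipsec >/dev/null 2>&1; then
    generate
fi
```

Run it once per server as SERVER_ADDR=vpn.example.com sh make-certs.sh; copying an existing ca.pem and ca.cert.pem into the working directory first reuses that CA, as the tip above describes.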
Configure strongSwan
1. Edit /usr/local/etc/ipsec.conf:
```sh
vim /usr/local/etc/ipsec.conf
```
Change it to the following content:
A ready-made ipsec.conf can also be downloaded and uploaded to the VPS via sftp:
ipsec.conf: Baidu disk
2. Edit /usr/local/etc/strongswan.conf with vim, setting duplicheck.enable = no inside the charon section and keeping the two include lines:
```
charon {
    duplicheck.enable = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
```
3. Edit /usr/local/etc/ipsec.secrets with vim:
```
[username] %any : EAP "[password]"
```
Replace the myPSKkey placeholder with your key for the PSK authentication method.
Replace the myXAUTHPass placeholder with the password for the XAUTH authentication method; the username for XAUTH can be anything.
Replace [username] with the login name you want and [password] with the password you want (without the square brackets). Add one line per additional user; these are the credentials for IKEv2 username/password authentication.
Tip: username problems when connecting from a WP8.1 client
Because WP8.1 prepends a domain named after the phone to the username when it connects to an IKEv2 VPN, the connection fails with a username or password error. There are two ways around it:
Method 1: Change the last line of /usr/local/etc/ipsec.secrets to %any : EAP "[password]", so that any username can log in without error.
Method 2: Use FreeRADIUS to strip the domain from the login name; see the linked article "Use FreeRADIUS to strip the Windows domain from the login username" for the configuration.
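An audit script for ipsec.secrets, added here as an example; it is not from the article. Method 1 above makes one password valid for every identity, so the script flags EAP and XAUTH entries whose selector is empty or %any, secrets shorter than 12 characters (a threshold chosen for this example), and a file readable by group or others. The sample file it writes is constructed for the demonstration and mirrors the article's placeholders; the ": RSA server.pem" line is the standard way the server's private key is referenced in ipsec.secrets and is there only to show that non-password entries are skipped.

```sh
#!/bin/sh
# Added example, not from the original article: a quick audit of ipsec.secrets.
# It reports EAP/XAUTH entries that accept any identity (the effect of
# "Method 1" above), secrets shorter than MIN_LEN characters, and a file
# readable by group or others. Assumptions: POSIX sh, awk and find; MIN_LEN
# is a threshold chosen here; the sample below is constructed for the demo.
set -eu

MIN_LEN=12

# lint_secrets FILE: print one finding per line; return 1 if there is any.
lint_secrets() {
    f="$1"
    status=0
    # charon reads the file as root; nobody else needs it.
    if [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
        echo "$f: readable by group or others (chmod 600 it)"
        status=1
    fi
    out=$(awk -v min="$MIN_LEN" '
        /^[ \t]*(#|$)/ { next }                        # comment or blank line
        {
            c = index($0, ":")                         # "selectors : TYPE secret"
            if (c == 0) next                           # (IPv6 selectors would need a smarter split)
            sel = substr($0, 1, c - 1); gsub(/^[ \t]+|[ \t]+$/, "", sel)
            rest = substr($0, c + 1); sub(/^[ \t]+/, "", rest)
            type = rest; sub(/[ \t].*$/, "", type)
            secret = rest; sub(/^[^ \t]+[ \t]*/, "", secret)
            if (substr(secret, 1, 1) == "\"") {        # quoted secret: up to the closing quote
                secret = substr(secret, 2); q = index(secret, "\"")
                if (q > 0) secret = substr(secret, 1, q - 1)
            } else {                                   # unquoted: the first token only
                sub(/[ \t].*$/, "", secret)
            }
            if ((type == "EAP" || type == "XAUTH") && (sel == "" || sel == "%any"))
                print FILENAME ":" NR ": " type " entry accepts any identity (shared credential)"
            if ((type == "EAP" || type == "XAUTH" || type == "PSK") && length(secret) < min)
                print FILENAME ":" NR ": " type " secret shorter than " min " characters"
        }' "$f")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        status=1
    fi
    return $status
}

# write_sample FILE: a constructed secrets file mirroring the article's placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the article's file
: RSA server.pem
: PSK "myPSKkey"
: XAUTH "myXAUTHPass"
alice %any : EAP "correct-horse-battery-staple"
%any : EAP "letmein"
EOF
}

# Usage: sh lint-secrets.sh /usr/local/etc/ipsec.secrets; with no argument, audit the sample.
if [ -n "${1:-}" ]; then
    lint_secrets "$1"
else
    tmp=$(mktemp)
    write_sample "$tmp"
    lint_secrets "$tmp" || true
    rm -f "$tmp"
fi
```

Against the sample it reports five findings: the short PSK, the XAUTH line (any identity, short secret) and the Method 1 style EAP line (any identity, short secret); the per-user alice entry passes.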
1. Edit /etc/sysctl.conf and remove the # in front of the line net.ipv4.ip_forward = 1 (otherwise IKEv2 VPN clients will not be able to reach the Internet), save, and run sysctl -p (if it reports an error, re-open sysctl.conf, comment out the offending part with # and save, until sysctl -p runs cleanly).
If you also want to tune TCP connections and throughput, see the TCP section of my article on quickly building shadowsocks on a VPS and optimizing each platform (take care not to overwrite the ip_forward setting the VPN relies on).
2. Configure iptables:
On OpenVZ run:
```sh
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i venet0 -p esp -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE
```
On Xen and KVM run:
```sh
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE
```
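The two rule sets above differ only in the interface name, so the following script generates them from one list; it is an added example and not part of the article. apply_rules checks each rule with iptables -C before adding it, so running the script twice does not stack duplicate rules, and the FORWARD REJECT is always emitted after the ACCEPT rules, the order the article relies on. It also checks the ip_forward setting from the sysctl step. It assumes iptables is installed when apply_rules runs; gen_rules only prints and needs nothing. Ports 1701 and 1723 belong to L2TP and PPTP rather than IPsec/IKEv2, so they are worth dropping if only IKEv2 is served.

```sh
#!/bin/sh
# Added example, not from the original article: the article's firewall rules
# generated from one list for a given interface (eth0 on Xen/KVM, venet0 on
# OpenVZ), applied idempotently, plus the ip_forward check from the sysctl step.
# Assumption: iptables is present when apply_rules runs; gen_rules needs nothing.
set -eu

SUBNETS="10.31.0.0/24 10.31.1.0/24 10.31.2.0/24"   # client pools from the article

# gen_rules IFACE: print the rules, one per line, without the "iptables" prefix.
# Order matters: the ACCEPT rules must precede the final FORWARD REJECT.
gen_rules() {
    iface="$1"
    printf '%s\n' "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for net in $SUBNETS; do
        printf '%s\n' "-A FORWARD -s $net -j ACCEPT"
    done
    # IKEv2 itself needs ESP, UDP 500 (IKE) and UDP 4500 (NAT-T). The article
    # also opens TCP 500, UDP 1701 (L2TP) and TCP 1723 (PPTP); drop those lines
    # if only IPsec/IKEv2 is served.
    printf '%s\n' "-A INPUT -i $iface -p esp -j ACCEPT"
    printf '%s\n' "-A INPUT -i $iface -p udp --dport 500 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport 500 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $iface -p udp --dport 4500 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $iface -p udp --dport 1701 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport 1723 -j ACCEPT"
    printf '%s\n' "-A FORWARD -j REJECT"
    for net in $SUBNETS; do
        printf '%s\n' "-t nat -A POSTROUTING -s $net -o $iface -j MASQUERADE"
    done
}

# to_check RULE: turn an append (-A) rule into the matching check (-C) rule.
to_check() {
    printf '%s\n' "$1" | sed -e 's/^-A /-C /' -e 's/ -A / -C /'
}

# apply_rules IFACE: add each rule only if iptables -C reports it missing,
# so re-running the script never stacks duplicate rules.
apply_rules() {
    gen_rules "$1" | while read -r rule; do
        # shellcheck disable=SC2046
        if ! iptables $(to_check "$rule") >/dev/null 2>&1; then
            # shellcheck disable=SC2086
            iptables $rule
        fi
    done
}

# ip_forward_enabled: succeeds when the kernel forwards IPv4 packets.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage: sh firewall.sh eth0   (no argument: define the functions only)
if [ -n "${1:-}" ]; then
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; VPN clients will not reach the Internet" >&2
    apply_rules "$1"
fi
```

To review what would be applied without touching the firewall, run gen_rules venet0 from a shell that has sourced the file.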
3. Load the iptables rules automatically at boot:
Ubuntu:
```sh
iptables-save > /etc/iptables.rules
cat > /etc/network/if-up.d/iptables <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
```
CentOS:
The IPSec/IKEv2 VPN is now set up and you can start using the service:
Reference links:
Use strongSwan to build an IPSec/IKEv2 VPN
Use strongSwan to build an IPSec VPN server supporting IKEv1/IKEv2
Use FreeRADIUS to strip the Windows domain from the login username
Use strongSwan to set up an IPsec VPN