StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.

Install strongSwan

The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

yum install strongswan openssl

Generate certificates

Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.

cd /etc/strongswan/ipsec.d

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.sh

chmod a+x server_key.sh

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.sh

chmod a+x client_key.sh

In these two .sh files, I have set the organization name as VULTR-VPS-CENTOS. If you want to change it, open the .sh files and replace O=VULTR-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for server. Replace SERVER_IP with the IP address of your Vultr VPS.

./server_key.sh SERVER_IP

Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user "john".

./client_key.sh john john@gmail.com

Replace "john" and his email with yours before running the script.

After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

Configure strongSwan

Open the strongSwan IPSec configuration file.

vi /etc/strongswan/ipsec.conf

Replace its content with the following text.

config setup

    uniqueids=never

    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default

    left=%defaultroute

    leftsubnet=0.0.0.0/0

    leftcert=vpnHostCert.pem

    right=%any

    rightsourceip=172.16.1.100/16

conn CiscoIPSec

    keyexchange=ikev1

    fragmentation=yes

    rightauth=pubkey

    rightauth2=xauth

    leftsendcert=always

    rekey=no

    auto=add

conn XauthPsk

    keyexchange=ikev1

    leftauth=psk

    rightauth=psk

    rightauth2=xauth

    auto=add

conn IpsecIKEv2

    keyexchange=ikev2

    leftauth=pubkey

    rightauth=pubkey

    leftsendcert=always

    auto=add

conn IpsecIKEv2-EAP

    keyexchange=ikev2

    ike=aes256-sha1-modp1024!

    rekey=no

    leftauth=pubkey

    leftsendcert=always

    rightauth=eap-mschapv2

    eap_identity=%any

    auto=add

Edit the strongSwan configuration file, strongswan.conf.

vi /etc/strongswan/strongswan.conf

Delete everything and replace it with the following.

charon {

    load_modular = yes

    duplicheck.enable = no

    compress = yes

    plugins {

            include strongswan.d/charon/*.conf

    }

    dns1 = 8.8.8.8

    dns2 = 8.8.4.4

    nbns1 = 8.8.8.8

    nbns2 = 8.8.4.4

}

include strongswan.d/*.conf

Edit the IPsec secret file to add a user and password.

vi /etc/strongswan/ipsec.secrets

Add a user account "john" into it.

: RSA vpnHostKey.pem

: PSK "PSK_KEY"

john %any : EAP "John's Password"

john %any : XAUTH "John's Password"

Please note that both sides of the colon ':' need a white-space.

Allow IPv4 forwarding

Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

vi /etc/sysctl.conf

Add the following line into the file.

net.ipv4.ip_forward=1

Save the file, then apply the change.

sysctl -p

Configure the firewall

Open the firewall for your VPN on the server.

firewall-cmd --permanent --add-service="ipsec"

firewall-cmd --permanent --add-port=4500/udp

firewall-cmd --permanent --add-masquerade

firewall-cmd --reload

Start VPN

systemctl start strongswan

systemctl enable strongswan

StrongSwan is now is running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.

strongswan的更多相关文章

  1. StrongSwan 5.1.1 发布,Linux 的 IPsec 项目

    StrongSwan是一个完整的2.4和2.6的Linux内核下的IPsec和IKEv1 的实现.它也完全支持新的IKEv2协议的Linux 2.6内核.结合IKEv1和IKEv2模式与大多数其他基于 ...

  2. 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(下篇)

    续篇—— 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(上篇) 上篇文章写了如何构建一个支持IKEv2的VPN,本篇记录的是如 ...

  3. 架设基于StrongSwan的L2tp/IPSec VPN服务器

    架设基于StrongSwan的L2tp/IPSec VPN服务器 参考: http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-w ...

  4. CentOS6.5 部署VPN管理系统(StrongSwan+iKEv2+Freeradiu+Mysql+Daloradius)

    一.环境介绍 Server IP:192.168.30.133 System: CentOS 6.5 Client:Winodows 二.编译安装StrongSwan 1.下载StrongSwan w ...

  5. [dev][ipsec][dpdk] strongswan/dpdk源码分析之ipsec算法配置过程

    1 简述 storngswan的配置里用一种固定格式的字符串设置了用于协商的预定义算法.在包协商过程中strongswan将字符串转换为固定的枚举值封在数据包里用于传输. 协商成功之后,这组被协商选中 ...

  6. [dev][crypto][strongswan] 有关strongswan的forward policy的源码分析

    一 默认情况下,我们使用strongswan建立了一个ipsec隧道之后,建立的policy如下: [root@D129 OUTPUT]# ip xfrm policy src dst dir pty ...

  7. [strongswan][autoconf][automake][cento] 在CentOS上编译strongswan git源码时遇到的autoconf问题

    编译strongswan的git源码问题 1. 概述 首先,我们想要通过源码编译strongswan.当满足以下条件时,通常你会遇见此问题: 源码时通过git clone的得来的,而不是官网下载的源码 ...

  8. [strongswan] strongswan是如何实现与xfrm之间的trap机制的

    目录 strongswan与xfrm之间的trap机制 0. 1. 前言 2. 描述 2.1 none 2.2 trap 3. 实验与过程 3.1 trap实验 3.2 none实验 4 背景知识 5 ...

  9. [ipsec][strongswan] 使用wireshark查看strongswan ipsec esp ikev1 ikev2的加密内容

    一,编译,启用strongswan的save-keys plugin ./configure --prefix=/root/OUTPUT --exec-prefix=/root/OUTPUT --en ...

  10. strongSwan配置、运行及测试

    版本信息:strongSwan v5.7.2 1.      编译 tar xvf strongswan-5.7.2.tar.gz ./configure --prefix=/usr/ --sysco ...

随机推荐

  1. wpf--- TextBlock文字设置属性

    ProgressBar控件的重要属性:        FontFamily——控件中显示文本的字体        FontSize——控件中显示的字体的大小        Foreground——控件 ...

  2. Linux命令详解-printf

    printf命令格式化并输出结果到标准输出. 1.命令格式: printf (选项) (参数) 2.命令功能: echo会将输入的字符串送往标准输出.输出的字符串间以空白字符隔开,并在最后加上换行号. ...

  3. 【Demo】Tree.js实例

    Three.js是通过对WebGL接口的封装与简化而形成的一个易用的图形库. 简单点的说法:WebGL可以看成是浏览器给我们提供的接口,在javascript中可以直接用这些API进行3D图形的绘制: ...

  4. 前端 crypto-js aes 加解密

    下载:npm install crypto-js --save 需要定义两个方法 ,分别是用于加密和解密,这里我将它放在了 utils 文件夹下,命名为 secret.js ,其具体代码如下: con ...

  5. POSIX线程接口编程学习心得

    由于实验需要,需要了解下C语言多线程编程的知识,于是学习了下POSIX线程编程的知识,有点心得,记录并分享一下. POSIX(可移植操作系统接口)线程是提高代码响应和性能的有力手段.与标准 fork( ...

  6. 利用Pandoc将markdown文件转化为pdf

    利用Pandoc将markdown文件转化为pdf 准备工作 安装pandoc 安装MiKTeX 将markdown文件转换为pdf 准备工作 安装pandoc Windows下安装pandoc很容易 ...

  7. 快速切题CF 158B taxi 构造 && 82A double cola 数学观察 难度:0

    实在太冷了今天 taxi :错误原因1 忽略了 1 1 1 1 和 1 2 1 这种情况,直接认为最多两组一车了 2 语句顺序错 double cola: 忘了减去n的序号1,即n-- B. Taxi ...

  8. 安装Ubuntu之后的配置

    经常装系统或者给人装系统,这些配置还是记一下,方便恢复到以前的环境 删除libreoffice sudo apt-get remove libreoffice-common 删除Amazon的链接 s ...

  9. Nginx安装配置详解

    http://nginx.org/download/ 下载对应的Nginx 安装nginx之前需要安装依赖包 yum install gcc gcc-c++ zlib-devel pcre-devel ...

  10. C/C++函数中使用可变参数

    先说明可变参数是什么,先回顾一下C++里面的函数重载,如果重复给出如下声明: int func(); int func(int); int func(float); int func(int, int ...