StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.

Install strongSwan

The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

yum install strongswan openssl

Generate certificates

Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.

cd /etc/strongswan/ipsec.d

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.sh

chmod a+x server_key.sh

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.sh

chmod a+x client_key.sh

In these two .sh files, I have set the organization name as VULTR-VPS-CENTOS. If you want to change it, open the .sh files and replace O=VULTR-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for server. Replace SERVER_IP with the IP address of your Vultr VPS.

./server_key.sh SERVER_IP

Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user "john".

./client_key.sh john john@gmail.com

Replace "john" and his email with yours before running the script.

After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

Configure strongSwan

Open the strongSwan IPSec configuration file.

vi /etc/strongswan/ipsec.conf

Replace its content with the following text.

config setup

    uniqueids=never

    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default

    left=%defaultroute

    leftsubnet=0.0.0.0/0

    leftcert=vpnHostCert.pem

    right=%any

    rightsourceip=172.16.1.100/16

conn CiscoIPSec

    keyexchange=ikev1

    fragmentation=yes

    rightauth=pubkey

    rightauth2=xauth

    leftsendcert=always

    rekey=no

    auto=add

conn XauthPsk

    keyexchange=ikev1

    leftauth=psk

    rightauth=psk

    rightauth2=xauth

    auto=add

conn IpsecIKEv2

    keyexchange=ikev2

    leftauth=pubkey

    rightauth=pubkey

    leftsendcert=always

    auto=add

conn IpsecIKEv2-EAP

    keyexchange=ikev2

    ike=aes256-sha1-modp1024!

    rekey=no

    leftauth=pubkey

    leftsendcert=always

    rightauth=eap-mschapv2

    eap_identity=%any

    auto=add

Edit the strongSwan configuration file, strongswan.conf.

vi /etc/strongswan/strongswan.conf

Delete everything and replace it with the following.

charon {

    load_modular = yes

    duplicheck.enable = no

    compress = yes

    plugins {

            include strongswan.d/charon/*.conf

    }

    dns1 = 8.8.8.8

    dns2 = 8.8.4.4

    nbns1 = 8.8.8.8

    nbns2 = 8.8.4.4

}

include strongswan.d/*.conf

Edit the IPsec secret file to add a user and password.

vi /etc/strongswan/ipsec.secrets

Add a user account "john" into it.

: RSA vpnHostKey.pem

: PSK "PSK_KEY"

john %any : EAP "John's Password"

john %any : XAUTH "John's Password"

Please note that both sides of the colon ':' need a white-space.

Allow IPv4 forwarding

Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

vi /etc/sysctl.conf

Add the following line into the file.

net.ipv4.ip_forward=1

Save the file, then apply the change.

sysctl -p

Configure the firewall

Open the firewall for your VPN on the server.

firewall-cmd --permanent --add-service="ipsec"

firewall-cmd --permanent --add-port=4500/udp

firewall-cmd --permanent --add-masquerade

firewall-cmd --reload

Start VPN

systemctl start strongswan

systemctl enable strongswan

StrongSwan is now is running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.

strongswan的更多相关文章

  1. StrongSwan 5.1.1 发布,Linux 的 IPsec 项目

    StrongSwan是一个完整的2.4和2.6的Linux内核下的IPsec和IKEv1 的实现.它也完全支持新的IKEv2协议的Linux 2.6内核.结合IKEv1和IKEv2模式与大多数其他基于 ...

  2. 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(下篇)

    续篇—— 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(上篇) 上篇文章写了如何构建一个支持IKEv2的VPN,本篇记录的是如 ...

  3. 架设基于StrongSwan的L2tp/IPSec VPN服务器

    架设基于StrongSwan的L2tp/IPSec VPN服务器 参考: http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-w ...

  4. CentOS6.5 部署VPN管理系统(StrongSwan+iKEv2+Freeradiu+Mysql+Daloradius)

    一.环境介绍 Server IP:192.168.30.133 System: CentOS 6.5 Client:Winodows 二.编译安装StrongSwan 1.下载StrongSwan w ...

  5. [dev][ipsec][dpdk] strongswan/dpdk源码分析之ipsec算法配置过程

    1 简述 storngswan的配置里用一种固定格式的字符串设置了用于协商的预定义算法.在包协商过程中strongswan将字符串转换为固定的枚举值封在数据包里用于传输. 协商成功之后,这组被协商选中 ...

  6. [dev][crypto][strongswan] 有关strongswan的forward policy的源码分析

    一 默认情况下,我们使用strongswan建立了一个ipsec隧道之后,建立的policy如下: [root@D129 OUTPUT]# ip xfrm policy src dst dir pty ...

  7. [strongswan][autoconf][automake][cento] 在CentOS上编译strongswan git源码时遇到的autoconf问题

    编译strongswan的git源码问题 1. 概述 首先,我们想要通过源码编译strongswan.当满足以下条件时,通常你会遇见此问题: 源码时通过git clone的得来的,而不是官网下载的源码 ...

  8. [strongswan] strongswan是如何实现与xfrm之间的trap机制的

    目录 strongswan与xfrm之间的trap机制 0. 1. 前言 2. 描述 2.1 none 2.2 trap 3. 实验与过程 3.1 trap实验 3.2 none实验 4 背景知识 5 ...

  9. [ipsec][strongswan] 使用wireshark查看strongswan ipsec esp ikev1 ikev2的加密内容

    一,编译,启用strongswan的save-keys plugin ./configure --prefix=/root/OUTPUT --exec-prefix=/root/OUTPUT --en ...

  10. strongSwan配置、运行及测试

    版本信息:strongSwan v5.7.2 1.      编译 tar xvf strongswan-5.7.2.tar.gz ./configure --prefix=/usr/ --sysco ...

随机推荐

  1. Android之利用JSBridge库实现Html,JavaScript与Android的所有交互

    java 和 js互通框架 WebViewJavascriptBridge是移动UIView和Html交互通信的桥梁,用作者的话来说就是实现java和js的互相调用的桥梁. 替代了WebView的自带 ...

  2. windowplayer播放列表属性

    ArrayList a = new ArrayList(); a.Add("c:\\kugou\\林宇中 - 干物女.mp3"); a.Add("c:\\kugou\\海 ...

  3. css实现心形图案

    用1个标签实现心形图案,show you the code; <!DOCTYPE html> <html lang="en"> <head> & ...

  4. Java虚拟机体系结构分析

    下图是JAVA虚拟机的结构图: 每个Java虚拟机都有一个类装载子系统,它根据给定的全限定名来装入类型(类或接口).同样,每个Java虚拟机都有一个执行引擎,它负责执行那些包含在被装载类的方法中的指令 ...

  5. hdu 3682 10 杭州 现场 C To Be an Dream Architect 容斥 难度:0

    C - To Be an Dream Architect Time Limit:1000MS     Memory Limit:32768KB     64bit IO Format:%I64d &a ...

  6. PHPCMS v9 二次开发_验证码结合Session开发

    本文主要讲解了在V9中使用v9自带验证码并且需要使用session的情况下,多种问题的解决.:).如有问题或者更好的解决办法,希望不吝赐教. 1.前端调用验证码 pc_base::load_sys_c ...

  7. JDk和Mevan安装和配置

    一.Mevan安装和配置 1.下载Maven 官方下载地址:http://maven.apache.org/download.html 选择你所希望下载的版本,并保存到常用安装目录.这里以Maven ...

  8. Python中的变量和常量

    本文主要介绍Python中的变量和常量,包括变量的命名规范,使用注意事项 -------------- 完美的分割线 --------------- 1.变量 1.1.变量理解 1)什么是变量 变量即 ...

  9. java第十次面试题

    一.给定一个字符串,把字符串内的字母转换成该字母的下一个字母,a换成b,z换成a,Z换成A,如aBf转换成bCg,字符串内的其他字符不改变,给定函数,编写函数. public static void ...

  10. 使用_beginThreadex创建多线程(C语言版多线程)

    _beginThreadex创建多线程解读 一.需要的头文件支持 #include <process.h>         // for _beginthread() 需要的设置:Proj ...