StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.

Install strongSwan

The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

yum install strongswan openssl

Generate certificates

Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.

cd /etc/strongswan/ipsec.d

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.sh

chmod a+x server_key.sh

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.sh

chmod a+x client_key.sh

In these two .sh files, I have set the organization name as VULTR-VPS-CENTOS. If you want to change it, open the .sh files and replace O=VULTR-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for server. Replace SERVER_IP with the IP address of your Vultr VPS.

./server_key.sh SERVER_IP

Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user "john".

./client_key.sh john john@gmail.com

Replace "john" and his email with yours before running the script.

After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

Configure strongSwan

Open the strongSwan IPSec configuration file.

vi /etc/strongswan/ipsec.conf

Replace its content with the following text.

config setup

    uniqueids=never

    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default

    left=%defaultroute

    leftsubnet=0.0.0.0/0

    leftcert=vpnHostCert.pem

    right=%any

    rightsourceip=172.16.1.100/16

conn CiscoIPSec

    keyexchange=ikev1

    fragmentation=yes

    rightauth=pubkey

    rightauth2=xauth

    leftsendcert=always

    rekey=no

    auto=add

conn XauthPsk

    keyexchange=ikev1

    leftauth=psk

    rightauth=psk

    rightauth2=xauth

    auto=add

conn IpsecIKEv2

    keyexchange=ikev2

    leftauth=pubkey

    rightauth=pubkey

    leftsendcert=always

    auto=add

conn IpsecIKEv2-EAP

    keyexchange=ikev2

    ike=aes256-sha1-modp1024!

    rekey=no

    leftauth=pubkey

    leftsendcert=always

    rightauth=eap-mschapv2

    eap_identity=%any

    auto=add

Edit the strongSwan configuration file, strongswan.conf.

vi /etc/strongswan/strongswan.conf

Delete everything and replace it with the following.

charon {

    load_modular = yes

    duplicheck.enable = no

    compress = yes

    plugins {

            include strongswan.d/charon/*.conf

    }

    dns1 = 8.8.8.8

    dns2 = 8.8.4.4

    nbns1 = 8.8.8.8

    nbns2 = 8.8.4.4

}

include strongswan.d/*.conf

Edit the IPsec secret file to add a user and password.

vi /etc/strongswan/ipsec.secrets

Add a user account "john" into it.

: RSA vpnHostKey.pem

: PSK "PSK_KEY"

john %any : EAP "John's Password"

john %any : XAUTH "John's Password"

Please note that both sides of the colon ':' need a white-space.

Allow IPv4 forwarding

Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

vi /etc/sysctl.conf

Add the following line into the file.

net.ipv4.ip_forward=1

Save the file, then apply the change.

sysctl -p

Configure the firewall

Open the firewall for your VPN on the server.

firewall-cmd --permanent --add-service="ipsec"

firewall-cmd --permanent --add-port=4500/udp

firewall-cmd --permanent --add-masquerade

firewall-cmd --reload

Start VPN

systemctl start strongswan

systemctl enable strongswan

StrongSwan is now is running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.

strongswan的更多相关文章

  1. StrongSwan 5.1.1 发布,Linux 的 IPsec 项目

    StrongSwan是一个完整的2.4和2.6的Linux内核下的IPsec和IKEv1 的实现.它也完全支持新的IKEv2协议的Linux 2.6内核.结合IKEv1和IKEv2模式与大多数其他基于 ...

  2. 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(下篇)

    续篇—— 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(上篇) 上篇文章写了如何构建一个支持IKEv2的VPN,本篇记录的是如 ...

  3. 架设基于StrongSwan的L2tp/IPSec VPN服务器

    架设基于StrongSwan的L2tp/IPSec VPN服务器 参考: http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-w ...

  4. CentOS6.5 部署VPN管理系统(StrongSwan+iKEv2+Freeradiu+Mysql+Daloradius)

    一.环境介绍 Server IP:192.168.30.133 System: CentOS 6.5 Client:Winodows 二.编译安装StrongSwan 1.下载StrongSwan w ...

  5. [dev][ipsec][dpdk] strongswan/dpdk源码分析之ipsec算法配置过程

    1 简述 storngswan的配置里用一种固定格式的字符串设置了用于协商的预定义算法.在包协商过程中strongswan将字符串转换为固定的枚举值封在数据包里用于传输. 协商成功之后,这组被协商选中 ...

  6. [dev][crypto][strongswan] 有关strongswan的forward policy的源码分析

    一 默认情况下,我们使用strongswan建立了一个ipsec隧道之后,建立的policy如下: [root@D129 OUTPUT]# ip xfrm policy src dst dir pty ...

  7. [strongswan][autoconf][automake][cento] 在CentOS上编译strongswan git源码时遇到的autoconf问题

    编译strongswan的git源码问题 1. 概述 首先,我们想要通过源码编译strongswan.当满足以下条件时,通常你会遇见此问题: 源码时通过git clone的得来的,而不是官网下载的源码 ...

  8. [strongswan] strongswan是如何实现与xfrm之间的trap机制的

    目录 strongswan与xfrm之间的trap机制 0. 1. 前言 2. 描述 2.1 none 2.2 trap 3. 实验与过程 3.1 trap实验 3.2 none实验 4 背景知识 5 ...

  9. [ipsec][strongswan] 使用wireshark查看strongswan ipsec esp ikev1 ikev2的加密内容

    一,编译,启用strongswan的save-keys plugin ./configure --prefix=/root/OUTPUT --exec-prefix=/root/OUTPUT --en ...

  10. strongSwan配置、运行及测试

    版本信息:strongSwan v5.7.2 1.      编译 tar xvf strongswan-5.7.2.tar.gz ./configure --prefix=/usr/ --sysco ...

随机推荐

  1. 利用JavaScript将页面截图生成图片传给后台的插件:html2canvas

    利用JavaScript将页面截图生成图片传给后台的插件:html2canvas 一.总结 一句话总结: 10 <script type="text/javascript"& ...

  2. IOS-网络(小文件下载)

    // // ViewController.m // IOS_0131_小文件下载 // // Created by ma c on 16/1/31. // Copyright © 2016年 博文科技 ...

  3. 多个数值转QString

    int, float, double等数值类型转换为QString的方法 1. 用QTextStream QTextStream类可以用数据流的方式直接将任意多个数值.字符.字符串等传入QString ...

  4. bzoj1025

    题意: 找环 有多少种不同的排列 使排列数目为n 题解: 考虑dp f[i][j]表示前i个质数,和为j的方案数 然后转移一下即可 代码: #include<bits/stdc++.h> ...

  5. bzoj3862

    题解: 这一道题目和模板有不同的地方就是在于可以修改只有一条边和i相邻 于是我们还要记录与这个点相邻的点有没有改变 代码: #pragma GCC optimize(2) #include<bi ...

  6. Thinking in Java之衍生类和基础类的初始化顺序

    <Thinking in Java>书里的例子,我又稍微修改了下代码: class Real{ public Real(String index) { // TODO Auto-gener ...

  7. 在jenkins和sonar中集成jacoco(二)--在jenkins中生成jacoco覆盖率报告

    先要在jenkins上安装jacoco的插件,安装完成之后在job的配置项中可以增加这个选项: 第一个录入框是你的覆盖率文件(exec),第二个是class文件目录,第三个是源代码文件目录. 配置好了 ...

  8. Java中常用的日期操作方法

    日常项目当中经常会用到操作日期,抽出时间总结了一下,欢迎和大家多多沟通学习,如有任何改进意见和建议,我的QQ是1243672,欢迎联系哦. /** * 日期操作类 * 开发公司:北京东达悦科技有限公司 ...

  9. .properties文件常量定义

    application.properties文件,位于resources目录下.一般定义一些不会改变的数据如数据库相关配置,文件路径,项目地址. 如何在项目代码中获取该文件中的配置信息: 1,在app ...

  10. Spring的JDBC Template

    Spring的JDBC Template(JDBC模板)简化JDBC API开发,使用上和Apache公司的DBUtils框架非常类似) 快速入门实例 1.创建项目后,导入Spring基础核心开发包. ...