strongswan
StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.
Install strongSwan
The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.
yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install strongswan openssl
Generate certificates
Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d
.
cd /etc/strongswan/ipsec.d
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.sh
chmod a+x server_key.sh
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.sh
chmod a+x client_key.sh
In these two .sh
files, I have set the organization name as VULTR-VPS-CENTOS
. If you want to change it, open the .sh
files and replace O=VULTR-VPS-CENTOS
with O=YOUR_ORGANIZATION_NAME
.
Next, use server_key.sh
with the IP address of your server to generate the certificate authority (CA) key and certificate for server. Replace SERVER_IP
with the IP address of your Vultr VPS.
./server_key.sh SERVER_IP
Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user "john".
./client_key.sh john john@gmail.com
Replace "john" and his email with yours before running the script.
After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12
and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem
to your local computer.
Configure strongSwan
Open the strongSwan IPSec configuration file.
vi /etc/strongswan/ipsec.conf
Replace its content with the following text.
config setup
uniqueids=never
charondebug="cfg 2, dmn 2, ike 2, net 0"
conn %default
left=%defaultroute
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
right=%any
rightsourceip=172.16.1.100/16
conn CiscoIPSec
keyexchange=ikev1
fragmentation=yes
rightauth=pubkey
rightauth2=xauth
leftsendcert=always
rekey=no
auto=add
conn XauthPsk
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth
auto=add
conn IpsecIKEv2
keyexchange=ikev2
leftauth=pubkey
rightauth=pubkey
leftsendcert=always
auto=add
conn IpsecIKEv2-EAP
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
leftauth=pubkey
leftsendcert=always
rightauth=eap-mschapv2
eap_identity=%any
auto=add
Edit the strongSwan configuration file, strongswan.conf
.
vi /etc/strongswan/strongswan.conf
Delete everything and replace it with the following.
charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
Edit the IPsec secret file to add a user and password.
vi /etc/strongswan/ipsec.secrets
Add a user account "john" into it.
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"
Please note that both sides of the colon ':' need a white-space.
Allow IPv4 forwarding
Edit /etc/sysctl.conf
to allow forwarding in the Linux kernel.
vi /etc/sysctl.conf
Add the following line into the file.
net.ipv4.ip_forward=1
Save the file, then apply the change.
sysctl -p
Configure the firewall
Open the firewall for your VPN on the server.
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
Start VPN
systemctl start strongswan
systemctl enable strongswan
StrongSwan is now is running on your server. Install the strongswanCert.pem
and .p12
certificate files into your client. You will now be able to join your private network.
strongswan的更多相关文章
- StrongSwan 5.1.1 发布,Linux 的 IPsec 项目
StrongSwan是一个完整的2.4和2.6的Linux内核下的IPsec和IKEv1 的实现.它也完全支持新的IKEv2协议的Linux 2.6内核.结合IKEv1和IKEv2模式与大多数其他基于 ...
- 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(下篇)
续篇—— 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(上篇) 上篇文章写了如何构建一个支持IKEv2的VPN,本篇记录的是如 ...
- 架设基于StrongSwan的L2tp/IPSec VPN服务器
架设基于StrongSwan的L2tp/IPSec VPN服务器 参考: http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-w ...
- CentOS6.5 部署VPN管理系统(StrongSwan+iKEv2+Freeradiu+Mysql+Daloradius)
一.环境介绍 Server IP:192.168.30.133 System: CentOS 6.5 Client:Winodows 二.编译安装StrongSwan 1.下载StrongSwan w ...
- [dev][ipsec][dpdk] strongswan/dpdk源码分析之ipsec算法配置过程
1 简述 storngswan的配置里用一种固定格式的字符串设置了用于协商的预定义算法.在包协商过程中strongswan将字符串转换为固定的枚举值封在数据包里用于传输. 协商成功之后,这组被协商选中 ...
- [dev][crypto][strongswan] 有关strongswan的forward policy的源码分析
一 默认情况下,我们使用strongswan建立了一个ipsec隧道之后,建立的policy如下: [root@D129 OUTPUT]# ip xfrm policy src dst dir pty ...
- [strongswan][autoconf][automake][cento] 在CentOS上编译strongswan git源码时遇到的autoconf问题
编译strongswan的git源码问题 1. 概述 首先,我们想要通过源码编译strongswan.当满足以下条件时,通常你会遇见此问题: 源码时通过git clone的得来的,而不是官网下载的源码 ...
- [strongswan] strongswan是如何实现与xfrm之间的trap机制的
目录 strongswan与xfrm之间的trap机制 0. 1. 前言 2. 描述 2.1 none 2.2 trap 3. 实验与过程 3.1 trap实验 3.2 none实验 4 背景知识 5 ...
- [ipsec][strongswan] 使用wireshark查看strongswan ipsec esp ikev1 ikev2的加密内容
一,编译,启用strongswan的save-keys plugin ./configure --prefix=/root/OUTPUT --exec-prefix=/root/OUTPUT --en ...
- strongSwan配置、运行及测试
版本信息:strongSwan v5.7.2 1. 编译 tar xvf strongswan-5.7.2.tar.gz ./configure --prefix=/usr/ --sysco ...
随机推荐
- Ant是什么
Ant是什么? 一.总结 一句话总结: 编译 打包 测试 工具 xml Ant是Java的生成工具,是Apache的核心项目: Ant类似于Unix中的Make工具,都是用来编译.生成: Ant是跨平 ...
- 路由跟踪tracert
Tracert命令 如果我们要测试某一个IP都经过哪些路由,用trcert命令即可,这是dos下的一个基本网络命令,具体使用方法: 1,在windows系统下,打开 运行 :输入 cmd :在弹出的d ...
- django网站
https://www.djangoproject.com/download/ 指定版本安装django命令:pip install Django==1.11.8
- 如何高效利用 GitHub
正是 Github,让社会化编程成为现实.本文尝试谈谈 GitHub 的文化.技巧与影响. Q1:GitHub 是什么 Q2:GitHub 风格 Q3: 在 GitHub,如何跟牛人学习 Q4: 享受 ...
- LINUX QQ
查询龙井QQ http://www.longene.org/forum/viewtopic.php?f=6&t=4700
- 几句话概括理查德成熟度模型(RESTful)
近期做的项目中准备引入RESTful风格,特地进行了一些学习,其中比较重点的有一个理查德成熟度模型(Richardson Maturity Model),模型提出了四个等级(0-3),如下图 其中只有 ...
- 字典序全排列(java实现)
import java.util.Arrays; /** *字典序全排列 *字符串的全排列 *比如单词"too" 它的全排列是"oot","oto&q ...
- iOS开发Objective-C基础之──多态
Objective-C语言是面向对象的高级编程语言,因此,它具有面向对象编程所具有的一些特性,即:封装性.继承性和多态性. 今天介绍一下Objective-C中的多态性. 一.什么是多态 多态:不同对 ...
- java基础第10天
Java异常 Exception 异常指的的在运行期出现的错误,在编译阶段出现的语法错误等,不能称之为异常. 编译类异常 必须处理之后才能正常编译(类找不到,IO异常,在API文档中明确写明throw ...
- block 回调个人理解
在网上见过这么个面试题 使用block和GCD时要注意些什么?他们是一回事吗?block在ARC和MRC的用法有什么不同?使用时要注意些什么? 首先block 和 GCD 在我看来他们是完全不同的概念 ...