OpenWrt router: setting up an IKEv2 server with strongSwan

44 days ago
wuruxu

Background: to make it easy to reach my home network while I'm away.
Software environment: OpenWrt SNAPSHOT, r27700 / Linux OpenWrt 6.6.54 / Strongswan 5.9.14
Configuration: /etc/config/ipsec

config 'ipsec'
	list listen 'wan'
	option 'zone' 'ssvpn'

config 'remote' 'acme'
	option 'enabled' '1'
	option 'gateway' 'any'
	option 'authentication_method' 'pubkey'
	option 'local_gateway' 'xyz.mydomain.cn'
	option 'local_cert' 'xyz.mydomain.cn.cer'
	option 'local_key' 'xyz.mydomain.cn.key'
	option 'rekeytime' '6h'
	option 'keyingretries' '3'
	option 'mobike' '1'
	option 'fragmentation' 'yes'
	option 'keyexchange' 'ikev2'
	option 'local_identifier' 'xyz.mydomain.cn'
	#option 'dpdaction' 'clear'
	list 'local_sourceip' '0.0.0.0'
	list 'local_sourceip' '::'
	list 'crypto_proposal' 'ike_proposal1'
	list 'crypto_proposal' 'ike_proposal2'
	list 'tunnel' 'sstun'
	list 'pools' 'ipv4addr'

config 'crypto_proposal' 'ike_proposal1'
	option 'encryption_algorithm' 'chacha20poly1305'
	option 'dh_group' 'curve25519'
	option 'prf_algorithm' 'prfsha512'

config 'crypto_proposal' 'ike_proposal2'
	option 'encryption_algorithm' 'aes256gcm16'
	option 'dh_group' 'curve25519'
	option 'prf_algorithm' 'prfsha512'

# we don't specify subnets because we're going to use XFRM-interface-based routes instead
config 'tunnel' 'sstun'
	list 'local_subnet' '0.0.0.0/0'
	#list 'remote_subnet' '0.0.0.0/0'
	list 'remote_subnet' 'dynamic'
	list 'remote_subnet' '224.0.0.0/4'
	option 'if_id' '666'
	option 'rekeytime' '1h'
	option 'dpdaction' 'clear'
	option 'startaction' 'none'
	option 'closeaction' 'none'
	list   'crypto_proposal' 'esp_proposal1'
	list   'crypto_proposal' 'esp_proposal2'

config 'crypto_proposal' 'esp_proposal1'
	option 'encryption_algorithm' 'chacha20poly1305'
	option 'dh_group' 'x25519'

config 'crypto_proposal' 'esp_proposal2'
	option 'encryption_algorithm' 'aes256gcm'
	option 'dh_group' 'modp2048'

config 'pools' 'ipv4addr'
	option 'addrs' '192.168.166.0/24'
	list 'dns' '192.168.163.1'

VPN user configuration: /etc/swanctl/conf.d/10.EAP_MSCHAPv2.users.conf

secrets {
    eap-user1 {
        id = user1
        secret = "user11980#"
    }
}
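A check worth running after hand-editing a file like the one above, added here as an example and not part of the post: a small Python linter for the UCI format that flags dangling section references (a crypto_proposal, tunnel or pools name that no section defines), pubkey authentication without local_cert/local_key, and proposals using a non-AEAD cipher or a weak DH group. The accepted keyword sets and the abridged sample config are assumptions of this example, not an official strongSwan list.

```python
"""Lint an OpenWrt /etc/config/ipsec (UCI) file: dangling section references, pubkey auth
without cert/key, non-AEAD ciphers or weak DH groups (keyword sets are this example's assumption)."""
import shlex
from collections import defaultdict
# Constructed sample, abridged from the post's config (section names are the post's own).
SAMPLE = """config 'remote' 'acme'
    option 'authentication_method' 'pubkey'
    option 'local_cert' 'xyz.mydomain.cn.cer'
    option 'local_key' 'xyz.mydomain.cn.key'
    list 'crypto_proposal' 'ike_proposal1'
config 'crypto_proposal' 'ike_proposal1'
    option 'encryption_algorithm' 'chacha20poly1305'
    option 'dh_group' 'curve25519'
"""
AEAD = {"aes128gcm16", "aes256gcm16", "aes128gcm", "aes256gcm", "chacha20poly1305"}
STRONG_DH = {"curve25519", "x25519", "ecp256", "ecp384", "ecp521", "modp2048", "modp3072", "modp4096"}
REFS = ("crypto_proposal", "tunnel", "pools")  # list keys whose values name other sections

def parse_uci(text):  # -> {(type, name): {key: [values]}}; unnamed sections get '@type[n]'
    sections, cur = {}, None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # handles quoting and '#' comments
        if not words:
            continue
        if words[0] == "config":
            name = words[2] if len(words) > 2 else f"@{words[1]}[{len(sections)}]"
            cur = sections.setdefault((words[1], name), defaultdict(list))
        elif words[0] in ("option", "list") and cur is not None:
            cur[words[1]].append(words[2] if len(words) > 2 else "")
    return sections

def lint(text):  # -> list of human-readable problems; empty list means clean
    cfg = parse_uci(text)
    defined = {t: {n for (ty, n) in cfg if ty == t} for t in REFS}
    problems = []
    for (ty, name), o in cfg.items():
        if ty in ("remote", "tunnel"):  # every referenced section must exist
            problems += [f"{ty} {name}: {k} '{r}' is not defined"
                         for k in REFS for r in o.get(k, []) if r not in defined[k]]
        if ty == "remote" and "pubkey" in o.get("authentication_method", []):
            problems += [f"remote {name}: pubkey auth but no {k}"
                         for k in ("local_cert", "local_key") if not o.get(k)]
        if ty == "crypto_proposal":
            enc, dh = o.get("encryption_algorithm", [""])[0], o.get("dh_group", [""])[0]
            if enc not in AEAD:
                problems.append(f"proposal {name}: non-AEAD cipher '{enc}'")
            if dh and dh not in STRONG_DH:
                problems.append(f"proposal {name}: weak or unknown DH group '{dh}'")
    return problems
```

Run it as `lint(open("/etc/config/ipsec").read())` on the router; an empty list means every reference resolves and every proposal passed the checks.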

449 views · Node: OpenWrt · 0 replies

https://www.v2ex.com/t/1078331