首先:安装Strongswan, cat strongswaninstall.zsh:
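#!/usr/bin/env bash
# strongswaninstall.zsh — download the strongSwan source tarball, build it with
# the plugins the VPN configuration relies on, and install it. --sysconfdir=/etc
# puts ipsec.conf, ipsec.secrets and strongswan.conf under /etc.
# Run as root on a Debian-style system with deb-src entries enabled, which
# `apt-get build-dep` needs.
set -euo pipefail

cd ~
# Fetch over TLS rather than plain http. strongSwan publishes a detached
# signature next to the tarball; checking it before the build is the step still
# missing here — TODO(review): add it once the signing key to trust is agreed.
wget https://download.strongswan.org/strongswan.tar.gz
tar xvf strongswan.tar.gz
# The trailing slash only matches a directory; an unmatched glob aborts under set -e.
cd strongswan-*/

apt-get build-dep strongswan -y
apt-get install libgmp3-dev openssl libssl-dev -y

# --enable-md4 is needed by eap-mschapv2 (NT hash). eap-md5 stays enabled as on
# the original page even though the generated configuration does not use it.
./configure --sysconfdir=/etc \
  --disable-sql --disable-mysql --disable-ldap \
  --enable-dhcp --enable-eap-identity --enable-eap-mschapv2 --enable-md4 \
  --enable-xauth-eap --enable-eap-peap --enable-eap-md5 --enable-openssl \
  --enable-shared --enable-unity --enable-eap-tls --enable-eap-ttls \
  --enable-eap-tnc --enable-eap-dynamic --enable-addrblock --enable-eap-radius \
  --enable-radattr --enable-kernel-netlink --enable-kernel-libipsec \
  --enable-ipseckey --enable-pkcs11 --enable-whitelist --enable-socket-dynamic \
  --enable-duplicheck --enable-error-notify --enable-ha --enable-libipsec
make && make install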
然后配置Strongswan, cat strongswanconfig.zsh:
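#!/usr/bin/env bash
# strongswanconfig.zsh — write /etc/ipsec.conf, /etc/ipsec.secrets and
# /etc/strongswan.conf for a road-warrior VPN (IKEv2 with EAP-MSCHAPv2 or client
# certificates, IKEv1 with PSK/XAuth or certificates), then enable NAT and IPv4
# forwarding for the client pool.
# Run as root after strongSwan is installed and the certificates are in place.
#
# Environment:
#   VPN_PSK        (required) shared secret for the IKEv1 PSK entry
#   VPN_USER_PASS  password for the XAUTH/EAP users; defaults to VPN_PSK, which
#                  is what the original did — prefer a distinct value
#   VPN_SERVER_ID  address or hostname clients use as remote ID (default 11.22.33.44)
#   CLIENT_NAME    client identity whose certificate IKEv1-Certs pins (default iPhone5s)
# The secrets used to be literals in this script; taking them from the
# environment keeps them out of the file and of every copy of it. A value
# containing a double quote is not escaped for ipsec.secrets.
set -euo pipefail

: "${VPN_PSK:?VPN_PSK must be set (shared secret written to /etc/ipsec.secrets)}"
user_pass=${VPN_USER_PASS:-$VPN_PSK}
server_id=${VPN_SERVER_ID:-11.22.33.44}
client=${CLIENT_NAME:-iPhone5s}

# ipsec.conf layout: section headers at column 0, settings indented under them.
cat << _EOF_ >/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids = no
    # charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
    keyexchange = ike
    # Proposal lists are kept as on the original page for client compatibility.
    # The sha1 and modp1024 entries are legacy choices; drop them once no
    # client depends on them.
    ike = aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp = aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction = clear
    # keyingtries = 1
    ikelifetime = 24h
    closeaction = clear
    dpdtimeout = 5s
    dpddelay = 300s
    forceencaps = yes
    fragmentation = force
    lifetime = 24h
    # modeconfig = push
    # With rekey disabled both SAs run for the full 24h lifetime above.
    rekey = no
    left = %any
    leftsubnet = 0.0.0.0/0
    leftcert = vpnServerCert.pem
    leftsendcert = always
    rightallowany = yes
    right = %any
    # rightdns = 8.8.4.4,8.8.8.8
    # Client pool; the NAT rule below masquerades exactly this range.
    rightsourceip = 172.16.16.0/24
conn IPSec-IKEv2
    # Must match the server certificate's CN/SAN and the remote ID on the client.
    leftid = ${server_id}
    rightid = *@${server_id}
    # keyexchange = ikev2
    # leftauth = pubkey
    # rightauth = pubkey
    mobike = yes
    # leftauth = psk
    # leftauth2 = pubkey
    # rightauth = psk
    auto = add
conn IPSec-IKEv2-EAP
    also = "IPSec-IKEv2"
    rightauth = eap-mschapv2
    rightsendcert=never
    eap_identity = %any
conn IKEv1-Certs
    # keyexchange = ikev1
    leftauth = pubkey
    rightauth = pubkey
    rightauth2 = xauth
    rightcert = ${client}Cert.pem
    auto = add
conn IKEv1-PSK
    # keyexchange = ikev1
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth
    auto = add
_EOF_

# Create the secrets file with mode 0600 before any secret is written into it.
install -m 600 /dev/null /etc/ipsec.secrets
cat << _EOF_ > /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
# NOTE(review): the include below comes from the Debian package layout; check
# that the file exists on a from-source install.
include /var/lib/strongswan/ipsec.secrets.inc
: RSA vpnServerKey.pem
#: RSA serverKey.pem
: PSK "${VPN_PSK}"
j : XAUTH "${user_pass}"
jj : EAP "${user_pass}"
_EOF_

# Quoted delimiter: strongswan.conf is written literally. The two charon
# sections of the original are merged into one.
cat << '_EOF_' >/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    duplicheck.enable = no
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
}
include strongswan.d/*.conf
_EOF_

# Masquerade only traffic coming from the client pool; the original rule
# matched every packet leaving the host. On OpenVZ add `-o venet0` if this
# rule is rejected (under set -e a failure stops the script here). The rule
# is not persisted across reboots.
iptables -t nat -A POSTROUTING -s 172.16.16.0/24 -j MASQUERADE

# Enable forwarding without appending a duplicate line on every run.
grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p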
然后搞定证书, cat ikev2ca.zsh:
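#!/usr/bin/env bash
# ikev2ca.zsh — build a private PKI for the VPN with `ipsec pki`: a root CA, the
# server certificate and one client certificate, plus a PKCS#12 bundle and a DER
# copy of the root certificate for the iPhone. Server-side files are then
# installed under /etc/ipsec.d.
# Run as root after strongSwan is installed.
#
# Environment:
#   VPN_SERVER_ID  address or hostname clients use as remote ID; goes into the
#                  server certificate's CN and SAN (default 11.22.33.44)
#   CLIENT_NAME    client identity; file names and the client ID
#                  <CLIENT_NAME>@<VPN_SERVER_ID> derive from it (default iPhone5s)
# `openssl pkcs12 -export` prompts for the bundle's export password.
set -euo pipefail

server_id=${VPN_SERVER_ID:-11.22.33.44}
client=${CLIENT_NAME:-iPhone5s}
ca_dir=$HOME/sswan/ca

# Keys are private from the moment they are created instead of being chmod'ed
# afterwards; certificates get explicit modes when installed below.
umask 077
mkdir -p "$ca_dir"
cd "$ca_dir" || exit 1

### Root CA. rootKey.pem is only needed to issue certificates; keep it off the
### VPN server once the certificates below exist.
ipsec pki --gen --type rsa --size 4096 --outform pem > rootKey.pem
ipsec pki --self --ca --lifetime 3650 \
  --in rootKey.pem --type rsa \
  --dn "C=CH, O=justin, CN=justin Root CA" \
  --outform pem > rootCert.pem

### VPN server certificate: CN and SAN must equal the remote ID clients configure.
ipsec pki --gen --type rsa --size 2048 --outform pem > vpnServerKey.pem
ipsec pki --pub --in vpnServerKey.pem --type rsa \
  | ipsec pki --issue --lifetime 3650 \
      --cacert rootCert.pem \
      --cakey rootKey.pem \
      --dn "C=CH, O=justin, CN=${server_id}" \
      --san "${server_id}" \
      --flag serverAuth --flag ikeIntermediate \
      --outform pem > vpnServerCert.pem

### IKEv2 client certificate
ipsec pki --gen --type rsa --size 2048 --outform pem > "${client}Key.pem"
ipsec pki --pub --in "${client}Key.pem" --type rsa \
  | ipsec pki --issue --lifetime 3650 \
      --cacert rootCert.pem \
      --cakey rootKey.pem \
      --dn "C=CH, O=justin, CN=${client}@${server_id}" \
      --san "${client}@${server_id}" \
      --outform pem > "${client}Cert.pem"

### PKCS#12 bundle for the iPhone (client key + client cert + root cert)
openssl pkcs12 -export -inkey "${client}Key.pem" \
  -in "${client}Cert.pem" -name "${client}'s VPN Certificate" \
  -certfile rootCert.pem \
  -caname "justin Root CA" \
  -out "${client}.p12"

### Root certificate in DER form for installing on the iPhone
openssl x509 -outform der -in rootCert.pem -out rootCertforiPhone.crt

## Install what the server needs. The client's private key stays out of
## /etc/ipsec.d/private: the server only references the client certificate
## (rightcert in ipsec.conf), never its key.
install -m 600 vpnServerKey.pem /etc/ipsec.d/private/
install -m 644 "${client}Cert.pem" vpnServerCert.pem /etc/ipsec.d/certs/
install -m 644 rootCert.pem /etc/ipsec.d/cacerts/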
最后运行:
ipsec start --nofork
然后用客户端连接并调试,没啥问题的话把 ipsec start(不带 --nofork)加入 /etc/rc.local,让它开机自动启动。
注意把 11.22.33.44 换成你自己的IP或者域名,iPhone在用Apple Configurator配置IKEv2的时候主要是远程ID和本地ID一定要写对,远程ID写 11.22.33.44 本地ID写 whatever@11.22.33.44 ,这里whatever表示随便写,只要不要自找麻烦写太奇怪的字符。