@
这是 Quaintjade 从服务器里拿下来的配置，其中的“youdomain”需要改成你自己对应的域名。
CA 证书,域名证书和 key 放在 /etc/ipsec.d/ 对应的目录下面
配置里面只配置了域名证书。
要说明的是 leftid=@*.youdomain.com 要改成你证书里签的域名；
rightid=*@youdomain.com 填什么都无所谓，主要是在 iOS 生成描述文件时会用到。
config setup
    # Global daemon settings (strongSwan ipsec.conf "config setup" section).
    # Parameter lines must be indented; a line at column 0 starts a new section.
    #
    # uniqueids=never: an existing IKE SA for the same identity is neither
    # replaced nor rejected when that identity connects again. Needed because
    # several devices (e.g. multiple iOS clients) may share one EAP username;
    # the trade-off is that one leaked credential can open any number of
    # parallel tunnels, so watch for unexpected concurrent sessions per user.
    uniqueids=never
    # Uncomment to raise charon log verbosity while troubleshooting. Leave it
    # off in normal operation: it logs configuration and negotiation detail.
    #charondebug="cfg 2, dmn 2, ike 2, net 2"
    # With uniqueids=yes only one connection per identity is allowed, which
    # makes a second iOS device using the same account fail to connect.
conn %default
    # Defaults inherited by every "conn" section below unless overridden there.
    keyexchange=ikev2
    # Allow IKE message fragmentation so large messages (server certificate)
    # survive paths that drop big UDP datagrams.
    fragmentation=yes
    # Dead-peer detection: probe every 5 s and drop the SA state of a peer that
    # stops answering, so stale client sessions are cleaned up.
    dpdaction=clear
    dpddelay=5s
    # rekey=no: the server never initiates IKE/CHILD SA rekeying and relies on
    # the client to do so. If a client also never rekeys, the same keys stay in
    # use for the whole SA lifetime — consider rekey=yes if clients support it.
    rekey=no
    # "left" is this server, "right" is the remote client.
    left=%any
    # Full-tunnel: all client traffic is routed through the VPN.
    leftsubnet=0.0.0.0/0
    # Server certificate (in /etc/ipsec.d/certs) presented to clients.
    leftcert=youdomain-cert.pem
    # Always send the server certificate; omitting it can make clients fail
    # certificate validation.
    leftsendcert=always
    right=%any
    # DNS servers pushed to clients (here Google public DNS).
    rightdns=8.8.8.8,8.8.4.4
    # Virtual IP pool assigned to clients (an in-daemon pool, not DHCP).
    # Routing/NAT for this range is configured outside this file — verify it.
    rightsourceip=10.11.0.0/24
conn IPSec-IKEv2
    # IKEv2 with server certificate + EAP-MSCHAPv2 user credentials.
    # leftauth is not set, so the strongSwan default (pubkey) applies.
    # No "ike=" here, so the daemon's default IKE proposals are offered;
    # pin an explicit proposal if you need to control which ciphers are allowed.
    keyexchange=ikev2
    # Server identity; the "@" prefix takes it literally (no DNS lookup).
    # Must match a name in the server certificate (for iOS, a SAN entry),
    # otherwise clients reject the server.
    leftid=@*.youdomain.com
    # Client identity pattern: any identity ending in @youdomain.com is
    # accepted at the IKE layer; the actual user check happens in EAP.
    rightid=*@youdomain.com
    # Client authenticates with EAP-MSCHAPv2 (username/password).
    rightauth=eap-mschapv2
    # No client certificate is requested.
    rightsendcert=never
    # %any: the username used for EAP is taken from the EAP-Identity exchange,
    # not from the IKE identity. This does NOT mean anyone can log in — the
    # credentials are still checked against ipsec.secrets.
    eap_identity=%any
    # Load the connection and wait for clients to initiate.
    auto=add
conn IPSec-IKEv2-EAP
    # Variant of IPSec-IKEv2 with a pinned IKE proposal and explicit leftauth.
    # Both sections use left=%any/right=%any, so which one a client lands on
    # depends on proposal and identity matching rather than on order — verify
    # with "ipsec statusall" that clients hit the intended conn.
    keyexchange=ikev2
    # Strict proposal ("!"): only this suite is accepted. modp1024 (DH group 2)
    # and SHA-1 are below current recommendations; modern iOS/macOS/Windows
    # clients support e.g. aes256-sha256-modp2048, which is the usual upgrade.
    # Keep this line only if a specific legacy client requires it.
    ike=aes256-sha1-modp1024!
    # Server does not initiate rekeying (see the note in conn %default).
    rekey=no
    # Server authenticates with its certificate.
    leftauth=pubkey
    # Client authenticates with EAP-MSCHAPv2; no client certificate requested.
    rightauth=eap-mschapv2
    rightsendcert=never
    # EAP username comes from the EAP-Identity exchange; checked in ipsec.secrets.
    eap_identity=%any
    auto=add
conn CiscoIPSec
    # Legacy IKEv1 profile for "Cisco IPsec" style clients: PSK + XAuth.
    keyexchange=ikev1
    # No server certificate is sent because PSK is used instead of pubkey.
    leftsendcert=never
    # Mutual pre-shared key for phase 1. Since right=%any, this is one PSK
    # shared by every client (a group secret, kept in ipsec.secrets); anyone
    # holding it can start phase 1, so treat it as sensitive and rotate it.
    leftauth=psk
    rightauth=psk
    # Second authentication round: per-user XAuth username/password.
    rightauth2=xauth
    auto=add