strongSwan IKEv2 Client
在 CentOS 6.8 系统上使用 strongSwan 连接 IKEv2 VPN
安装
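#!/usr/bin/env bash
# Build and install strongSwan 5.5.2 from source on CentOS 6.8.
# Must run as root (yum, make install). Strict mode so a failed step (package
# install, download, configure) aborts instead of silently running the next
# command against a half-finished tree.
set -euo pipefail

readonly SW_VERSION=5.5.2
readonly SW_TARBALL="strongswan-${SW_VERSION}.tar.gz"
# Fetch the versioned tarball over HTTPS instead of the unversioned
# strongswan.tar.gz over plain HTTP: the extracted directory then always
# matches the "cd strongswan-${SW_VERSION}" below, and the archive cannot be
# swapped in transit by a network attacker.
readonly SW_URL="https://download.strongswan.org/${SW_TARBALL}"

yum install -y epel-release
yum install -y gpm-devel pam-devel openssl-devel make gcc

wget -- "${SW_URL}"
# TODO: verify the archive against the signature/checksum strongSwan
# publishes for this release before unpacking it; building an unverified
# download is a supply-chain risk.
tar xzvf "${SW_TARBALL}"
cd "strongswan-${SW_VERSION}"

# EAP plugins are needed because the client authenticates with
# leftauth=eap-mschapv2 (ipsec.conf). The duplicated --enable-openssl from the
# original command line is listed once here.
./configure \
  --prefix=/usr \
  --sysconfdir=/etc/strongswan \
  --enable-eap-identity \
  --enable-eap-md5 \
  --enable-eap-mschapv2 \
  --enable-eap-tls \
  --enable-eap-ttls \
  --enable-eap-peap \
  --enable-eap-tnc \
  --enable-eap-dynamic \
  --enable-eap-radius \
  --enable-xauth-eap \
  --enable-xauth-pam \
  --enable-dhcp \
  --enable-openssl \
  --enable-addrblock \
  --enable-unity \
  --enable-certexpire \
  --enable-radattr \
  --enable-tools \
  --disable-gmp
make
make install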
配置
配置之前，你需要把服务端的 key 下载到本地，同时把服务端的 ipsec.secrets 下载到本地。
strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
#
# Client-side override: point the resolve plugin at the host's real
# resolv.conf so DNS settings received over the tunnel are written there.
charon {
load_modular = no
plugins {
include strongswan.d/charon/*.conf
resolve {
# The resolve plugin rewrites this file while the tunnel is up -- presumably
# with the DNS servers the gateway pushes along with the virtual IP
# (leftsourceip=%config in ipsec.conf); confirm the path on this host.
file = /etc/resolv.conf #set the correct resolv.conf path (/etc/ on this host)
}
}
}
include strongswan.d/*.conf
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
#
# Client (road-warrior) setup: one IKEv2 connection to the gateway at
# 47.90.15.111 authenticated with EAP-MSCHAPv2, plus a passthrough connection
# that keeps the local LAN off the tunnel.
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start
# Road-warrior connection to the gateway. auto=add only loads it; it is
# brought up explicitly with "ipsec up ikev2-rw".
conn ikev2-rw
keyexchange=ikev2
# The trailing "!" makes each proposal strict: the gateway must accept exactly
# this suite. NOTE(review): sha1 and the 1024-bit modp1024 DH group are legacy
# choices; prefer sha256 with modp2048 (or stronger) if the gateway offers it.
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
# The gateway is addressed and identified by its IP. With rightauth=pubkey it
# must present a certificate the client can verify against the CA
# certificates placed in ipsec.d/cacerts.
right=47.90.15.111
rightid=%47.90.15.111
# Send all traffic through the tunnel; "conn exempt" below carves out the LAN.
rightsubnet=0.0.0.0/0
rightauth=pubkey
# Request a virtual IP from the gateway.
leftsourceip=%config
# The client authenticates with EAP, not a certificate, so none is sent.
leftsendcert=never
leftauth=eap-mschapv2
# Replace "username" with the EAP user name the gateway knows; its password
# comes from ipsec.secrets, which must stay mode 0600.
eap_identity=username
auto=add
# Passthrough policy for the local /24 so LAN traffic bypasses the IPsec
# tunnel -- presumably taking precedence over the 0.0.0.0/0 policy above
# because it is more specific.
conn exempt #LAN traffic does not go through the IPsec tunnel
right=127.0.0.1
leftsubnet=192.168.0.0/24
rightsubnet=192.168.0.0/24
type=passthrough
# auto=route installs this policy as soon as the daemon starts.
auto=route
ipsec.secrets
将服务端的 ipsec.secrets 复制到客户端替换原文件，同时将其权限设置为 0600。
将从服务端下载的 key 放在 ipsec.d/cacerts 中：
[root@inject ipsec.d]# cd cacerts/
[root@inject cacerts]# ls
ca.cert.pem ca.pem client.cert.p12 client.cert.pem client.pem server.cert.pem server.pem
[root@inject cacerts]# pwd
/etc/strongswan/ipsec.d/cacerts
[root@inject cacerts]#
启动
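#!/usr/bin/env bash
# Start the charon daemon and bring up the road-warrior connection defined in
# ipsec.conf (conn ikev2-rw). That connection is auto=add, so it must be
# brought up explicitly once the daemon is running.
set -euo pipefail

# Stop here if the daemon does not start; otherwise "ipsec up" fails with an
# unrelated "cannot connect to daemon" error that hides the real cause.
ipsec start || { printf 'ipsec start failed\n' >&2; exit 1; }
# NOTE(review): "ipsec start" returns before charon is fully initialised; if
# the next command reports it cannot reach the daemon, retry after a moment.
ipsec up ikev2-rw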