Skip to main content

Linux StrongSwan Cilent

by Ryszard Xiao Tagged in Server,

StrongSwan Ikev2 Client

在Centos6.8系统上使用StrongSwan连接Ikev2 VPN

安装

yum install epel-release -y  
yum install gpm-devel pam-devel openssl-devel make gcc  
wget http://download.strongswan.org/strongswan.tar.gz  
tar xzvf strongswan.tar.gz  
cd strongswan-5.5.2  
./configure --prefix=/usr --sysconfdir=/etc/strongswan --enable-eap-identity --enable-eap-md5             --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap             --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap             --enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock             --enable-unity  --enable-certexpire --enable-radattr --enable-tools             --enable-openssl --disable-gmp
make  
make install

配置

配置之前,你需要把服务端的key下载到本地,同时把服务端的ipsec.secrets下载到本地。

strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {  
    load_modular = no
    plugins {
        include strongswan.d/charon/*.conf
                resolve {
                        file = /etc/resolv.conf                        #设置reslov.conf文件的正确路径为/etc/
                }
    }
}

include strongswan.d/*.conf

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup  
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn ikev2-rw  
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    right=47.90.15.111
    rightid=%47.90.15.111
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftsendcert=never
    leftauth=eap-mschapv2
    eap_identity=username
    auto=add

conn exempt                                         #配置LAN访问不走IPsec通道  
    right=127.0.0.1
    leftsubnet=192.168.0.0/24
    rightsubnet=192.168.0.0/24
    type=passthrough
    auto=route

ipsec.secrets

将服务端的ipsec.secrets替换到客户端,同时设置0600权限。
将服务端下载下来的key,放在ipsec.d/cacerts中: 

[root@inject ipsec.d]# cd cacerts/
[root@inject cacerts]# ls
ca.cert.pem  ca.pem  client.cert.p12  client.cert.pem  client.pem  server.cert.pem  server.pem  
[root@inject cacerts]# pwd
/etc/strongswan/ipsec.d/cacerts
[root@inject cacerts]#

启动

ipsec start  
ipsec up ikev2-rw