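#!/usr/bin/env bash
# Stand up a strongSwan IKEv2 road-warrior VPN (EAP-MSCHAPv2 client auth) on a
# yum-based host, using a Let's Encrypt certificate obtained with certbot.
#
# Run as root.  Every site-specific value can be overridden through the
# environment; the defaults reproduce the original recipe.
#   VPN_DOMAIN    public DNS name of this host (must already resolve to its public IP)
#   VPN_EMAIL     contact address registered with Let's Encrypt
#   VPN_USER      EAP user name written to ipsec.secrets
#   VPN_PASSWORD  EAP password written to ipsec.secrets (the default is a placeholder)
#   VPN_POOL      virtual IP pool handed out to clients
#   VPN_DNS       comma-separated DNS servers pushed to clients
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Package installation, writing under /etc/strongswan and firewall changes all
# need root; fail up front instead of halfway through.
(( EUID == 0 )) || die "this script must run as root"

readonly VPN_DOMAIN="${VPN_DOMAIN:-xyz.javacoder.cn}"
readonly VPN_EMAIL="${VPN_EMAIL:-javacoder.cn@hotmail.com}"
readonly VPN_USER="${VPN_USER:-user1}"
readonly VPN_POOL="${VPN_POOL:-10.10.10.0/24}"
readonly VPN_DNS="${VPN_DNS:-8.8.8.8,8.8.4.4,223.5.5.5}"
if [[ -z "${VPN_PASSWORD:-}" ]]; then
  printf 'warning: VPN_PASSWORD is not set, using the placeholder password\n' >&2
  VPN_PASSWORD=changepwd
fi
readonly VPN_PASSWORD
# The password is embedded verbatim inside a quoted ipsec.secrets token.
if [[ "${VPN_PASSWORD}" == *\"* ]]; then
  die "VPN_PASSWORD must not contain a double quote"
fi

readonly live_dir="/etc/letsencrypt/live/${VPN_DOMAIN}"
readonly swan_dir=/etc/strongswan

yum install -y strongswan certbot firewalld

# Standalone HTTP-01 validation: the domain must resolve to this host and port 80
# must be reachable from the internet at this point (firewalld is enabled later).
# --keep-until-expiring lets a re-run reuse an existing certificate instead of
# prompting.
certbot certonly --standalone --non-interactive --agree-tos --no-eff-email \
  --keep-until-expiring -m "${VPN_EMAIL}" -d "${VPN_DOMAIN}"

# Link the live certificate into the strongSwan directories; -f keeps re-runs
# idempotent (plain ln -s fails once the links exist).
ln -sf -- "${live_dir}/fullchain.pem" "${swan_dir}/ipsec.d/certs/"
ln -sf -- "${live_dir}/privkey.pem"   "${swan_dir}/ipsec.d/private/"
ln -sf -- "${live_dir}/chain.pem"     "${swan_dir}/ipsec.d/cacerts/"

cd -- "${swan_dir}" || die "cannot cd to ${swan_dir}"

# Keep the pristine ipsec.conf as a backup; do not overwrite it on re-runs with
# the generated file.
[[ -e ipsec.conf.bk ]] || cp -- ipsec.conf ipsec.conf.bk

# NOTE(review): enable-tcp / tcp-remoteport / listen-tcp / listen-udp are not
# "config setup" options of stock strongSwan; they are kept from the original
# recipe and presumably target a patched build — confirm against the installed
# version.  If IKE over TCP on 4500 is really in use, the firewall section below
# would also need 4500/tcp, which the original did not open.
# Settings are indented because the classic ipsec.conf parser treats an
# unindented line as the start of a new section.
cat <<EOF > ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file (generated)
# basic configuration
config setup
  charondebug="ike 1, knl 1, cfg 1"
  enable-tcp=yes
  tcp-remoteport=4500
  listen-tcp=yes
  listen-udp=false
conn ikev2-vpn
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  # Offer a SHA-256 / 2048-bit DH suite first; the original aes256-sha1-modp1024
  # suite stays as a fallback for clients (e.g. stock Windows IKEv2) that offer
  # nothing stronger.
  ike=aes256-sha256-modp2048,aes256-sha1-modp1024
  esp=aes256-sha256,aes256-sha1
  dpdaction=clear
  dpddelay=30s
  rekey=no
  left=%any
  leftid=@${VPN_DOMAIN}
  leftcert=fullchain.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  rightsourceip=${VPN_POOL}
  rightdns=${VPN_DNS}
  rightsendcert=never
  eap_identity=%identity
EOF

# Make sure the secrets file is owner-only before the password is written into it;
# a file created by the redirection alone would get the default umask.
touch ipsec.secrets
chmod 600 ipsec.secrets
cat <<EOF > ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file (generated)
: RSA "privkey.pem"
${VPN_USER} : EAP "${VPN_PASSWORD}"
EOF

systemctl enable --now firewalld
firewall-cmd --permanent --add-masquerade    # NAT client traffic out of this host
firewall-cmd --permanent --add-port=80/tcp   # HTTP-01 renewals by certbot
firewall-cmd --permanent --add-port=500/udp  # IKE
firewall-cmd --permanent --add-port=4500/udp # IKE NAT-T / ESP-in-UDP
firewall-cmd --reload

# Persist IP forwarding without clobbering the rest of /etc/sysctl.conf (the
# original redirected a single line over the whole file), then apply it now so
# forwarding works without a reboot.
if ! grep -Eqs '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' /etc/sysctl.conf; then
  printf 'net.ipv4.ip_forward=1\n' >> /etc/sysctl.conf
fi
sysctl -w net.ipv4.ip_forward=1

# restart (not just start) so a re-run picks up the regenerated configuration.
systemctl enable strongswan
systemctl restart strongswan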