分类: 网络与安全

2015-11-26 19:16:03

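# Build strongSwan 5.3.4 from source on a yum-based host (CentOS/RHEL).
# --enable-openssl below needs the OpenSSL headers, and configure needs a C
# toolchain, so openssl-devel, gcc and make are added to the original list.
sudo yum install gmp gmp-devel mpfr mpfr-devel libmpc libmpc-devel openssl-devel gcc make

# The original post lost the URL after "wget". Fetch the release tarball and
# its detached signature, and verify the tarball before unpacking it (the
# strongSwan release-signing key must already be in the local gpg keyring).
wget https://download.strongswan.org/strongswan-5.3.4.tar.bz2
wget https://download.strongswan.org/strongswan-5.3.4.tar.bz2.sig
gpg --verify strongswan-5.3.4.tar.bz2.sig strongswan-5.3.4.tar.bz2 || exit 1
tar -jxvf strongswan-5.3.4.tar.bz2
cd strongswan-5.3.4/ || exit 1

# NOTE: --enable-md4 is required by EAP-MSCHAPv2 (NT hash); --enable-eap-md5
# and the EAP-SIM/AKA plugins are only needed if those methods are used.
./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport \
  --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 \
  --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc \
  --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius \
  --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \
  --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls \
  --enable-eap-tnc --enable-eap-ttls || exit 1

make || exit 1
# --prefix=/usr installs into system directories, so this needs root like the
# yum step above did.
sudo make install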


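# Create the CA private key and the self-signed root certificate under /etc/ipsec.d.
cd /etc/ipsec.d/ || exit 1

# Generate the key with a restrictive umask so the file is never readable by
# other users, not even between creation and the chmod below (the original
# created it with the default umask and only tightened permissions afterwards).
(umask 077; ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem) || exit 1
chmod 600 private/strongswanKey.pem

# Self-signed CA certificate, valid for 10 years.
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa \
  --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem || exit 1

# Show the resulting certificate for a sanity check.
ipsec pki --print --in cacerts/strongswanCert.pem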


CREATE YOUR VPN HOST CERTIFICATE


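# VPN host (server) key and certificate, issued by the CA created above.
# Restrictive umask so the private key is never exposed before chmod runs.
(umask 077; ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem) || exit 1
chmod 600 private/vpnHostKey.pem

# The SAN must match what clients are configured to connect to (here the
# public IP). serverAuth and ikeIntermediate are the EKU flags Windows clients
# expect on the IKEv2 server certificate.
ipsec pki --pub --in private/vpnHostKey.pem --type rsa \
  | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
      --dn "C=CH, O=strongSwan, CN=114.247.235.50" --san 114.247.235.50 \
      --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem || exit 1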


CREATE A CLIENT CERTIFICATE
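# Client key and certificate. The original issued the client certificate with
# the *server's* CN and SAN (114.247.235.50); a client certificate must carry
# the client's own identity, otherwise the CA has signed two certificates that
# assert the same identity. The name used in the PKCS#12 export is reused here.
client_id="Alexander"

(umask 077; ipsec pki --gen --type rsa --size 2048 --outform pem > private/AlexanderKey.pem) || exit 1
chmod 600 private/AlexanderKey.pem

# No serverAuth flag: this certificate is for client use only.
ipsec pki --pub --in private/AlexanderKey.pem --type rsa \
  | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
      --dn "C=CH, O=strongSwan, CN=${client_id}" --san "${client_id}" --outform pem > certs/AlexanderCert.pem || exit 1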


EXPORT CLIENT CERTIFICATE AS A PKCS#12 FILE
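# Bundle the client key, client certificate and CA certificate into a PKCS#12
# file for import on the client. openssl prompts for an export password, which
# protects the private key inside the .p12 — use a strong one and transfer the
# file out of band. (-nodes from the original is a parsing-side option and has
# no effect with -export, so it is dropped.)
openssl pkcs12 -export -inkey private/AlexanderKey.pem -in certs/AlexanderCert.pem \
  -name "Alexander's VPN Certificate" -certfile cacerts/strongswanCert.pem \
  -caname "strongSwan Root CA" -out Alexander.p12 || exit 1
# The bundle contains a private key; keep it owner-readable only.
chmod 600 Alexander.p12

# Inspect the issued client certificate.
openssl x509 -in certs/AlexanderCert.pem -noout -text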



ipsec.conf 配置
Windows 7 部分
# Connection for the Windows 7 built-in IKEv2 client: the server authenticates
# with its certificate, the user authenticates with EAP-MSCHAPv2.
conn windows7
keyexchange=ikev2
# NOTE(review): sha1 and modp1024 (DH group 2) are weak by current standards and
# the trailing "!" makes this the only IKE proposal the server will accept; it is
# presumably kept because it is what the stock Windows 7 client offers — confirm
# before tightening, and prefer a stronger group once clients support it.
ike=aes256-sha1-modp1024! 
rekey=no
left=%defaultroute
# Server side authenticates with the host certificate issued above.
leftauth=pubkey
# Full tunnel: all client traffic is routed through the VPN.
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
right=%any
# Client side: username/password via EAP-MSCHAPv2 (needs the md4 plugin).
rightauth=eap-mschapv2
# Virtual address pool handed out to connected clients.
rightsourceip=20.0.0.0/24
# Clients are never asked for a certificate; the EAP exchange is the only
# client authentication, so credential strength and lockout policy matter.
rightsendcert=never
# Accept any EAP identity; the user name comes from the EAP exchange itself.
eap_identity=%any
auto=add

# Defaults inherited by every conn section that does not override a key.
conn %default
keyexchange=ikev2
# Broad proposal lists to accommodate many clients. The entries ending in
# sha1/modp1024/modp1536 are weak and only there for legacy peers; the final
# "!" restricts negotiation to exactly these lists. Trim the weak entries once
# no client depends on them.
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
# ESP list: AES-GCM (AEAD) entries first, CBC+HMAC fallbacks after; the entries
# without a DH group disable PFS for the CHILD_SA rekey.
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
# Dead peer detection: probe every 300s and tear the SA down when the peer stops
# answering, so stale client sessions do not linger.
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
# Full tunnel by default.
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
right=%any
# DNS servers pushed to clients (public resolvers here).
rightdns=8.8.8.8,8.8.4.4
# Default virtual address pool; conn windows7 overrides it with its own pool.
rightsourceip=172.16.16.0/24

安装目录
ipsec脚本路径
/usr/sbin
插件路径
 /usr/lib/ipsec/plugins
程序路径
/usr/libexec/ipsec/
库路径
/usr/lib/ipsec/plugins




kernel-libipsec plugin

使用 tun 驱动，这应该和 Android 上的实现一致。
