Chinaunix首页 | 论坛 | 博客
  • 博客访问: 4248212
  • 博文数量: 447
  • 博客积分: 1241
  • 博客等级: 中尉
  • 技术积分: 5786
  • 用 户 组: 普通用户
  • 注册时间: 2011-01-27 06:48
个人简介

读好书,交益友

文章分类

全部博文(447)

文章存档

2024年(1)

2023年(5)

2022年(29)

2021年(49)

2020年(16)

2019年(15)

2018年(23)

2017年(67)

2016年(42)

2015年(51)

2014年(57)

2013年(52)

2012年(35)

2011年(5)

分类: 网络与安全

2015-11-26 19:16:03

sudo yum install gmp gmp-devel mpfr mpfr-devel libmpc libmpc-devel


wget
tar -jxvf   strongswan-5.3.4.tar.bz2


cd  strongswan-5.3.4/




./configure --prefix=/usr --sysconfdir=/etc  --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap  --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2  --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls




make 
make install


cd /etc/ipsec.d/
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem


chmod 600 private/strongswanKey.pem


ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem


ipsec pki --print --in cacerts/strongswanCert.pem


CREATE YOUR VPN HOST CERTIFICATE


ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem
 ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=114.247.235.50" --san 114.247.235.50 --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem


CREATE A CLIENT CERTIFICATE
ipsec pki --gen --type rsa --size 2048 --outform pem > private/AlexanderKey.pem
chmod 600 private/AlexanderKey.pem
ipsec pki --pub --in private/AlexanderKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=114.247.235.50" --san 114.247.235.50 --outform pem > certs/AlexanderCert.pem


EXPORT CLIENT CERTIFICATE AS A PKCS#12 FILE
openssl pkcs12 -export -inkey private/AlexanderKey.pem -in certs/AlexanderCert.pem -name "Alexander's VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA"  -nodes -out Alexander.p12

 openssl x509 -in  certs/AlexanderCert.pem  -noout -text



ipsec.conf 配置
win7部分
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024! 
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=20.0.0.0/24
rightsendcert=never
eap_identity=%any
auto=add

conn %default
keyexchange=ikev2
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
right=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=172.16.16.0/24

安装目录
ipsec脚本路径
/usr/sbin
插件路径
 /usr/lib/ipsec/plugins
程序路径
/usr/libexec/ipsec/
库路径
/usr/lib/ipsec/plugins




kernel-libipsec plugin

使用tun驱动 这个应该和 android一致

阅读(6506) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~