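#!/usr/bin/env bash
# Build a private CA for the strongSwan road-warrior gateway and issue one
# server (IKEv2 gateway) certificate and one client (Android) certificate.
#
# Everything is written relative to the strongSwan config directory: keys in
# private/, the CA certificate in cacerts/, end-entity certificates in
# certs/ (the layout `leftcert=` in ipsec.conf is resolved against). The
# client bundle hongrui.p12 ends up there as well; it contains the client's
# private key, so copy it to the device over a trusted channel and remove it
# from the gateway afterwards.
#
# Requires: strongSwan `ipsec pki` and `openssl`.
set -euo pipefail

readonly IPSEC_DIR=/etc/ipsec.d
# Gateway address: used as the server certificate's SAN (and as leftid).
readonly VPN_ADDR=172.18.10.77
# The CA subject previously spelled the organisation "acron" while every
# issued certificate uses "acorn"; unified here.
readonly CA_DN="C=CH, O=acorn, CN=centos Root CA"
readonly CA_NAME="centos Root CA"   # friendly name stored in the PKCS#12 bundle

#######################################
# Generate an RSA private key so that it is never world-readable, not even
# between creation and the chmod (the umask applies inside the subshell).
# Arguments: $1 - output path, $2 - key size in bits
#######################################
gen_key() {
  local out=$1 bits=$2
  ( umask 077; ipsec pki --gen --type rsa --size "$bits" --outform pem > "$out" )
  chmod 600 "$out"
}

#######################################
# Issue an end-entity certificate (2 years) signed by the CA.
# Arguments: $1 - private key path
#            $2 - output certificate path
#            $3 - subject DN
#            remaining args - extra `ipsec pki --issue` options (--san, --flag ...)
#######################################
issue_cert() {
  local key=$1 out=$2 dn=$3
  shift 3
  ipsec pki --pub --in "$key" --type rsa \
    | ipsec pki --issue --lifetime 730 \
        --cacert cacerts/openwrtCert.pem --cakey private/openwrt.pem \
        --dn "$dn" "$@" --outform pem > "$out"
}

main() {
  cd "$IPSEC_DIR" || exit 1

  # --- CA (10 years, 4096-bit key) ---
  gen_key private/openwrt.pem 4096
  ipsec pki --self --ca --lifetime 3650 --in private/openwrt.pem --type rsa \
    --dn "$CA_DN" --outform pem > cacerts/openwrtCert.pem
  ipsec pki --print --in cacerts/openwrtCert.pem   # informational only

  # --- gateway certificate ---
  # serverAuth/ikeIntermediate are the EKUs some IKEv2 clients require on the
  # gateway certificate; the SAN must be what clients use as server address.
  gen_key private/vpnHostKey.pem 2048
  issue_cert private/vpnHostKey.pem certs/vpnHostCert.pem \
    "C=CH, O=acorn, CN=$VPN_ADDR" --san "$VPN_ADDR" --flag serverAuth --flag ikeIntermediate

  # --- client certificate ---
  # The client gets its own identity. It was previously issued with the
  # gateway's CN and SAN, so a leaked client certificate would also have
  # carried the server's identity.
  gen_key private/androidKey.pem 2048
  issue_cert private/androidKey.pem certs/androidCert.pem \
    "C=CH, O=acorn, CN=hongrui" --flag clientAuth

  # PKCS#12 bundle for the device: client key + certificate + CA certificate.
  # openssl prompts for the export passphrase. `-nodes` is dropped: depending
  # on the OpenSSL version it is either ignored for export or leaves the key
  # unencrypted inside the bundle. The umask keeps the bundle owner-only.
  ( umask 077; openssl pkcs12 -export -inkey private/androidKey.pem -in certs/androidCert.pem \
      -name "hongrui's VPN Certificate" -certfile cacerts/openwrtCert.pem \
      -caname "$CA_NAME" -out hongrui.p12 )

  # Belt and braces: also covers any pre-existing key files in private/.
  chmod 0600 "$IPSEC_DIR"/private/*
}

main "$@"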
编辑/etc/ipsec.conf
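config setup
  # strictcrlpolicy=yes
  # uniqueids = no
  # never: a second connection with the same identity (e.g. one client
  # certificate installed on two phones) does not replace the first one;
  # unlike "no", INITIAL_CONTACT notifies are presumably ignored as well.
  uniqueids=never

# IKEv2 road-warrior gateway: certificate authentication on both sides,
# clients get an address from rightsourceip and send all traffic
# (leftsubnet=0.0.0.0/0) through the tunnel.
# Parameter lines inside a section must be indented; a line starting in
# column 0 begins a new section.
conn roadwarrior-ikev2
  keyexchange=ikev2
  # Tear down a peer that stops answering dead-peer detection rather than
  # trying to re-establish it from the gateway side.
  dpdaction=clear
  dpddelay=300s
  # The gateway never initiates rekeying; clients are expected to.
  rekey=no
  left=%any
  # The identity must be contained in leftcert (its subject DN or a SAN).
  # vpnHostCert.pem carries the gateway address 172.18.10.77 as SAN; an id
  # the certificate does not confirm (such as "openwrt") is ignored by
  # strongSwan, which then falls back to the certificate's subject DN.
  leftid=172.18.10.77
  # Looked up in /etc/ipsec.d/certs.
  leftcert=vpnHostCert.pem
  leftauth=pubkey
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  # strongSwan's updown script inserts the forwarding rules for each tunnel.
  leftfirewall=yes
  right=%any
  # Any certificate issued by a CA found in /etc/ipsec.d/cacerts is accepted
  # as a client; add rightca= / rightid= to narrow this when more than one CA
  # is installed there.
  rightauth=pubkey
  rightsourceip=20.20.0.0/24
  rightdns=8.8.8.8
  #eap_identity=%any
  # Load the conn and wait for clients to initiate.
  auto=add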
编辑/etc/config/firewall
添加
# allow incoming IPsec connections
# All four rules use the lan zone, so only clients on the LAN side can reach
# the gateway. Road warriors arriving from the Internet land in the wan zone
# and would need src wan instead.
# ESP: the tunnelled traffic itself.
config rule
option src lan
option proto esp
option target ACCEPT
# IKE (UDP/500).
config rule
option src lan
option proto udp
option dest_port 500
option target ACCEPT
# IKE and ESP-in-UDP NAT traversal (UDP/4500).
config rule
option src lan
option proto udp
option dest_port 4500
option target ACCEPT
# AH: presumably unused by the conn above (no ah= parameter is set, so ESP is
# negotiated); harmless to keep.
config rule
option src lan
option proto ah
option target ACCEPT
运行
# Start the daemon in the foreground with every debug subsystem raised: handy
# while testing the setup, far too verbose for regular operation. Once the
# connection works, start the service the normal way without --debug-all.
ipsec start --nofork --debug-all