搭建ipsec服务

生成ca证书

  • 生成私钥: ipsec pki --gen --outform pem > ca.pem
  • ipsec pki --self --in ca.pem --dn "C=com, O=vpn, CN=VPN CA" --ca --outform pem > ca.cert.pem

签名服务器证书

  • 生成私钥: ipsec pki --gen --outform pem > server.pem
  • ipsec pki --issue --in server.pem --type rsa --cakey ca.pem --cacert ca.cert.pem --dn "C=com, O=vpn, CN=52.193.249.79" --san 52.193.249.79 --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

生成客户端证书

  • 私钥:ipsec pki --gen --outform pem > client.pem
  • ipsec pki --issue --in client.pem --type rsa --cakey ca.pem --cacert ca.cert.pem --dn "C=com, O=vpn, CN=VPN Client" --outform pem > client.cert.pem

ipsec 配置文件

  • 文件名:ipsec.conf
config setup
    uniqueids=never
conn %default
    keyexchange=ike
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
conn IKE-BASE
    leftcert=server.cert.pem
    rightsourceip=10.0.0.0/24
# ios etc.
conn by_cert
    also=IKE-BASE
    keyexchange=ikev1
    fragmentation=yes
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    rightauth=pubkey
    rightauth2=xauth
    rightcert=client.cert.pem
    auto=add
# ios etc.
conn by_psk
    also=IKE-BASE
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add
# osx linux android etc.
conn by_key
    also=IKE-BASE
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    rightcert=client.cert.pem
    auto=add
# ikev2 (ios osx win7 etc.)
conn IKEv2-EAP
    also=IKE-BASE
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    leftid=52.193.249.79
    leftauth=pubkey
    leftsendcert=always
    rightfirewall=yes
    rightsendcert=never
    rightauth=eap-mschapv2
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add