vpn:linux_server_ikev2



Install packages

# strongswan        - IKE daemon (charon)
# strongswan-pki    - the `ipsec pki` tool used to build the CA below
# libcharon-extra-plugins - extra charon plugins; presumably pulled in for the
#                     eap-mschapv2 authentication used in ipsec.conf (confirm)
# netfilter-persistent / iptables-persistent - persist firewall/NAT rules
#                     (the rules themselves are not shown on this page)
apt install \
  strongswan \
  strongswan-pki \
  libcharon-extra-plugins \
  netfilter-persistent \
  iptables-persistent

Generate CA and certificates

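# Private keys are written via shell redirection, so they get the default
# umask (typically 022 -> mode 0644, world-readable). Make everything created
# in this session owner-only before the first key is generated.
umask 077

# Hostname clients connect to. It has to appear in the server certificate's
# SAN (clients verify the name) and must be the same value used for leftid
# in ipsec.conf.
FQDN="vpn.example.com"   # <- replace with the real FQDN

# Root CA key and self-signed CA certificate. Keep vpn_ca_key.pem off the
# VPN server: whoever holds it can issue certificates every client trusts.
# No --size is given, so strongSwan's default ECDSA curve/size applies.
ipsec pki --gen --type ecdsa --outform pem > vpn_ca_key.pem
ipsec pki --self --in vpn_ca_key.pem --type ecdsa \
    --dn "C=US, O=Testig Ltd., CN=Root CA" --ca --lifetime 3650 \
    --outform pem > vpn_ca_cert.pem

# Server key pair. The extracted public key is only an input for --issue.
ipsec pki --gen --type ecdsa --outform pem > vpn_server_key.pem
ipsec pki --pub --in vpn_server_key.pem --type ecdsa > vpn_server_pub_key.pem

# Server certificate signed by the CA. serverAuth + ikeIntermediate are the
# EKU flags some IKEv2 clients (reportedly Apple's) require - verify against
# your client base. 3650 days is long for a leaf certificate; shorten it if
# you can rotate it easily.
ipsec pki --issue --in vpn_server_pub_key.pem --lifetime 3650 \
    --cacert vpn_ca_cert.pem --cakey vpn_ca_key.pem \
    --dn "CN=${FQDN}" --san="${FQDN}" \
    --flag serverAuth --flag ikeIntermediate \
    --outform pem > vpn_server_cert.pem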

Install the certificates and the server key (the CA key stays off the server)

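# Only the CA *certificate* is installed on the server. The CA private key
# (vpn_ca_key.pem) is deliberately not moved here - it is needed only to
# issue further certificates and should be stored offline.
mv vpn_ca_cert.pem /etc/ipsec.d/cacerts/
mv vpn_server_cert.pem /etc/ipsec.d/certs/
mv vpn_server_key.pem /etc/ipsec.d/private/

# Lock the server key down regardless of the umask it was created under
# (a default umask leaves it 0644, i.e. readable by every local user).
chown root:root /etc/ipsec.d/private/vpn_server_key.pem
chmod 0600 /etc/ipsec.d/private/vpn_server_key.pem

# vpn_server_pub_key.pem was only an intermediate input for --issue and is
# not needed by strongSwan; it can be removed.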

Edit /etc/ipsec.conf

# cat /etc/ipsec.conf 
 
config setup
        # Do not fail when a CRL cannot be fetched. Clients authenticate with
        # EAP (rightauth below), not with certificates, so no peer certificate
        # is checked against a CRL on this server anyway.
        strictcrlpolicy=no
        # Allow several concurrent IKE SAs under the same identity instead of
        # replacing the older one (see ipsec.conf(5), uniqueids). Convenient
        # for multi-device users, but a leaked EAP credential can then be used
        # in parallel with the legitimate session without anyone being kicked.
        uniqueids=no
 
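conn ipsec-ikev2-vpn
        # IKE proposals, strict (trailing "!"): AEAD suites first, then
        # AES-CBC + HMAC. modp1024 (DH group 2) has been removed from the
        # second proposal - 1024-bit MODP is below current minimums and was
        # the weakest group offered. Re-add it only if a legacy client
        # genuinely cannot negotiate modp2048 or an ECP group.
        ike=aes256gcm16-aes192gcm16-chacha20poly1305-prfsha512-prfsha256-ecp521-ecp256,aes256-sha512-sha256-prfsha512-prfsha256-modp3072-modp2048-ecp521!
        # ESP proposals; the DH groups listed here give PFS on CHILD_SA rekeys.
        esp=aes256gcm16-aes192gcm16-chacha20poly1305-ecp521-ecp256-modp3072-modp2048,aes256-sha512-sha256-modp3072-modp2048!
        # Load the connection at startup and wait for clients to initiate.
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        # IKE-level fragmentation, useful when certificate payloads are large.
        fragmentation=yes
        # Always UDP-encapsulate ESP, even when no NAT is detected.
        forceencaps=yes
        # Dead-peer detection every 300s; a dead client's SAs are simply
        # cleared.
        dpdaction=clear
        dpddelay=300s
        # The server never initiates rekeying; SA lifetimes are therefore
        # whatever the clients enforce.
        rekey=no
        # --- server (left) side ---
        left=%any
        # "@" marks an FQDN identity taken literally (no DNS lookup). The
        # value must equal the CN/SAN in vpn_server_cert.pem, otherwise
        # clients that verify the name will reject the server.
        leftid=@FQDN
        # Certificate from /etc/ipsec.d/certs. The matching private key must
        # also be registered in /etc/ipsec.secrets (": ECDSA vpn_server_key.pem"),
        # which is not shown on this page.
        leftcert=vpn_server_cert.pem
        leftsendcert=always
        # Full tunnel for IPv4 only. A client with IPv6 connectivity will send
        # IPv6 traffic outside the tunnel unless ::/0 is also routed through it.
        leftsubnet=0.0.0.0/0
        # --- client (right) side ---
        right=%any
        rightid=%any
        # MSCHAPv2 by itself is weak (password hashes are cheaply crackable
        # offline). It is acceptable here only because the EAP exchange runs
        # inside the IKE SA that the server certificate authenticates - so
        # clients MUST validate the server certificate against vpn_ca_cert.pem.
        # User credentials live in /etc/ipsec.secrets (not shown on this page).
        rightauth=eap-mschapv2
        # Pool of virtual IPs handed out to clients.
        rightsourceip=172.16.15.2/24
        rightdns=1.1.1.1,8.8.8.8
        # EAP clients send no certificate, so this has no practical effect.
        rightsendcert=always
        # Use the EAP identity as the client's identity.
        eap_identity=%identity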