# Basic Strongswan ikev2 server setup

* platform: atlantic.net ubuntu 14.04 x64
* the commands below are run with the root account

## Strongswan

```
apt-get install strongswan
apt-get install iptables iptables-persistent
```

## ca

### root ca

```
cd ~
mkdir swan
cd swan
ipsec pki --gen --outform pem > ca_key.pem
ipsec pki --self --in ca_key.pem --dn "C=CN, O=strongswan, CN=strongswan ca" --ca --outform pem > ca_cert.pem
```

### server certificate

```
ipsec pki --gen --outform pem > server_key.pem
# the --san must match the hostname the clients connect to, otherwise they reject the server identity
ipsec pki --pub --in server_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongswan, CN=vpn.strong.com" --san="vpn.strong.com" --outform pem > server_cert.pem
```

### client certificate

```
ipsec pki --gen --outform pem > client_key.pem
ipsec pki --pub --in client_key.pem | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > client_cert.pem
```

### install the certificates

```
cp ca_cert.pem /etc/ipsec.d/cacerts/
cp server_cert.pem /etc/ipsec.d/certs/
cp server_key.pem /etc/ipsec.d/private/
```

## conf

* /etc/ipsec.conf

```
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    leftcert=server_cert.pem
    auto=add
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1h

conn rw
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.0.0.0/24
```

* /etc/ipsec.secrets

```
: RSA server_key.pem
```

* /etc/strongswan.conf

```
charon {
    load_modular = yes
    install_virtual_ip = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    # or use the dns provided by the vps
    plugins {
        include strongswan.d/charon/*.conf
    }
}
```

## system conf

* [/etc/sysctl.conf][1]

```
net.ipv4.ip_forward = 1
```

Apply it without a reboot with `sysctl -p`.

* [/etc/iptables/rules.v4][2]

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 22 14:53:31 2013
# Generated by iptables-save v1.4.18 on Mon Jul 22 14:53:31 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [432:67301]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
```

The FORWARD chain is left at DROP on purpose: with `leftfirewall=yes` the strongSwan updown script inserts the FORWARD rules for each client tunnel when it comes up and removes them when it goes down. The ACCEPT rules for UDP 500 (IKE), UDP 4500 (NAT-T) and ESP must stay above the catch-all REJECT rules, otherwise no client can connect.

## client settings

* ca_cert.pem
* client_key.pem
* client_cert.pem

Download these files to the client with scp or ftp (the client private key should only travel over an encrypted channel) and use them for the Strongswan VPN connection.

## Reference

* [Setting up an IKEv2 VPN with strongSwan on Linux (linux上用strongswan搭建ikev2协议vpn.md)][3]
* [How to save rules of the iptables?][4]
* [How To Set Up a Firewall Using IPTables on Ubuntu 14.04][5]
* [How to make IP forwarding permanent?][6]
* [IPsec-based VPN Server (Simplified Chinese)][7]
* [strongSwan Configuration][8]

[1]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent
[2]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29
[3]: https://gist.github.com/losisli/11081793
[4]: http://askubuntu.com/questions/119393/how-to-save-rules-of-the-iptables
[5]: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
[6]: http://askubuntu.com/questions/311053/how-to-make-ip-forwarding-permanent
[7]: https://wiki.archlinux.org/index.php/IPsec-based_VPN_Server_%28%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%29
[8]: https://github.com/strongswan/strongswan
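As an added consistency check (not part of the original gist), this Python script audits the rules.v4 and ipsec.conf above the way the kernel evaluates them: it confirms that IKE (UDP 500), NAT-T (UDP 4500) and ESP are accepted by the first matching INPUT rule rather than hitting a catch-all REJECT or the DROP policy, and that the MASQUERADE source matches the rightsourceip pool. The embedded inputs are constructed, trimmed copies of the two files, and the option parsing assumes rules in the simple `-A CHAIN -p ... --dport ... -j TARGET` form used on this page.

```python
import re
# Constructed, trimmed copies of the two files from this guide; filter rule order is kept on purpose.
RULES_V4 = """\
*nat
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
IPSEC_CONF = "conn rw\n    right=%any\n    rightsourceip=10.0.0.0/24\n"

def parse_rules(text):
    """iptables-save text -> {table: [tokens]} for every ':CHAIN POLICY' and '-A' line."""
    tables, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], [])
        elif line.startswith(("-A ", ":")) and cur is not None:
            cur.append(line.split())
    return tables

def input_verdict(tables, proto, dport=None):
    """First INPUT rule matching a new proto/dport packet from %any wins (state/-s rules can't), else policy."""
    policy = "ACCEPT"
    for rule in tables.get("filter", []):
        opts = dict(zip(rule, rule[1:]))  # crude option -> next-token map
        if rule[0] == ":INPUT":
            policy = rule[1]
        elif rule[1] == "INPUT" and not opts.keys() & {"-s", "--ctstate", "--state"}:
            if opts.get("-p", proto) == proto and opts.get("--dport", dport) == dport:
                return opts["-j"]
    return policy

def check_vpn_firewall(rules_text, ipsec_text):
    """Return problems found; empty means IKE, NAT-T, ESP and the NAT pool all line up."""
    tables = parse_rules(rules_text)
    problems = [f"inbound {p}{'/' + d if d else ''} verdict is {v}"
                for p, d in (("udp", "500"), ("udp", "4500"), ("esp", None))
                if (v := input_verdict(tables, p, d)) != "ACCEPT"]
    pool = re.search(r"rightsourceip\s*=\s*(\S+)", ipsec_text)
    masq_src = [dict(zip(r, r[1:])).get("-s") for r in tables.get("nat", []) if "MASQUERADE" in r]
    if pool is None or pool.group(1) not in masq_src:
        problems.append("no MASQUERADE rule for the rightsourceip pool")
    return problems
```

Run it against the real files with `check_vpn_firewall(open("/etc/iptables/rules.v4").read(), open("/etc/ipsec.conf").read())`; an empty list means the three inbound protocols and the NAT pool are consistent.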