1、在 Azure 上创建 Ubuntu 虚拟机,原文选择的是 15.04 Server 版本。注意:15.04 早已停止安全更新,实际部署请选用仍在支持期内的 Ubuntu LTS 版本,并确认下文脚本中的 apt 步骤在新版本上仍然适用。

2、在 Azure 的网络安全组(入站规则)中放行 VPN 所需端口:UDP 500(IKE)和 UDP 4500(NAT-T),以及 ESP 协议(如果安全组支持按协议放行)。脚本中额外放行的 TCP 500、UDP 1701、TCP 1723 并没有对应的服务在监听(脚本只安装 strongSwan),无需在 Azure 上开放;不要为了省事放行全部端口。

3、通过 SSH 登录 Ubuntu 虚拟机(Ubuntu Server 没有图形桌面,这里的“远程桌面”实际指 SSH 连接)

命令行输入 sudo su(或 sudo -i),输入创建 Ubuntu 虚拟机时设置的用户密码,

切换到root身份。

4、开始创建 ipsec/ikev2 vpn 服务器

【注】我选择的是 Xen、KVM 的 vps 类型。脚本只区分“OpenVZ”和“非 OpenVZ”:这个选项决定是否启用 strongSwan 的 kernel-libipsec(OpenVZ 没有内核 IPsec 栈)以及防火墙规则使用 eth0 还是 venet0 网卡。Azure 虚拟机(Hyper-V)有正常内核和 eth0,选 1 即可。

【注】修改后 文件 不生效 则重新启动虚拟机

【注】Win7 客户端连接 VPN 需要把 ca.cert.pem 安装到“计算机账户”的“受信任的根证书颁发机构”。注意:这相当于让该机器信任此 CA 签发的任何证书,所以服务器上生成的 CA 私钥(my_key/ca.pem)必须妥善保护,并且只在自己控制的客户端上导入这个根证书。

具体如下:
1.下载脚本(脚本会以 root 身份运行并修改系统配置、关闭 SELinux、写防火墙规则,下载后请先通读源码,或固定到某个已审阅的 commit 再执行,不要直接运行 master 分支):

wget https://raw.githubusercontent.com/quericy/one-key-ikev2-vpn/master/one-key-ikev2.sh

2.运行(如果需要使用自己已有的根证书,请将 CA 私钥命名为 ca.pem,将根证书命名为 ca.cert.pem,放到脚本的相同目录下再运行该脚本;脚本检查的文件名正是 ca.pem 和 ca.cert.pem。没有证书的话将自动生成自签名证书咯):

chmod +x one-key-ikev2.sh

bash one-key-ikev2.sh

3.等待自动配置部分内容后,选择vps类型(OpenVZ还是Xen、KVM),选错将无法成功连接,请务必核实服务器的类型。输入服务器ip或者绑定的域名(连接vpn时服务器地址将需要与此保持一致),以及证书的相关信息(C,O,CN),使用自己的根证书的话,C,O,CN的值需要与根证书一致,为空将使用默认值(default value),确认无误后按任意键继续

4.输入两次pkcs12证书的密码(可以为空)

5.看到 install success 字样即表示安装成功。默认用户名密码将以黄字显示。注意:这些默认值(myUserName / myUserPass / myPSKkey)写在公开的脚本源码里,任何人都知道,而服务器又接受任意来源的连接,所以务必在对外开放端口之前修改 /usr/local/etc/ipsec.secrets 中的用户名、密码和 PSK,并把该文件权限设为 600。(WindowsPhone8.1 的用户请将用户名 myUserName 修改为 %any,否则可能会由于域的问题无法连接,具体参见原文博客中的说明)

6.将提示信息中的证书文件ca.cert.pem拷贝到客户端,修改后缀名为.cer后导入。ios设备使用Ikev1无需导入证书,而是需要在连接时输入共享密钥,共享密钥即是提示信息中的黄字PSK.

服务器重启后默认ipsec不会自启动,请自行添加,或使用命令手动开启:

 
ipsec start

连上服务器后无法链接外网:

 
vim /etc/sysctl.conf

修改net.ipv4.ip_forward=1后保存并关闭文件 然后使用以下指令刷新sysctl:

sysctl -p

如遇报错信息,请重新打开 /etc/sysctl.conf 并将报错的那些行用 # 号注释,保存后再刷新 sysctl 直至不会报错为止。

bash脚本源码(点击展开)

#! /bin/bash
# A fixed PATH so the strongSwan binaries installed under /usr/local are
# found no matter what the caller's environment looks like.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
#   System Required:  CentOS6.x (32bit/64bit) or Ubuntu
#   Description:  Install IKEV2 VPN for CentOS and Ubuntu
#   Author: quericy
#   Intro:  http://quericy.me/blog/699
#===============================================================================================

# Clear the terminal and print the banner once before any step runs.
clear
printf '%s\n' \
    "#############################################################" \
    "# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu" \
    "# Intro: http://quericy.me/blog/699" \
    "#" \
    "# Author:quericy" \
    "#" \
    "#############################################################" \
    ""

# Install IKEV2
# Runs every installation step in order.  Each step is a function defined
# below and the order matters: the root check comes first, packages are
# installed before the build, and the certificates are created before the
# ipsec.conf that references them is written.
function install_ikev2(){
	local step
	for step in rootness disable_selinux get_my_ip get_system yum_install \
	            pre_install download_files setup_strongswan get_key \
	            configure_ipsec configure_strongswan configure_secrets \
	            iptables_set; do
		"$step"
	done
	# Start the daemon with the freshly written configuration, then show
	# the login summary.
	ipsec start
	success_info
}

# Make sure only root can run our script
# Returns normally when the effective UID is 0; otherwise prints an error
# to stderr and terminates the script with status 1.
function rootness(){
	[ "$EUID" -eq 0 ] && return 0
	echo "Error:This script must be run as root!" 1>&2
	exit 1
}

# Disable selinux
# WARNING(review): this switches SELinux off for the whole host, both
# permanently (config file edit) and immediately (setenforce 0).  It is a
# blanket security downgrade done for convenience; a strongSwan built into
# /usr/local may only need policy/context adjustments instead.  Review
# before running on a host that relies on SELinux.
function disable_selinux(){
	local cfg=/etc/selinux/config
	if [ -s "$cfg" ] && grep 'SELINUX=enforcing' "$cfg"; then
		sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' "$cfg"
		setenforce 0
	fi
}

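# Get IP address of the server
# Sets the global IP from an external "what is my IP" service.  The value is
# only the default offered by pre_install, but whatever the user accepts ends
# up as the CN/SAN of the server certificate, so the answer is checked to
# look like an IPv4 dotted quad before it is trusted; an HTML error page or a
# captive-portal redirect (the original's unquoted [ -z $IP ] would have
# choked on those) leaves IP empty and the user types the address by hand.
# NOTE(review): both lookups are plain HTTP, so the suggested default can be
# tampered with on the wire — always eyeball it at the prompt.
function get_my_ip(){
    echo "Preparing, Please wait a moment..."
    local candidate
    candidate=$(curl -s --max-time 10 checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1)
    if ! _looks_like_ipv4 "$candidate"; then
        candidate=$(curl -s --max-time 10 ifconfig.me/ip)
    fi
    if _looks_like_ipv4 "$candidate"; then
        IP=$candidate
    else
        IP=""
    fi
}

# True when $1 is four dot-separated groups of 1-3 digits.
_looks_like_ipv4(){
    [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}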

# Ubuntu or CentOS
# Sets the global system_str from /etc/issue: "0" when it mentions CentOS,
# "1" when it mentions Ubuntu (CentOS is checked first).  Anything else
# aborts the script.
function get_system(){
	local issue
	issue=$(cat /etc/issue)
	case "$issue" in
		*CentOS*) system_str="0" ;;
		*Ubuntu*) system_str="1" ;;
		*)
			echo "This Script must be running at the CentOS or Ubuntu!"
			exit 1
			;;
	esac
}

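# Pre-installation settings
# Interactive step: asks for the VPS type (1 = Xen/KVM, 2 = OpenVZ), the
# address clients will connect to, and the CA subject fields, then shows a
# confirmation and waits for a key press.  Sets the globals os, os_str,
# vps_ip, my_cert_c, my_cert_o, my_cert_cn and cur_dir; reads IP.
# vps_ip becomes the server certificate's CN/SAN, so it must be exactly the
# host name or IP that clients will type into their VPN settings.
# Fixes: input is read with -r (backslashes were mangled before), the
# confirmation now shows the CN it asked for, and expansions are quoted.
function pre_install(){
	echo "#############################################################"
	echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu"
	echo "# Intro: http://quericy.me/blog/699"
	echo "#"
	echo "# Author:quericy"
	echo "#"
	echo "#############################################################"
	echo ""
	echo "please choose the type of your VPS(Xen、KVM: 1  ,  OpenVZ: 2):"
	read -r -p "your choice(1 or 2):" os_choice
	case "$os_choice" in
		1) os="1"; os_str="Xen、KVM" ;;
		2) os="2"; os_str="OpenVZ" ;;
		*) echo "wrong choice!"; exit 1 ;;
	esac
	echo "please input the ip (or domain) of your VPS:"
	read -r -p "ip or domain(default value:${IP}):" vps_ip
	vps_ip=${vps_ip:-$IP}
	echo "please input the cert country(C):"
	read -r -p "C(default value:com):" my_cert_c
	my_cert_c=${my_cert_c:-com}
	echo "please input the cert organization(O):"
	read -r -p "O(default value:myvpn):" my_cert_o
	my_cert_o=${my_cert_o:-myvpn}
	echo "please input the cert common name(CN):"
	read -r -p "CN(default value:VPN CA):" my_cert_cn
	my_cert_cn=${my_cert_cn:-VPN CA}
	echo "####################################"
	# Read one key press without echo, restoring the tty settings afterwards.
	get_char(){
		SAVEDSTTY=$(stty -g)
		stty -echo
		stty cbreak
		dd if=/dev/tty bs=1 count=1 2> /dev/null
		stty -raw
		stty echo
		stty "$SAVEDSTTY"
	}
	echo "Please confirm the information:"
	echo ""
	echo -e "the type of your server: [\033[32;1m$os_str\033[0m]"
	echo -e "the ip(or domain) of your server: [\033[32;1m$vps_ip\033[0m]"
	# CN was prompted for above but never shown in the original summary.
	echo -e "the cert_info:[\033[32;1mC=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}\033[0m]"
	echo ""
	echo "Press any key to start...or Press Ctrl+C to cancel"
	char=$(get_char)
	#Current folder
	cur_dir=$(pwd)
	cd "$cur_dir" || exit 1
}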

#install necessary lib
# Installs the build dependencies for strongSwan from the distro repos,
# after a full package update (note: "update" upgrades every installed
# package, not just these).  Branches on system_str set by get_system:
# "0" = CentOS (yum), anything else = Ubuntu (apt-get).
function yum_install(){
	case "$system_str" in
		0)
			yum -y update
			yum -y install pam-devel openssl-devel make gcc
			;;
		*)
			apt-get -y update
			apt-get -y install libpam0g-dev libssl-dev make gcc
			;;
	esac
}

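# Download strongswan
# Fetches the latest strongSwan tarball into the current directory (re-using
# a local copy if one is present), unpacks it and changes into the source
# tree.  The download now goes over HTTPS so the archive cannot be swapped
# in transit.  NOTE(review): no signature or checksum is verified here; if
# the host's threat model calls for it, check the archive against the
# signature strongSwan publishes before building.  Reads global cur_dir.
function download_files(){
    if [ -f strongswan.tar.gz ]; then
        echo -e "strongswan.tar.gz [\033[32;1mfound\033[0m]"
    elif ! wget https://download.strongswan.org/strongswan.tar.gz; then
        echo "Failed to download strongswan.tar.gz"
        exit 1
    fi
    if ! tar xzf strongswan.tar.gz; then
        echo ""
        echo "Unzip strongswan.tar.gz failed! Please visit http://quericy.me/blog/699 and contact."
        exit 1
    fi
    # The glob assumes exactly one unpacked strongswan-* directory.
    cd "$cur_dir"/strongswan-*/ || { echo "strongswan source directory not found"; exit 1; }
}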

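# configure and install strongswan
# Builds strongSwan from the unpacked source tree (cwd set by download_files)
# with the EAP/XAuth plugins the generated ipsec.conf relies on.  OpenVZ
# guests (os != 1) have no usable kernel IPsec stack and additionally get
# the userland kernel-libipsec backend.  Unlike the original "make; make
# install", the build aborts on the first failing step instead of silently
# installing a half-built tree.
function setup_strongswan(){
	local configure_opts=(
		--enable-eap-identity --enable-eap-md5
		--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap
		--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap
		--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity
		--enable-certexpire --enable-radattr --enable-tools --disable-gmp
	)
	if [ "$os" != "1" ]; then
		configure_opts+=(--enable-kernel-libipsec)
	fi
	./configure "${configure_opts[@]}" || { echo "configure failed"; exit 1; }
	make || { echo "make failed"; exit 1; }
	make install || { echo "make install failed"; exit 1; }
}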

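# configure cert and key
# Creates (or re-uses) the CA key/cert, issues a server certificate whose
# CN/SAN is the address clients connect to, issues a client certificate,
# bundles the client key+cert into a PKCS#12 file, and installs the
# server-side material into strongSwan's ipsec.d tree.
# Globals read: cur_dir, my_cert_c, my_cert_o, my_cert_cn, vps_ip.
# Security notes:
#  - Everything is created under umask 077 and my_key is 0700: ca.pem can
#    sign certificates that every client trusts as a root CA, so it must
#    not be world-readable.
#  - client.pem is still copied into the server's private dir as the
#    original did; rightcert= in ipsec.conf only needs the certificate, so
#    that key could be removed from the server once the .p12 is handed out.
# Fixes: the broken "\032" escapes printed a control character instead of
# resetting the colour; the "Press any key" prompt now actually waits.
function get_key(){
	cd "$cur_dir" || exit 1
	local old_umask
	old_umask=$(umask)
	umask 077
	if [ -f ca.pem ]; then
		echo -e "ca.pem [\033[32;1mfound\033[0m]"
	else
		echo -e "ca.pem [\033[33;1mauto create\033[0m]"
		echo "auto create ca.pem ..."
		ipsec pki --gen --outform pem > ca.pem
	fi

	if [ -f ca.cert.pem ]; then
		echo -e "ca.cert.pem [\033[32;1mfound\033[0m]"
	else
		echo -e "ca.cert.pem [\033[33;1mauto create\033[0m]"
		echo "auto create ca.cert.pem ..."
		ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem >ca.cert.pem
	fi
	[ -d my_key ] || mkdir my_key
	chmod 700 my_key
	mv ca.pem my_key/ca.pem
	mv ca.cert.pem my_key/ca.cert.pem
	cd my_key || exit 1
	# Server certificate: CN and SAN must match what clients dial.
	ipsec pki --gen --outform pem > server.pem
	ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
--san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
--outform pem > server.cert.pem
	# Client certificate, then a PKCS#12 bundle for import on the client.
	ipsec pki --gen --outform pem > client.pem
	ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem
	echo "configure the pkcs12 cert password(Can be empty):"
	openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}"  -out client.cert.p12
	echo "####################################"
	# Read one key press without echo, restoring the tty settings afterwards.
	get_char(){
		SAVEDSTTY=$(stty -g)
		stty -echo
		stty cbreak
		dd if=/dev/tty bs=1 count=1 2> /dev/null
		stty -raw
		stty echo
		stty "$SAVEDSTTY"
	}
	echo "Press any key to install ikev2 VPN cert"
	char=$(get_char)
	cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
	cp server.cert.pem /usr/local/etc/ipsec.d/certs/
	cp server.pem /usr/local/etc/ipsec.d/private/
	cp client.cert.pem /usr/local/etc/ipsec.d/certs/
	cp client.pem /usr/local/etc/ipsec.d/private/
	chmod 600 /usr/local/etc/ipsec.d/private/server.pem /usr/local/etc/ipsec.d/private/client.pem
	umask "$old_umask"
}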

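# configure the ipsec.conf
# Writes strongSwan's ipsec.conf (default /usr/local/etc/ipsec.conf; pass
# another path as $1, e.g. for testing).  Connections:
#   iOS_cert                   IKEv1, certificate + XAuth
#   android_xauth_psk          IKEv1, PSK + XAuth
#   networkmanager-strongswan  IKEv2, certificate
#   windows7                   IKEv2, EAP-MSCHAPv2 (username/password)
# Every conn hands clients addresses from 10.31.2.0/24; iptables_set
# forwards and NATs that pool.
# Security notes:
#  - uniqueids=never lets one credential be used by several clients at the
#    same time; set it to yes if each user may only hold one session.
#  - The windows7 proposal lists aes256-sha256-modp2048 first so clients
#    that offer it negotiate a 2048-bit DH group; aes256-sha1-modp1024 is
#    kept only because the stock Windows 7 IKEv2 client offers just
#    modp1024 by default.  modp1024 is considered weak (Logjam-class) —
#    remove it once no such clients remain.
#  - rightsendcert=never: the server never asks Windows clients for a
#    certificate; they authenticate by EAP only.
function configure_ipsec(){
 local conf_path=${1:-/usr/local/etc/ipsec.conf}
 cat > "$conf_path"<<-EOF
config setup
    uniqueids=never

conn iOS_cert
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

EOF
}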

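# configure the strongswan.conf
# Writes charon's strongswan.conf (default /usr/local/etc/strongswan.conf,
# or $1 when given, e.g. for testing).  Clients are handed Google's public
# resolvers as DNS and WINS servers; change dns1/dns2 (and nbns1/nbns2) if
# clients must not send their DNS queries to a third party.
function configure_strongswan(){
 local conf_path=${1:-/usr/local/etc/strongswan.conf}
 cat > "$conf_path"<<-EOF
 charon {
        load_modular = yes
        duplicheck.enable = no
        compress = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        nbns1 = 8.8.8.8
        nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}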

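# configure the ipsec.secrets
# Writes strongSwan's secrets file (default /usr/local/etc/ipsec.secrets, or
# $1) with freshly generated random values instead of the fixed defaults the
# original shipped ("myPSKkey", "myXAUTHPass", "myUserPass"): those strings
# are public in this script and the server accepts connections from any
# address, so leaving them in place is as good as an open VPN.  The file is
# created 0600 because it holds the credentials in clear text.
# The EAP user name stays "myUserName" (the page's Windows Phone note tells
# users to change it to %any).  The generated values are printed once here;
# record them or edit the file afterwards.
function configure_secrets(){
	local secrets_path=${1:-/usr/local/etc/ipsec.secrets}
	local psk xauth_pass user_pass
	psk=$(_random_secret)
	xauth_pass=$(_random_secret)
	user_pass=$(_random_secret)
	# Create the file root-only before any secret is written into it.
	( umask 077; : > "$secrets_path" ) || exit 1
	chmod 600 "$secrets_path"
	cat > "$secrets_path"<<-EOF
: RSA server.pem
: PSK "${psk}"
: XAUTH "${xauth_pass}"
myUserName %any : EAP "${user_pass}"
EOF
	echo "Generated VPN secrets (stored in ${secrets_path}):"
	echo -e "# PSK (IKEv1 PSK clients):\033[33;1m ${psk}\033[0m"
	echo -e "# XAUTH password:\033[33;1m ${xauth_pass}\033[0m"
	echo -e "# EAP user myUserName, password:\033[33;1m ${user_pass}\033[0m"
}

# Prints 20 characters from [A-Za-z0-9] drawn from the kernel CSPRNG.
_random_secret(){
	LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}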

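# iptables set
# Enables IPv4 forwarding (now and across reboots via /etc/sysctl.conf),
# opens the IPsec ports on the public interface, forwards and NATs the
# 10.31.2.0/24 client pool (the only pool ipsec.conf assigns), and persists
# the rules.  Interface: eth0 on Xen/KVM (os=1), venet0 on OpenVZ.
# Reads globals os and system_str.
# Changes from the original rule set:
#  - udp/1701 (L2TP), tcp/1723 (PPTP) and tcp/500 are no longer opened:
#    nothing installed by this script listens on them.
#  - 10.31.0.0/24 and 10.31.1.0/24 are no longer forwarded/NATed: no conn
#    uses those pools.
#  - ip_forward is persisted; the original set it only at runtime, so
#    clients lost internet access after the first reboot (the page's
#    sysctl.conf workaround).
#  - A rule is appended only if it is not already present (iptables -C), so
#    a re-run does not duplicate rules; on an iptables too old for -C the
#    rule is simply appended as before.
function iptables_set(){
	local iface pool=10.31.2.0/24
	if [ "$os" = "1" ]; then iface=eth0; else iface=venet0; fi

	# Idempotent append: _ipt_add <table> <chain> <rule-spec...>
	_ipt_add(){
		local table=$1; shift
		iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
	}

	sysctl -w net.ipv4.ip_forward=1
	if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf 2>/dev/null; then
		sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
	else
		echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
	fi

	_ipt_add filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	_ipt_add filter FORWARD -s "$pool" -j ACCEPT
	_ipt_add filter INPUT -i "$iface" -p esp -j ACCEPT
	_ipt_add filter INPUT -i "$iface" -p udp --dport 500 -j ACCEPT
	_ipt_add filter INPUT -i "$iface" -p udp --dport 4500 -j ACCEPT
	_ipt_add filter FORWARD -j REJECT
	_ipt_add nat POSTROUTING -s "$pool" -o "$iface" -j MASQUERADE

	if [ "$system_str" = "0" ]; then
		service iptables save
	else
		iptables-save > /etc/iptables.rules
		cat > /etc/network/if-up.d/iptables<<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
		chmod +x /etc/network/if-up.d/iptables
	fi
}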

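# echo the success info
# Prints the login summary.  Credentials are read back from the secrets
# file (default /usr/local/etc/ipsec.secrets, or $1) instead of echoing
# fixed strings, so the output is right whether the file still holds the
# shipped defaults or values generated/edited later.  If the password is
# still the public default, a warning is printed.  Reads global cur_dir.
function success_info(){
	local secrets_path=${1:-/usr/local/etc/ipsec.secrets}
	local user_name user_pass psk
	# Lines look like:  myUserName %any : EAP "pass"   and   : PSK "key"
	user_name=$(awk '/: EAP /{print $1; exit}' "$secrets_path" 2>/dev/null)
	user_pass=$(sed -n 's/.*: EAP "\(.*\)".*/\1/p' "$secrets_path" 2>/dev/null | head -n1)
	psk=$(sed -n 's/.*: PSK "\(.*\)".*/\1/p' "$secrets_path" 2>/dev/null | head -n1)
	echo "#############################################################"
	echo -e "#"
	echo -e "# [\033[32;1mInstall Successful\033[0m]"
	echo -e "# There is the default login info of your VPN"
	echo -e "# UserName:\033[33;1m ${user_name:-myUserName}\033[0m"
	echo -e "# PassWord:\033[33;1m ${user_pass:-myUserPass}\033[0m"
	echo -e "# PSK:\033[33;1m ${psk:-myPSKkey}\033[0m"
	if [ "${user_pass:-myUserPass}" = "myUserPass" ] || [ "${psk:-myPSKkey}" = "myPSKkey" ]; then
		echo -e "# \033[31;1mWARNING: these are the public defaults from the script source; change them before exposing the server.\033[0m"
	fi
	echo -e "# you can change UserName and PassWord in\033[32;1m ${secrets_path}\033[0m"
	echo -e "# you must copy the cert \033[32;1m ${cur_dir}/my_key/ca.cert.pem \033[0m to the client and install it."
	echo -e "#"
	echo -e "#############################################################"
	echo -e ""
}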

# Initialization step
# Entry point: runs the whole install pipeline (see install_ikev2 above).
# Everything below this line in the page is blog text, not script.
install_ikev2
 
 

如需Debian系统的IKEV2一键安装脚本,可参考magic282童鞋的一键脚本:
https://github.com/magic282/One-Key-L2TP-IKEV2-Setup

转载自quericy Eden*博客

参考

UBUNTU、CENTOS搭建IPSEC/IKEV2 VPN服务器全攻略
