StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.

Install strongSwan

The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

yum install strongswan openssl

Generate certificates

Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.

cd /etc/strongswan/ipsec.d

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.sh

chmod a+x server_key.sh

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.sh

chmod a+x client_key.sh

In these two .sh files, I have set the organization name as VULTR-VPS-CENTOS. If you want to change it, open the .sh files and replace O=VULTR-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for server. Replace SERVER_IP with the IP address of your Vultr VPS.

./server_key.sh SERVER_IP

Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user "john".

./client_key.sh john john@gmail.com

Replace "john" and his email with yours before running the script.

After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

Configure strongSwan

Open the strongSwan IPSec configuration file.

vi /etc/strongswan/ipsec.conf

Replace its content with the following text.

config setup

    uniqueids=never

    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default

    left=%defaultroute

    leftsubnet=0.0.0.0/0

    leftcert=vpnHostCert.pem

    right=%any

    rightsourceip=172.16.1.100/16

conn CiscoIPSec

    keyexchange=ikev1

    fragmentation=yes

    rightauth=pubkey

    rightauth2=xauth

    leftsendcert=always

    rekey=no

    auto=add

conn XauthPsk

    keyexchange=ikev1

    leftauth=psk

    rightauth=psk

    rightauth2=xauth

    auto=add

conn IpsecIKEv2

    keyexchange=ikev2

    leftauth=pubkey

    rightauth=pubkey

    leftsendcert=always

    auto=add

conn IpsecIKEv2-EAP

    keyexchange=ikev2

    ike=aes256-sha1-modp1024!

    rekey=no

    leftauth=pubkey

    leftsendcert=always

    rightauth=eap-mschapv2

    eap_identity=%any

    auto=add

Edit the strongSwan configuration file, strongswan.conf.

vi /etc/strongswan/strongswan.conf

Delete everything and replace it with the following.

charon {

    load_modular = yes

    duplicheck.enable = no

    compress = yes

    plugins {

            include strongswan.d/charon/*.conf

    }

    dns1 = 8.8.8.8

    dns2 = 8.8.4.4

    nbns1 = 8.8.8.8

    nbns2 = 8.8.4.4

}

include strongswan.d/*.conf

Edit the IPsec secret file to add a user and password.

vi /etc/strongswan/ipsec.secrets

Add a user account "john" into it.

: RSA vpnHostKey.pem

: PSK "PSK_KEY"

john %any : EAP "John's Password"

john %any : XAUTH "John's Password"

Please note that both sides of the colon ':' need a white-space.

Allow IPv4 forwarding

Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

vi /etc/sysctl.conf

Add the following line into the file.

net.ipv4.ip_forward=1

Save the file, then apply the change.

sysctl -p

Configure the firewall

Open the firewall for your VPN on the server.

firewall-cmd --permanent --add-service="ipsec"

firewall-cmd --permanent --add-port=4500/udp

firewall-cmd --permanent --add-masquerade

firewall-cmd --reload

Start VPN

systemctl start strongswan

systemctl enable strongswan

StrongSwan is now is running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.

strongswan的更多相关文章

  1. StrongSwan 5.1.1 发布,Linux 的 IPsec 项目

    StrongSwan是一个完整的2.4和2.6的Linux内核下的IPsec和IKEv1 的实现.它也完全支持新的IKEv2协议的Linux 2.6内核.结合IKEv1和IKEv2模式与大多数其他基于 ...

  2. 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(下篇)

    续篇—— 利用开源软件strongSwan实现支持IKEv2的企业级IPsec VPN,并结合FreeRadius实现AAA协议(上篇) 上篇文章写了如何构建一个支持IKEv2的VPN,本篇记录的是如 ...

  3. 架设基于StrongSwan的L2tp/IPSec VPN服务器

    架设基于StrongSwan的L2tp/IPSec VPN服务器 参考: http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-w ...

  4. CentOS6.5 部署VPN管理系统(StrongSwan+iKEv2+Freeradiu+Mysql+Daloradius)

    一.环境介绍 Server IP:192.168.30.133 System: CentOS 6.5 Client:Winodows 二.编译安装StrongSwan 1.下载StrongSwan w ...

  5. [dev][ipsec][dpdk] strongswan/dpdk源码分析之ipsec算法配置过程

    1 简述 storngswan的配置里用一种固定格式的字符串设置了用于协商的预定义算法.在包协商过程中strongswan将字符串转换为固定的枚举值封在数据包里用于传输. 协商成功之后,这组被协商选中 ...

  6. [dev][crypto][strongswan] 有关strongswan的forward policy的源码分析

    一 默认情况下,我们使用strongswan建立了一个ipsec隧道之后,建立的policy如下: [root@D129 OUTPUT]# ip xfrm policy src dst dir pty ...

  7. [strongswan][autoconf][automake][cento] 在CentOS上编译strongswan git源码时遇到的autoconf问题

    编译strongswan的git源码问题 1. 概述 首先,我们想要通过源码编译strongswan.当满足以下条件时,通常你会遇见此问题: 源码时通过git clone的得来的,而不是官网下载的源码 ...

  8. [strongswan] strongswan是如何实现与xfrm之间的trap机制的

    目录 strongswan与xfrm之间的trap机制 0. 1. 前言 2. 描述 2.1 none 2.2 trap 3. 实验与过程 3.1 trap实验 3.2 none实验 4 背景知识 5 ...

  9. [ipsec][strongswan] 使用wireshark查看strongswan ipsec esp ikev1 ikev2的加密内容

    一,编译,启用strongswan的save-keys plugin ./configure --prefix=/root/OUTPUT --exec-prefix=/root/OUTPUT --en ...

  10. strongSwan配置、运行及测试

    版本信息:strongSwan v5.7.2 1.      编译 tar xvf strongswan-5.7.2.tar.gz ./configure --prefix=/usr/ --sysco ...

随机推荐

  1. 雷林鹏分享:JSP 开发环境搭建

    JSP 开发环境搭建 JSP开发环境是您用来开发.测试和运行JSP程序的地方. 本节将会带您搭建JSP开发环境,具体包括以下几个步骤. 配置Java开发工具(JDK) 这一步涉及Java SDK的下载 ...

  2. Rspec: everyday-rspec实操: 第9章 快速编写测试,编写快速的测试。

    Make it work, make it right, make it fast. 测试运行的时间.应用和测试组件的增长,速度会越来越慢,目标是保持代码的readable, maintainable ...

  3. linux三尖刀

    序 我们都知道,一个可执行程序的基本的生命过程是如此的: (编辑)源文件--->(编译)目标文件--->(链接)可执行文件--->(调试排错)稳定执行 所以,在这个过程中,我们很容易 ...

  4. Linux命令详解-echo

    echo会将输入的字符串送往标准输出.输出的字符串间以空白字符隔开,并在最后加上换行号. 1.命令格式: file [ -bchikLnNprsvz ] [ -f namefile ] [ -F se ...

  5. 如何获取Android应用的packageName和ActivityName,识别应用中的控件

    1.获取Android应用的packageName和ActivityName A:adb logcat >log.txt 在log中搜索package B:adb shell  logcat | ...

  6. HDU 1969 精度二分

    Pie Time Limit: 5000/1000 MS (Java/Others)    Memory Limit: 65536/32768 K (Java/Others)Total Submiss ...

  7. 在请求中使用XML Publisher生成文件报错

    在页面上使用按钮生成该文件不报错,但是使用请求就报错. 错误内容如下 Error : No corresponding LOB data found :SELECT L.FILE_DATA FILE_ ...

  8. TCP/UDP协议

    body, table{font-family: 微软雅黑; font-size: 10pt} table{border-collapse: collapse; border: solid gray; ...

  9. linux提权辅助工具(二):linux-exploit-suggester-2.pl

    来自:https://github.com/jondonas/linux-exploit-suggester-2/blob/master/linux-exploit-suggester-2.pl #! ...

  10. New Concept English Two 31 85

    $课文83  大选之后 904. The former Prime Minister, Mr. Wentworth Lane, was defeated in the recent elections ...