StrongSwan install from source
Download preferred release from download.strongswan.org
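# Fetch the current release tarball and its detached signature (the project
# publishes .sig files next to its tarballs) so the source can be verified
# before it is built and installed system-wide.
wget https://download.strongswan.org/strongswan.tar.gz
wget https://download.strongswan.org/strongswan.tar.gz.sig
# Import the strongSwan release signing key first (fingerprint published on
# strongswan.org — <RELEASE-KEY-FINGERPRINT> is a placeholder for it).
# A failed verification must stop the install, not just print a warning.
gpg --verify strongswan.tar.gz.sig strongswan.tar.gz || exit 1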
Untar the archive and cd into the source directory.
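# Build with the frontends and plugins the rest of this guide relies on:
#   --enable-systemd / --enable-swanctl : charon-systemd + swanctl (debug section)
#   --enable-openssl                    : crypto backend
#   --enable-xauth-eap                  : EAP-based XAuth (ikev2-eap-tls conn)
#   --enable-xauth-noauth               : XAuth backend used by the
#                                         ikev1-fakexauth conn; it performs no
#                                         credential check, so only reference
#                                         it from a conn whose first round
#                                         already authenticates the client
#                                         (rightauth=pubkey in ipsec.conf).
# The three steps are chained so that a failed configure or make stops the
# sequence instead of running `make install` on a broken or stale tree.
./configure --prefix=/usr --sysconfdir=/etc \
  --enable-systemd --enable-swanctl --enable-openssl \
  --enable-xauth-eap --enable-xauth-noauth \
  && make \
  && make install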
Systemd enable/start
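# Enable and start each unit in one step (`--now`) instead of a separate
# enable/start pair per unit.
# NOTE(review): strongswan.service (charon-systemd, swanctl/vici) and
# strongswan-starter.service (starter + charon, driven by ipsec.conf) each
# start their own IKE daemon on UDP 500/4500 and are likely to conflict when
# run concurrently. This guide configures ipsec.conf, so
# strongswan-starter.service is the one actually needed — confirm before
# enabling both.
systemctl enable --now strongswan.service
systemctl enable --now strongswan-starter.service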
Certs
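# Build the PKI with the easy-rsa-ipsec fork. For anything beyond a lab, pin a
# reviewed tag/commit instead of tracking the default branch.
git clone https://github.com/ValdikSS/easy-rsa-ipsec.git
cd easy-rsa-ipsec/easyrsa3 || exit 1
./easyrsa init-pki
# `nopass` leaves the CA private key unencrypted on disk: restrict access to
# the pki/ directory and keep the CA off the VPN host if this is not a test.
./easyrsa build-ca nopass
# Server certificate name: keep it identical to the leftcert/leftid value in
# ipsec.conf (domain.name). The original used domain_name here but
# domain.name in the cp/ipsec.conf steps, which would not match.
./easyrsa build-server-full domain.name nopass
./easyrsa build-client-full client_name nopass
# The .p12 bundle contains the client's private key and, with `nopass`, is not
# password-protected; hand it to the client over a trusted channel only.
./easyrsa export-p12 client_name nopass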
Successful export of p12 file. Your exported file is at the following
location: /usr/src/easy-rsa-ipsec/easyrsa3/pki/private/<client_name>.p12
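# Install the PKI material where ipsec.conf / ipsec.secrets look for it.
# Run from the easyrsa3 directory (paths are relative to pki/).
cp -- pki/ca.crt /etc/ipsec.d/cacerts/
cp -- pki/issued/domain.name.crt /etc/ipsec.d/certs/
cp -- pki/private/domain.name.key /etc/ipsec.d/private/
# cp keeps the mode of the source file; make sure the server's private key is
# not world-readable (the daemon reads it with root privileges — confirm if it
# is run under a dedicated user on this host).
chmod 600 /etc/ipsec.d/private/domain.name.key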
Road Warrior config with ipsec.conf
/etc/ipsec.secrets
# Server private key, looked up by file name in /etc/ipsec.d/private/ (where it
# was copied in the Certs step).
: RSA domain.name.key
# XAuth credential; <username> and "pass" are placeholders to replace.
# NOTE(review): the ikev1-fakexauth conn in ipsec.conf uses xauth-noauth, which
# does not check credentials, so this line may only matter for other XAuth
# conns — confirm which conn consumes it.
# This file holds secrets: keep it owned by root with mode 0600.
<username> : XAUTH "pass"
/etc/ipsec.conf
config setup
  # strictcrlpolicy=yes
  # multiple connections with the one unique cert
  # uniqueids = no

# Defaults inherited by every conn below.
conn %default
  # Dead-peer detection: drop the SA silently after 300s without replies.
  dpdaction=clear
  dpddelay=35s
  dpdtimeout=300s
  fragmentation=yes
  # This side does not initiate rekeying; the clients are expected to.
  rekey=no
  # NOTE(review): both proposal lists still contain 3des, sha1 and modp1024 for
  # legacy-client compatibility; the trailing `!` restricts negotiation to
  # exactly these lists. Drop the weak entries once no client depends on them.
  ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
  esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
  # left - local (server) side
  left=%any
  leftauth=pubkey
  # Certificate installed in /etc/ipsec.d/certs/ in the Certs step.
  leftcert=domain.name.crt
  leftsendcert=always
  # Full-tunnel: clients route all traffic through this host (needs
  # ip_forward=1 and the FORWARD rules from the Iptables section).
  leftsubnet=0.0.0.0/0
  # right - remote (client) side
  right=%any
  # Clients authenticate with a certificate issued by the CA above.
  rightauth=pubkey
  # Virtual IP pool and DNS servers handed to connecting clients.
  rightsourceip=10.20.30.0/24
  rightdns=8.8.8.8,8.8.4.4

# IKEv2, certificate authentication on both sides.
conn ikev2-pubkey
  keyexchange=ikev2
  auto=add

# Same as ikev2-pubkey but with an explicit server identity; the server
# certificate must carry domain.name as subject/SAN for clients that check it.
conn ikev2-pubkey-osx
  also="ikev2-pubkey"
  leftid=domain.name

# IKEv1 for clients that insist on an XAuth round after certificate auth:
# xauth-noauth (enabled at build time) accepts the round without checking
# credentials, so the certificate check in round one is the only client
# authentication here.
conn ikev1-fakexauth
  keyexchange=ikev1
  rightauth2=xauth-noauth
  auto=add

# IKEv2 with EAP-TLS client authentication (requires --enable-xauth-eap).
conn ikev2-eap-tls
  also="ikev2-pubkey"
  rightauth=eap-tls
  eap_identity=%identity
restart
# Restart both daemons so the new ipsec.conf / ipsec.secrets are loaded.
systemctl restart strongswan.service
systemctl restart strongswan-starter.service
debug
# Print swanctl's usage text (long form of -h, per the output below).
swanctl --help
strongSwan 5.8.1 swanctl loaded plugins: aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac usage: swanctl --counters (-C) list or reset IKE event counters swanctl --initiate (-i) initiate a connection swanctl --terminate (-t) terminate a connection swanctl --rekey (-R) rekey an SA swanctl --redirect (-d) redirect an IKE_SA swanctl --uninstall (-u) uninstall a trap or shunt policy swanctl --install (-p) install a trap or shunt policy swanctl --list-sas (-l) list currently active IKE_SAs swanctl --monitor-sa (-m) monitor for IKE_SA and CHILD_SA changes swanctl --list-pols (-P) list currently installed policies swanctl --list-authorities (-B) list loaded authority configurations swanctl --list-conns (-L) list loaded configurations swanctl --list-certs (-x) list stored certificates swanctl --list-pools (-A) list loaded pool configurations swanctl --list-algs (-g) show loaded algorithms swanctl --flush-certs (-f) flush cached certificates swanctl --load-all (-q) load credentials, authorities, pools and connections swanctl --load-authorities (-b) (re-)load authority configuration swanctl --load-conns (-c) (re-)load connection configuration swanctl --load-creds (-s) (re-)load credentials swanctl --load-pools (-a) (re-)load pool configuration swanctl --log (-T) trace logging output swanctl --version (-v) show version information swanctl --stats (-S) show daemon stats information swanctl --reload-settings (-r) reload daemon strongswan.conf swanctl --help (-h) show usage information
Iptables
/etc/sysctl.conf
# Forward packets between VPN clients and other networks; required because
# leftsubnet=0.0.0.0/0 sends all client traffic through this host.
net.ipv4.ip_forward = 1
# With forwarding enabled, neither accept nor emit ICMP redirects, which could
# otherwise alter routing for tunnelled traffic.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Apply without a reboot: sysctl -p
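# Let IKE (UDP 500) and NAT-T (UDP 4500) reach the daemon.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# Accept ESP. `-p ESP` and `-p 50` in the original were the same rule (ESP is
# IP protocol 50), so only one is kept.
iptables -A INPUT -p esp -j ACCEPT
# AH (protocol 51) was also opened in the original; the ipsec.conf above only
# negotiates esp= proposals, so it stays disabled unless AH is actually used.
# iptables -A INPUT -p 51 -j ACCEPT
# Accept traffic that arrives through / leaves via an IPsec policy. The
# original's first INPUT policy rule spelled the option `-pol` (iptables
# rejects it) and was a duplicate of the next line, so it is dropped.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# NOTE(review): these rules are not persisted across reboots, and clients in
# 10.20.30.0/24 reaching the internet through leftsubnet=0.0.0.0/0 usually
# also need a POSTROUTING MASQUERADE/SNAT rule — confirm for this host.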