strongSwan install from source

Download the preferred release from download.strongswan.org.

  # NOTE(review): this unversioned tarball points at the latest release, so the
  # build is not reproducible; pin a version and verify the download against
  # the signature/checksum published alongside it before building.
  wget https://download.strongswan.org/strongswan.tar.gz

install docs

Untar and cd into the source directory.

Configure Options

# --enable-systemd / --enable-swanctl build charon-systemd and the vici/swanctl
#   management stack; the ipsec.conf-based setup further down is handled by the
#   separate starter daemon instead.
# --enable-openssl uses OpenSSL as the crypto backend.
# --enable-xauth-eap lets XAuth credentials be checked via EAP methods.
# --enable-xauth-noauth builds the XAuth backend that accepts any username and
#   password; it is used by conn ikev1-fakexauth below, where the client
#   certificate (rightauth=pubkey) is then the only real authentication.
./configure --prefix=/usr --sysconfdir=/etc --enable-systemd --enable-swanctl --enable-openssl --enable-xauth-eap --enable-xauth-noauth
make
# Installs under /usr and /etc as set by --prefix/--sysconfdir; run as root.
make install
Systemd enable/start
# NOTE(review): these are two different daemons. strongswan.service runs
# charon-systemd, configured through swanctl/vici (it does not read
# ipsec.conf); strongswan-starter.service runs the legacy starter that reads
# /etc/ipsec.conf and /etc/ipsec.secrets, i.e. the files configured below.
# Enabling both starts two IKE daemons competing for UDP/500 and 4500 —
# confirm that only the unit matching the chosen configuration style is meant
# to be enabled.
systemctl enable strongswan.service
systemctl enable strongswan-starter.service
 
systemctl start strongswan.service
systemctl start strongswan-starter.service

Easy-RSA source

# Easy-RSA fork adapted for IPsec (per the repository name); review its x509
# templates before trusting the certificates it issues.
git clone https://github.com/ValdikSS/easy-rsa-ipsec.git
cd easy-rsa-ipsec/easyrsa3
./easyrsa init-pki

# nopass: the CA private key (pki/private/ca.key) is written unencrypted and
# stays in this working directory (see the export path printed below).
# Restrict access to it, or keep the CA off the VPN server altogether.
./easyrsa build-ca nopass

# Use one placeholder consistently: the cp commands below expect
# pki/issued/domain.name.crt and pki/private/domain.name.key, so the name
# given here must be the same one.
./easyrsa build-server-full domain_name nopass
./easyrsa build-client-full client_name nopass    

# The .p12 bundle contains the client's private key as well as its cert;
# with nopass it carries no export password, so hand it over through a
# protected channel and delete the copy here once the client has it.
./easyrsa export-p12 client_name nopass
Successful export of p12 file. Your exported file is at the following location: /usr/src/easy-rsa-ipsec/easyrsa3/pki/private/<client_name>.p12
# Install CA cert, server cert and server key where the starter (ipsec.conf)
# looks for them. The file names must match the name passed to
# build-server-full above. Keep /etc/ipsec.d/private readable by root only;
# the key file inherits the permissions it had under pki/private.
cp pki/ca.crt /etc/ipsec.d/cacerts/
cp pki/issued/domain.name.crt /etc/ipsec.d/certs/
cp pki/private/domain.name.key /etc/ipsec.d/private/

Road Warrior config with ipsec.conf

/etc/ipsec.secrets

# Empty selector: this RSA key (looked up in /etc/ipsec.d/private) is used
# for any local identity, i.e. it backs leftcert=domain.name.crt.
: RSA domain.name.key
 
# Plain-text XAuth credential. NOTE(review): no conn in the ipsec.conf below
# uses rightauth2=xauth (ikev1-fakexauth uses xauth-noauth, which does not
# check the password), so this entry appears unused by the shown config —
# confirm. Whatever it ends up holding, keep this file readable by root only.
<username> : XAUTH "pass"

/etc/ipsec.conf

config setup
        # strictcrlpolicy is left at its default (no): a peer is still checked
        # against a CRL when one is available, but a missing or unreachable
        # CRL does not reject it. Set to yes if revocation must be enforced
        # (and publish the easy-rsa CRL to /etc/ipsec.d/crls/).
        # strictcrlpolicy=yes
        # multiple connections with the one unique cert
	# (default uniqueids=yes: a new IKE_SA from the same identity
	# replaces the existing one)
	# uniqueids = no
conn %default
	# Dead peer detection: probe every 35s, drop the state (clear, no
	# reconnect) after 300s without reply so stale road-warrior SAs do
	# not pile up.
	dpdaction=clear
	dpddelay=35s
	dpdtimeout=300s
 
	# Allow IKE fragmentation (large cert payloads on MTU-limited paths).
	fragmentation=yes
	# The server never initiates rekeying; lifetime handling is left to
	# the client.
	rekey=no
 
	# Explicit proposal lists; the trailing '!' accepts only these.
	# NOTE(review): the 3des / sha1 / modp1024 entries are there for
	# legacy clients, and each one is a downgrade target any client may
	# select — remove them once no such client remains.
	ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
 
	esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
 
	# left - local (server) side
	left=%any
	leftauth=pubkey
	leftcert=domain.name.crt
	# Always send the server certificate; clients may not have it cached.
	leftsendcert=always
	# Full tunnel: clients send all IPv4 traffic through the server, which
	# needs net.ipv4.ip_forward=1 (sysctl.conf) plus forwarding rules and,
	# for Internet access, a NAT rule that this page does not show.
	leftsubnet=0.0.0.0/0
 
	# right - remote (client) side
	right=%any
	# Default client authentication: certificate issued by the CA above.
	rightauth=pubkey
	# Virtual IP pool handed out to connecting clients.
	rightsourceip=10.20.30.0/24
	# DNS servers pushed to clients (Google public DNS).
	rightdns=8.8.8.8,8.8.4.4
 
conn ikev2-pubkey
	keyexchange=ikev2
	# add: load the conn and wait for the client to initiate.
	auto=add
 
conn ikev2-pubkey-osx
	also="ikev2-pubkey"
	# Explicit local identity; presumably for Apple clients, which match
	# the server identity against the certificate — must be a SAN of
	# domain.name.crt (confirm).
	leftid=domain.name
 
conn ikev1-fakexauth
	keyexchange=ikev1
	# Second authentication round accepts any username/password
	# (xauth-noauth backend from --enable-xauth-noauth). The XAUTH prompt
	# only satisfies clients that insist on one; the inherited
	# rightauth=pubkey (client certificate) is the only real check here.
	rightauth2=xauth-noauth
	auto=add
 
conn ikev2-eap-tls
	also="ikev2-pubkey"
	# Client certificate is presented inside EAP-TLS instead of plain pubkey.
	rightauth=eap-tls
	# %identity: ask the client for an EAP identity (EAP Identity exchange)
	# instead of reusing its IKE identity.
	eap_identity=%identity

Restart

# Restart after editing ipsec.conf / ipsec.secrets. Only the starter unit
# reads those files; strongswan.service (charon-systemd, swanctl) is not
# affected by them — confirm both units are meant to be running.
systemctl restart strongswan.service
systemctl restart strongswan-starter.service

Debug

 swanctl -h 
strongSwan 5.8.1 swanctl
loaded plugins: aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac
usage:
  swanctl --counters         (-C)  list or reset IKE event counters
  swanctl --initiate         (-i)  initiate a connection
  swanctl --terminate        (-t)  terminate a connection
  swanctl --rekey            (-R)  rekey an SA
  swanctl --redirect         (-d)  redirect an IKE_SA
  swanctl --uninstall        (-u)  uninstall a trap or shunt policy
  swanctl --install          (-p)  install a trap or shunt policy
  swanctl --list-sas         (-l)  list currently active IKE_SAs
  swanctl --monitor-sa       (-m)  monitor for IKE_SA and CHILD_SA changes
  swanctl --list-pols        (-P)  list currently installed policies
  swanctl --list-authorities (-B)  list loaded authority configurations
  swanctl --list-conns       (-L)  list loaded configurations
  swanctl --list-certs       (-x)  list stored certificates
  swanctl --list-pools       (-A)  list loaded pool configurations
  swanctl --list-algs        (-g)  show loaded algorithms
  swanctl --flush-certs      (-f)  flush cached certificates
  swanctl --load-all         (-q)  load credentials, authorities, pools and connections
  swanctl --load-authorities (-b)  (re-)load authority configuration
  swanctl --load-conns       (-c)  (re-)load connection configuration
  swanctl --load-creds       (-s)  (re-)load credentials
  swanctl --load-pools       (-a)  (re-)load pool configuration
  swanctl --log              (-T)  trace logging output
  swanctl --version          (-v)  show version information
  swanctl --stats            (-S)  show daemon stats information
  swanctl --reload-settings  (-r)  reload daemon strongswan.conf
  swanctl --help             (-h)  show usage information

/etc/sysctl.conf

# IPv4 forwarding is required for the server to route traffic of tunnel
# clients (the rightsourceip pool in ipsec.conf) onward.
net.ipv4.ip_forward = 1
# A forwarding host should neither accept ICMP redirects (routes altered by
# neighbours) nor emit them (leaking its routing decisions).
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Apply with `sysctl -p` or at the next reboot.
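 # Firewall rules for the IKE/IPsec server (separate from sysctl.conf above).
 # These are not persisted across reboots by themselves; save them with the
 # distribution's iptables persistence mechanism.
 #
 # IKE (UDP/500) and IKE/ESP with NAT-Traversal (UDP/4500).
 iptables -A INPUT -p udp --dport 500 -j ACCEPT
 iptables -A INPUT -p udp --dport 4500 -j ACCEPT
 # Native ESP (protocol 50; "-p ESP" and "-p 50" are the same rule, so the
 # duplicate is dropped) and AH (protocol 51).
 iptables -A INPUT -p ESP -j ACCEPT
 iptables -A INPUT -p 51 -j ACCEPT
 # Accept traffic that arrived through (or leaves via) an IPsec ESP policy,
 # for the host itself and for forwarded client traffic. The option is
 # "--pol"; the earlier "-pol ipsec" variant was a typo iptables rejects.
 iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
 iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
 iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
 iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
 # No NAT rule for the 10.20.30.0/24 client pool appears here; with
 # leftsubnet=0.0.0.0/0 one is needed if clients should reach networks
 # beyond this host.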