在 Ubuntu 上用 StrongSwan 安装 IKEv2 VPN 服务器

在 Ubuntu 上用 StrongSwan 安装 IKEv2 VPN 服务器
1. 安装
sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 moreutils iptables-persistent
2. 生成证书,复制到对应目录,有必要设置私钥的访问权限
建议使用 let’s encrypt 证书,客户端不用导入根证书
mkdir vpn-certs
cd vpn-certs
ipsec pki –gen –type rsa –size 4096 –outform pem > server-root-key.pem
chmod 600 server-root-key.pem
ipsec pki –self –ca –lifetime 3650 \
–in server-root-key.pem \
–type rsa –dn “C=US, O=VPN Server, CN=VPN Server Root CA” \
–outform pem > server-root-ca.pem
ipsec pki –gen –type rsa –size 4096 –outform pem > vpn-server-key.pem
ipsec pki –pub –in vpn-server-key.pem \
–type rsa | ipsec pki –issue –lifetime 1825 \
–cacert server-root-ca.pem \
–cakey server-root-key.pem \
–dn “C=US, O=VPN Server, CN=vpn.boypay.net” \
–san vpn.boypay.net \
–flag serverAuth –flag ikeIntermediate \
–outform pem > vpn-server-cert.pem
sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem
sudo cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem
sudo chown root /etc/ipsec.d/private/vpn-server-key.pem
sudo chgrp root /etc/ipsec.d/private/vpn-server-key.pem
sudo chmod 600 /etc/ipsec.d/private/vpn-server-key.pem
3. 设置配置文件/etc/ipsec.conf 和 /etc/ipsec.secrets
vim  /etc/ipsec.conf
#注释的 # 前面不能有空格,
#leftid 使用域名时前面加@,如     leftid=@vpn.boypay.net ,使用IP时不加@
#如果服务器证书不是自签发的,如STARTSSL ,则有必要指定 leftca=
config setup
charondebug=”ike 1, knl 1, cfg 0″
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@vpn.boypay.net
leftca=/etc/ipsec.d/certs/server-root-ca.pem
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
vim /etc/ipsec.secrets
: RSA “/etc/ipsec.d/private/vpn-server-key.pem”
ys138 %any% : EAP “www.ysuo.org”
4. 启用 IP Forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
5. 设置 iptables
sudo ufw disable

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -Z

sudo iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp –dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp –dport 21 -j ACCEPT
sudo iptables -A INPUT -p tcp –dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp –dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp –dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp –dport 1080 -j ACCEPT
sudo iptables -A INPUT -p tcp –dport 8989 -j ACCEPT

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A INPUT -p udp –dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp –dport 4500 -j ACCEPT

sudo iptables -A FORWARD –match policy –pol ipsec –dir in –proto esp -s 10.10.10.10/24 -j ACCEPT
sudo iptables -A FORWARD –match policy –pol ipsec –dir out –proto esp -d 10.10.10.10/24 -j ACCEPT

sudo iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -m policy –pol ipsec –dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.10.10.10/24 -o eth0 -j MASQUERADE

sudo iptables -t mangle -A FORWARD –match policy –pol ipsec –dir in -s 10.10.10.10/24 -o eth0 -p tcp -m tcp –tcp-flags SYN,RST SYN -m tcpmss –mss 1361:1536 -j TCPMSS –set-mss 1360

sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP

sudo netfilter-persistent save
sudo netfilter-persistent reload
6. 从新启动 ipsec
ipsec reload
ipsec restart
ipsec statusall
7. 其它
生产证书私钥和证书请求签发文件
openssl req -newkey rsa:2048 -keyout yourname.key -out yourname.csr
去掉私钥的密码
openssl rsa -in yourname.key -out new-server.key
网络运行中心信息管理系统(Network Operation Center Management Information Systems)

原文链接:,转发请注明来源!
评论已关闭。