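#!/bin/sh
# Build strongSwan 5.5.0 from source and configure it as an IKEv1 (XAuth/PSK)
# and IKEv2 (EAP-MSCHAPv2 / EAP-TLS) VPN server. Must be run as root on a
# Debian/Ubuntu host.
#
# Site-specific values are taken from the environment when set; the defaults
# below are the original placeholders and must be replaced before use:
#   SERVER_FQDN        server's domain name (CN/SAN of the server certificate)
#   CLIENT_FQDN        client's name (CN/SAN of the client certificate)
#   SERVER_IP          public address used for SNAT of VPN client traffic
#   VPN_POOL           virtual IP pool handed out to clients
#   VPN_PSK            pre-shared key for the IKEv1 XAuth/PSK connection
#   VPN_USER / VPN_PASSWD  EAP and XAuth credentials
#   STRONGSWAN_SHA256  optional: expected SHA-256 of the source tarball; the
#                      download is verified against it when set
set -eu

SERVER_FQDN=${SERVER_FQDN:-ikev2.wbuntu.me}
CLIENT_FQDN=${CLIENT_FQDN:-client.wbuntu.me}
SERVER_IP=${SERVER_IP:-192.241.216.55}
VPN_POOL=${VPN_POOL:-10.0.0.0/24}
VPN_PSK=${VPN_PSK:-YourPSKHere}
VPN_USER=${VPN_USER:-accountNameHere}
VPN_PASSWD=${VPN_PASSWD:-passwdForAccountHere}
STRONGSWAN_SHA256=${STRONGSWAN_SHA256:-}
STRONGSWAN_VERSION=5.5.0
TARBALL="strongswan-${STRONGSWAN_VERSION}.tar.gz"

apt-get update
apt-get install build-essential libgmp3-dev libgmp-dev openssl libssl-dev wget -y
wget "https://download.strongswan.org/${TARBALL}"
# Verify the source archive before building it when an expected digest is
# supplied (take the value from the upstream release announcement, not from
# this script).
if [ -n "$STRONGSWAN_SHA256" ]; then
  printf '%s  %s\n' "$STRONGSWAN_SHA256" "$TARBALL" | sha256sum -c -
fi
tar zxvf "$TARBALL"
cd "strongswan-${STRONGSWAN_VERSION}"
./configure --sysconfdir=/etc --enable-eap-mschapv2 --enable-eap-identity --enable-md4 --enable-eap-tls
#openVZ virtualization should configure with this option: --enable-kernel-libipsec
# Separate steps: inside 'make && make install' a failing 'make' is not caught
# by set -e, so the script would carry on with a half-built tree.
make
make install

#you can replace C,O with anything you want, but they should be kept the same in those certs.
# Private keys are written through shell redirection, so their mode comes from
# the umask; tighten it while key material is being created.
old_umask=$(umask)
umask 077
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CH, O=Wbuntu, CN=Wbuntu CA" --ca --outform pem > caCert.pem
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CH, O=Wbuntu, CN=${SERVER_FQDN}" --san="${SERVER_FQDN}" --flag serverAuth --outform pem > serverCert.pem
#you have to add a password for clientCert (openssl prompts for it)
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CH, O=Wbuntu, CN=${CLIENT_FQDN}" --san="${CLIENT_FQDN}" --flag clientAuth --outform pem > clientCert.pem
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "${CLIENT_FQDN}" -certfile caCert.pem -caname "Wbuntu CA" -out clientCert.p12
cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/
cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/
chmod 600 /etc/ipsec.d/private/serverKey.pem /etc/ipsec.d/private/clientKey.pem
mkdir -p clientCerts
cp caCert.pem clientCert.p12 clientCerts
mkdir -p allCerts
# allCerts holds the CA private key; keep it off the server once it is backed up.
mv caKey.pem caCert.pem serverKey.pem serverCert.pem clientKey.pem clientCert.pem clientCert.p12 allCerts
umask "$old_umask"

cat > /etc/ipsec.conf<<EOF
config setup
  uniqueids=never
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ike
conn ikev1
  keyexchange=ikev1
  authby=xauthpsk
  xauth=server
  left=%defaultroute
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  right=%any
  rightsourceip=${VPN_POOL}
  auto=add
conn ikev2-eap-mschapv2
  keyexchange=ikev2
  leftauth=pubkey
  leftcert=serverCert.pem
  leftsendcert=always
  left=%defaultroute
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  rightauth=eap-mschapv2
  right=%any
  rightsourceip=${VPN_POOL}
  eap_identity=%any
  auto=add
conn ikev2-eap-tls
  keyexchange=ikev2
  leftauth=pubkey
  leftcert=serverCert.pem
  leftsendcert=always
  left=%defaultroute
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  rightauth=eap-tls
  rightcert=clientCert.pem
  rightsourceip=${VPN_POOL}
  eap_identity=%any
  auto=add
EOF
cat > /etc/strongswan.conf<<EOF
charon {
  duplicheck.enable = no
  install_virtual_ip = yes
  dns1 = 8.8.8.8
  dns2 = 8.8.4.4
  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
}
include strongswan.d/*.conf
EOF
# PSK, username and password come from VPN_PSK, VPN_USER and VPN_PASSWD above.
cat > /etc/ipsec.secrets<<EOF
: RSA serverKey.pem
: RSA clientKey.pem
: PSK "${VPN_PSK}"
${VPN_USER} : EAP "${VPN_PASSWD}"
${VPN_USER} : XAUTH "${VPN_PASSWD}"
EOF
# The secrets file holds credentials in clear text; keep it root-only.
chmod 600 /etc/ipsec.secrets

# SERVER_IP is the address client traffic is SNATed to. Note that the FORWARD
# and SNAT rules only carry traffic once IP forwarding is enabled on the host
# (net.ipv4.ip_forward), which this script does not change.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A FORWARD -s "${VPN_POOL}" -j ACCEPT
iptables -t nat -A POSTROUTING -s "${VPN_POOL}" -j SNAT --to-source "${SERVER_IP}"
iptables-save > /etc/iptables.rules
# Restore the firewall rules and start strongSwan whenever an interface comes up.
cat > /etc/network/if-up.d/iptables<<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
ipsec start
EOF
chmod +x /etc/network/if-up.d/iptables
ipsec start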