# strongSwan with the charon-systemd daemon plus the two extra plugin packages.
packages=(charon-systemd libstrongswan-extra-plugins libcharon-extra-plugins)
sudo apt-get install -y "${packages[@]}"
# Once installed, the daemon's state can be checked with:
#sudo systemctl status strongswan
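# Swanctl definitions for the IKEv2 / EAP-MSCHAPv2 road-warrior setup.
# The heredoc delimiter is quoted so the block is written verbatim (no shell
# expansion), tee's stdout is discarded because the block contains the EAP
# secret, and the file is made root-only afterwards (swanctl --load-all is run
# as root in this setup, so root-only access is sufficient).
sudo tee /etc/swanctl/conf.d/swan.yanyong.cc.conf >/dev/null << 'EOF'
authorities {
  letsencrypt {
    cacert = chain.pem
  }
}
connections {
  ikev2-eap-mschapv2 {
    version = 2
    # NOTE(review): modp1024 is a 1024-bit DH group; keep it only if a client really needs it
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,aes256-sha384-modp2048-modp1024,default
    rekey_time = 0s # NOTE(review): 0s turns off rekeying of the IKE SA - confirm that is intended
    pools = primary-pool-ipv4
    fragmentation = yes
    dpd_delay = 0s # default 0s
    send_cert = always # default ifasked
    unique = never # default no
    local-1 {
      certs = cert.pem
      id = strongswan.yanyong.cc
    }
    remote-1 {
      auth = eap-mschapv2
      eap_id = %any
    }
    children {
      ikev2-eap-mschapv2 {
        local_ts = 0.0.0.0/0
        rekey_time = 0s # NOTE(review): 0s turns off rekeying of the CHILD SA - confirm that is intended
        dpd_action = clear
        esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
      }
    }
  }
}
pools {
  primary-pool-ipv4 {
    addrs = 172.16.255.0/24
    dns = 1.1.1.1, 8.8.8.8
  }
}
secrets {
  # NOTE(review): tutorial credentials; give every user a unique id and a strong secret
  eap-carol {
    id = fuckgfw
    secret = "fuckgfwpassword"
  }
}
EOF
# The file holds a credential: restrict it to root.
sudo chmod 600 /etc/swanctl/conf.d/swan.yanyong.cc.conf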
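#https://docs.strongswan.org/docs/5.9/swanctl/swanctlDir.html
# Install a certbot deploy hook that copies the renewed Let's Encrypt material
# into the swanctl credential directories and reloads the daemon's view of it.
# The delimiter is quoted so the script body is written verbatim; "$lineage"
# and "$RENEWED_LINEAGE" are expanded when the hook itself runs, not here.
sudo tee /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh << 'EOF'
#!/bin/bash
set -euo pipefail
lineage=/etc/letsencrypt/live/yanyong.cc
# certbot runs every script in renewal-hooks/deploy/ for every renewed lineage
# and exports the renewed one as RENEWED_LINEAGE; skip other certificates so
# they are never copied into swanctl. A manual run (no RENEWED_LINEAGE) proceeds.
if [[ -n "${RENEWED_LINEAGE:-}" && "$RENEWED_LINEAGE" != "$lineage" ]]; then
  exit 0
fi
# install(1) creates the destination with its final mode, so the private key
# is never briefly world-readable between a cp and a later chmod.
install -m 0400 "$lineage/cert.pem" /etc/swanctl/x509/cert.pem
install -m 0400 "$lineage/chain.pem" /etc/swanctl/x509ca/chain.pem
install -m 0400 "$lineage/privkey.pem" /etc/swanctl/rsa/privkey.pem
swanctl --load-all
EOF
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh
# Run it once now so the current certificate is in place before the first renewal.
sudo /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh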
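#https://docs.strongswan.org/docs/5.9/howtos/forwarding.html
#https://docs.strongswan.org/docs/5.9/features/mobike.html
# Kernel forwarding plus the netfilter rules the road-warrior pool needs.
# The pool and the egress interface are named once so every rule agrees.
pool=172.16.255.0/24   # must match pools.primary-pool-ipv4.addrs in the swanctl config
wan_if=eth0            # egress interface; adjust to the host's uplink
#######################################
# Append a rule unless an identical one already exists (-C), so re-running
# this snippet does not stack duplicate rules.
# Arguments: $1 - table (filter, nat, mangle); rest - chain and rule spec
#######################################
add_rule() {
  local table=$1
  shift
  sudo iptables -t "$table" -C "$@" 2>/dev/null || sudo iptables -t "$table" -A "$@"
}
# Forward
printf 'net.ipv4.ip_forward=1\n' | sudo tee /etc/sysctl.d/ip_forward.conf
sudo sysctl -p /etc/sysctl.d/ip_forward.conf
# IKE & MobIKE
add_rule filter INPUT -p udp -m state --state NEW -m multiport --dports 500,4500 -j ACCEPT
#sudo iptables -A INPUT -p udp -m state --state NEW -m multiport --dports isakmp,ipsec-nat-t -j ACCEPT
# NAT: leave packets that still carry an IPsec policy alone, masquerade the rest
add_rule nat POSTROUTING -s "$pool" -o "$wan_if" -m policy --dir out --pol ipsec -j ACCEPT
add_rule nat POSTROUTING -s "$pool" -o "$wan_if" -j MASQUERADE
# MTU/MSS
add_rule mangle FORWARD -s "$pool" -o "$wan_if" -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# ESP
#https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
add_rule filter FORWARD --match policy --pol ipsec --dir in --proto esp -s "$pool" -j ACCEPT
add_rule filter FORWARD --match policy --pol ipsec --dir out --proto esp -d "$pool" -j ACCEPT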
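# Persist the IPsec firewall rules without capturing Docker's dynamic ones:
# Docker inserts its own chains and rules while it runs, so it is stopped
# (socket too, or it would be re-activated) while the ruleset is dumped and
# brought back afterwards whether or not the save succeeded.
sudo systemctl stop docker.socket docker
rv=0
sudo netfilter-persistent save || rv=$?   # /etc/iptables/rules.v4 (and rules.v6)
#sudo iptables-save | sudo tee /etc/iptables/rules.v4.swan
sudo systemctl start docker.socket docker
if (( rv != 0 )); then
  printf 'netfilter-persistent save failed with status %d\n' "$rv" >&2
fi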
https://www.strongswan.org/
https://docs.strongswan.org/docs/5.9/daemons/charon-systemd.html
https://github.com/strongswan/strongswan
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Roadwarrior-scenario
https://docs.strongswan.org/docs/5.9/config/IKEv2.html
https://www.strongswan.org/testing/testresults/ikev2/rw-eap-mschapv2-id-rsa/
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html
https://docs.strongswan.org/docs/5.9/howtos/securityRecommendations.html
https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html