编译strongswan

# Build configuration for strongSwan, grouped by purpose for readability.
# The argument order is the same as a single-line ./configure call.
configure_args=(
  --prefix=/usr --sysconfdir=/etc --localstatedir=/var
  # crypto backends and cipher modes (newhope is an experimental plugin)
  --enable-af-alg --enable-ccm --enable-chapoly --enable-ctr --enable-gcm
  --enable-newhope --enable-openssl --enable-aesni
  # storage and address assignment
  --enable-sqlite --enable-dhcp
  # EAP methods; eap-identity and eap-mschapv2 are what the ipsec.conf
  # below relies on
  --enable-eap-identity --enable-eap-tls --enable-eap-ttls --enable-eap-mschapv2
  --enable-systemd
  CFLAGS=-O2
  # IKEv1 is not built at all; the configuration uses keyexchange=ikev2 only
  --disable-ikev1
)
./configure "${configure_args[@]}"

配置 /etc/ipsec.conf

# /etc/ipsec.conf - IKEv2 road-warrior server: the server authenticates
# with a certificate, users with EAP-MSCHAPv2, each user gets a fixed
# virtual IP.
config setup
    # Log levels per subsystem (ike / kernel / config); raise cfg when
    # debugging proposal or identity mismatches.
    charondebug="ike 1, knl 1, cfg 0"
    # Do not replace an existing IKE_SA when the same identity connects
    # again, so a user can be online from several devices at once. The
    # flip side is that a second session using a user's credentials does
    # not displace the first; use yes/replace if one session per user is
    # wanted.
    uniqueids=no

conn %default
    compress=no
    type=tunnel
    # IKEv1 support is not compiled in (--disable-ikev1 at configure time).
    keyexchange=ikev2
    # IKE_SA proposals; the trailing '!' makes the list strict (only these
    # are accepted). Several entries use modp1024 (1024-bit DH), SHA-1 or
    # 3DES, which are weak by current standards - the final
    # 3des-sha1-modp1024 entry in particular. They are presumably kept for
    # older clients; remove them once the client base allows it.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # CHILD_SA (ESP) proposals, also strict. Entries without a DH group
    # give no PFS on a CHILD_SA rekey; 3des-sha1 at the end is the first
    # candidate for removal.
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    # IKEv2 fragmentation, so the certificate payloads sent because of
    # leftsendcert=always get through where large UDP datagrams would not.
    fragmentation=yes
    # Always UDP-encapsulate ESP (port 4500), not only when NAT is detected;
    # the host firewall must therefore allow UDP 500 and 4500, not just
    # protocol ESP.
    forceencaps=yes
    # Dead peer detection every 300 s; an unresponsive client's SA is
    # simply removed.
    dpdaction=clear
    dpddelay=300s
    # This side does not initiate rekeying, so key lifetime depends on the
    # client rekeying or closing the SA. NOTE(review): confirm this is
    # intended for long-lived sessions.
    rekey=no
    # Server side.
    left=%defaultroute
    # Identity presented to clients; replace with the domain the
    # certificate is issued for (it must appear in the certificate's
    # subjectAltName, or clients will reject the server).
    leftid=@你的域名
    # Bare file name, looked up under /etc/ipsec.d/certs.
    leftcert=fullchain.pem
    leftsendcert=always
    # Full tunnel: clients send all traffic through the server.
    leftsubnet=0.0.0.0/0
    # Any client from any address; the user is selected by EAP identity
    # (per-user conns below), not by an IKE identity.
    right=%any
    rightid=%any
    # Password authentication inside IKEv2. Clients must be configured to
    # verify the server certificate; EAP-MSCHAPv2 by itself does not
    # protect the password against a server that is not the real one.
    rightauth=eap-mschapv2
    # Range the per-user rightsourceip pools below are taken from.
    # NOTE(review): with rightsourceip the traffic selector normally comes
    # from the assigned address; confirm this entry is needed.
    rightsubnet=10.31.2.0/24
    # DNS servers pushed to clients.
    rightdns=223.5.5.5,223.6.6.6
    rightsendcert=never
# One conn per user: eap_identity ties the conn to the EAP identity from
# ipsec.secrets, and rightsourceip gives that user a fixed /32.
conn user1
    # Load at startup and wait for the client to connect.
    auto=add
    rightsourceip=10.31.2.11/32
    eap_identity=user1
conn user2
    auto=add
    rightsourceip=10.31.2.22/32
    eap_identity=user2

申请 Let's Encrypt 单域名证书（泛域名证书会遇到莫名其妙的问题）。

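# Issue the certificate with lego through the alidns DNS-01 challenge.
# The Alibaba Cloud API credentials are read from the terminal without echo
# so they do not land in the shell history the way an inline
# ALICLOUD_ACCESS_KEY=... prefix typed at the prompt would; they are handed
# to lego in its environment for this one command only and then cleared.
# -a accepts the Let's Encrypt terms of service, -k rsa4096 chooses the key
# type; replace the e-mail and domain placeholders.
read -rsp 'ALICLOUD_ACCESS_KEY: ' alicloud_access_key; printf '\n'
read -rsp 'ALICLOUD_SECRET_KEY: ' alicloud_secret_key; printf '\n'
ALICLOUD_ACCESS_KEY="$alicloud_access_key" \
ALICLOUD_SECRET_KEY="$alicloud_secret_key" \
./lego --email xxx@qq.com -a --dns alidns -d xxx.com -k rsa4096 run
unset alicloud_access_key alicloud_secret_key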

复制证书

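# Put the lego output where ipsec.conf / ipsec.secrets expect it
# (leftcert=fullchain.pem under /etc/ipsec.d/certs, ": RSA privkey.pem"
# under /etc/ipsec.d/private). 'install' sets the mode explicitly instead
# of inheriting whatever the source mode and umask would give 'cp', so the
# private key ends up readable by root only; the certificates are public
# and can stay world-readable.
install -m 0644 -- xxx.com.issuer.crt /etc/ipsec.d/cacerts/chain.pem
install -m 0600 -- xxx.com.key /etc/ipsec.d/private/privkey.pem
install -m 0644 -- xxx.com.crt /etc/ipsec.d/certs/fullchain.pem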

编辑/etc/ipsec.secrets 添加用户

# Private key belonging to the server certificate (leftcert); a bare file
# name is looked up under /etc/ipsec.d/private.
: RSA privkey.pem
# EAP credentials, one line per user. The identity before the colon must
# equal the eap_identity of the matching conn in ipsec.conf. The passwords
# are stored in clear text, so this file must be readable by root only.
# NOTE(review): strongSwan also accepts an NT-hash (NTLM) form for
# MSCHAPv2 secrets - check the ipsec.secrets man page before relying on it.
user1: EAP "pass1"
user2: EAP "pass2"

重启

# Full stop/start of the IKE daemon so the new ipsec.conf, certificates and
# secrets are picked up; this also tears down any tunnel that is currently
# up. Later edits to ipsec.secrets alone only need `ipsec rereadsecrets`.
ipsec restart

设置防火墙

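# Firewall rules for the VPN. They are not persistent; save them with the
# distribution's iptables persistence mechanism once they are verified.
# Replies and related traffic of forwarded connections.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward client traffic only when it actually arrived through an IPsec SA
# (xt_policy); a bare '-s 10.31.2.0/24' rule would also accept packets
# carrying that source address from any other direction.
iptables -A FORWARD -s 10.31.2.0/24 -m policy --dir in --pol ipsec -j ACCEPT
# IKE uses UDP 500 and, with forceencaps=yes in ipsec.conf, ESP is
# UDP-encapsulated on 4500, so both ports must be open in INPUT in addition
# to raw ESP; with a default-DROP INPUT chain nothing would negotiate
# otherwise.
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
# Source-NAT client traffic behind the server's public address.
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE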

编辑 /etc/sysctl.conf

# Required to route VPN client traffic onward (the FORWARD rules above do
# nothing without it).
net.ipv4.ip_forward = 1  
# A router should neither accept nor send ICMP redirects. These keys set
# the "all" value; consider adding the net.ipv4.conf.default.*
# counterparts as well so interfaces created later inherit the setting.
net.ipv4.conf.all.accept_redirects = 0  
net.ipv4.conf.all.send_redirects = 0 



# Apply the /etc/sysctl.conf changes to the running kernel.
sysctl -p 

# Start strongSwan at boot; the `ipsec restart` above already started it
# for the current session.
systemctl enable strongswan-starter.service

虚拟 IP 按用户固定分配；Win10、iOS、Android 客户端的流量都走 VPN。

最后修改:2024 年 06 月 23 日