×

openwrt的strongswan配置

hqy hqy 发表于2019-03-23 21:22:52 浏览3755 评论0

抢沙发发表评论

http://blog.chinaunix.net/uid-192452-id-5760577.html


ipsec pki --gen --type rsa --size 4096 --outform pem > private/openwrt.pem
chmod 600 private/openwrt.pem
ipsec pki --self --ca --lifetime 3650 --in private/openwrt.pem --type rsa --dn "C=CH, O=acron, CN=centos Root CA" --outform pem > cacerts/openwrtCert.pem
ipsec pki --print --in cacerts/openwrtCert.pem
ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/openwrtCert.pem --cakey private/openwrt.pem --dn "C=CH, O=acorn, CN=172.18.10.77" --san 172.18.10.77 --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem




ipsec pki --gen --type rsa --size 2048 --outform pem > private/androidKey.pem
chmod 600 private/androidKey.pem
ipsec pki --pub --in private/androidKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/openwrtCert.pem --cakey private/openwrt.pem --dn "C=CH, O=acorn, CN=172.18.10.77" --san 172.18.10.77 --outform pem > certs/androidCert.pem




openssl pkcs12 -export -inkey private/androidKey.pem -in certs/androidCert.pem -name "hongrui's VPN Certificate" -certfile cacerts/openwrtCert.pem -caname "centos Root CA"  -nodes -out hongrui.p12


chmod 0600 /etc/ipsec.d/private/*


编辑/etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        uniqueids=never


conn roadwarrior-ikev2
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=openwrt
        leftcert=openwrt.cer
        leftauth=pubkey
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=
        rightdns=
        eap_identity=%any
        auto=add








编辑/etc/config/firewall 后面添加
# allow incoming IPsec connections
config rule
 option src lan
 option proto esp
 option target ACCEPT


config rule
 option src lan
 option proto udp
 option dest_port 500
 option target ACCEPT


config rule
 option src lan
 option proto udp
 option dest_port 4500
 option target ACCEPT


config rule
 option src lan
 option proto ah
 option target ACCEPT
 您阅读本篇文章共花了: 

打赏

本文链接:https://kinber.cn/post/408.html 转载需授权!

分享到:


推荐本站淘宝优惠价购买喜欢的宝贝:

image.png

群贤毕至

访客