Reference documents:
- https://www.strongswan.org/testing/testresults/ikev2-stroke/index.html
- https://docs.strongswan.org/docs/5.9/install/install.html
- https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
1. Network and server environment:
- A public IP address, either a static IP or DDNS
- OS: Debian 12, kernel 6.1.0-17-amd64
2. Network configuration:
- Gateway port forwarding: forward udp/500 (IKE) and udp/4500 (NAT-T) to the internal Debian 12 host.
- If the internal resources to be accessed are not on the same subnet as the Debian 12 host, add a static route on that subnet pointing the rightsourceip range (the virtual client addresses) at the Debian 12 host, so that return traffic reaches the VPN gateway.
3. Install strongSwan
Install with apt: sudo apt install strongswan-starter
Or build from source. Note that the two methods use different default configuration directories: the apt package reads /etc/ipsec.conf, while a source build with the default prefix reads /usr/local/etc/ipsec.conf (the paths used in the rest of this guide).
    wget https://download.strongswan.org/strongswan-5.9.14.tar.bz2
    tar xjf strongswan-5.9.14.tar.bz2
    cd strongswan-5.9.14
    ./configure --enable-ikev2 --enable-openssl --enable-systemd --with-systemdsystemunitdir=/lib/systemd/system --enable-charon --enable-random --enable-nonce --enable-aes --enable-sha1 --enable-sha2 --enable-pem --enable-pkcs1 --enable-curve25519 --enable-gmp --enable-x509 --enable-curl --enable-revocation --enable-hmac --enable-kdf --enable-stroke --enable-kernel-netlink --enable-socket-default --enable-fips-prf --enable-eap-mschapv2 --enable-eap-identity --enable-updown --disable-defaults
    make
    sudo make install
4. Request a certificate with acme.sh
This issues a certificate with a 3072-bit RSA key and writes the certificate, private key and CA chain straight into the strongSwan directories; the --reloadcmd restarts strongSwan after each renewal so the new certificate is loaded.
    acme.sh --issue -d lotro.cc -k 3072 --cert-file /usr/local/etc/ipsec.d/certs/lotro.cc.cer --key-file /usr/local/etc/ipsec.d/private/lotro.cc.key --ca-file /usr/local/etc/ipsec.d/cacerts/ca.cer --reloadcmd "sudo ipsec restart"
5. Configure ipsec.conf
    sudo nano /usr/local/etc/ipsec.conf
Parameters must be indented under their section; an unindented line starts a new section.
    config setup
        uniqueids = never
    conn %default
        keyexchange=ike
    conn rw
        leftsubnet=192.168.55.33[icmp],192.168.55.33[tcp/http]   # internal resources to expose: only ICMP and HTTP to this host
        leftcert=lotro.cc.cer            # certificate issued by acme.sh
        leftid=lotro.cc                  # must match the hostname in the certificate
        leftsendcert=yes
        rightauth=eap-mschapv2           # username/password authentication
        rightsourceip=192.168.101.0/24   # virtual IP pool assigned to the mobile clients
        auto=add
Authentication secrets (keep this file readable by root only):
    sudo nano /usr/local/etc/ipsec.secrets
    # /usr/local/etc/ipsec.secrets - strongSwan IPsec secrets file
    : RSA lotro.cc.key        # private key of the certificate
    admin : EAP "admin"       # username and password
Restart: sudo ipsec restart
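As an added example that is not part of the original post or of strongSwan, the following Python linter parses the ipsec.conf and ipsec.secrets above and flags the settings a reviewer would check: keyexchange not pinned to ikev2, a missing leftcert or leftid, an over-broad leftsubnet, and an EAP password that equals the username or is short (the 12-character minimum is an assumed policy).

```python
# Added example, not from the original post or strongSwan: a linter for the
# ipsec.conf/ipsec.secrets above. Format: an unindented line opens a section,
# indented key=value lines belong to it, "#" starts a comment.
import re

def parse_ipsec_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line opens a section
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def parse_secrets(text):
    # Matches 'user : EAP "password"' lines; the RSA key line does not match.
    pat = re.compile(r'^\s*([^\s#:]+)\s*:\s*EAP\s+"([^"]*)"')
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def lint(conf_text, secrets_text):
    findings, conf = [], parse_ipsec_conf(conf_text)
    default = conf.get("conn %default", {})
    for name, sect in conf.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        m = {**default, **sect}                   # conn values override %default
        if m.get("keyexchange", "ike") != "ikev2":
            findings.append(f"{name}: keyexchange not pinned to ikev2")
        if m.get("rightauth", "").startswith("eap") and "leftcert" not in m:
            findings.append(f"{name}: EAP clients cannot verify the server without leftcert")
        if "leftid" not in m:
            findings.append(f"{name}: leftid missing, clients cannot pin the remote ID")
        if any(s in m.get("leftsubnet", "0.0.0.0/0") for s in ("0.0.0.0/0", "::/0")):
            findings.append(f"{name}: leftsubnet exposes all traffic, narrow it")
    for user, pw in parse_secrets(secrets_text):  # 12-char minimum is an assumed policy
        if pw == user or len(pw) < 12:
            findings.append(f"ipsec.secrets: weak EAP password for user '{user}'")
    return findings

# Constructed sample: the configuration from this post.
SAMPLE_CONF = ("config setup\n    uniqueids = never\n"
               "conn %default\n    keyexchange=ike\n"
               "conn rw\n    leftsubnet=192.168.55.33[icmp],192.168.55.33[tcp/http]\n"
               "    leftcert=lotro.cc.cer\n    leftid=lotro.cc\n"
               "    rightauth=eap-mschapv2\n    rightsourceip=192.168.101.0/24\n")
SAMPLE_SECRETS = ': RSA lotro.cc.key\nadmin : EAP "admin"  # username and password\n'
```

Run against the post's own configuration, lint() reports the keyexchange=ike setting and the admin/admin credentials and nothing else.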
6. Mobile client configuration
- Type: IKEv2
- Server: lotro.cc
- Remote ID (server ID): lotro.cc
- Local ID: (empty)
- Username: admin
- Password: admin
- Proxy: off