apt-get install strongswan libstrongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-swanctl strongswan-charon strongswan-starter strongswan-libcharon libcharon-extra-plugins charon-systemd iptables-persistent
Make a key for your test Certification Authority (CA):
ipsec pki --gen --outform pem > /etc/swanctl/private/ca.pem
*Or use the private key (`*.key`) of a commercial SSL certificate issued for a single domain.
Restrict CA key access permissions (the redirect above created the file with the default umask, so do this right away):
chmod 600 /etc/swanctl/private/ca.pem
Make the CA certificate itself:
ipsec pki --self --ca --lifetime 3650 --in /etc/swanctl/private/ca.pem --dn "CN=my.domain.com" --outform pem > /etc/swanctl/x509ca/ca.pem
/etc/swanctl/x509ca/ca.pem is the file to send to the client (it holds only the public CA certificate, never the CA key).
cp /etc/swanctl/x509ca/ca.pem /etc/swanctl/x509/
Make a key for our server:
ipsec pki --gen --outform pem > /etc/swanctl/private/server0.pem
Restrict the server key access permissions:
chmod 600 /etc/swanctl/private/server0.pem
Make the server certificate:
ipsec pki --pub --in /etc/swanctl/private/server0.pem | ipsec pki --issue --lifetime 3650 --cacert /etc/swanctl/x509ca/ca.pem --cakey /etc/swanctl/private/ca.pem --dn "CN=my.domain.com" --san 18.184.222.254 --flag serverAuth --flag ikeIntermediate --outform pem > /etc/swanctl/x509/server0.pem
--san - the domain name, the IP address, or both.
Or use the certificate (`*.cer`) of a commercial SSL certificate issued for a single domain.
Restart swanctl for the changes to take effect:
systemctl restart strongswan-swanctl
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o ens18 -j MASQUERADE
172.16.10.0/24 - the VPN client subnet (must match the pool `addrs` in swanctl.conf below)
ens18 - the outbound (uplink) Ethernet interface
If you use Proxmox, add firewall rules there that allow 500/udp and 4500/udp to this server. If you do not use Proxmox, add the rules with iptables:
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
To save the iptables rules so they survive a reboot:
netfilter-persistent save
Make a backup before you configure this file:
cp /etc/swanctl/swanctl.conf /etc/swanctl/swanctl.conf.bak
nano /etc/swanctl/swanctl.conf
# swanctl.conf: one IKEv2 connection; the server authenticates with its
# certificate (pubkey) and the clients with EAP-MSCHAPv2 username/password.
connections {
ikev2-eap-mschapv2 {
version = 2
# proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
# NOTE(review): 0s appears to disable IKE_SA rekeying, so the IKE keys are
# never refreshed for the life of the session — confirm this is intended.
rekey_time = 0s
# Must name an entry under pools {} below.
pools = primary-pool-ipv4
fragmentation = yes
dpd_delay = 30s
send_cert=always
# NOTE(review): 'never' presumably lets one identity hold several concurrent
# IKE_SAs — confirm this is intended rather than the commented 'replace'.
unique=never
#unique=replace
# dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
# Server side: certificate authentication; certs is a file name looked up
# under /etc/swanctl/x509/.
local-1 {
certs = server0.pem
id = my.domain.com
auth = pubkey
}
# Client side: EAP-MSCHAPv2; the eap-user entries in secrets {} below supply
# the accounts.
remote-1 {
auth = eap-mschapv2
# go ask the client for its eap identity.
eap_id = %any
}
children {
ikev2-eap-mschapv2 {
# Server offers all of IPv4 as its traffic selector, so clients can
# presumably send all their traffic through the tunnel (via the MASQUERADE rule).
local_ts = 0.0.0.0/0
# NOTE(review): as above, 0s seems to disable CHILD_SA rekeying — confirm intended.
rekey_time = 0s
dpd_action = clear
# esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
updown = /usr/lib/ipsec/_updown iptables
}
}
}
}
pools {
primary-pool-ipv4 {
# Client address range; must agree with the -s subnet of the POSTROUTING MASQUERADE rule.
addrs = 172.16.10.0/24
dns = 192.168.4.2
}
}
# EAP credentials are stored here in plain text: the values below are
# placeholders only — use real passwords and keep this file readable by root only.
secrets {
eap-user {
id = user
secret = "password"
}
eap-user2 {
id = user2
secret = "password2"
}
}
# Include config snippets
include conf.d/*.conf
addrs = 172.16.10.0/24 - the subnet from which VPN clients get their addresses (the same subnet as the MASQUERADE rule above)
dns = 192.168.4.2 - the local DNS server handed out to clients
id = my.domain.com or 192.168.4.148 - the server identity (domain name or IP); it should match the --dn / --san used when the server certificate was issued
certs = server0.pem - the file name of the server certificate, looked up as /etc/swanctl/x509/server0.pem
secrets {...} - the list of EAP users (clients); their passwords are stored in plain text, so keep swanctl.conf readable by root only
Restart swanctl for the changes to take effect:
systemctl restart strongswan-swanctl
Or, to avoid dropping sessions that are already established, reload the configuration instead:
sudo swanctl -q
Check the status:
systemctl status strongswan-swanctl
Check server logs:
tail -f /var/log/syslog
*Since we are using the strongswan-swanctl service, disable the legacy strongswan service:
systemctl disable strongswan
sudo swanctl -q
------------------------------------------------------------------------------------
*Example error in the logs:
Mar 20 16:53:21 ikev2-kyiv charon-systemd2555: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP)N(NATD_D_IP) N(FRAG_SUP) ]
Mar 20 16:53:21 ikev2-kyiv charon-systemd2555: no IKE config found for 192.168.4.148...82.193.102.39, sending NO_PROPOSAL_CHOSEN
Mar 20 16:53:21 ikev2-kyiv charon-systemd2555: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
This means there is an extra brace (`}`) in swanctl.conf: the connection section did not load, hence "no IKE config found".