User Tools

Site Tools


Sidebar


Здравствуйте!

Меня зовут Михаил!
Я системный администратор
и наполняю эту wiki,
решая разнообразные IT-задачки.

Моя специализация - виртуализация!

Я всегда готов помочь Вам
наладить IT-инфраструктуру
за скромное вознаграждение!

mike@autosys.tk
+7 (910) 911-96-23

linux_faq:ubuntu_18.04_setup_strongswan
sudo apt-get update && sudo apt-get upgrade

sudo apt-get install strongswan certbot

sudo ufw allow OpenSSH
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 500,4500/udp

sudo ufw enable

sudo certbot certonly --rsa-key-size 4096 --standalone --agree-tos --no-eff-email --email mikhail@xc360.ru -d testprivate.xc360.ru

sudo cp /etc/letsencrypt/live/testprivate.xc360.ru/fullchain.pem /etc/ipsec.d/certs/
sudo cp /etc/letsencrypt/live/testprivate.xc360.ru/privkey.pem /etc/ipsec.d/private/
sudo cp /etc/letsencrypt/live/testprivate.xc360.ru/chain.pem /etc/ipsec.d/cacerts/


sudo mv /etc/ipsec.conf{,.original}

sudo nano /etc/ipsec.conf

#global configuration IPsec
#chron logger
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

#define new ipsec connection
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ike
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@testprivate.xc360.ru
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity

    
sudo nano /etc/ipsec.secrets

: RSA "privkey.pem"
user : EAP "test"




sudo tail -f /var/log/syslog

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2

Discussion

Enter your comment. Wiki syntax is allowed:
C O G G S
 
linux_faq/ubuntu_18.04_setup_strongswan.txt · Last modified: 2019/01/11 13:28 by admin