
openwrt的strongswan配置

http://blog.chinaunix.net/uid-192452-id-5760577.html


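# Create the local CA and the VPN server certificate with strongSwan's `ipsec pki`.
# The relative paths (private/, cacerts/, certs/) assume the strongSwan config
# directory (/etc/ipsec.d, see the chmod step further down) is the working dir — confirm.
#
# Private keys are created by shell redirection, i.e. the file exists before the
# following chmod runs; the umask in the subshell makes them owner-only from the
# first byte instead of relying on that later chmod.
( umask 077; ipsec pki --gen --type rsa --size 4096 --outform pem > private/openwrt.pem )
chmod 600 private/openwrt.pem
# Self-signed CA certificate, 10-year lifetime. O= is spelled the same as in the
# certificates issued below (the original page had "acron" here, "acorn" there).
ipsec pki --self --ca --lifetime 3650 --in private/openwrt.pem --type rsa \
  --dn "C=CH, O=acorn, CN=centos Root CA" --outform pem > cacerts/openwrtCert.pem
ipsec pki --print --in cacerts/openwrtCert.pem
# Server (host) key, same owner-only treatment as the CA key.
( umask 077; ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem )
chmod 600 private/vpnHostKey.pem
# Server certificate, 2-year lifetime. The SAN is the address clients connect to
# and verify; serverAuth/ikeIntermediate are the extended-key-usage flags some
# client platforms require on the server certificate.
# NOTE: the redirection creates certs/vpnHostCert.pem even if the `--pub` stage
# fails, so the final --print is the check that a valid certificate was written.
ipsec pki --pub --in private/vpnHostKey.pem --type rsa \
  | ipsec pki --issue --lifetime 730 --cacert cacerts/openwrtCert.pem \
      --cakey private/openwrt.pem --dn "C=CH, O=acorn, CN=172.18.10.77" \
      --san 172.18.10.77 --flag serverAuth --flag ikeIntermediate \
      --outform pem > certs/vpnHostCert.pem
ipsec pki --print --in certs/vpnHostCert.pem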




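# Client (Android) key and certificate, issued by the CA created above.
# The key file is created by the redirection before chmod can run, so the
# umask in the subshell is what keeps it owner-only while it is written.
( umask 077; ipsec pki --gen --type rsa --size 2048 --outform pem > private/androidKey.pem )
chmod 600 private/androidKey.pem
# Client certificate, 2-year lifetime, no server flags.
# NOTE(review): with rightauth=eap-mschapv2 in the conn below the client
# authenticates by EAP, so this certificate mainly rides along in the .p12 to
# deliver the CA to the device — confirm that is the intent.
ipsec pki --pub --in private/androidKey.pem --type rsa \
  | ipsec pki --issue --lifetime 730 --cacert cacerts/openwrtCert.pem \
      --cakey private/openwrt.pem --dn "C=CH, O=acorn, CN=172.18.10.77" \
      --san 172.18.10.77 --outform pem > certs/androidCert.pem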




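# Bundle the client key, its certificate and the CA certificate into a PKCS#12
# file for import on the device. The bundle contains the private key, so it is
# created owner-only; openssl prompts for the export password on the terminal
# (keep it off the command line, where it would show up in shell history and ps).
( umask 077; openssl pkcs12 -export -inkey private/androidKey.pem -in certs/androidCert.pem \
    -name "hongrui's VPN Certificate" -certfile cacerts/openwrtCert.pem \
    -caname "centos Root CA" -nodes -out hongrui.p12 )
# NOTE(review): -nodes is a parsing-mode option (PEM output without key
# encryption); it appears to have no effect together with -export — confirm and drop.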


# Make every private key under /etc/ipsec.d/private readable by its owner only.
# (An unmatched glob is passed through literally, as in the plain chmod form.)
for key_file in /etc/ipsec.d/private/*; do
  chmod 0600 -- "$key_file"
done


编辑/etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # never: do not enforce one IKE_SA per identity. Relevant here because
        # every client presents the same EAP identity handling (eap_identity=%any
        # below); with yes/replace a second login would tear down the first — confirm
        # this is wanted rather than per-user uniqueness.
        uniqueids=never


# IKEv2 road-warrior server: server authenticates with its certificate,
# clients authenticate with EAP-MSCHAPv2 (user/password, stored outside this
# file — not shown on this page).
conn roadwarrior-ikev2
        keyexchange=ikev2
        # Dead peer detection: after 300s of silence the SA is cleared without
        # trying to re-establish it (the client reconnects on its own).
        dpdaction=clear
        dpddelay=300s
        # The server does not initiate rekeying; left to the clients.
        rekey=no
        left=%any
        # NOTE(review): with leftauth=pubkey the server ID must be contained in
        # the server certificate; the cert generated above carries SAN/CN
        # 172.18.10.77, not "openwrt" — confirm clients accept this identity.
        leftid=openwrt
        # NOTE(review): the pki steps above wrote certs/vpnHostCert.pem; confirm
        # which file is actually installed under /etc/ipsec.d/certs.
        leftcert=openwrt.cer
        leftauth=pubkey
        leftsendcert=always
        # Offer the whole address space so clients can route all traffic through
        # the tunnel (full-tunnel VPN).
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightauth=eap-mschapv2
        # TODO: both values are empty on this page and must be filled in:
        # an address pool for clients (one not in use on the LAN) and the DNS
        # server pushed to them.
        rightsourceip=
        rightdns=
        eap_identity=%any
        # Load the conn and wait for clients to initiate.
        auto=add








编辑 /etc/config/firewall，在文件末尾添加以下规则：
# allow incoming IPsec connections
# NOTE(review): every rule below has src lan, i.e. only peers in the LAN zone
# may reach the IKE/ESP ports. Road-warrior clients that arrive over the
# Internet hit the wan zone, which these rules do not cover — confirm which
# zone the clients come in on and adjust (or add a second set for wan).
#
# ESP: the encrypted tunnel traffic itself
config rule
 option src lan
 option proto esp
 option target ACCEPT


# IKE (UDP/500): key exchange
config rule
 option src lan
 option proto udp
 option dest_port 500
 option target ACCEPT


# NAT-Traversal (UDP/4500): IKE and ESP-in-UDP when the client is behind NAT
config rule
 option src lan
 option proto udp
 option dest_port 4500
 option target ACCEPT


# AH: only needed if a conn actually uses AH; the conn on this page does not
# configure it, so this rule can likely be dropped — confirm.
config rule
 option src lan
 option proto ah
 option target ACCEPT





本文链接:https://hqyman.cn/post/408.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
