linode centos7 xl2tp ipsec - 走在左边 - ITeye技术网站
博客分类：
在aws上建立rhel7.1的虚拟机
PermitRootLogin yes
PasswordAuthentication yes
[ec2-user@ip-172-31-17-111 ~]$ cat /etc/ssh/sshd_config
$OpenBSD: sshd_config,v 1.93
05:59:19 djm Exp $
# This is the sshd server system-wide configuration file.
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.
Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
#PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.
Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox
# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp
/usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
ForceCommand cvs server
[ec2-user@ip-172-31-17-111 ~]$
参考
http://www.esojourn.org/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php?page=2&part=1
使用xl2tp和ipsec,ppp让iphone和mac上网
注意的地方
1.尽量用新版本
2.配置的vpn用户名密码要是系统能登录的
3.http://pkgs.org/centos-7/nux-dextop-x86_64/xl2tpd-1.3.6-2.el7.nux.x86_64.rpm.html
下载对应的系统对应的rpm包 xl2tpd
rpm -ivh xl2tpd-1.3.6-8.el7.x86_64.rpm
4.yum install ppp openswan
openswan就是ipsec
5.我linode的ip是106.187.44.20，要替换下面的ip到你的ip
for each in /proc/sys/net/ipv4/conf/*
echo 0 & $each/accept_redirects
echo 0 & $each/send_redirects
[root@localhost ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:
/etc/ipsec.conf
# Enable when using this configuration file with openswan instead of libreswan
#version 2
ipsec.conf.5
# basic configuration
config setup
# which IPsec stack to use, "netkey" (the default), "klips" or "mast".
# For MacOSX use "bsd"
protostack=netkey
# The interfaces= line is only required for the klips/mast stack
#interfaces="%defaultroute"
#interfaces="ipsec0=eth0 ipsec1=ppp0"
# If you want to limit listening on a single IP - not required for
# normal operation
#listen=127.0.0.1
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control kernel pfkey natt x509 dpd
# Note: "crypt" is not included with "all", as it can show confidential
information. It must be specifically specified
# examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#plutodebug=none
#klipsdebug=none
# Normally, pluto logs via syslog. If you want to log to a file,
# specify below or to disable logging, eg for embedded systems, use
# the file name /dev/null
# Note: SElinux policies might prevent pluto writing to a log file at
an unusual location.
#plutostderrlog=/var/log/pluto.log
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: SElinux policies might prevent pluto writing the core at
unusual locations
dumpdir=/var/run/pluto/
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has not been announced via BGP (at least upto )
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# Add connections here
# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
/usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/
# There is also a lot of information in the manual page, "man ipsec.conf"
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
# by uncommenting this line
#include /etc/ipsec.d/*.conf
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
keyingtries=3
ikelifetime=8h
keylife=1h
type=transport
left=172.31.17.111
leftid=52.74.143.66
leftprotoport=17/1701
leftprotoport=17/%any
right=%any
right=%any
17/%any 和ifconfig得到的内网ip，这里注意一下
[root@localhost ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
106.187.44.20 %any: PSK "haha"
[root@localhost ~]# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/&name&.conf file
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
验证
sysctl -p
service ipsec start
ipsec verify
可用的时候是这样的
[root@localhost ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path
Libreswan 3.8 (netkey) on 3.15.4-x86_64-linode45
Checking for IPsec support in kernel
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects
ICMP default/accept_redirects
XFRM larval drop
Pluto ipsec.conf syntax
Hardware random device
Two or more interfaces found, checking IP forwarding
Checking rp_filter
Checking that pluto is running
Pluto listening for IKE on udp 500
Pluto listening for IKE/NAT-T on udp 4500
Pluto ipsec.secret syntax
Checking NAT and MASQUERADEing
[TEST INCOMPLETE]
Checking 'ip' command
Checking 'iptables' command
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options
Opportunistic Encryption
[DISABLED]
[root@localhost ~]#
[color=red]listen-addr 注意这里的ip如果外网不通就用内网的[/color]
[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.
A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
listen-addr = 106.187.44.20
ipsec saref = no
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
; force userspace = yes
; debug tunnel = yes
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
[root@localhost ~]# cat
/etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
106.187.36.20
192.168.1.1
192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
nodefaultroute
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# /ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
IP addresses
[root@localhost ~]# cat /etc/sysconfig/iptables
vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT 注意要有换行
xl2tpd -D &
service iptables restart
ipsec restart
----------------ubuntu14.04 aws
设置root的ssh
ssh出现permission denied (publickey)问题:
修改/etc/ssh/sshd-config文件.
将其中的PermitRootLogin no修改为yes
PubkeyAuthentication yes修改为no
AuthorizedKeysFile .ssh/authorized_keys前面加上#屏蔽掉，
PasswordAuthentication no修改为yes就可以了。
重启sshd即可：service sshd restart
------------------------------------------------------------
------------------------------------------------------------
ubuntu14.04参考
https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
apt-get install iptables-persistent
apt-get install ppp openswan& xl2tpd
也没好使
http://crazyof.me/blog/archives/610.html
http://ubuntuforums.org/showthread.php?t=2211939
"I also make it my habit to make leftprotoport 17/%any instead of 17/1701"
vim /etc/ipsec.conf
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
keyingtries=3
ikelifetime=8h
keylife=1h
type=transport
left=172.31.30.234
leftprotoport=17/%any
right=%any
rightprotoport=17/%any
注意，left为内网ifconfig的ip，leftprotoport=17/%any 一定要这么写，写成1701会报错
cat /etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 & /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
echo 0 & $each/accept_redirects
echo 0 & $each/send_redirects
cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21 on Mon Nov 24 04:44:08 2014
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
# Completed on Mon Nov 24 04:44:08 2014
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.3.0/24 -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
cat /etc/xl2tpd/xl2tpd.conf
ipsec saref = no
[lns default]
ip range = 192.168.3.128-192.168.3.254
local ip = 192.168.3.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
网段和iptables配置的网段要一样，不能是已经存在的网段
cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
IP addresses
hey * heyman *
useradd hey
passwd hey
heyman
cat /etc/ipsec.secrets
root@ip-172-31-30-234:/home/ubuntu# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.
See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically created RSA keys
#include /var/lib/openswan/ipsec.secrets.inc
172.31.30.234 %any: PSK "haha"
root@ip-172-31-30-234:/data/meatspace-chat# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
hide-password
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
ip为ifconfig的内网ip
设置
/etc/sysctl.conf& 上面
sysctl -p
/etc/init.d/iptables-persistent restart
service ipsec restart
servcie xl2tpd restart
tailf /var/log/secure& 看访问的log
r如果有尝试密码的使用
/etc/hosts.deny
all:218.87.111.110
禁止
iphone访问的话
haoningabc
浏览: 512634 次
来自: 北京
感谢您的分享，给我提供了很大的帮助，在使用过程中发现了一个问题 ...
leebyte 写道太NB了，期待早日用上Killinux！么 ...
太NB了，期待早日用上Killinux！
位大神有木有WebRTC的视频资料网站么？文字的有时候不太看得 ...
看看这个文章吧，写的也不错http://blog.yemou. ...CENTOS/UBUNTU一键安装IPSEC/IKEV2 VPN服务器
1、在azure上创建ubuntu虚拟机 选择v15.04 server 版本
2、添加端口号
3、远程桌面到ubuntu
命令行 输入 sudo su& 输入创建 ubuntu虚拟机 时候的 密码
切换到root身份。
4、开始创建 ipsec/ikev2 vpn 服务器
【注】 我选择的是& Xen、KVM 的vps类型
【注】修改后 文件 不生效 则重新启动虚拟机
【注】win7客户端连接vpn 需要证书安装到& 计算机账户的 受信任的根证书颁发机构
具体如下：
1.下载脚本:
wget /quericy/one-key-ikev2-vpn/master/one-key-ikev2.sh
2.运行(如果有需要使用自己已有的根证书，请将私钥命名为ca.cert，将根证书命名为ca.cert.pem，放到脚本的相同目录下再运行该脚本，没有证书的话将自动生成自签名证书咯)：
chmod +x one-key-ikev2.sh
bash one-key-ikev2.sh
3.等待自动配置部分内容后，选择vps类型（OpenVZ还是Xen、KVM），选错将无法成功连接，请务必核实服务器的类型。输入服务器ip或者绑定的域名(连接vpn时服务器地址将需要与此保持一致)，以及证书的相关信息(C,O,CN)，使用自己的根证书的话，C,O,CN的值需要与根证书一致，为空将使用默认值(default value)，确认无误后按任意键继续
4.输入两次pkcs12证书的密码(可以为空)
5.看到install success字样即表示安装成功。默认用户名密码将以黄字显示，可根据提示自行修改文件中的用户名密码。(WindowsPhone8.1的用户请将用户名myUserNames修改为%any ,否则可能会由于域的问题无法连接，具体参见http://quericy.me/blog/512文章中的说明)
6.将提示信息中的证书文件ca.cert.pem拷贝到客户端，修改后缀名为.cer后导入。ios设备使用Ikev1无需导入证书，而是需要在连接时输入共享密钥，共享密钥即是提示信息中的黄字PSK.
服务器重启后默认ipsec不会自启动，请自行添加，或使用命令手动开启：
ipsec start
连上服务器后无法链接外网：
vim /etc/sysctl.conf
修改net.ipv4.ip_forward=1后保存并关闭文件 然后使用以下指令刷新sysctl：
如遇报错信息，请重新打开/etc/syctl并将报错的那些代码用#号注释，保存后再刷新sysctl直至不会报错为止。
bash脚本源码(点击展开)
#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
#&& System Required:& CentOS6.x (32bit/64bit) or Ubuntu
#&& Description:& Install IKEV2 VPN for CentOS and Ubuntu
#&& Author: quericy
#&& Intro:& http://quericy.me/blog/699
#===============================================================================================
echo &#############################################################&
echo &# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu&
echo &# Intro: http://quericy.me/blog/699&
echo &# Author:quericy&
echo &#############################################################&
# Install IKEV2
function install_ikev2(){
disable_selinux
get_system
yum_install
pre_install
download_files
setup_strongswan
configure_ipsec
configure_strongswan
configure_secrets
iptables_set
ipsec start
success_info
# Make sure only root can run our script
function rootness(){
if [[ $EUID -ne 0 ]]; then
echo &Error:This script must be run as root!& 1&&2
# Disable selinux
function disable_selinux(){
if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/ then
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
# Get IP address of the server
function get_my_ip(){
echo &Preparing, Please wait a moment...&
IP=`curl -s
| cut -d' ' -f 6& | cut -d'&' -f 1`
if [ -z $IP ]; then
IP=`curl -s ifconfig.me/ip`
# Ubuntu or CentOS
function get_system(){
get_system_str=`cat /etc/issue`
echo &$get_system_str& |grep -q &CentOS&
if& [ $? -eq 0 ]
system_str=&0&
echo &$get_system_str& |grep -q &Ubuntu&
if [ $? -eq 0 ]
system_str=&1&
echo &This Script must be running at the CentOS or Ubuntu!&
# Pre-installation settings
function pre_install(){
echo &#############################################################&
echo &# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu&
echo &# Intro: http://quericy.me/blog/699&
echo &# Author:quericy&
echo &#############################################################&
echo &please choose the type of your VPS(Xen、KVM: 1& ,& OpenVZ: 2):&
read -p &your choice(1 or 2):& os_choice
if [ &$os_choice& = &1& ]; then
os_str=&Xen、KVM&
if [ &$os_choice& = &2& ]; then
os_str=&OpenVZ&
echo &wrong choice!&
echo &please input the ip (or domain) of your VPS:&
read -p &ip or domain(default_vale:${IP}):& vps_ip
if [ &$vps_ip& = && ]; then
vps_ip=$IP
echo &please input the cert country(C):&
read -p &C(default value:com):& my_cert_c
if [ &$my_cert_c& = && ]; then
my_cert_c=&com&
echo &please input the cert organization(O):&
read -p &O(default value:myvpn):& my_cert_o
if [ &$my_cert_o& = && ]; then
my_cert_o=&myvpn&
echo &please input the cert common name(CN):&
read -p &CN(default value:VPN CA):& my_cert_cn
if [ &$my_cert_cn& = && ]; then
my_cert_cn=&VPN CA&
echo &####################################&
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2& /dev/null
stty $SAVEDSTTY
echo &Please confirm the information:&
echo -e &the type of your server: [\033[32;1m$os_str\033[0m]&
echo -e &the ip(or domain) of your server: [\033[32;1m$vps_ip\033[0m]&
echo -e &the cert_info:[\033[32;1mC=${my_cert_c}, O=${my_cert_o}\033[0m]&
echo &Press any key to start...or Press Ctrl+C to cancel&
char=`get_char`
#Current folder
cur_dir=`pwd`
cd $cur_dir
#install necessary lib
function yum_install(){
if [ &$system_str& = &0& ]; then
yum -y update
yum -y install pam-devel openssl-devel make gcc
apt-get -y update
apt-get -y install libpam0g-dev libssl-dev make gcc
# Download strongswan
function download_files(){
if [ -f strongswan.tar.gz ];then
echo -e &strongswan.tar.gz [\033[32;1mfound\033[0m]&
if ! wget http://download.strongswan.org/strongswan.tar.then
echo &Failed to download strongswan.tar.gz&
tar xzf strongswan.tar.gz
if [ $? -eq 0 ];then
cd $cur_dir/strongswan-*/
echo &Unzip strongswan.tar.gz failed! Please visit http://quericy.me/blog/699 and contact.&
# configure and install strongswan
function setup_strongswan(){
if [ &$os& = &1& ]; then
./configure& --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap& \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap& \
--enable-xauth-pam& --enable-dhcp& --enable-openssl& --enable-addrblock --enable-unity& \
--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp
./configure& --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap& \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap& \
--enable-xauth-pam& --enable-dhcp& --enable-openssl& --enable-addrblock --enable-unity& \
--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec
make install
# configure cert and key
function get_key(){
cd $cur_dir
if [ -f ca.pem ];then
echo -e &ca.pem [\033[32;1mfound\033[0m]&
echo -e &ca.pem [\033[32;1mauto create\032[0m]&
echo &auto create ca.pem ...&
ipsec pki --gen --outform pem & ca.pem
if [ -f ca.cert.pem ];then
echo -e &ca.cert.pem [\033[32;1mfound\033[0m]&
echo -e &ca.cert.pem [\032[33;1mauto create\032[0m]&
echo &auto create ca.cert.pem ...&
ipsec pki --self --in ca.pem --dn &C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}& --ca --outform pem &ca.cert.pem
if [ ! -d my_key ];then
mkdir my_key
mv ca.pem my_key/ca.pem
mv ca.cert.pem my_key/ca.cert.pem
ipsec pki --gen --outform pem & server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn &C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}& \
--san=&${vps_ip}& --flag serverAuth --flag ikeIntermediate \
--outform pem & server.cert.pem
ipsec pki --gen --outform pem & client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn &C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client& --outform pem & client.cert.pem
echo &configure the pkcs12 cert password(Can be empty):&
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name &client& -certfile ca.cert.pem -caname &${my_cert_cn}&& -out client.cert.p12
echo &####################################&
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2& /dev/null
stty $SAVEDSTTY
echo &Press any key to install ikev2 VPN cert&
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem& /usr/local/etc/ipsec.d/private/
# configure the ipsec.conf
function configure_ipsec(){
&cat & /usr/local/etc/ipsec.conf&&-EOF
config setup
uniqueids=never
conn iOS_cert
keyexchange=ikev1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.31.2.0/24
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
# configure the strongswan.conf
function configure_strongswan(){
&cat & /usr/local/etc/strongswan.conf&&-EOF
load_modular = yes
duplicheck.enable = no
compress = yes
include strongswan.d/charon/*.conf
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
include strongswan.d/*.conf
# configure the ipsec.secrets
function configure_secrets(){
cat & /usr/local/etc/ipsec.secrets&&-EOF
: RSA server.pem
: PSK &myPSKkey&
: XAUTH &myXAUTHPass&
myUserName %any : EAP &myUserPass&
# iptables set
function iptables_set(){
sysctl -w net.ipv4.ip_forward=1
if [ &$os& = &1& ]; then
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24& -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24& -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24& -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24& -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24& -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24& -j ACCEPT
iptables -A INPUT -i venet0 -p esp -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE
if [ &$system_str& = &0& ]; then
service iptables save
iptables-save & /etc/iptables.rules
cat & /etc/network/if-up.d/iptables&&EOF
iptables-restore & /etc/iptables.rules
chmod +x /etc/network/if-up.d/iptables
# echo the success info
function success_info(){
echo &#############################################################&
echo -e &#&
echo -e &# [\033[32;1mInstall Successful\033[0m]&
echo -e &# There is the default login info of your VPN&
echo -e &# UserName:\033[33;1m myUserName\033[0m&
echo -e &# PassWord:\033[33;1m myUserPass\033[0m&
echo -e &# PSK:\033[33;1m myPSKkey\033[0m&
echo -e &# you can change UserName and PassWord in\033[32;1m /usr/local/etc/ipsec.secrets\033[0m&
echo -e &# you must copy the cert \033[32;1m ${cur_dir}/my_key/ca.cert.pem \033[0m to the client and install it.&
echo -e &#&
echo -e &#############################################################&
echo -e &&
# Initialization step
install_ikev2
如需Debian系统的IKEV2一键安装脚本，可参考magic282童鞋的一键脚本：
/magic282/One-Key-L2TP-IKEV2-Setup
CentOS/Debian/Ubuntu系统一键安装LNMP/LAMP/LNMPA网站环境：
centos6.5 lnmp、lamp、lnmpa一键安装包：
------分隔线----------------------------}