
IPsec on CentOS 7.3

Date: 2019-05-08 17:20:32

Tags: chap   directly   md5   server IP   any   -shared   1.0   short   ret

1. yum install -y wget

2. wget http://download.strongswan.org/strongswan.tar.gz

3. tar zxvf strongswan*

4. cd strongswan*

5. yum install -y make gcc gmp-devel openssl openssl-devel

6. make && sudo make install

7. ./configure --sysconfdir=/etc --disable-sql --disable-mysql --disable-ldap --enable-dhcp --enable-eap-identity --enable-eap-mschapv2 --enable-md4 --enable-xauth-eap --enable-eap-peap --enable-eap-md5 --enable-openssl --enable-shared --enable-unity --enable-eap-tls --enable-eap-ttls --enable-eap-tnc --enable-eap-dynamic --enable-addrblock --enable-radattr --enable-nat-transport --enable-kernel-netlink --enable-kernel-libipsec

8. vi /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        uniqueids = no

# Add connections here.

# Sample ××× connections

conn IPsec_xauth_psk
     keyexchange=ikev1
     left=192.168.0.8
     leftauth=psk
     leftsubnet=0.0.0.0/0
     right=%any
     rightauth=psk
     rightauth2=xauth
     rightsourceip=10.0.0.0/24
     auto=add

conn %default
     keyexchange=ikev1
     dpdaction=hold
     dpddelay=600s
     dpdtimeout=5s
     lifetime=24h
     ikelifetime=240h
     rekey=no
     left=192.168.0.8
     leftsubnet=0.0.0.0/0
     leftcert=***HostCert.pem   ### the *** was filtered out by the site; fill it in yourself
     leftsendcert=always
     right=%any
     rightdns=8.8.8.8
     rightsourceip=10.0.0.0/24

Both occurrences of left=192.168.0.8 above must be changed to your server's IP address.

9. vi /etc/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file
: PSK "SECRET"      ## SECRET is the pre-shared key (PSK) password
username : XAUTH "userpassword"

10. Check the firewall configuration
vi /usr/lib/firewalld/services/ipsec.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPsec</short>
  <description>Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a ***c server or FreeS/WAN, do not disable this option.</description>
  <port protocol="ah" port=""/>
  <port protocol="esp" port=""/>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
</service>

11. firewall-cmd --permanent --add-service=ipsec
12. firewall-cmd --permanent --add-masquerade
13. firewall-cmd --reload
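As an added example (not part of the original post), a small Python audit of the two files written in steps 8 and 9. It parses constructed text copied in shape from the guide's ipsec.conf and ipsec.secrets and flags what should change before the gateway goes live: the sample left= address, the placeholder PSK and XAUTH password, uniqueids=no, and the single PSK shared by every peer when right=%any is used with rightauth=psk. The 20-character PSK threshold is an assumption, not a strongSwan rule.

```python
import re
# Constructed sample in the shape of the guide's ipsec.conf and ipsec.secrets
SAMPLE_CONF = """\
config setup
        uniqueids = no
conn IPsec_xauth_psk
     left=192.168.0.8
     leftauth=psk
     right=%any
     rightauth=psk
     rightauth2=xauth
"""
SAMPLE_SECRETS = ': PSK "SECRET"\nusername : XAUTH "userpassword"\n'

def parse_conf(text):
    """Parse ipsec.conf into {section header: {key: value}}; comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented: 'config setup' / 'conn NAME'
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def parse_secrets(text):
    """Return (selector, kind, secret) tuples from ipsec.secrets lines."""
    pattern = re.compile(r'^\s*(.*?)\s*:\s*(PSK|XAUTH|RSA|EAP)\s+"([^"]*)"')
    return [m.groups() for m in map(pattern.match, text.splitlines()) if m]

def audit(conf_text, secrets_text):
    """List the settings a reviewer would want changed before exposing the gateway."""
    findings, conf = [], parse_conf(conf_text)
    if conf.get("config setup", {}).get("uniqueids") == "no":
        findings.append("config setup: uniqueids=no permits concurrent sessions per identity")
    for name, kv in conf.items():
        if kv.get("left") == "192.168.0.8":
            findings.append(f"{name}: left= still holds the guide's sample address")
        if kv.get("right") == "%any" and kv.get("rightauth") == "psk":
            findings.append(f"{name}: a single group PSK is shared by all clients (right=%any)")
    for selector, kind, secret in parse_secrets(secrets_text):
        if kind == "PSK" and (secret == "SECRET" or len(secret) < 20):  # 20 is an assumed floor
            findings.append("secrets: PSK is the placeholder or shorter than 20 characters")
        if kind == "XAUTH" and secret == "userpassword":
            findings.append(f"secrets: XAUTH user {selector!r} keeps the placeholder password")
    return findings
```

Run `audit(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read())` as root on the gateway to check the real files; an empty list means none of these five conditions was found.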


Original source: https://blog.51cto.com/14142757/2391024