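# Install strongSwan and the EAP-MSCHAPv2 plugin in one transaction so the
# dependency set is resolved together; -y keeps the step usable from a script
# and `apt-get update` first avoids installing from a stale package index.
# NOTE(review): on newer Debian/Ubuntu releases the plugin is packaged in
# libcharon-extra-plugins instead of strongswan-plugin-eap-mschapv2 — confirm
# the package name for the target release.
apt-get update
apt-get install -y strongswan strongswan-plugin-eap-mschapv2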
#建立ca證書
(01)生成ca私鑰
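# The CA private key is the trust root for every certificate issued below.
# Create it under a restrictive umask so the file is never world-readable,
# not even between creation and a later chmod; the subshell keeps the umask
# change from leaking into the rest of the session.
(umask 077; ipsec pki --gen --outform pem > ca.key)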
(02)生成ca證書
# Self-signed CA certificate (10-year lifetime) derived from ca.key. The DN
# below is what every client sees as the trust anchor it has to install.
ca_dn='C=TW, O=IT, CN=TSC CA'
ipsec pki --self --ca --in ca.key --dn "$ca_dn" --lifetime 3650 --outform pem > ca.crt
#建立server證書
(01)生成server私鑰
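# Server private key; same treatment as the CA key — created with a
# restrictive umask in a subshell so the file is root-only from the start.
(umask 077; ipsec pki --gen --outform pem > server.key)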
(02)生成server證書
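# Server certificate: the public half of server.key, signed by the CA.
# The SAN list must contain whatever clients connect to (and what leftid in
# ipsec.conf is set to); the serverAuth EKU is what IKEv2 clients — Windows
# in particular — check, and ikeIntermediate is reportedly still needed by
# older Apple clients. pipefail is scoped to the subshell and the output goes
# to a temp name first, so a failed --pub or --issue cannot leave an empty or
# truncated server.crt behind.
(
  set -o pipefail
  ipsec pki --pub --in server.key \
    | ipsec pki --issue --lifetime 365 --cakey ca.key --cacert ca.crt \
        --dn "C=TW, O=IT, CN=mail.tscgg.com" \
        --san="mail.tscgg.com" --san="202.39.169.33" \
        --flag serverAuth --flag ikeIntermediate --outform pem > server.crt.tmp \
    && mv -- server.crt.tmp server.crt
)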
#證書存到指定的位置
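# Put the material where charon looks for it. charon itself only needs
# server.key (that is the RSA entry in ipsec.secrets); ca.key is only needed
# to issue further certificates, so it is safer kept off the VPN host
# altogether — if it stays here, keep both keys root-only.
mv -- ca.crt /etc/ipsec.d/cacerts/
mv -- server.crt /etc/ipsec.d/certs/
mv -- ca.key server.key /etc/ipsec.d/private/
chmod 600 /etc/ipsec.d/private/ca.key /etc/ipsec.d/private/server.key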
#配置連線設定檔
# Open the strongSwan connection config for editing; the sections that follow
# are the intended contents of this file.
vi /etc/ipsec.conf
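config setup
  # 'never' lets one identity hold several simultaneous IKE_SAs instead of
  # replacing the old one, so a leaked credential can be used in parallel
  # with the legitimate user without either side noticing. Consider the
  # default unless multiple sessions per user are really needed.
  uniqueids=never
  charondebug=ike 1, knl 1, cfg 1

# Parameter lines are indented under their section, as ipsec.conf(5) expects.
conn %default
  # load the connection at start and wait for the client to initiate
  auto=add
  # DNS server pushed to connecting clients
  rightdns=168.95.1.1

conn IKEv1-PSK
  keyexchange=ikev1
  # group PSK plus per-user XAUTH password (both in ipsec.secrets); the PSK is
  # shared by every IKEv1 client, so one compromised device forces a rotation
  # for all of them
  authby=xauthpsk
  xauth=server
  dpdaction=clear
  left=%any
  # full tunnel: all client traffic is routed through the VPN
  leftsubnet=0.0.0.0/0
  # only two addresses — presumably at most two concurrent clients; widen the
  # range if more users are expected (confirm pool sharing between conns)
  rightsourceip=10.3.1.223-10.3.1.224

conn IKEv2-EAP
  keyexchange=ikev2
  # use the EAP identity (the username) as the peer identity
  eap_identity=%identity
  # the server never initiates rekeying; clients are expected to
  rekey=no
  # IKE-level fragmentation avoids UDP fragmentation of the large cert payloads
  fragmentation=yes
  dpdaction=clear
  left=%any
  # must match the CN/SAN in server.crt or clients reject the server
  leftid=mail.tscgg.com
  leftsubnet=0.0.0.0/0
  leftcert=server.crt
  rightsourceip=10.3.1.223-10.3.1.224
  # clients authenticate with username/password over EAP-MSCHAPv2; this is
  # only as safe as the server-certificate check, so clients must have ca.crt
  # installed and verify it
  rightauth=eap-mschapv2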
#配置帳密檔
# Open the credentials file; the lines that follow are its intended contents.
# It holds plaintext passwords and the PSK, so keep it readable by root only.
vi /etc/ipsec.secrets
# Server private key (relative paths are looked up under /etc/ipsec.d/private/),
# used to authenticate the server in the IKEv2-EAP conn.
%any : RSA server.key
# EAP-MSCHAPv2 user for the IKEv2-EAP conn. "pass" is a placeholder — use a
# strong password; the secret has to be usable for MSCHAPv2, so this file
# must stay root-only.
user1 %any : EAP "pass"
# Group PSK for the IKEv1-PSK conn, shared by every IKEv1 client ("pskpass" is
# a placeholder — use a long random value and rotate it if any client is lost).
%any : PSK "pskpass"
# Per-user XAUTH password for the IKEv1-PSK conn.
user2 %any : XAUTH "pass"
#允許轉發
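# Kernel settings for a VPN gateway, appended to /etc/sysctl.conf only when
# the exact line is not already there, so re-running these notes does not
# pile up duplicates. `sudo echo` did nothing useful — only tee needs root.
#   ip_forward=1             forward client traffic (required for the VPN)
#   *_redirects=0            a router should neither send nor accept ICMP redirects
#   default.rp_filter=0      relaxes reverse-path filtering on new interfaces;
#                            some VPN routing setups need it, but it lowers
#                            anti-spoofing, so keep it enabled where not required
#   accept_source_route=0    reject source-routed packets
#   icmp_ignore_bogus...=1   drop log noise from malformed ICMP error replies
# NOTE(review): if sysctl.conf already sets one of these keys to another
# value, the appended line wins when `sysctl -p` replays the file in order.
sysctl_settings=(
  'net.ipv4.ip_forward = 1'
  'net.ipv4.conf.all.accept_redirects = 0'
  'net.ipv4.conf.all.send_redirects = 0'
  'net.ipv4.conf.default.rp_filter = 0'
  'net.ipv4.conf.default.accept_source_route = 0'
  'net.ipv4.conf.default.send_redirects = 0'
  'net.ipv4.icmp_ignore_bogus_error_responses = 1'
)
for setting in "${sysctl_settings[@]}"; do
  if ! grep -qxF -- "$setting" /etc/sysctl.conf; then
    printf '%s\n' "$setting" | sudo tee -a /etc/sysctl.conf >/dev/null
  fi
done
sudo sysctl -p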
#重啟服務
# Full restart of the IKE daemon so the new certificates, ipsec.conf and
# ipsec.secrets are picked up. This tears down any tunnel that is already up;
# on a live server `ipsec reload` plus `ipsec rereadsecrets` applies config
# and secret changes without dropping established SAs.
ipsec restart
#連線端必須安裝ca憑證
ca.crt