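#!/usr/bin/env bash
# Provision a strongSwan IKEv2 VPN (server certificate + EAP-MSCHAPv2 user
# authentication) on a Debian/Ubuntu host. Run as root from the directory in
# which the generated PKI material (private/, cacerts/, certs/, client.p12)
# should be kept.
#
# Environment (all optional):
#   VPN_USER / VPN_PASS  EAP credentials written to /etc/ipsec.secrets.
#                        The defaults are the original script's placeholders;
#                        set both before running on a real host.
#   VPN_SUBNET           virtual IP pool handed to clients (default 10.10.10.0/24).
set -euo pipefail

readonly vpn_user=${VPN_USER:-ikev2user}
readonly vpn_pass=${VPN_PASS:-ikev2pass}
readonly vpn_subnet=${VPN_SUBNET:-10.10.10.0/24}
readonly ca_dn="C=CH, O=VPS"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Everything created below (private keys, client.p12, ipsec.secrets) is
# owner-only by default; the public certificates are opened up explicitly
# further down. The original ran at the default umask, which left the
# private keys in ./private world-readable.
umask 077

# dnsutils provides dig, which the original relied on without installing it.
apt-get install -y strongswan strongswan-plugin-eap-mschapv2 moreutils \
  iptables-persistent dnsutils

# Public address as reported by a DNS echo service. It is interpolated into
# the CA/server DN, the SAN, leftid and ipsec.secrets, so accept nothing but
# a plain IPv4 literal.
IP=$(dig +short myip.opendns.com @resolver1.opendns.com) || die "dig failed"
[[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
  || die "could not determine the server IPv4 address (got '${IP}')"
readonly IP
printf '\nServer IP is %s\n\n' "$IP"

mkdir -p private cacerts certs

# --- CA -------------------------------------------------------------------
ipsec pki --gen --type rsa --size 4096 --outform pem > private/caPrivateKey.pem
ipsec pki --self --ca --lifetime 3650 --in private/caPrivateKey.pem --type rsa \
  --dn "${ca_dn}, CN=${IP}" --outform pem > cacerts/caCert.pem

# --- server key and certificate ------------------------------------------
printf 'generating server private key and server cert ...\n\n'
ipsec pki --gen --type rsa --size 2048 --outform pem > private/serverPrivateKey.pem
ipsec pki --pub --in private/serverPrivateKey.pem --type rsa \
  | ipsec pki --issue --lifetime 730 \
      --cacert cacerts/caCert.pem \
      --cakey private/caPrivateKey.pem \
      --dn "${ca_dn}, CN=${IP}" \
      --san "$IP" \
      --flag serverAuth --flag ikeIntermediate \
      --outform pem > certs/serverCert.pem

# --- client key, certificate and PKCS#12 bundle --------------------------
printf 'generating client private key and client cert ...\n\n'
keyfile="private/clientPrivateKey.pem"
certfile="certs/clientCert.pem"
ipsec pki --gen --type rsa --size 2048 --outform pem > "$keyfile"
ipsec pki --pub --in "$keyfile" --type rsa \
  | ipsec pki --issue --lifetime 730 \
      --cacert cacerts/caCert.pem \
      --cakey private/caPrivateKey.pem \
      --dn "${ca_dn}, CN=strongSwan client" \
      --outform pem > "$certfile"
# openssl asks for the export password on the terminal. That is deliberate:
# passing it on the command line would expose it via ps and shell history.
openssl pkcs12 -export -inkey "$keyfile" \
  -in "$certfile" -name "strongSwan client" \
  -certfile cacerts/caCert.pem \
  -caname "strongSwan Root CA" \
  -out client.p12

# Certificates are public; keys and client.p12 stay 0600 from the umask.
chmod 755 cacerts certs
chmod 644 cacerts/caCert.pem certs/*.pem

# NOTE: like the original, this also copies the CA private key onto the VPN
# host. Only serverPrivateKey.pem is needed to run the service; keep the CA
# key offline if this CA will issue further client certificates.
cp -f cacerts/caCert.pem /etc/ipsec.d/cacerts/
cp -f private/* /etc/ipsec.d/private/
cp -f certs/* /etc/ipsec.d/certs/

# Keep the first pristine copy; do not clobber it on a re-run.
[[ -e /etc/ipsec.conf.original ]] || cp /etc/ipsec.conf /etc/ipsec.conf.original

# ipsec.conf parameters must be indented under their section header, so the
# heredoc is written without <<- (which would strip leading tabs).
# The ike/esp proposals are those the original shipped (modp1024, 3des for
# legacy client compatibility); they are below current guidance. Prefer e.g.
# aes256-sha256-modp2048 / aes256gcm16 when every client supports it.
cat > /etc/ipsec.conf <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=${IP}
    leftcert=/etc/ipsec.d/certs/serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=${vpn_subnet}
    rightsendcert=never
    eap_identity=%identity
EOF

# Quoted delimiter: this file contains no shell variables to expand.
cat > /etc/strongswan.conf <<'EOF'
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
    filelog {
        /var/log/strongswan.log {
            time_format = %b %e %T
            default = 2
            append = no
            flush_line = yes
        }
    }
}

include strongswan.d/*.conf
EOF

# ipsec.secrets holds the EAP password in clear text; the umask above keeps
# it 0600. A password containing a double quote would need escaping here.
cat > /etc/ipsec.secrets <<EOF
${IP} : RSA "/etc/ipsec.d/private/serverPrivateKey.pem"
${vpn_user} %any : EAP "${vpn_pass}"
EOF

# Use a sysctl.d drop-in instead of overwriting /etc/sysctl.conf wholesale,
# which the original did (discarding any existing settings).
cat > /etc/sysctl.d/60-ipsec-forward.conf <<'EOF'
net.ipv4.ip_forward=1
EOF
sysctl -p /etc/sysctl.d/60-ipsec-forward.conf

# Outbound interface: the word following "dev" in the route to 8.8.8.8.
my_interface=$(ip route get 8.8.8.8 \
  | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
[[ -n "$my_interface" ]] || die "could not determine the outbound interface"

ipsec reload

# ufw is not among the installed packages; only touch it if present.
if command -v ufw >/dev/null; then
  ufw disable
fi

# NOTE: the INPUT/FORWARD policies are ACCEPT and no DROP rule follows, so
# the ACCEPT rules below do not restrict anything by themselves (same as the
# original). Add an explicit default-deny if this host should be filtered.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -Z
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s "$vpn_subnet" -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d "$vpn_subnet" -j ACCEPT
# Traffic that is still going to be ESP-encapsulated must not be NATed.
iptables -t nat -A POSTROUTING -s "$vpn_subnet" -o "$my_interface" -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s "$vpn_subnet" -o "$my_interface" -j MASQUERADE

# Persisted via an if-up.d hook (the original's mechanism). iptables-persistent
# is installed above but reads /etc/iptables/rules.v4, not this file.
iptables-save > /etc/iptables.rules
cat > /etc/network/if-up.d/iptables <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables

ipsec restart
ipsec status

# Start the daemon at boot via rc.local where it exists; append only once.
if [[ -f /etc/rc.local ]]; then
  chmod +x /etc/rc.local
  grep -qxF '/usr/local/sbin/ipsec start' /etc/rc.local \
    || printf '%s\n' '/usr/local/sbin/ipsec start' >> /etc/rc.local
fi

printf 'scp root@%s:cacerts/caCert.pem .\n' "$IP"
printf 'tail -f /var/log/strongswan.log\n'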