  1. apt-get install strongswan strongswan-plugin-eap-mschapv2 moreutils iptables-persistent -y
  2.  
  3. IP=`dig +short myip.opendns.com @resolver1.opendns.com`
  4. echo  -e "\nServer IP is $IP\n"
  5.  
  6. mkdir -p private && mkdir -p cacerts && mkdir -p certs
  7. ipsec pki --gen --type rsa --size 4096 --outform pem > private/caPrivateKey.pem
  8. ipsec pki --self --ca --lifetime 3650 --in private/caPrivateKey.pem --type rsa --dn "C=CH, O=VPS, CN=$IP" --outform pem > cacerts/caCert.pem
  9.  
  10.  
  11. echo -e "generating server private key and server cert ...\n"
  12. ipsec  pki --gen --type rsa --size 2048 --outform pem > private/serverPrivateKey.pem
  13. ipsec pki --pub --in private/serverPrivateKey.pem --type rsa | \
  14.         ipsec  pki --issue --lifetime 730 \
  15.         --cacert cacerts/caCert.pem \
  16.         --cakey private/caPrivateKey.pem \
  17.         --dn "C=CH, O=VPS, CN=$IP" \
  18.         --san $IP \
  19.         --flag serverAuth --flag ikeIntermediate \
  20.         --outform pem > certs/serverCert.pem
  21.  
  22.  
  23. echo -e "generating client private key and client cert ...\n"
  24. keyfile="private/clientPrivateKey.pem"
  25. certfile="certs/clientCert.pem"
  26. ipsec pki --gen --type rsa --size 2048 --outform pem > private/clientPrivateKey.pem
  27. ipsec pki --pub --in $keyfile --type rsa | ipsec  pki --issue --lifetime 730 \
  28.         --cacert cacerts/caCert.pem \
  29.         --cakey private/caPrivateKey.pem \
  30.         --dn "C=CH, O=VPS, CN=strongSwan client" \
  31.         --outform pem > $certfile
  32.  
  33.  
  34. openssl pkcs12 -export -inkey $keyfile \
  35.     -in $certfile -name "strongSwan client" \
  36.     -certfile cacerts/caCert.pem \
  37.     -caname "strongSwan Root CA" \
  38.     -out client.p12
  39.  
  40. cp -f cacerts/caCert.pem /etc/ipsec.d/cacerts
  41. cp -f private/*  /etc/ipsec.d/private
  42. cp -f certs/* /etc/ipsec.d/certs
  43.  
  44.  
  45. cp /etc/ipsec.conf /etc/ipsec.conf.original
  46. echo '' | sudo tee /etc/ipsec.conf
  47. cat > /etc/ipsec.conf<<-EOF
  48. config setup
  49.     charondebug="ike 1, knl 1, cfg 0"
  50.     uniqueids=no
  51. conn ikev2-vpn
  52.     auto=add
  53.     compress=no
  54.     type=tunnel
  55.     keyexchange=ikev2
  56.     fragmentation=yes
  57.     forceencaps=yes
  58.     ike=aes256-sha1-modp1024,3des-sha1-modp1024!
  59.     esp=aes256-sha1,3des-sha1!
  60.     dpdaction=clear
  61.     dpddelay=300s
  62.     rekey=no
  63.     left=%any
  64.     leftid=${IP}
  65.     leftcert=/etc/ipsec.d/certs/serverCert.pem
  66.     leftsendcert=always
  67.     leftsubnet=0.0.0.0/0
  68.     right=%any
  69.     rightid=%any
  70.     rightauth=eap-mschapv2
  71.     rightdns=8.8.8.8,8.8.4.4
  72.     rightsourceip=10.10.10.0/24
  73.     rightsendcert=never
  74.     eap_identity=%identity
  75. EOF
  76.  
  77. echo '' | sudo tee /etc/strongswan.conf
  78. cat > /etc/strongswan.conf<<-EOF
  79.  charon {
  80.         load_modular = yes
  81.         duplicheck.enable = no
  82.         compress = yes
  83.         plugins {
  84.                 include strongswan.d/charon/*.conf
  85.         }
  86.         dns1 = 8.8.8.8
  87.         dns2 = 8.8.4.4
  88.         nbns1 = 8.8.8.8
  89.         nbns2 = 8.8.4.4
  90.  
  91.         filelog {
  92.         /var/log/strongswan.log {
  93.            time_format = %b %e %T
  94.            default = 2
  95.            append = no
  96.            flush_line = yes
  97.         }
  98. }
  99. }
  100. include strongswan.d/*.conf
  101. EOF
  102.  
  103.  
  104. cat > /etc/ipsec.secrets<<-EOF
  105. ${IP} : RSA "/etc/ipsec.d/private/serverPrivateKey.pem"
  106. ikev2user %any : EAP "ikev2pass"
  107. EOF
  108.  
  109. cat > /etc/sysctl.conf<<-EOF
  110. net.ipv4.ip_forward=1
  111. EOF
  112. sysctl -p
  113. my_interface=$(ip route get 8.8.8.8 | awk '/dev/ {f=NR} f&&NR-1==f' RS=" ")
  114.  
  115. ipsec reload
  116. ufw disable
  117. iptables -P INPUT ACCEPT
  118. iptables -P FORWARD ACCEPT
  119. iptables -F
  120. iptables -Z
  121.  
  122. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  123. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  124. iptables -A INPUT -i lo -j ACCEPT
  125. iptables -A INPUT -p udp --dport  500 -j ACCEPT
  126. iptables -A INPUT -p udp --dport 4500 -j ACCEPT
  127. iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.10.10.0/24 -j ACCEPT
  128. iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
  129. iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o ${my_interface} -m policy --pol ipsec --dir out -j ACCEPT
  130. iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o ${my_interface} -j MASQUERADE
  131.  
  132. iptables-save > /etc/iptables.rules
  133.    cat > /etc/network/if-up.d/iptables<<-EOF
  134. #!/bin/sh
  135. iptables-restore < /etc/iptables.rules
  136. EOF
  137.    chmod +x /etc/network/if-up.d/iptables
  138.  
  139. ipsec restart
  140. ipsec status
  141. chmod +x /etc/rc.local && echo "/usr/local/sbin/ipsec start" >> /etc/rc.local
  142. echo "scp root@${IP}:cacerts/caCert.pem ."
  143. echo "tail -f /var/log/strongswan.log"