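#!/bin/bash
# Stand up a strongSwan IKEv2 "road warrior" VPN on a Debian/Ubuntu host:
# a self-signed CA, a server certificate issued by it, and one user
# authenticated with EAP-MSCHAPv2.
#
# Usage: run as root on the VPN host. It prompts for the VPN host name/IP
# (default: the address that routes to the Internet; 192.168.59.130 was the
# VMware VM this was written for), a user name and a password.
#
# Side effects: installs packages; writes /etc/ipsec.d/{private,cacerts,certs},
# /etc/ipsec.secrets, /etc/ipsec.conf and /etc/sysctl.d/99-ipsec-vpn.conf;
# adds an iptables MASQUERADE rule; restarts strongswan.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must run as root"

# Virtual address pool handed out to clients. A dedicated private pool is
# required: rightsourceip=0.0.0.0/0 is not a usable pool, and the NAT rule
# below has to match the client source addresses.
VPN_POOL="10.10.10.0/24"
VPN_DNS="8.8.8.8"

# Address/interface that carry traffic to the Internet, taken from the
# kernel's route lookup (no dependency on net-tools' deprecated `route`).
DEFAULT_IP="$(ip -o route get to 1.1.1.1 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')"
DEFAULT_IFACE="$(ip -o route get to 1.1.1.1 | sed -n 's/.*dev \([^ ]\+\).*/\1/p')"
[[ -n "$DEFAULT_IFACE" ]] || die "could not determine the default interface"

# Prompts come BEFORE certificate generation: the CA/server certificate must
# carry the same name as leftid, otherwise clients reject the server identity.
HOST_NAME="${DEFAULT_IP:-192.168.59.130}"
read -r -e -i "$HOST_NAME" -p "VPN host name or IP: " HOST_NAME
[[ -n "$HOST_NAME" ]] || die "VPN host name must not be empty"

VPN_USER="VPN"
read -r -e -i "$VPN_USER" -p "VPN user name: " VPN_USER
[[ -n "$VPN_USER" ]] || die "VPN user name must not be empty"

# -s: the password is not echoed to the terminal. It still has to be stored
# in clear text in /etc/ipsec.secrets (EAP-MSCHAPv2), which is made
# root-only below. No weak built-in default: an empty password is rejected.
read -r -s -p "VPN password: " VPN_PASS
printf '\n'
[[ -n "$VPN_PASS" ]] || die "VPN password must not be empty"
[[ "$VPN_PASS" != *'"'* ]] || die 'VPN password must not contain a double quote (ipsec.secrets syntax)'

export DEBIAN_FRONTEND=noninteractive
# libcharon-extra-plugins provides the eap-mschapv2 plugin; iptables is used
# for the MASQUERADE rule below.
apt-get install -y strongswan strongswan-pki libcharon-extra-plugins iptables

# Everything created from here on (private keys, secrets) is root-only by
# default; public certificates and ipsec.conf are opened up explicitly.
umask 077

# --- PKI: one self-signed CA and one server certificate issued by it.
ipsec pki --gen --size 4096 --type rsa --outform pem \
  > /etc/ipsec.d/private/ca.key.pem
# The CA gets a DN distinct from the server's so the two certificates are
# not confused during chain building on the client.
ipsec pki --self --in /etc/ipsec.d/private/ca.key.pem --type rsa \
  --dn "CN=$HOST_NAME VPN CA" --ca --lifetime 3650 --outform pem \
  > /etc/ipsec.d/cacerts/ca.cert.pem
ipsec pki --gen --size 4096 --type rsa --outform pem \
  > /etc/ipsec.d/private/server.key.pem
# Exactly one SAN, equal to leftid (the original passed a second, garbled
# `-san=”…”` argument with typographic quotes). serverAuth + ikeIntermediate
# are the EKU flags built-in IKEv2 clients expect on the server certificate.
ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa \
  | ipsec pki --issue --lifetime 3650 \
      --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
      --cakey /etc/ipsec.d/private/ca.key.pem \
      --dn "CN=$HOST_NAME" --san "$HOST_NAME" \
      --flag serverAuth --flag ikeIntermediate --outform pem \
  > /etc/ipsec.d/certs/server.cert.pem
chmod 600 /etc/ipsec.d/private/ca.key.pem /etc/ipsec.d/private/server.key.pem
chmod 644 /etc/ipsec.d/cacerts/ca.cert.pem /etc/ipsec.d/certs/server.cert.pem

# --- credentials. Written with printf rather than an unquoted here-doc so a
# password containing `$` or backticks is stored literally, not expanded.
{
  printf ': RSA "/etc/ipsec.d/private/server.key.pem"\n'
  printf '%s : EAP "%s"\n' "$VPN_USER" "$VPN_PASS"
} > /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets

# --- connection definition.
# forceencaps=yes: always UDP-encapsulate ESP (works through NAT without
# relying on NAT detection). rightsendcert=never: clients authenticate with
# EAP, not certificates. eap_identity=%identity: the EAP identity is looked
# up in ipsec.secrets, whatever IKE identity the client presents.
#
# Cipher proposals: the AEAD/ECDH entries come first and are what current
# clients negotiate. 3DES was removed entirely. The trailing
# aes256-sha1-modp1024 / aes256-sha1 entries are weak (SHA-1, 1024-bit DH)
# and are kept only as a last resort for built-in clients that propose
# nothing stronger — drop them once all your clients support the others.
cat > /etc/ipsec.conf <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 0, net 1"
    strictcrlpolicy=no
    uniqueids=yes
    cachecrls=no

conn ipsec-ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=$HOST_NAME
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=$VPN_POOL
    rightdns=$VPN_DNS
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1!
EOF
chmod 644 /etc/ipsec.conf

# --- kernel settings, only what an IPv4 VPN gateway needs: forwarding on,
# ICMP redirects neither accepted nor sent. Placed in sysctl.d so the host's
# own /etc/sysctl.conf is not overwritten (the original `cat > /etc/sysctl.conf`
# discarded every existing setting). IPv6 forwarding is not enabled because
# the client pool is IPv4-only.
cat > /etc/sysctl.d/99-ipsec-vpn.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
chmod 644 /etc/sysctl.d/99-ipsec-vpn.conf
sysctl -p /etc/sysctl.d/99-ipsec-vpn.conf

# --- NAT: without masquerading, forwarded client traffic leaves with pool
# addresses and never gets answered. `-C` first so re-running the script
# does not stack duplicate rules (its stderr is silenced on purpose).
# NOTE(review): the rule is not persisted across reboots; use
# netfilter-persistent or your firewall tool for that.
iptables -t nat -C POSTROUTING -s "$VPN_POOL" -o "$DEFAULT_IFACE" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$DEFAULT_IFACE" -j MASQUERADE

systemctl restart strongswan
systemctl --no-pager status strongswan
printf 'IKEv2 VPN configured: server %s, user %s. Install /etc/ipsec.d/cacerts/ca.cert.pem on clients.\n' \
  "$HOST_NAME" "$VPN_USER"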