https://pcvogel.sarakura.net/2024/05/01/42720
Alibaba Cloud, system reinstalled with Ubuntu 22.04
You must update first, otherwise the latest packages will not be found:
apt update
apt install charon-systemd strongswan-swanctl
apt install libcharon-extra-plugins libcharon-extauth-plugins
apt install unzip
cp /root/www.moneyslow.com_nginx/www.moneyslow.com_bundle.pem /etc/swanctl/x509/fullchain.pem
cp /root/www.moneyslow.com_nginx/www.moneyslow.com.key /etc/swanctl/private/privkey.pem
Edit the configuration file:
# cat /etc/swanctl/swanctl.conf
connections {
    con-ikev2 {
        version = 2
        proposals = default,aes256gcm16-sha256-modp1024
        unique = never
        dpd_delay = 30s
        send_cert = always
        pools = pool-ipv4
        fragmentation = yes
        local {
            id = www.moneyslow.cn
            certs = fullchain.pem
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            children-ikev2 {
                local_ts = ::/0,0.0.0.0/0
            }
        }
    }
}
pools {
    pool-ipv4 {
        addrs = 192.168.11.128-192.168.11.254
        dns = 8.8.8.8, 8.8.4.4
    }
}
secrets {
    eap-1 {
        id=user1
        secret="123456"
    }
    eap-2 {
        id=user2
        secret="123456"
    }
}
Save the file and restrict its permissions:
chmod 600 swanctl.conf
systemctl enable strongswan
Append the following to the end of /etc/sysctl.conf:
/etc/sysctl.conf
net.ipv4.ip_forward = 1
Apply the setting with the following command:
sysctl -p
ufw enable
ufw allow to any port 4500
ufw allow to any port 500
ufw allow to any proto esp
ufw allow to any proto ah
Append to the end of /etc/ufw/before.rules:
*nat
-A POSTROUTING -s 192.168.11.128/25 -j MASQUERADE
COMMIT
*mangle
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -s 192.168.11.128/25 -m tcpmss --mss 1351:1536 -j TCPMSS --set-mss 1350
COMMIT
In the file /etc/default/ufw,
set DEFAULT_FORWARD_POLICY to ACCEPT.
Then run:
ufw reload
Configure the client and it can connect.
The following are the status query commands:
# swanctl --version
strongSwan swanctl 5.9.5
# After a client connects, you can inspect it as follows:
# List all active SAs (replaces ipsec status)
# swanctl --list-sas
# List loaded connections
# swanctl --list-conns
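Before enabling the service, it is worth auditing the configuration written above. The following shell script is an added example and not part of the original post: it checks the file's permissions, flags the modp1024 group in the proposal, compares the local id with the certificate hostname (the post pairs an id of www.moneyslow.cn with a certificate issued for www.moneyslow.com), and counts short EAP secrets without printing them. The sample configuration it writes is constructed; the CERT_HOST argument, the 12-character threshold and the function names are assumptions.

```shell
# Added audit helper (not from the original post). Assumes POSIX sh with awk and sed,
# GNU or BSD stat, and that CERT_HOST is the hostname in the served certificate.
# audit_swanctl_conf FILE CERT_HOST: prints one line per finding, returns the finding count.
audit_swanctl_conf() {
    conf=$1; cert_host=$2; n=0
    # 1. The file carries EAP passwords, so any group/other permission bit is a finding.
    perm=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    if [ $((perm % 100)) -ne 0 ]; then
        echo "perm: mode $perm on $conf, expected 600"; n=$((n+1))
    fi
    # 2. modp1024 is a 1024-bit DH group; current guidance is 2048 bits or more.
    if grep -Eq '^[[:space:]]*proposals[[:space:]]*=.*modp1024' "$conf"; then
        echo "weak-dh: IKE proposal offers modp1024"; n=$((n+1))
    fi
    # 3. The id inside local { } must match the certificate hostname or clients reject the
    #    gateway (the post pairs a .cn id with a .com certificate).
    local_id=$(awk '/^[[:space:]]*local[[:space:]]*[{]/ {inl=1; next}
        inl && /^[[:space:]]*[}]/ {inl=0}
        inl && /^[[:space:]]*id[[:space:]]*=/ {sub(/^[^=]*=[[:space:]]*/, ""); print; exit}' "$conf")
    if [ "$local_id" != "$cert_host" ]; then
        echo "id-mismatch: local id '$local_id' vs certificate host '$cert_host'"; n=$((n+1))
    fi
    # 4. One finding per EAP secret shorter than 12 characters; the values are never printed.
    short=$(sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$conf" |
        awk 'length($0) < 12' | wc -l | tr -d ' ')
    [ "$short" -gt 0 ] && echo "weak-secret: $short EAP secret(s) shorter than 12 chars"
    n=$((n+short))
    return $n
}
# make_sample_conf FILE: writes a constructed config mirroring the post's layout
# (deliberately world-readable so a dry run shows every finding).
make_sample_conf() {
    cat > "$1" <<'EOF'
connections {
    con-ikev2 {
        proposals = default,aes256gcm16-sha256-modp1024
        local {
            id = www.moneyslow.cn
            certs = fullchain.pem
        }
    }
}
secrets {
    eap-1 { id=user1
        secret="123456" }
    eap-2 { id=user2
        secret="123456" }
}
EOF
    chmod 644 "$1"
}
```

Run it as `audit_swanctl_conf /etc/swanctl/swanctl.conf www.example.com` on the real file; a non-zero exit status is the number of findings.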