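# Gateway identity (URL or IP) the clients connect to. It becomes the CN and
# SAN of the server certificate below so clients can verify the gateway.
site_ip_url="kkk.com"

# CA: private key plus a self-signed CA certificate. No --lifetime or key
# size is given, so `ipsec pki` defaults apply.
ipsec pki --gen --outform pem >ca.pem
ipsec pki --self --in ca.pem --dn "C=AU,O=Internet Widgits Pty Ltd,CN=My CA" --ca --outform pem >ca.cert.pem

# Server: key, then a certificate issued by the CA. CN and --san carry the
# gateway identity; serverAuth / ikeIntermediate are the EKU flags the client
# platforms require (see the notes below).
ipsec pki --gen --outform pem >server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=AU,O=Internet Widgits Pty Ltd,CN=$site_ip_url" --san="$site_ip_url" --flag serverAuth --flag ikeIntermediate --outform pem >server.cert.pem

# Client key and certificate. The CA material is read from its installed
# location here, so this step assumes the cp commands further down have run.
ipsec pki --gen --outform pem >client.pem
# Only prints the server public key to stdout; nothing below consumes it.
ipsec pki --pub --in server.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.pem --dn "C=AU,O=Internet Widgits Pty Ltd,CN=my ikev2 client" --outform pem >client.cert.pem

# PKCS#12 bundle (client key + cert + CA cert) for import on the device.
# openssl prompts for the export password; the .p12 contains the private key.
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "my ikev2 client" -certfile /etc/ipsec.d/cacerts/ca.cert.pem -caname "$site_ip_url" -out client.cert.p12

# Files created through redirection get the default umask (typically 022),
# which leaves the private keys world-readable; tighten them.
chmod 600 -- ca.pem server.pem client.pem client.cert.p12

# transform: base64 the bundle for transport over a text channel, then decode
# it on the receiving Mac (`-D` is the macOS decode flag; GNU coreutils uses -d).
base64 <client.cert.p12
base64 -D <kk.base64 >client.cert.p12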
这句话的意思是从私钥里把公钥提取出来
--issue /--cacert/--cakey就是表明用刚才自签的CA证书来签这个服务器证书
--dn/--san/--flag 是一些客户端的特殊要求
Ios客户端要求CN(通用名)必须是你的服务器的URL或IP地址
Windows7不但要求了上面,还要求必须显示说明这个服务器证书的用途(用于服务器证书)--flag serverAuth;
非 iOS 的 Mac OS X 要求了「IP 安全网络密钥互换居间 (IP Security IKE Intermediate)」这种增强型密钥用法 (EKU),--flag ikeIntermediate;
Android 和 iOS 都要求服务器证书的备用名称 (subjectAltName) 就是服务器的 URL 或 IP 地址,--san。
# Install the generated material where charon looks for it. Note that ca.pem
# is the CA *signing* key: none of the conn definitions below reads it (only
# the client-certificate issuance step above does), so the VPN gateway is not
# a good place to keep it once client certificates have been issued.
cp -- ca.cert.pem /etc/ipsec.d/cacerts
cp -- server.pem ca.pem /etc/ipsec.d/private
cp -- server.cert.pem /etc/ipsec.d/certs
# Edit the connection definitions by hand (see the conn sections below).
vi /etc/ipsec.conf
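# IKEv2 road-warrior conn for iOS: gateway authenticates with a PSK, the
# user with EAP-MSCHAPv2. ipsec.conf requires section parameters to be
# indented, so every line below is indented.
conn iOS_ikev2
  keyexchange=ikev2
  # Proposal lists; the trailing '!' makes them strict (no default fallback).
  # modp1024, 3des and sha1 are legacy-weak: keep them only for clients that
  # offer nothing better, and list a stronger proposal (e.g. modp2048) first.
  ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
  esp=aes256-sha256,3des-sha1,aes256-sha1!
  # Dead-peer detection: after 300s of silence, tear state down without retry.
  dpdaction=clear
  dpddelay=300s
  rekey=no
  mobike=yes
  fragmentation=yes
  #left
  left=%any
  leftsubnet=0.0.0.0/0
  # Gateway side authenticates with the PSK from ipsec.secrets; no leftcert is
  # loaded for this conn.
  leftauth=psk
  # Author's note: keep this identical to the server certificate's CN and SAN.
  leftid=forum.org.cn
  #right
  right=%any
  # NOTE(review): %config requests an address rather than defining a pool —
  # confirm this is what the responder side needs (cf. the explicit
  # 10.31.2.0/24 pool in the windows7 conn).
  rightsourceip=%config
  rightauth=eap-mschapv2
  rightsendcert=never
  eap_identity=%any
  auto=add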
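# IKEv2 road-warrior conn for Android: gateway authenticates with its
# certificate, the user with EAP-MSCHAPv2. ipsec.conf requires section
# parameters to be indented, so every line below is indented.
conn Android_ikev2
  keyexchange=ikev2
  # Strict proposal lists ('!'). modp1024, 3des and sha1 are legacy-weak;
  # keep them only for clients that offer nothing better and prefer a
  # stronger proposal (e.g. modp2048) first.
  ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
  esp=aes256-sha256,3des-sha1,aes256-sha1!
  # Dead-peer detection: after 300s of silence, tear state down without retry.
  dpdaction=clear
  dpddelay=300s
  rekey=no
  mobike=yes
  fragmentation=yes
  #left
  left=%any
  leftsubnet=0.0.0.0/0
  # Gateway authenticates with server.cert.pem (from /etc/ipsec.d/certs) and
  # always sends it so the client can validate against the CA certificate.
  leftauth=pubkey
  leftcert=server.cert.pem
  leftsendcert=always
  # NOTE(review): leftid must match the CN/SAN of leftcert; the certificate
  # generated above used $site_ip_url (kkk.com) — confirm these agree.
  leftid=emmdemo.jianq.com
  #right
  right=%any
  # NOTE(review): %config requests an address rather than defining a pool —
  # confirm this is what the responder side needs.
  rightsourceip=%config
  rightauth=eap-mschapv2
  rightsendcert=never
  eap_identity=%any
  auto=add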
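# Gateway identity; it becomes the CN/SAN of the server certificate and must
# match leftid in ipsec.conf (the windows7 conn below uses the same value).
site_url=xxx.com

# CA: private key plus a self-signed CA certificate valid for 3650 days.
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=CN, O=MyNetCompany, CN=My CA" --ca --lifetime 3650 --outform pem >ca.cert.pem

# Server: key, exported public key (referenced by leftsigkey below) and a
# 365-day certificate issued by the CA with the EKU flags the client
# platforms require.
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem --outform pem > server.pub.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --lifetime 365 --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=MyNetCompany, CN=$site_url" --san="$site_url" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

# Client: key and certificate (default lifetime, no EKU flags).
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=MyNetCompany, CN=My Client" --outform pem > client.cert.pem

# PKCS#12 bundle for the device; openssl prompts for the export password and
# the .p12 contains the client private key.
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "My Client" -certfile ca.cert.pem -caname "$site_url" -out client.cert.p12

# Files created through redirection get the default umask (typically 022),
# which leaves the private keys world-readable; tighten them.
chmod 600 -- ca.pem server.pem client.pem client.cert.p12

# Base64 the bundle for transport over a text channel.
base64 < client.cert.p12 > client.b64
# Decode on the device (macOS spelling of the flag; GNU coreutils uses -d):
#base64 -D < client.b64 > client.cert.p12

# Install for charon. Only ca.cert.pem, server.pem, server.cert.pem and
# server.pub.pem are referenced by the windows7 conn and ipsec.secrets below.
# ca.pem (the CA signing key) and client.pem (the client's private key) are
# not needed on the gateway; consider dropping those two copies once the
# client bundle has been handed out, since their presence widens the impact
# of a gateway compromise.
cp -- ca.cert.pem /etc/ipsec.d/cacerts/
cp -- ca.pem /etc/ipsec.d/private/
cp -- server.cert.pem /etc/ipsec.d/certs/
cp -- server.pub.pem /etc/ipsec.d/certs/
cp -- server.pem /etc/ipsec.d/private/
cp -- client.cert.pem /etc/ipsec.d/certs/
cp -- client.pem /etc/ipsec.d/private/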
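# IKEv2 road-warrior conn for Windows 7: gateway authenticates with its
# certificate, the user with EAP-MSCHAPv2, virtual IPs from 10.31.2.0/24.
# ipsec.conf requires section parameters to be indented.
conn windows7
  keyexchange=ikev2
  # Let the updown script insert firewall rules for the tunnel.
  leftfirewall=yes
  # Strict proposal lists ('!'). modp1024, 3des and sha1 are legacy-weak;
  # keep them only for clients that offer nothing better and prefer a
  # stronger proposal (e.g. modp2048) first.
  ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
  esp=aes256-sha256,3des-sha1,aes256-sha1!
  rekey=no
  #left=%defaultroute
  left=%any
  #leftid=45.33.40.241
  # Must match the CN/SAN of leftcert ($site_url above).
  leftid=xxx.com
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftcert=server.cert.pem
  # NOTE(review): leftcert already carries the gateway's public key, so this
  # raw-key reference may be redundant — confirm it is still needed.
  leftsigkey=server.pub.pem
  right=%any
  rightauth=eap-mschapv2
  # NOTE(review): a fixed rightsubnet alongside rightsourceip looks
  # contradictory for road warriors (the client's traffic selector would be
  # 192.168.0.0/24 while its virtual IP comes from 10.31.2.0/24) — confirm.
  rightsubnet=192.168.0.1/24
  rightsourceip=10.31.2.0/24
  rightsendcert=never
  eap_identity=%any
  dpdaction=clear
  fragmentation=yes
  auto=add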
# /etc/ipsec.secrets — plaintext secrets; keep this file readable by root only.
# Private key for leftcert=server.cert.pem; a relative path is resolved
# against /etc/ipsec.d/private, where server.pem was copied above.
: RSA server.pem
# Pre-shared key accepted from any peer (used by the leftauth=psk conn).
# The value is a tutorial placeholder: replace it with a long random secret.
%any : PSK "12keifu"
# EAP-MSCHAPv2 user credential; again a placeholder — use a strong password.
name : EAP "1234567890"