Tools and scripts for deploying a strongSwan IKEv2/IPsec VPN

## Install
- download the strongSwan source on the VPS server
- install the build dependencies: apt-get install build-essential libssl-dev libgmp-dev
- build strongSwan from source: configure (below), make, make install
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var CFLAGS=-O2 --enable-dnscert --enable-ccm --enable-chapoly --enable-ctr --enable-gcm --enable-rdrand --enable-aesni
## IKEv2 & IPsec config
- update the IP variable in the Makefile
- make cert
- make conf
- make install
- start the ipsec service:
ipsec start
- add the following to /etc/sysctl.conf, then run `sysctl -p` to apply it:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
- add iptables rules for Amazon EC2:
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source <vps_eth0_IP>
- add iptables rules for Linode (use whichever of 10.7.0.0/24 or 10.8.0.0/24 is configured as `rightsourceip` in /etc/ipsec.conf):
iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
## Android setup
- install the strongSwan app
- import $(CID).client.cert.p12
- create a new VPN profile:
Gateway: VPS_IP
Type: IKEv2 Certificate
User certificate: select the certificate you just imported
CA certificate: disable automatic selection and select the certificate you just imported