September 15, 2016

Configure a Linux strongSwan VPN client

1. Generate a VPN client certificate and its private key.
2. /etc/ipsec.conf:
conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    ikelifetime=24h
    lifetime=24h

conn iosIKE2
    keyexchange=ikev2
    left=%defaultroute
    leftcert=vpncert.cert
    leftsourceip=%config
    right=vpnserver.myserver.com
    rightid=%any
    rightsubnet=0.0.0.0/0
    leftauth=rsa
    rightauth=rsa
    rekey=no
    reauth=no
    dpdtimeout=30
    dpdaction=hold
    auto=start

/etc/strongswan.conf (add logging):
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            #default = 1
            # flush each line to disk
            flush_line = yes
        }
    }
}

/etc/ipsec.secrets:
: RSA vpncert.key

Then copy the files into place:
copy the client cert file to /etc/ipsec.d/certs
copy the CA cert files to /etc/ipsec.d/cacerts, one CA cert per file
copy the private key file to /etc/ipsec.d/private

Use ipsec start to start the daemon (the iosIKE2 connection comes up on its own because of auto=start).
Check /var/log/charon.log for the logs.
ipsec stop stops it.
ipsec status (or ipsec statusall) shows the connection status.
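Before running ipsec start it is worth checking that the three directories above actually hold what ipsec.conf and ipsec.secrets refer to, and that the private key is not readable by other users. The following is an added example, not part of the original post: it assumes the file names used above (vpncert.cert under certs/, vpncert.key under private/) and the /etc/ipsec.d layout, takes the base directory as a parameter so it can be pointed at any tree, and uses GNU stat for the permission check (Linux).

```shell
#!/bin/sh
# Pre-flight check for the strongSwan client file layout described in the post.
# Added example, not from the original post. Assumes the /etc/ipsec.d layout
# and the file names vpncert.cert / vpncert.key; the permission check assumes
# GNU stat (Linux).

# usage: check_ipsec_layout BASE_DIR CERT_FILE KEY_FILE
# Prints one line per problem found and returns 1 if there was any.
check_ipsec_layout() {
    base="$1"; cert="$2"; key="$3"; rc=0

    # leftcert= in ipsec.conf is looked up under certs/
    if [ ! -f "$base/certs/$cert" ]; then
        echo "missing client cert: $base/certs/$cert"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$base/certs/$cert"; then
        echo "not a PEM certificate: $base/certs/$cert"; rc=1
    fi

    # the key named in ipsec.secrets (": RSA vpncert.key") is looked up under private/
    if [ ! -f "$base/private/$key" ]; then
        echo "missing private key: $base/private/$key"; rc=1
    else
        if ! grep -q -- 'PRIVATE KEY-----' "$base/private/$key"; then
            echo "not a PEM private key: $base/private/$key"; rc=1
        fi
        # the key must not be readable by group or others (mode x00, e.g. 600)
        mode=$(stat -c %a "$base/private/$key" 2>/dev/null) || mode=unknown
        case "$mode" in
            *00) ;;
            *) echo "private key $key is readable by others (mode $mode)"; rc=1 ;;
        esac
    fi

    # cacerts/ needs at least one file, and each file must hold exactly one CA cert
    n=0
    for f in "$base"/cacerts/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -ne 1 ]; then
            echo "$f must contain exactly one CA certificate"; rc=1
        fi
    done
    [ "$n" -gt 0 ] || { echo "no CA certificates in $base/cacerts"; rc=1; }

    return "$rc"
}

# Check the real layout when invoked as:  sh check_ipsec_layout.sh --run
# (the script name is hypothetical)
if [ "${1:-}" = "--run" ]; then
    check_ipsec_layout /etc/ipsec.d vpncert.cert vpncert.key && echo "layout OK"
fi
```

The one-CA-per-file check matters because strongSwan loads each file in cacerts/ as a single certificate; a bundle with several CAs in one file silently loses all but the first, which is the usual cause of an "no trusted RSA public key found" failure when the server chain has an intermediate.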

With rightsubnet=0.0.0.0/0 above, all traffic goes through the tunnel, so the Linux client is no longer reachable from its local network.
If you need a split tunnel, add the following:
ip rule add from all pref 100 table 100
ip route add 192.168.140.0/24 dev eth0 table 100

192.168.140.0/24 is your local subnet and eth0 is your local network interface.
The rule at priority 100 is consulted before the routing table strongSwan installs for the tunnel, so traffic to the local subnet keeps going out eth0 directly.
