My phone (Windows Phone 8.1 DP) recently gained support for IKEv2 VPN connections,
so I wanted to set up an IKEv2 VPN server on CentOS 6.5 that the phone could connect to.
The VPN server software I use is strongSwan.
It took me a full day of experimenting. There is some material online, but parts of it are not explained clearly, so I had to work by trial and error.
Below are the commands, step by step, for setting up the IKEv2 VPN server, with some annotations (in English).
If you have questions, ask me and I will reply when I have time.
yum install strongswan openssl
# Create CA
## See: http://www.topdog.za.net/2012/08/23/iphone-ipad-mac-osx-ipsec-vpn-with-strongswan-5-on-centos-rhel-6/
cd /etc/pki/tls/misc
## Common Name is arbitrary, e.g. My CA.
./CA -newca
echo 00 > /etc/pki/CA/crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem
ln -s /etc/pki/CA/cacert.pem /etc/strongswan/ipsec.d/cacerts/
ln -s /etc/pki/CA/crl.pem /etc/strongswan/ipsec.d/crls/
# Create the server certificate
## Add extendedKeyUsage and subjectAltName lines under [ usr_cert ] in openssl.cnf.
## See: http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
## E.g:
## extendedKeyUsage = serverAuth
## subjectAltName=IP:your.vpn.server.ip
## or subjectAltName=DNS:your.vpn.server.dns
vim ../openssl.cnf
## Common Name must be equal to the IP or the DNS set in subjectAltName!
## E.g Common Name is your.vpn.server.ip
## Please remember the password. You will use it later in ipsec.secrets.
./CA -newreq
./CA -sign
mv newcert.pem /etc/strongswan/ipsec.d/certs/your.vpn.server.ip.pem
mv newkey.pem /etc/strongswan/ipsec.d/private/your.vpn.server.ip.key
## Add this line to ipsec.secrets:
## : RSA your.vpn.server.ip.key "password of your.vpn.server.ip.key"
vim /etc/strongswan/ipsec.secrets
## If you want to use EAP-MSCHAPV2 for a client "jack" with password "passwd",
## add this line to ipsec.secrets:
## jack : EAP "passwd"
# Create the client certificate
## Comment out the extendedKeyUsage and subjectAltName lines you added to openssl.cnf
## for the server certificate: the client certificate must not carry them.
## Common Name is arbitrary, e.g. Client Test.
./CA -newreq
./CA -sign
## Export for Windows.
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile /etc/pki/CA/cacert.pem -out client.p12
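The server and client certificate steps above, reproduced as an added example (not the post's own commands) with plain openssl invocations instead of the CA script, so the extensions Windows IKEv2 clients require can be checked before the files are copied into /etc/strongswan/ipsec.d. It assumes the openssl CLI is installed; the CA name, vpn.example.test and the export passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA, a server
# certificate with serverAuth EKU + SAN (CN equal to the SAN), and a client
# certificate without those extensions, then verify each one.
# Assumes the openssl CLI is installed; all names below are placeholders.

WORKDIR="$(mktemp -d)"
SERVER_NAME="vpn.example.test"   # used for both the CN and the SAN (placeholder)
P12_PASS="exportpw"              # placeholder passphrase for client.p12

# Throwaway CA (what "./CA -newca" does in the post). The key is left
# unencrypted only because this is a demo; protect a real CA key with a passphrase.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Server certificate: the two extensions the post adds under [ usr_cert ] in
# openssl.cnf are supplied from a small extension file instead.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER_NAME" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$SERVER_NAME" \
    > "$WORKDIR/server.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 730 \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.pem" 2>/dev/null
}

# Client certificate: same CA, no server extensions (the post's "comment them
# out again" step), bundled into a PKCS#12 file for import on Windows.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Client Test" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORKDIR/client.csr" -CA "$WORKDIR/ca.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 730 \
    -out "$WORKDIR/client.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -in "$WORKDIR/client.pem" -inkey "$WORKDIR/client.key" \
    -certfile "$WORKDIR/ca.pem" -passout "pass:$P12_PASS" \
    -out "$WORKDIR/client.p12" 2>/dev/null
}

# Returns 0 when the server cert carries the serverAuth EKU and a DNS SAN
# that is identical to its Common Name (the rule the post insists on).
server_cert_ok() {
  text="$(openssl x509 -in "$WORKDIR/server.pem" -noout -text)"
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  san="$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | head -n 1 | cut -d: -f2)"
  cn="$(openssl x509 -in "$WORKDIR/server.pem" -noout -subject | sed 's/.*CN *= *//')"
  [ -n "$san" ] && [ "$san" = "$cn" ]
}

# Returns 0 when the client cert chains to the CA and has no serverAuth EKU.
client_cert_ok() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/client.pem" >/dev/null 2>&1 || return 1
  ! openssl x509 -in "$WORKDIR/client.pem" -noout -text | grep -q 'TLS Web Server Authentication'
}

make_ca && make_server_cert && make_client_cert
```

Run the two check functions after generating the files; if `server_cert_ok` fails, the CN and SAN disagree or the EKU is missing, which is exactly the situation Windows clients reject with an opaque certificate error.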
# Import the certificate to Windows 7 tutorial:
## http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
# NAT
## 10.71.132.0/24 is the address pool handed to VPN clients; eth0 is the
## internet-facing interface. Neither setting survives a reboot: persist
## ip_forward via /etc/sysctl.conf and the rule via "service iptables save".
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -s 10.71.132.0/24 -o eth0 -j MASQUERADE
# Import client.p12 to Windows Phone 8.1 DP.
## Import through IE or OneDrive.
## Then: go to Windows Phone/Settings/VPN/On/add/Connect using/user name+password/fill "jack" and "passwd"/...
# Example setting files