2. /etc/ipsec.conf
conn %default
    # Settings inherited by every conn in this file.
    keyexchange=ikev2
    # Dead-peer detection: probe the server every 300s; "clear" tears the SA
    # down when it stops answering (iosIKE2 below overrides this with hold).
    dpdaction=clear
    dpddelay=300s
    # rekey=no: the SA is not renegotiated when the 24h lifetimes below run
    # out; it expires instead. Consider rekey=yes if the tunnel is meant to
    # stay up unattended.
    rekey=no
    ikelifetime=24h
    lifetime=24h
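conn iosIKE2
    keyexchange=ikev2
    # Local side: use the interface of the default route, authenticate with
    # the certificate from /etc/ipsec.d/certs and request a virtual IP.
    left=%defaultroute
    leftcert=vpncert.cert
    leftsourceip=%config
    # Remote side: the VPN gateway. rightid pins the identity the server must
    # present in its certificate (a SAN or DN). The original used rightid=%any,
    # which accepts any certificate that chains to a CA in /etc/ipsec.d/cacerts,
    # i.e. any host with a cert from that CA could impersonate the gateway.
    # If the server certificate carries a different identity, put that value
    # here instead of falling back to %any.
    right=vpnserver.myserver.com
    rightid=vpnserver.myserver.com
    # 0.0.0.0/0: send all traffic through the tunnel (see the split-tunnel
    # section at the end to keep the local subnet reachable).
    rightsubnet=0.0.0.0/0
    # Certificate authentication in both directions.
    leftauth=rsa
    rightauth=rsa
    # No ike=/esp= proposals are set, so the strongSwan defaults apply; pin
    # them explicitly once you know which suite the server supports.
    rekey=no
    reauth=no
    # DPD: 30s without a reply is a dead peer; "hold" keeps the policy in
    # place and renegotiates on demand instead of clearing it as in %default.
    dpdtimeout=30
    dpdaction=hold
    # Bring the tunnel up as soon as the daemon starts.
    auto=start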
/etc/strongswan.conf: add file logging so negotiations can be reviewed
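charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # keep earlier log lines across daemon restarts instead of
            # truncating the file (append = no wipes exactly the history you
            # need when investigating a failed or suspicious negotiation);
            # rotate with logrotate if the file grows too large
            append = yes
            # loglevel for all daemon subsystems (1 is the default); uncomment
            # and raise it only while debugging: levels 3-4 dump raw packets
            # and sensitive material such as keys into this file
            #default = 1
            # flush each line to disk
            flush_line = yes
        }
    }
}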
/etc/ipsec.secrets:
# Private key matching leftcert=vpncert.cert; a bare file name is looked up
# under /etc/ipsec.d/private. Keep this file and the key root-owned, mode 0600:
# anyone who can read the key can authenticate as this client.
: RSA vpncert.key
Then copy the client certificate to /etc/ipsec.d/certs, the CA certificate(s) to /etc/ipsec.d/cacerts (one CA certificate per file), and the private key to /etc/ipsec.d/private. The private key and /etc/ipsec.secrets should be owned by root with mode 0600, since whoever can read them can impersonate this client.
Start the daemon with `ipsec start` and watch /var/log/charon.log for the negotiation log; stop it with `ipsec stop`; use `ipsec status` (or `ipsec statusall`) to see the state of the connections and SAs.
With rightsubnet=0.0.0.0/0 all traffic, including traffic to the local LAN, is sent through the tunnel, so the Linux client is no longer reachable from (or able to reach) other hosts on its local subnet. If you need a split tunnel that keeps the local subnet outside the VPN, add the following (these ip commands are not persistent and must be re-applied after a reboot):
# Split tunnel: consult table 100 for every source before the table strongSwan
# installs its tunnel routes in (table 220 at priority 220 by default), so the
# route below wins for the local subnet and everything else still hits the VPN.
ip rule add from all pref 100 table 100
# Route the local subnet directly via the LAN interface. Adjust the subnet and
# interface to match the machine; neither command survives a reboot on its own.
ip route add 192.168.140.0/24 dev eth0 table 100
192.168.140.0/24 is your local subnet and eth0 is your local network interface; adjust both to your machine. Only that subnet bypasses the tunnel, and every host on it then talks to the client outside the VPN, which is fine on a trusted LAN but not on an untrusted one.