September 15, 2016

configure Linux strongSwan VPN client

1. generate a VPN client certificate and its private key
2. /etc/ipsec.conf
conn %default

conn iosIKE2

/etc/strongswan.conf : add logging (the filelog section is a sibling of plugins inside charon, and every brace must be closed)
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                /var/log/charon.log {
                        # add a timestamp prefix
                        time_format = %b %e %T
                        # prepend connection name, simplifies grepping
                        ike_name = yes
                        # overwrite existing files
                        append = no
                        # increase default loglevel for all daemon subsystems
                        #default = 1
                        # flush each line to disk
                        flush_line = yes
                }
        }
}

/etc/ipsec.secrets : reference the private key (the file is looked up in /etc/ipsec.d/private)
: RSA vpncert.key

copy the cert file to /etc/ipsec.d/certs
copy the CA certs file to /etc/ipsec.d/cacerts, one CA cert per file
copy the private key file to /etc/ipsec.d/private

ipsec start to start the daemon
check /var/log/charon.log to see the logs
ipsec stop to stop
ipsec status (or ipsec statusall) to show connection status.
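Because the filelog section above sets time_format and ike_name = yes, every charon.log line carries a timestamp, the thread and subsystem, and (for IKE_SA messages) the connection name. The following is an added example, not part of the original post, that parses that layout and counts established SAs and failed authentications per connection; the sample log lines are constructed, not captured output.

```python
import re
from collections import defaultdict

# Layout produced by the strongswan.conf above:
# "<time_format> <thread>[<group>] <conn|ike_id> message"
# The "<conn|ike_id>" part only appears with ike_name = yes on lines that
# belong to an IKE_SA. %e pads the day with a space, hence " {1,2}".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d{2})\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> )?"
    r"(?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of one charon.log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(lines):
    """Per connection name: count IKE_SA/CHILD_SA establishment and auth failures."""
    stats = defaultdict(lambda: {"ike_sa_established": 0,
                                 "child_sa_established": 0, "auth_failed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["conn"] is None:
            continue  # unparsable or daemon-level line without a connection name
        msg, s = rec["msg"], stats[rec["conn"]]
        if msg.startswith("IKE_SA") and "established" in msg:
            s["ike_sa_established"] += 1
        elif msg.startswith("CHILD_SA") and "established" in msg:
            s["child_sa_established"] += 1
        elif "authentication of" in msg and "failed" in msg:
            s["auth_failed"] += 1
    return dict(stats)

# Constructed sample in the configured format (hostnames/addresses are placeholders).
SAMPLE_LOG = """\
Sep 15 12:00:01 00[DMN] Starting IKE charon daemon (strongSwan 5.x, Linux)
Sep 15 12:00:05 07[IKE] <iosIKE2|1> initiating IKE_SA iosIKE2[1] to 203.0.113.10
Sep 15 12:00:05 07[IKE] <iosIKE2|1> authentication of 'vpn.example.org' with RSA signature successful
Sep 15 12:00:05 07[IKE] <iosIKE2|1> IKE_SA iosIKE2[1] established between 192.0.2.20[client]...203.0.113.10[vpn.example.org]
Sep 15 12:00:06 07[IKE] <iosIKE2|1> CHILD_SA iosIKE2{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 192.0.2.20/32 === 0.0.0.0/0
Sep 15 12:05:30 09[IKE] <iosIKE2|2> authentication of 'vpn.example.org' with RSA signature failed
"""

if __name__ == "__main__":
    for conn, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(conn, s)
```

Run it against the real file with summarize(open("/var/log/charon.log")) to spot a connection that keeps failing authentication without ever establishing an SA.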

With the above, once the tunnel is up all of the client's traffic goes through it, so the Linux client computer is no longer reachable from its local network.
If you need a split tunnel, add a policy-routing rule that keeps the local subnet on the LAN interface:
ip rule add from all pref 100 table 100
ip route add <local subnet> dev eth0 table 100
Replace <local subnet> with your local subnet (e.g. a /24 prefix) and eth0 with your local network interface. strongSwan installs its own rule for routing table 220 at priority 220, so the pref 100 rule is consulted first and local traffic bypasses the tunnel.
