
    #ipsec-vpn-server

    教程

    ip检测

    strongSwanVPN android客户端下载

    目录
    ipsec.d/
    ├── buyfakett.mobileconfig
    ├── buyfakett.p12
    ├── buyfakett.sswan
    ├── cert9.db
    ├── ikev2.conf
    ├── ikev2setup.log
    ├── key4.db
    ├── passwd
    ├── pkcs11.txt
    ├── policies
    │   ├── block
    │   ├── clear
    │   ├── clear-or-private
    │   ├── portexcludes.conf
    │   ├── private
    │   └── private-or-clear
    ├── vpnclient.mobileconfig
    ├── vpnclient.p12
    ├── vpnclient.sswan
    └── vpn-gen.env

    #安装

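    #!/bin/bash
    # Install / redeploy the IPsec (IKEv2) VPN server container.
    #
    # On the first run the image's generated /etc/ipsec.d is copied to ./ipsec.d
    # on the host. Every run then (re)creates the ipsec-vpn-server container with
    # that directory bind-mounted, so certificates and credentials survive
    # container replacement.
    #
    # NOTE(review): the image is referenced without a tag or digest, so whatever
    # the registry currently serves is run with --privileged. Pin a version you
    # have reviewed, e.g. buyfakett/hwdsl2-ipsec-vpn-server@sha256:<DIGEST>
    # (<DIGEST> is a placeholder).
    # NOTE(review): --privileged gives the container full access to host devices
    # and kernel settings. The upstream hwdsl2 project documents a non-privileged
    # mode; confirm whether it applies to this image.
    
    echo "Asia/Shanghai" > /etc/timezone
    
    if [ ! -d ./ipsec.d ]; then
        # Throwaway container used only to let the image generate its config.
        # It gets no published ports and no restart policy: nothing should
        # connect to it, and it is removed right after the copy.
        docker run \
            --name copyconfig \
            -d --privileged \
            buyfakett/hwdsl2-ipsec-vpn-server \
            && sleep 10 \
            && docker cp copyconfig:/etc/ipsec.d ./ipsec.d
        docker rm -f copyconfig
    
        # ./ipsec.d holds private material (client .p12 bundles, key4.db, passwd,
        # vpn-gen.env); keep it accessible to the owner only.
        [ -d ./ipsec.d ] && chmod 700 ./ipsec.d
    fi
    
    # The fixed 10-second wait may be too short on a slow host. Stop before the
    # running server is removed rather than replace it with one that cannot start.
    if [ ! -f ./ipsec.d/vpn-gen.env ]; then
        echo "ipsec.d/vpn-gen.env not found; remove ./ipsec.d and run again" >&2
        exit 1
    fi
    
    # Replace any previous instance. A missing container is expected on the first
    # run, so that error is ignored on purpose.
    docker rm -f ipsec-vpn-server >/dev/null 2>&1 || true
    docker run \
        --name ipsec-vpn-server \
        --restart=always \
        --env-file ./ipsec.d/vpn-gen.env \
        -v "$PWD/ipsec.d:/etc/ipsec.d" \
        -p 500:500/udp \
        -p 4500:4500/udp \
        -d --privileged \
        buyfakett/hwdsl2-ipsec-vpn-server
    
    # Show help
    # docker exec -it ipsec-vpn-server /opt/src/ikev2.sh --help
    # Add a client
    # docker exec -it ipsec-vpn-server /opt/src/ikev2.sh --addclient [client name]
    # Remove a client (presumably revoke the certificate first, then delete it; confirm with --help)
    # docker exec -it ipsec-vpn-server /opt/src/ikev2.sh --revokeclient [client name]
    # docker exec -it ipsec-vpn-server /opt/src/ikev2.sh --deleteclient [client name]
    # Check the IPsec VPN server status
    # docker exec -it ipsec-vpn-server ipsec status
    # List the currently established VPN connections
    # docker exec -it ipsec-vpn-server ipsec trafficstatus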

    #客户端导入教程

    # Windows 7: import the .p12 (left commented out; change the path to your own file).
    # NoExport marks the imported private key as non-exportable.
    # certutil -f -importpfx "C:/Users/Administrator/Desktop/chenliming.p12" NoExport
    
    # Windows 8, 10 and 11
    # Replace '服务器IP' with the server address and 'vpn名字' with the connection name.
    # NOTE(review): -AuthenticationMethod MachineCertificate authenticates with a
    # certificate from the local computer store, so the client .p12 presumably has
    # to be imported there first (e.g. with the certutil command above); confirm.
    powershell -command "Add-VpnConnection -ServerAddress '服务器IP' -Name 'vpn名字' -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru"
    
    # Fix the IPsec proposal used by this connection. The values have to match
    # what the server offers, and -Force applies them without a confirmation prompt.
    # NOTE(review): -PfsGroup None turns off perfect forward secrecy for the child
    # (ESP) SAs; presumably this mirrors the server's ikev2.conf. Confirm before changing.
    powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'vpn名字' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"

    #linux命令行连接

    使用networkmanager来控制网络

    Tip

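    由于 Linux 原生不支持服务端默认的加密方式（此处指 IKEv2 的签名认证方式），

    需要在服务端的 ipsec.d/ikev2.conf 中增加 authby=rsa-sha1 配置。该选项使用基于 SHA-1 的 RSA 签名认证，而 SHA-1 已不推荐用于签名，建议仅在 Linux 客户端确实无法连接时再添加。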

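    yum install epel-release -y
    yum --enablerepo=epel install strongswan xl2tpd net-tools -y
    
    # Split the client bundle (test.p12) into the CA certificate, the client
    # certificate and the client private key.
    openssl pkcs12 -in test.p12 -cacerts -nokeys -out ca.cer
    openssl pkcs12 -in test.p12 -clcerts -nokeys -out client.cer
    # -nodes writes the private key unencrypted, so create the file with
    # owner-only permissions whatever the OpenSSL version's defaults are.
    # The umask change is confined to the subshell.
    (umask 077 && openssl pkcs12 -in test.p12 -nocerts -nodes  -out client.key)
    
    # Create the NetworkManager strongSwan connection; xx.xx.xx.xx stands for the
    # server address.
    # NOTE(review): the connection reads the three files from /data, while the
    # openssl commands above write to the current directory. Run them in /data or
    # adjust the paths.
    nmcli c add type vpn ifname -- vpn-type strongswan connection.id VPN-test connection.autoconnect no vpn.data 'address = xx.xx.xx.xx, certificate = /data/ca.cer, encap = no, esp = aes128gcm16, ipcomp = no, method = key, proposal = yes, usercert = /data/client.cer, userkey = /data/client.key, virtual = yes'
    
    nmcli c up VPN-test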