Setting up an IKEv2 VPN Server on CentOS - Linux

By Catherine
at 2014-04-17T23:42

My phone (Windows Phone 8.1 DP) recently gained support for the IKEv2 VPN protocol,
so I wanted to set up an IKEv2 VPN server on CentOS 6.5 so that the phone could connect to it.
The VPN server software I use is strongswan.
It took me a whole day of trying before I got it working. There is some information online, but some of it is not explained clearly, so it came down to trial and error.
Below I have written out the commands and steps for configuring the IKEv2 VPN server, along with some comments (in English).
If you have questions, ask me and I will reply when I have time.

## On CentOS 6 the strongswan package comes from the EPEL repository.
yum install strongswan openssl

# Create CA
## See: http://www.topdog.za.net/2012/08/23/iphone-ipad-mac-osx-ipsec-vpn-with-strongswan-5-on-centos-rhel-6/
cd /etc/pki/tls/misc
## Common Name is arbitrary, e.g. My CA.
./CA -newca
echo 00 > /etc/pki/CA/crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem
ln -s /etc/pki/CA/cacert.pem /etc/strongswan/ipsec.d/cacerts/
ln -s /etc/pki/CA/crl.pem /etc/strongswan/ipsec.d/crls/

# Create the server certificate
## Add extendedKeyUsage and subjectAltName lines under [ usr_cert ] in openssl.cnf.
## See: http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
## E.g.:
## extendedKeyUsage = serverAuth
## subjectAltName=IP:your.vpn.server.ip
## or subjectAltName=DNS:your.vpn.server.dns
vim ../openssl.cnf

## Common Name must be equal to the IP or the DNS name set in subjectAltName!
## E.g. Common Name is your.vpn.server.ip
## Please remember the password. You will use it later in ipsec.secrets.
./CA -newreq
./CA -sign
mv newcert.pem /etc/strongswan/ipsec.d/certs/your.vpn.server.ip.pem
mv newkey.pem /etc/strongswan/ipsec.d/private/your.vpn.server.ip.key
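
The certificate requirements from the steps above (serverAuth EKU, a subjectAltName equal to the Common Name, signed by your CA) can be produced and checked non-interactively. This is an added example, not code from the original post; it assumes openssl is in PATH and uses placeholder names for the working directory and the VPN identity.

```shell
#!/bin/sh
# Added example, not part of the original post: build a CA and a server
# certificate with the extensions Windows IKEv2 clients need (serverAuth EKU,
# subjectAltName equal to the CN) using plain openssl commands instead of the
# interactive ./CA script, then verify the result. Assumes openssl in PATH.

# make_vpn_certs DIR VPN_ID SAN_TYPE   (SAN_TYPE is IP or DNS; all placeholders)
make_vpn_certs() {
    dir=$1; vpn_id=$2; san_type=$3
    mkdir -p "$dir"
    # CA: the Common Name is arbitrary, but the certificate must be marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=My CA" \
        -keyout "$dir/cakey.pem" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca_ext.cnf"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/cakey.pem" -days 3650 \
        -extfile "$dir/ca_ext.cnf" -out "$dir/cacert.pem" 2>/dev/null
    # Server certificate: the CN must equal the value placed in subjectAltName.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$vpn_id" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=%s:%s\n' "$san_type" "$vpn_id" > "$dir/srv_ext.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/srv_ext.cnf" -out "$dir/server.pem" 2>/dev/null
}

# check_vpn_cert CERT [CAFILE]: returns 0 only if CERT carries the serverAuth
# EKU, a subjectAltName containing its own CN, and chains to CAFILE.
check_vpn_cert() {
    cert=$1; ca=${2:-$(dirname "$cert")/cacert.pem}
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    cn=$(openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *//p')
    echo "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: missing extendedKeyUsage=serverAuth"; return 1; }
    echo "$text" | grep -A1 'Subject Alternative Name' | grep -qF "$cn" \
        || { echo "FAIL: subjectAltName does not contain CN '$cn'"; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not chain to $ca"; return 1; }
    echo "OK: $cert (CN=$cn)"
}
```

Run `check_vpn_cert /etc/strongswan/ipsec.d/certs/your.vpn.server.ip.pem /etc/pki/CA/cacert.pem` against a certificate made with the ./CA script to confirm it meets the same requirements.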

## Add this line to ipsec.secrets:
## : RSA your.vpn.server.ip.key "password of your.vpn.server.ip.key"
vim /etc/strongswan/ipsec.secrets
## If you want to use EAP-MSCHAPV2 for a client "jack" with the password "passwd",
## add this line to ipsec.secrets:
## jack : EAP "passwd"

# Create the client certificate
## Comment out the extendedKeyUsage and subjectAltName lines added to openssl.cnf for the server certificate!
## Common Name is arbitrary, e.g. Client Test.
./CA -newreq
./CA -sign
## Export for Windows.
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile /etc/pki/CA/cacert.pem -out client.p12

# Import the certificate to Windows 7 tutorial:
## http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

# NAT
## eth0 is the Internet-facing interface and the subnet must match rightsourceip in ipsec.conf.
## Both settings are lost on reboot: persist them with net.ipv4.ip_forward = 1 in
## /etc/sysctl.conf and "service iptables save".
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -s 10.71.132.0/24 -o eth0 -j MASQUERADE

# Import client.p12 to Windows Phone 8.1 DP.
## Import through IE or OneDrive.
## Then: go to Windows Phone/Settings/VPN/On/add/Connect using/user name+password/fill "jack" and "passwd"/...

# Example setting files
--------------------------- ipsec.conf -------------------------
# basic configuration
config setup

# Add connections here.
# Parameters of a section must be indented; a line starting in column 1
# begins a new section.
conn %default
    keyexchange=ikev2
    # The trailing "!" makes the proposal strict (only these algorithms).
    # modp1024 and sha1 are weak by today's standards; try modp2048/sha256
    # if the client accepts them.
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftfirewall=yes
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=your.vpn.server.ip.pem
    # Must match the Common Name / subjectAltName of the server certificate.
    leftid=your.vpn.server.ip
    right=%any
    # Address pool handed to clients; must match the NAT rule above.
    rightsourceip=10.71.132.1/24
    auto=add

conn win-pubkey
    rightauth=pubkey
    eap_identity=%any

conn win-eap-mschapv2
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
--------------------------- ipsec.secrets -------------------------
: RSA your.vpn.server.ip.key "password of your.vpn.server.ip.key"
jack : EAP "passwd"

--------------------------- strongswan.conf -------------------------
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    # Set the DNS server handed to clients.
    dns1 = 8.8.8.8
    #dns2 = x.x.x.x
}

include strongswan.d/*.conf

Tags: Linux

最近多了三個新的工作機會 工作職稱:Software Engineer - Kernel 工作內容:http://bit.ly/1eyHZDC Linux 系統相關偏底層 工作地點:台北 101 大樓 工作職稱:Software Engineer 工作內容:http://bit.ly/1eyI0aD Ub ...