- A domain name: for example xyz.wuruxu.cn and resolve to VPS public IP
- VPS: Linode VPS
- Ports 4500/UDP, 500/UDP, 51/UDP and 50/UDP opened in the firewall
openssl >= 1.0.2 is required for enable ECP521/ECP384/ECP256 & ECDSA support
# apt-get install libssl-dev
#./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-af-alg --enable-ccm --enable-chapoly --enable-ctr --enable-gcm --enable-newhope --enable-openssl --enable-aesni --enable-sqlite --enable-dhcp --enable-eap-identity --enable-eap-tls --enable-eap-ttls --enable-eap-mschapv2 --enable-systemd CFLAGS=-O2 --disable-ikev1
1.2.1 clone acme.sh to issue certificate
# git clone https://github.com/Neilpang/acme.sh
ECDSA certiifcate - recommend
# ./acme.sh --issue --standalone -d xyz.wuruxu.cn --keylength ec-384 --server letsencrypt
# ./acme.sh --issue --standalone -d xyz.wuruxu.cn --keylength 4096 --server letsencrypt
# cp ca.cer /etc/ipsec.d/cacerts/
# cp fullchain.cer /etc/ipsec.d/certs/acme_xyz_server.cert.pem
# cp xyz.wuruxu.cn.key /etc/ipsec.d/private/acme_xyz_ecc.pem
###1.3 Configure strongswan server in ipsec.conf, left as 'local', right as 'remote'
# ipsec.conf - strongSwan IPsec configuration file
config setup
uniqueids=never
conn %default
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftfirewall=yes
right=%any
mobike=yes
compress=no
ike=chacha20poly1305-sha512-newhope128,chacha20poly1305-sha512-x25519,aes256-sha512-modp2048,aes128-sha512-modp2048,aes256ccm96-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp2048,aes128-sha1-modp2048!
esp=chacha20poly1305,aes256gcm128,aes128gcm128,aes256ccm128,aes256
# IPv4 connection server config
conn ec4
leftsendcert=always
leftcert=acme_xyz_server.cert.pem
leftid=xyz.wuruxu.cn //same as certificate domain name
leftsubnet=0.0.0.0/0
rightauth=eap-mschapv2
rightsourceip=10.18.0.0/24
rightsendcert=never
eap_identity=%any
auto=add
# IPv6 connection server config
conn ec6
leftsendcert=always
leftcert=nginx.ssl.ipv6.wuruxu.ecc.cer
[email protected]
leftsubnet=0.0.0.0/0,::/0
rightauth=eap-mschapv2
rightsourceip=2001:0909:1818:2d18:1::/80,10.128.0.0/24
rightdns=2001:4860:4860::8888,1.1.1.1
rightsendcert=never
eap_identity=%identity
auto=add
: ECDSA acme_xyz_ecc.pem
user : EAP "userpasswd"
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
enable sysctl rules
# sysctl -p
###1.4 Start strongswan
# iptables -A INPUT -p udp --dport 500 --j ACCEPT
# iptables -A INPUT -p udp --dport 4500 --j ACCEPT
# iptables -A INPUT -p esp -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.18.0.0/24 -o eth0 -j MASQUERADE
# ipsec start
- Linux
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-af-alg --enable-ccm --enable-chapoly --enable-ctr --enable-gcm --enable-newhope --enable-openssl --enable-aesni --enable-sqlite --enable-dhcp --enable-eap-identity --enable-eap-tls --enable-eap-ttls --enable-eap-mschapv2 --enable-systemd CFLAGS=-O2 --disable-ikev1
$ cp /etc/ssl/certs/DST_Root_CA_X3.pem /etc/ipsec.d/cacerts/
# /etc/ipsec.secrets - strongSwan IPsec secrets file
user : EAP "userpasswd"
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
strictcrlpolicy=no
uniqueids = never
conn %default
ikelifetime=3h
keylife=60m
rekeymargin=9m
keyingtries=3
keyexchange=ikev2
ike=chacha20poly1305-sha512-x25519,aes256-sha512-modp4096,aes128-sha512-modp4096,aes256ccm96-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp2048,aes128-sha1-modp2048!
esp=aes256gcm128,aes128gcm128,aes256ccm128,aes256
conn ec4
left=%any
leftfirewall=yes
leftauth=eap-mschapv2
leftid=debian # specifiy the client ID
leftsourceip=%config4
leftikeport = 4500
eap_identity=wuruxu # user in /etc/ipsec.secrets
right=xyz.wuruxu.cn
rightauth=pubkey
rightid=xyz.wuruxu.cn
rightsubnet=0.0.0.0/0
auto=add
conn net0
leftsubnet=192.168.0.0/16
rightsubnet=192.168.0.0/16
authby=never
type=pass
auto=route
conn net1
leftsubnet=10.0.0.0/8
rightsubnet=10.0.0.0/8
authby=never
type=pass
auto=route
# ipsec start
# ipsec up ec4
edit /etc/strongswan.d/charon/kernel-netlink.conf to change mtu size from 0 to 1280
mtu = 1280