![\"\"\/](\"https:\/\/cdn.aeink.com\/\/content\/uploadfile\/202208\/AEimg-1660791160-14.png\")
<\/a><\/figure>\n\n\n\n\u670d\u52a1\u5668\u91cd\u542f\u540e\u9ed8\u8ba4ipsec\u4e0d\u4f1a\u81ea\u542f\u52a8\uff0c\u8bf7\u81ea\u884c\u6dfb\u52a0\uff0c\u6216\u4f7f\u7528\u547d\u4ee4\u624b\u52a8\u5f00\u542f\uff1a<\/p>\n\n\n\n
\u542f\u52a8\u65f6\u95f4<\/p>\n\n\n\n
ipsec start<\/pre>\n\n\n\n\u8fde\u4e0a\u670d\u52a1\u5668\u540e\u65e0\u6cd5\u94fe\u63a5\u5916\u7f51\uff1a<\/p>\n\n\n\n
vim \/etc\/sysctl.conf<\/p>\n\n\n\n
vim \/etc\/sysctl.conf\n\n\u4fee\u6539net.ipv4.ip_forward=1\u540e\u4fdd\u5b58\u5e76\u5173\u95ed\u6587\u4ef6 \u7136\u540e\u4f7f\u7528\u4ee5\u4e0b\u6307\u4ee4\u5237\u65b0sysctl\uff1a\n\nsysctl -p<\/pre>\n\n\n\n\u5982\u9047\u62a5\u9519\u4fe1\u606f\uff0c\u8bf7\u91cd\u65b0\u6253\u5f00\/etc\/syctl\u5e76\u5c06\u62a5\u9519\u7684\u90a3\u4e9b\u4ee3\u7801\u7528#\u53f7\u6ce8\u91ca\uff0c\u4fdd\u5b58\u540e\u518d\u5237\u65b0sysctl\u76f4\u81f3\u4e0d\u4f1a\u62a5\u9519\u4e3a\u6b62\u3002<\/p>\n\n\n\n
bash\u811a\u672c\u6e90\u7801\uff08\u70b9\u51fb\u5c55\u5f00\uff09<\/p>\n\n\n\n
\n
#! \/bin\/bash\nPATH=\/bin:\/sbin:\/usr\/bin:\/usr\/sbin:\/usr\/local<\/strong>\/bin:\/usr\/local<\/strong>\/sbin:~\/bin\nexport PATH\n#===============================================================================================\n# System Required: CentOS6.x (32bit\/64bit) or Ubuntu\n# Description: Install IKEV2 VPN for CentOS and Ubuntu\n# Author: quericy\n# Intro: http:\/\/quericy.me\/blog\/699\n#===============================================================================================\n \nclear\necho \"#############################################################\"\necho \"# Install IKEV2 VPN for CentOS6.x (32bit\/64bit) or Ubuntu\"\necho \"# Intro: http:\/\/quericy.me\/blog\/699\"\necho \"#\"\necho \"# Author:quericy\"\necho \"#\"\necho \"#############################################################\"\necho \"\"\n \n# Install IKEV2\nfunction<\/strong> install_ikev2(){\n\trootness\n\tdisable_selinux\n\tget_my_ip\n\tget_system\n\tyum_install\n\tpre_install\n\tdownload_files\n\tsetup_strongswan\n\tget_key\n\tconfigure_ipsec\n\tconfigure_strongswan\n\tconfigure_secrets\n\tiptables_set\n\tipsec start\n\tsuccess_info\n}\n \n# Make sure only root can run our script\nfunction<\/strong> rootness(){\nif<\/strong> [[ $EUID -ne 0 ]]; then<\/strong>\n echo \"Error:This script must be run as root!\" 1>&2\n exit 1\nfi<\/strong>\n}\n \n# Disable selinux\nfunction<\/strong> disable_selinux(){\nif<\/strong> [ -s \/etc\/selinux\/config ] && grep 'SELINUX=enforcing' \/etc\/selinux\/config; then<\/strong>\n sed -i 's\/SELINUX=enforcing\/SELINUX=disabled\/g' \/etc\/selinux\/config\n setenforce 0\nfi<\/strong>\n}\n \n# Get IP address of the server\nfunction<\/strong> get_my_ip(){\n echo \"Preparing, Please wait a moment...\"\n IP=`curl -s checkip.dyndns.com | cut -d' ' -f 6 | cut -d'<' -f 1`\n if<\/strong> [ -z $IP ]; then<\/strong>\n IP=`curl -s ifconfig.me\/ip`\n fi<\/strong>\n}\n \n# Ubuntu or CentOS\nfunction<\/strong> get_system(){\n\tget_system_str=`cat \/etc\/issue`\n\techo \"$get_system_str\" |grep -q \"CentOS\"\n\tif<\/strong> [ $? -eq 0 ]\n\tthen<\/strong>\n\t\tsystem_str=\"0\"\n\telse<\/strong>\n\t\techo \"$get_system_str\" |grep -q \"Ubuntu\"\n\t\tif<\/strong> [ $? -eq 0 ]\n\t\tthen<\/strong>\n\t\t\tsystem_str=\"1\"\n\t\telse<\/strong>\n\t\t\techo \"This Script must be running at the CentOS or Ubuntu!\"\n\t\t\texit 1\n\t\tfi<\/strong>\n\tfi<\/strong>\n \n}\n \n# Pre-installation settings\nfunction<\/strong> pre_install(){\n\techo \"#############################################################\"\n\techo \"# Install IKEV2 VPN for CentOS6.x (32bit\/64bit) or Ubuntu\"\n\techo \"# Intro: http:\/\/quericy.me\/blog\/699\"\n\techo \"#\"\n\techo \"# Author:quericy\"\n\techo \"#\"\n\techo \"#############################################################\"\n\techo \"\"\n echo \"please choose the type of your VPS(Xen\u3001KVM: 1 , OpenVZ: 2):\"\n read -p \"your choice(1 or 2):\" os_choice\n if<\/strong> [ \"$os_choice\" = \"1\" ]; then<\/strong>\n os=\"1\"\n\t\tos_str=\"Xen\u3001KVM\"\n\t\telse<\/strong>\n\t\t\tif<\/strong> [ \"$os_choice\" = \"2\" ]; then<\/strong>\n\t\t\t\tos=\"2\"\n\t\t\t\tos_str=\"OpenVZ\"\n\t\t\t\telse<\/strong>\n\t\t\t\techo \"wrong choice!\"\n\t\t\t\texit 1\n\t\t\tfi<\/strong>\n fi<\/strong>\n\techo \"please input the ip (or domain) of your VPS:\"\n read -p \"ip or domain(default_vale:${IP}):\" vps_ip\n\tif<\/strong> [ \"$vps_ip\" = \"\" ]; then<\/strong>\n\t\tvps_ip=$IP\n\tfi<\/strong>\n\techo \"please input the cert country(C):\"\n read -p \"C(default value:com):\" my_cert_c\n\tif<\/strong> [ \"$my_cert_c\" = \"\" ]; then<\/strong>\n\t\tmy_cert_c=\"com\"\n\tfi<\/strong>\n\techo \"please input the cert organization(O):\"\n read -p \"O(default value:myvpn):\" my_cert_o\n\tif<\/strong> [ \"$my_cert_o\" = \"\" ]; then<\/strong>\n\t\tmy_cert_o=\"myvpn\"\n\tfi<\/strong>\n\techo \"please input the cert common name(CN):\"\n read -p \"CN(default value:VPN CA):\" my_cert_cn\n\tif<\/strong> [ \"$my_cert_cn\" = \"\" ]; then<\/strong>\n\t\tmy_cert_cn=\"VPN CA\"\n\tfi<\/strong>\n\techo \"####################################\"\n get_char(){\n SAVEDSTTY=`stty -g`\n stty -echo\n stty cbreak\n dd if<\/strong>=\/dev\/tty bs=1 count=1 2> \/dev\/null\n stty -raw\n stty echo\n stty $SAVEDSTTY\n }\n echo \"Please confirm the information:\"\n\techo \"\"\n\techo -e \"the type of your server: [\\033[32;1m$os_str\\033[0m]\"\n\techo -e \"the ip(or domain) of your server: [\\033[32;1m$vps_ip\\033[0m]\"\n\techo -e \"the cert_info:[\\033[32;1mC=${my_cert_c}, O=${my_cert_o}\\033[0m]\"\n\techo \"\"\n echo \"Press any key to start...or Press Ctrl+C to cancel\"\n\tchar=`get_char`\n\t#Current folder\n cur_dir=`pwd`\n cd $cur_dir\n}\n \n#install necessary lib\nfunction<\/strong> yum_install(){\n\tif<\/strong> [ \"$system_str\" = \"0\" ]; then<\/strong>\n\tyum -y update\n\tyum -y install pam-devel openssl-devel make gcc\n\telse<\/strong>\n\tapt-get -y update\n\tapt-get -y install libpam0g-dev libssl-dev make gcc\n\tfi<\/strong>\n}\n \n# Download strongswan\nfunction<\/strong> download_files(){\n if<\/strong> [ -f strongswan.tar.gz ];then<\/strong>\n echo -e \"strongswan.tar.gz [\\033[32;1mfound\\033[0m]\"\n else<\/strong>\n if<\/strong> ! wget http:\/\/download.strongswan.org\/strongswan.tar.gz;then<\/strong>\n echo \"Failed to download strongswan.tar.gz\"\n exit 1\n fi<\/strong>\n fi<\/strong>\n tar xzf strongswan.tar.gz\n if<\/strong> [ $? -eq 0 ];then<\/strong>\n cd $cur_dir\/strongswan-*\/\n else<\/strong>\n echo \"\"\n echo \"Unzip strongswan.tar.gz failed! Please visit http:\/\/quericy.me\/blog\/699 and contact.\"\n exit 1\n fi<\/strong>\n}\n \n# configure and install strongswan\nfunction<\/strong> setup_strongswan(){\n\tif<\/strong> [ \"$os\" = \"1\" ]; then<\/strong>\n\t\t.\/configure --enable-eap-identity --enable-eap-md5 \\\n--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \\\n--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \\\n--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \\\n--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp\n \n\telse<\/strong>\n\t\t.\/configure --enable-eap-identity --enable-eap-md5 \\\n--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \\\n--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \\\n--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \\\n--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec\n \n\tfi<\/strong>\n\tmake; make install\n}\n \n# configure cert and key\nfunction<\/strong> get_key(){\n\tcd $cur_dir\n if<\/strong> [ -f ca.pem ];then<\/strong>\n echo -e \"ca.pem [\\033[32;1mfound\\033[0m]\"\n else<\/strong>\n echo -e \"ca.pem [\\033[32;1mauto create\\032[0m]\"\n\t\techo \"auto create ca.pem ...\"\n\t\tipsec pki --gen --outform pem > ca.pem\n fi<\/strong>\n \n\tif<\/strong> [ -f ca.cert.pem ];then<\/strong>\n echo -e \"ca.cert.pem [\\033[32;1mfound\\033[0m]\"\n else<\/strong>\n echo -e \"ca.cert.pem [\\032[33;1mauto create\\032[0m]\"\n\t\techo \"auto create ca.cert.pem ...\"\n\t\tipsec pki --self --in<\/strong> ca.pem --dn \"C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}\" --ca --outform pem >ca.cert.pem\n fi<\/strong>\n\tif<\/strong> [ ! -d my_key ];then<\/strong>\n mkdir my_key\n fi<\/strong>\n\tmv ca.pem my_key\/ca.pem\n\tmv ca.cert.pem my_key\/ca.cert.pem\n\tcd my_key\n\tipsec pki --gen --outform pem > server.pem\n\tipsec pki --pub --in<\/strong> server.pem | ipsec pki --issue --cacert ca.cert.pem \\\n--cakey ca.pem --dn \"C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}\" \\\n--san=\"${vps_ip}\" --flag serverAuth --flag ikeIntermediate \\\n--outform pem > server.cert.pem\n\tipsec pki --gen --outform pem > client.pem\n\tipsec pki --pub --in<\/strong> client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn \"C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client\" --outform pem > client.cert.pem\n\techo \"configure the pkcs12 cert password(Can be empty):\"\n\topenssl pkcs12 -export -inkey client.pem -in<\/strong> client.cert.pem -name \"client\" -certfile ca.cert.pem -caname \"${my_cert_cn}\" -out client.cert.p12\n\techo \"####################################\"\n get_char(){\n SAVEDSTTY=`stty -g`\n stty -echo\n stty cbreak\n dd if<\/strong>=\/dev\/tty bs=1 count=1 2> \/dev\/null\n stty -raw\n stty echo\n stty $SAVEDSTTY\n }\n echo \"Press any key to install ikev2 VPN cert\"\n\tcp -r ca.cert.pem \/usr\/local<\/strong>\/etc\/ipsec.d\/cacerts\/\n\tcp -r server.cert.pem \/usr\/local<\/strong>\/etc\/ipsec.d\/certs\/\n\tcp -r server.pem \/usr\/local<\/strong>\/etc\/ipsec.d\/private\/\n\tcp -r client.cert.pem \/usr\/local<\/strong>\/etc\/ipsec.d\/certs\/\n\tcp -r client.pem \/usr\/local<\/strong>\/etc\/ipsec.d\/private\/\n \n}\n \n# configure the ipsec.conf\nfunction<\/strong> configure_ipsec(){\n cat > \/usr\/local<\/strong>\/etc\/ipsec.conf<<-EOF\nconfig setup\n uniqueids=never \n \nconn iOS_cert\n keyexchange=ikev1\n fragmentation=yes\n left=%defaultroute\n leftauth=pubkey\n leftsubnet=0.0.0.0\/0\n leftcert=server.cert.pem\n right=%any\n rightauth=pubkey\n rightauth2=xauth\n rightsourceip=10.31.2.0\/24\n rightcert=client.cert.pem\n auto=add\n \nconn android_xauth_psk\n keyexchange=ikev1\n left=%defaultroute\n leftauth=psk\n leftsubnet=0.0.0.0\/0\n right=%any\n rightauth=psk\n rightauth2=xauth\n rightsourceip=10.31.2.0\/24\n auto=add\n \nconn networkmanager-strongswan\n keyexchange=ikev2\n left=%defaultroute\n leftauth=pubkey\n leftsubnet=0.0.0.0\/0\n leftcert=server.cert.pem\n right=%any\n rightauth=pubkey\n rightsourceip=10.31.2.0\/24\n rightcert=client.cert.pem\n auto=add\n \nconn windows7\n keyexchange=ikev2\n ike=aes256-sha1-modp1024!\n rekey=no\n left=%defaultroute\n leftauth=pubkey\n leftsubnet=0.0.0.0\/0\n leftcert=server.cert.pem\n right=%any\n rightauth=eap-mschapv2\n rightsourceip=10.31.2.0\/24\n rightsendcert=never\n eap_identity=%any\n auto=add\n \nEOF\n}\n \n# configure the strongswan.conf\nfunction<\/strong> configure_strongswan(){\n cat > \/usr\/local<\/strong>\/etc\/strongswan.conf<<-EOF\n charon {\n load_modular = yes\n duplicheck.enable = no\n compress = yes\n plugins {\n include strongswan.d\/charon\/*.conf\n }\n dns1 = 8.8.8.8\n dns2 = 8.8.4.4\n nbns1 = 8.8.8.8\n nbns2 = 8.8.4.4\n}\ninclude strongswan.d\/*.conf\nEOF\n}\n \n# configure the ipsec.secrets\nfunction<\/strong> configure_secrets(){\n\tcat > \/usr\/local<\/strong>\/etc\/ipsec.secrets<<-EOF\n: RSA server.pem\n: PSK \"myPSKkey\"\n: XAUTH \"myXAUTHPass\"\nmyUserName %any : EAP \"myUserPass\"\n\tEOF\n}\n \n# iptables set\nfunction<\/strong> iptables_set(){\n sysctl -w net.ipv4.ip_forward=1\n if<\/strong> [ \"$os\" = \"1\" ]; then<\/strong>\n\t\tiptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n\t\tiptables -A FORWARD -s 10.31.0.0\/24 -j ACCEPT\n\t\tiptables -A FORWARD -s 10.31.1.0\/24 -j ACCEPT\n\t\tiptables -A FORWARD -s 10.31.2.0\/24 -j ACCEPT\n\t\tiptables -A INPUT -i eth0 -p esp -j ACCEPT\n\t\tiptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT\n\t\tiptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT\n\t\tiptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT\n\t\tiptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT\n\t\tiptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT\n\t\tiptables -A FORWARD -j REJECT\n\t\tiptables -t nat -A POSTROUTING -s 10.31.0.0\/24 -o eth0 -j MASQUERADE\n\t\tiptables -t nat -A POSTROUTING -s 10.31.1.0\/24 -o eth0 -j MASQUERADE\n\t\tiptables -t nat -A POSTROUTING -s 10.31.2.0\/24 -o eth0 -j MASQUERADE\n\telse<\/strong>\n\t\tiptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n\t\tiptables -A FORWARD -s 10.31.0.0\/24 -j ACCEPT\n\t\tiptables -A FORWARD -s 10.31.1.0\/24 -j ACCEPT\n\t\tiptables -A FORWARD -s 10.31.2.0\/24 -j ACCEPT\n\t\tiptables -A INPUT -i venet0 -p esp -j ACCEPT\n\t\tiptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT\n\t\tiptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT\n\t\tiptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT\n\t\tiptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT\n\t\tiptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT\n\t\tiptables -A FORWARD -j REJECT\n\t\tiptables -t nat -A POSTROUTING -s 10.31.0.0\/24 -o venet0 -j MASQUERADE\n\t\tiptables -t nat -A POSTROUTING -s 10.31.1.0\/24 -o venet0 -j MASQUERADE\n\t\tiptables -t nat -A POSTROUTING -s 10.31.2.0\/24 -o venet0 -j MASQUERADE\n fi<\/strong>\n\tif<\/strong> [ \"$system_str\" = \"0\" ]; then<\/strong>\n\t\tservice iptables save\n\telse<\/strong>\n\t\tiptables-save > \/etc\/iptables.rules\n\t\tcat > \/etc\/network\/if<\/strong>-up.d\/iptables<<EOF\n#!\/bin\/sh\niptables-restore < \/etc\/iptables.rules\nEOF\n\t\tchmod +x \/etc\/network\/if<\/strong>-up.d\/iptables\n\tfi<\/strong>\n}\n \n# echo the success info\nfunction<\/strong> success_info(){\n\techo \"#############################################################\"\n\techo -e \"#\"\n\techo -e \"# [\\033[32;1mInstall Successful\\033[0m]\"\n\techo -e \"# There is the default login info of your VPN\"\n\techo -e \"# UserName:\\033[33;1m myUserName\\033[0m\"\n\techo -e \"# PassWord:\\033[33;1m myUserPass\\033[0m\"\n\techo -e \"# PSK:\\033[33;1m myPSKkey\\033[0m\"\n\techo -e \"# you can change UserName and PassWord in\\033[32;1m \/usr\/local\/etc\/ipsec.secrets\\033[0m\"\n\techo -e \"# you must copy the cert \\033[32;1m ${cur_dir}\/my_key\/ca.cert.pem \\033[0m to the client and install it.\"\n\techo -e \"#\"\n\techo -e \"#############################################################\"\n\techo -e \"\"\n}\n \n# Initialization step\ninstall_ikev2<\/code><\/pre>\n<\/div><\/div>\n\n\n\n\u5982\u9700Debian\u7cfb\u7edf\u7684IKEV2\u4e00\u952e\u5b89\u88c5\u811a\u672c\uff0c\u53ef\u53c2\u8003magic282\u7ae5\u978b\u7684\u4e00\u952e\u811a\u672c\uff1a
https:\/\/github.com\/magic282\/One-Key-L2TP-IKEV2-Setup<\/p>\n\n\n\n
\u8f6c\u8f7d\u81ea\u66f2\u745e\u65af Eden*\u7684\u535a\u5ba2<\/p>\n","protected":false},"excerpt":{"rendered":"
1\u3001\u5728azure\u4e0a\u521b\u5efaubuntu\u865a\u62df\u673a \u9009\u62e9v15.04 server \u7248\u672c 2\u3001\u6dfb\u52a0\u7aef\u53e3\u53f7 3\u3001\u8fdc\u7a0b\u684c\u9762\u5230 \u547d\u4ee4\u884c \u8f93\u5165 su …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-171","post","type-post","status-publish","format-standard","hentry","category-sort"],"_links":{"self":[{"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/posts\/171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/comments?post=171"}],"version-history":[{"count":1,"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/posts\/171\/revisions"}],"predecessor-version":[{"id":172,"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/posts\/171\/revisions\/172"}],"wp:attachment":[{"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/media?parent=171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/categories?post=171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yiyuanlt.cn\/index.php\/wp-json\/wp\/v2\/tags?post=171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"\/](\"https:\/\/cdn.aeink.com\/\/content\/uploadfile\/202208\/AEimg-1660791159-4.png\")
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n
<\/a><\/figure>\n\n\n\n