苹果手机开源×××-StrongSwan【新任帮主】

使用StrongSwan 搭建IPSec ×××支持IOS 6.0 & 6.0+
1.背景：
此次研究StrongSwan搭建IPsec主要是因为IPhone手机升级到10.0版本后，原来公司搭建的PPTP ×××已经不再支持，所以需要立即采取其他的×××接入方式，于是在网上就了解这个StrongSwan，并开始部署和使用了

2.StrongSwan 安装
我的底层是centos6.6，安装方式有两种，yum 和源码包的安装，可从网上down些文档

wget http://download.strongswan.org/strongswan.tar.gz
tar xzf strongswan.tar.gz
cd strongswan-*

./configure --enable-eap-identity --enable-eap-md5 \ --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \ --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \ --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \ --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec

./configure --enable-eap-identity --enable-eap-md5 \ --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \ --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \ --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \ --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp

make; make install

3）.生成证书和密钥
strongswan pki --gen --outform pem > ca.pem

yum install openssl

strongswan pki --gen --outform pem > ca.pem

strongswan pki --self --in ca.pem --dn "C=com, O=IPSec×××, CN=×××CA" --ca --outform pem>ca.cert.pem

strongswan pki --gen --outform pem > server.pem

strongswan pki --pub --in server.pem | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com,O=IPSec×××,CN=123.58.230.60" --san="123.58.230.60" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

strongswan pki --gen --outform pem > client.pem
strongswan pki --pub --in client.pem | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com,O=IPSec×××,CN=××× Client" --outform pem > client.cert.pem

openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client " -certfile ca.cert.pem -caname "×××CA" -out client.cert.p12

mv -f ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
mv -f server.cert.pem /etc/strongswan/ipsec.d/certs/
mv -f server.pem /etc/strongswan/ipsec.d/private/

4. 配置IPsec.conf 文件
   vi /etc/strongswan/ipsec.conf

conn iOS_cert
keyexchange=ikev2
fragmentation=yes
left=�faultroute
leftauth=pubkey
leftsubnet=10.130.0.0/16
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.4.2.2/16
rightcert=client.cert.pem
auto=add

conn android_xauth_psk #红色字体表示可以任意的定义，但是要确保唯一
keyexchange=ikev1 #ipsec ***目前使用的是ike1
left=%any #letf相对于right，letf代表server端，rigth代表client端，%any代表server端
地址是任意的！
#type = tunnel 这个是隧道模式tunnel 可选的还有transparent
leftauth=psk #这个是使用预共享密钥做认证
leftsubnet=0.0.0.0/0 # client should be told to route through the tunnel
right=%any # client IP is unkown
rightauth=psk
rightauth2=xauth
rightsourceip=172.28.0.66/16 #client vip to access leftsubnet
auto=add

conn networkmanager-strongswan
keyexchange=ikev2
left=�faultroute
leftauth=pubkey
leftsubnet=10.130.0.0/16
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.4.2.2/16
rightcert=client.cert.pem
auto=add

conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=�faultroute
leftauth=pubkey
leftsubnet=10.130.0.0/16
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.4.250.160/27
rightsendcert=never
eap_identity=%any
auto=add
#绿色部分代表是我当前在用的配置文件

5.配置strongswan.conf 文件
cat /etc/strongswan/strongswan.conf

strongswan.conf - strongSwan configuration file

charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
}

include strongswan.d/*.conf

6.配置/etc/strongswan/ipsec.secrets
: RSA server.pem
: PSK "xxxxx"
: XAUTH "xxxxx"
zhanglong : EAP "xxxx2"

7.IPhone手机连接
雪飘人间带你走进StrongSwan