add strongswan

2025-06-04 23:17:31 +02:00 · 2016-06-28 03:16:42 +08:00 · 2016-06-28 03:16:42 +08:00 · e7f692539b
commit e7f692539b
parent f481ed97c3
5 changed files with 370 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -117,6 +117,7 @@ A collection of delicious docker recipes.
 - [x] shadowvpn
 - [x] snort :beetle:
 - [x] squid
 - [x] strongswan :+1:
 - [x] swarm-arm
 - [x] taskd
 - [x] telegraf
--- a/strongswan/Dockerfile
+++ b/strongswan/Dockerfile
@ -0,0 +1,25 @@
 #
 # Dockerfile for ipsec
 #
 FROM alpine
 MAINTAINER kev <noreply@easypi.info>
 RUN set -xe \
    && apk add --no-cache iptables openssl strongswan util-linux \
    && ln -sf /etc/ipsec.d/ipsec.conf /etc/ipsec.conf \
    && ln -sf /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
 COPY init.sh /
 VOLUME /etc/ipsec.d /etc/strongswan.d
 ENV VPN_SUBNET=10.20.30.0/24
 EXPOSE 500/udp 4500/udp
 CMD set -xe \
    && /init.sh \
    && sysctl -w net.ipv4.ip_forward=1 \
    && iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o eth0 -j MASQUERADE \
    && ipsec start --nofork
--- a/strongswan/README.md
+++ b/strongswan/README.md
@ -0,0 +1,45 @@
 strongswan
 ==========
 ![](https://badge.imagelayers.io/vimagick/strongswan:latest.svg)
 [strongSwan][1] is an Open Source IPsec-based VPN solution for Linux and other
 UNIX based operating systems implementing both the IKEv1 and IKEv2 key exchange
 protocols.
 > :warning: This docker image only support IKEv2!
 ### docker-compose.yml
 ```yaml
 strongswan:
  image: vimagick/strongswan
  ports:
    - 500:500/udp
    - 4500:4500/udp
  volumes:
    - ./log:/var/log
    - /lib/modules:/lib/modules
    - /etc/localtime:/etc/localtime
  environment:
    - VPN_DOMAIN=vpn.easypi.info
    - VPN_DNS=8.8.8.8
    - VPN_SUBNET=10.20.30.0/24
    - VPN_P12_PASSWORD=secret
  cap_add:
    - NET_ADMIN
  privileged: yes
  restart: always
 ```
 ### up and running
 ```bash
 docker-compose up -d
 docker cp strongswan_strongswan_1:/etc/ipsec.d/client.mobileconfig .
 tail -f log/charon.log
 ```
 > File `client.mobileconfig` can be imported into MacOSX as `VPN (IKEv2)`.
 [1]: https://strongswan.org/
--- a/strongswan/docker-compose.yml
+++ b/strongswan/docker-compose.yml
@ -0,0 +1,18 @@
 strongswan:
  image: vimagick/strongswan
  ports:
    - 500:500/udp
    - 4500:4500/udp
  volumes:
    - ./log:/var/log
    - /lib/modules:/lib/modules
    - /etc/localtime:/etc/localtime
  environment:
    - VPN_DOMAIN=vpn.easypi.info
    - VPN_DNS=8.8.8.8
    - VPN_SUBNET=10.20.30.0/24
    - VPN_P12_PASSWORD=secret
  cap_add:
    - NET_ADMIN
  privileged: yes
  restart: always
--- a/strongswan/init.sh
+++ b/strongswan/init.sh
@ -0,0 +1,281 @@
 #!/bin/sh
 #
 # gen config files for strongswan
 #
 # - VPN_SUBNET
 # - VPN_DOMAIN
 # - VPN_DNS
 # - VPN_P12_PASSWORD
 #
 if [ -e /etc/ipsec.d/ipsec.conf ]
 then
    echo "Already Initialized!"
    exit 0
 fi
 cat > /etc/ipsec.d/ipsec.conf <<_EOF_
 config setup
    uniqueids=never
 conn %default
    keyexchange=ike
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
 conn IKE-BASE
    leftca=ca.cert.pem
    leftcert=server.cert.pem
    rightsourceip=${VPN_SUBNET}
 conn IPSec-IKEv2
    also=IKE-BASE
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftid="${VPN_DOMAIN}"
    leftsendcert=always
    leftauth=pubkey
    rightauth=pubkey
    rightid="client.${VPN_DOMAIN}"
    rightcert=client.cert.pem
    auto=add
 _EOF_
 cat > /etc/ipsec.d/ipsec.secrets <<_EOF_
 : RSA server.pem
 _EOF_
 cat > /etc/strongswan.d/charon.conf <<_EOF_
 charon {
    duplicheck.enable = no
    dns1 = ${VPN_DNS}
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = yes
            default = 1
            flush_line = yes
        }
    }
    user = root
 }
 _EOF_
 # gen ca key and cert
 ipsec pki --gen --outform pem > /etc/ipsec.d/private/ca.pem
 ipsec pki --self \
          --in /etc/ipsec.d/private/ca.pem \
          --dn "C=CN, O=ING, CN=StrongSwan CA" \
          --ca \
          --lifetime 3650 \
          --outform pem > /etc/ipsec.d/cacerts/ca.cert.pem
 # gen server key and cert
 ipsec pki --gen --outform pem > /etc/ipsec.d/private/server.pem  
 ipsec pki --pub --in /etc/ipsec.d/private/server.pem |
    ipsec pki --issue --lifetime 1200 --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
              --cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=${VPN_DOMAIN}" \
              --san="${VPN_DOMAIN}" --flag serverAuth --flag ikeIntermediate \
              --outform pem > /etc/ipsec.d/certs/server.cert.pem
 # gen client key and cert
 ipsec pki --gen --outform pem > /etc/ipsec.d/private/client.pem
 ipsec pki --pub --in /etc/ipsec.d/private/client.pem |
    ipsec pki --issue \
              --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
              --cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=client.${VPN_DOMAIN}" \
              --san="client.${VPN_DOMAIN}" \
              --outform pem > /etc/ipsec.d/certs/client.cert.pem
 openssl pkcs12 -export \
               -inkey /etc/ipsec.d/private/client.pem \
               -in /etc/ipsec.d/certs/client.cert.pem \
               -name "client.${VPN_DOMAIN}" \
               -certfile /etc/ipsec.d/cacerts/ca.cert.pem \
               -caname "StrongSwan CA" \
               -out /etc/ipsec.d/client.cert.p12 \
               -passout pass:${VPN_P12_PASSWORD}
 # gen mobileconfig for mac
 UUID1=$(uuidgen)
 UUID2=$(uuidgen)
 UUID3=$(uuidgen)
 UUID4=$(uuidgen)
 UUID5=$(uuidgen)
 UUID6=$(uuidgen)
 cat > /etc/ipsec.d/client.mobileconfig <<_EOF_
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 <key>PayloadContent</key>
 <array>
  <dict>
   <key>Password</key>
   <string>${VPN_P12_PASSWORD}</string>
   <key>PayloadCertificateFileName</key>
   <string>client.cert.p12</string>
   <key>PayloadContent</key>
   <data>
 $(base64 /etc/ipsec.d/client.cert.p12)
   </data>
   <key>PayloadDescription</key>
   <string>添加 PKCS#12 格式的证书</string>
   <key>PayloadDisplayName</key>
   <string>client.cert.p12</string>
   <key>PayloadIdentifier</key>
   <string>com.apple.security.pkcs12.${UUID1}</string>
   <key>PayloadType</key>
   <string>com.apple.security.pkcs12</string>
   <key>PayloadUUID</key>
   <string>${UUID1}</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
  </dict>
  <dict>
   <key>PayloadCertificateFileName</key>
   <string>ca.cer</string>
   <key>PayloadContent</key>
   <data>
 $(base64 /etc/ipsec.d/cacerts/ca.cert.pem)
   </data>
   <key>PayloadDescription</key>
   <string>添加 CA 根证书</string>
   <key>PayloadDisplayName</key>
   <string>StrongSwan CA</string>
   <key>PayloadIdentifier</key>
   <string>com.apple.security.root.${UUID2}</string>
   <key>PayloadType</key>
   <string>com.apple.security.root</string>
   <key>PayloadUUID</key>
   <string>${UUID2}</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
  </dict>
  <dict>
   <key>IKEv2</key>
   <dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>ChildSecurityAssociationParameters</key>
    <dict>
     <key>DiffieHellmanGroup</key>
     <integer>2</integer>
     <key>EncryptionAlgorithm</key>
     <string>3DES</string>
     <key>IntegrityAlgorithm</key>
     <string>SHA1-96</string>
     <key>LifeTimeInMinutes</key>
     <integer>1440</integer>
    </dict>
    <key>DeadPeerDetectionRate</key>
    <string>Medium</string>
    <key>DisableMOBIKE</key>
    <integer>0</integer>
    <key>DisableRedirect</key>
    <integer>0</integer>
    <key>EnableCertificateRevocationCheck</key>
    <integer>0</integer>
    <key>EnablePFS</key>
    <integer>0</integer>
    <key>IKESecurityAssociationParameters</key>
    <dict>
     <key>DiffieHellmanGroup</key>
     <integer>2</integer>
     <key>EncryptionAlgorithm</key>
     <string>3DES</string>
     <key>IntegrityAlgorithm</key>
     <string>SHA1-96</string>
     <key>LifeTimeInMinutes</key>
     <integer>1440</integer>
    </dict>
    <key>LocalIdentifier</key>
    <string>client.${VPN_DOMAIN}</string>
    <key>PayloadCertificateUUID</key>
    <string>${UUID1}</string>
    <key>RemoteAddress</key>
    <string>${VPN_DOMAIN}</string>
    <key>RemoteIdentifier</key>
    <string>${VPN_DOMAIN}</string>
    <key>UseConfigurationAttributeInternalIPSubnet</key>
    <integer>0</integer>
   </dict>
   <key>IPv4</key>
   <dict>
    <key>OverridePrimary</key>
    <integer>1</integer>
   </dict>
   <key>PayloadDescription</key>
   <string>Configures VPN settings</string>
   <key>PayloadDisplayName</key>
   <string>VPN</string>
   <key>PayloadIdentifier</key>
   <string>com.apple.vpn.managed.${UUID4}</string>
   <key>PayloadType</key>
   <string>com.apple.vpn.managed</string>
   <key>PayloadUUID</key>
   <string>${UUID4}</string>
   <key>PayloadVersion</key>
   <real>1</real>
   <key>Proxies</key>
   <dict>
    <key>HTTPEnable</key>
    <integer>0</integer>
    <key>HTTPSEnable</key>
    <integer>0</integer>
   </dict>
   <key>UserDefinedName</key>
   <string>VPN (IKEv2)</string>
   <key>VPNType</key>
   <string>IKEv2</string>
  </dict>
  <dict>
   <key>PayloadCertificateFileName</key>
   <string>server.cer</string>
   <key>PayloadContent</key>
   <data>
 $(base64 /etc/ipsec.d/certs/server.cert.pem)
   </data>
   <key>PayloadDescription</key>
   <string>添加 PKCS#1 格式的证书</string>
   <key>PayloadDisplayName</key>
   <string>${VPN_DOMAIN}</string>
   <key>PayloadIdentifier</key>
   <string>com.apple.security.pkcs1.${UUID5}</string>
   <key>PayloadType</key>
   <string>com.apple.security.pkcs1</string>
   <key>PayloadUUID</key>
   <string>${UUID5}</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
  </dict>
 </array>
 <key>PayloadDisplayName</key>
 <string>VPN</string>
 <key>PayloadIdentifier</key>
 <string>com.github.vimagick.strongswan</string>
 <key>PayloadRemovalDisallowed</key>
 <false/>
 <key>PayloadType</key>
 <string>Configuration</string>
 <key>PayloadUUID</key>
 <string>${UUID6}</string>
 <key>PayloadVersion</key>
 <integer>1</integer>
 </dict>
 </plist>
 _EOF_