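#!/bin/sh
#
# gen config files for strongswan
#
# Required environment variables:
#  - VPN_DNS           DNS server(s) pushed to clients (rightdns)
#  - VPN_DOMAIN        server FQDN; also CN/SAN of the server cert and
#                      the base of the client identity (client@DOMAIN)
#  - VPN_NETWORK       client address pool (rightsourceip)
#  - LAN_NETWORK       network(s) reachable through the tunnel (rightsubnets)
#  - VPN_P12_PASSWORD  password protecting the exported client .p12
#
# The script is idempotent: once /etc/ipsec.d/ipsec.conf exists it exits 0
# without touching anything.
#
# Review notes:
#  - Options are set with `set`, not in the shebang, so they survive being
#    run as `sh script.sh`.
#  - The .p12 password is handed to openssl through the environment
#    (-passout env:...) instead of argv, so it is not visible in `ps`.
#  - Private keys, the .p12 and the .mobileconfig are created under
#    umask 077 (the .mobileconfig embeds the .p12 password in clear text,
#    which is how the Apple pkcs12 payload works).
#  - The IKE/ESP proposals and the matching client profile still offer
#    3DES, SHA1 and modp1024 (DH group 2) for client compatibility; these
#    are weak by current standards and should be tightened on both sides
#    together when the client base allows it.

set -eu

# Fail before any file is written if a required variable is missing.
: "${VPN_DNS:?VPN_DNS must be set}"
: "${VPN_DOMAIN:?VPN_DOMAIN must be set}"
: "${VPN_NETWORK:?VPN_NETWORK must be set}"
: "${LAN_NETWORK:?LAN_NETWORK must be set}"
: "${VPN_P12_PASSWORD:?VPN_P12_PASSWORD must be set}"
# openssl reads the password via `env:`; make sure it is exported.
export VPN_P12_PASSWORD

readonly ipsec_dir=/etc/ipsec.d

#######################################
# Generate a private key with strongSwan's pki tool.
# The subshell umask makes the key file mode 0600 from the moment it is
# created (no chmod race).
# Arguments: $1 - output path
#######################################
gen_key() {
  ( umask 077 && ipsec pki --gen --outform pem > "$1" )
}

if [ -e "$ipsec_dir/ipsec.conf" ]; then
  echo "Initialized!"
  exit 0
fi
echo "Initializing..."

# strongSwan requires the settings of a section to be indented.
cat > "$ipsec_dir/ipsec.conf" <<_EOF_
config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ike
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftca=ca.cert.pem
    leftcert=server.cert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=${VPN_DNS}
    rightsourceip=${VPN_NETWORK}
    rightsubnets=${LAN_NETWORK}

conn IPSec-IKEv2
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftid="${VPN_DOMAIN}"
    leftsendcert=always
    leftauth=pubkey
    rightauth=pubkey
    rightid="client@${VPN_DOMAIN}"
    rightcert=client.cert.pem
    auto=add
_EOF_

# ipsec.secrets only points at the key file; it holds no secret itself,
# but charon expects it to be private all the same.
( umask 077 && cat > "$ipsec_dir/ipsec.secrets" ) <<_EOF_
: RSA server.pem
_EOF_

# gen ca key and cert
gen_key "$ipsec_dir/private/ca.pem"
ipsec pki --self \
  --in "$ipsec_dir/private/ca.pem" \
  --dn "C=CN, O=strongSwan, CN=strongSwan Root CA" \
  --ca \
  --lifetime 3650 \
  --outform pem > "$ipsec_dir/cacerts/ca.cert.pem"

# gen server key and cert
# NB: plain sh has no pipefail; a failure of the --pub stage is only caught
# because --issue then fails on empty input.
gen_key "$ipsec_dir/private/server.pem"
ipsec pki --pub --in "$ipsec_dir/private/server.pem" \
  | ipsec pki --issue --lifetime 1200 \
      --cacert "$ipsec_dir/cacerts/ca.cert.pem" \
      --cakey "$ipsec_dir/private/ca.pem" \
      --dn "C=CN, O=strongSwan, CN=${VPN_DOMAIN}" \
      --san="${VPN_DOMAIN}" --flag serverAuth --flag ikeIntermediate \
      --outform pem > "$ipsec_dir/certs/server.cert.pem"

# gen client key and cert
gen_key "$ipsec_dir/private/client.pem"
ipsec pki --pub --in "$ipsec_dir/private/client.pem" \
  | ipsec pki --issue \
      --cacert "$ipsec_dir/cacerts/ca.cert.pem" \
      --cakey "$ipsec_dir/private/ca.pem" \
      --dn "C=CN, O=strongSwan, CN=client@${VPN_DOMAIN}" \
      --san="client@${VPN_DOMAIN}" \
      --outform pem > "$ipsec_dir/certs/client.cert.pem"

# Bundle the client key + cert (+ CA) into a password-protected .p12.
# The password is read from the environment, not passed on the command line.
( umask 077 && openssl pkcs12 -export \
    -inkey "$ipsec_dir/private/client.pem" \
    -in "$ipsec_dir/certs/client.cert.pem" \
    -name "client@${VPN_DOMAIN}" \
    -certfile "$ipsec_dir/cacerts/ca.cert.pem" \
    -caname "strongSwan Root CA" \
    -out "$ipsec_dir/client.cert.p12" \
    -passout env:VPN_P12_PASSWORD )

# gen mobileconfig for mac
#
# NOTE(review): the plist markup below was reconstructed; the copy of this
# script under review had the XML tags stripped, leaving only the key/value
# sequence. The keys and values are as in the original, the element types
# follow Apple's configuration-profile schema — verify against the original
# file before relying on it. One payload UUID of the original was generated
# but never used and has been dropped.
#
# NOTE: ${VPN_P12_PASSWORD} and ${VPN_DOMAIN} are inserted verbatim; values
# containing XML-special characters (&, <) would produce an invalid plist.
uuid_p12=$(uuidgen)
uuid_ca=$(uuidgen)
uuid_vpn=$(uuidgen)
uuid_server=$(uuidgen)
uuid_profile=$(uuidgen)

( umask 077 && cat > "$ipsec_dir/client.mobileconfig" ) <<_EOF_
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Password</key>
      <string>${VPN_P12_PASSWORD}</string>
      <key>PayloadCertificateFileName</key>
      <string>client.cert.p12</string>
      <key>PayloadContent</key>
      <data>
$(base64 "$ipsec_dir/client.cert.p12")
      </data>
      <key>PayloadDescription</key>
      <string>添加 PKCS#12 格式的证书</string>
      <key>PayloadDisplayName</key>
      <string>client.cert.p12</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.pkcs12.${uuid_p12}</string>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key>
      <string>${uuid_p12}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>ca.cer</string>
      <key>PayloadContent</key>
      <data>
$(base64 "$ipsec_dir/cacerts/ca.cert.pem")
      </data>
      <key>PayloadDescription</key>
      <string>添加 CA 根证书</string>
      <key>PayloadDisplayName</key>
      <string>strongSwan Root CA</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.root.${uuid_ca}</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>${uuid_ca}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>2</integer>
          <key>EncryptionAlgorithm</key>
          <string>3DES</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA1-96</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>DeadPeerDetectionRate</key>
        <string>Medium</string>
        <key>DisableMOBIKE</key>
        <integer>0</integer>
        <key>DisableRedirect</key>
        <integer>0</integer>
        <key>EnableCertificateRevocationCheck</key>
        <integer>0</integer>
        <key>EnablePFS</key>
        <integer>0</integer>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>2</integer>
          <key>EncryptionAlgorithm</key>
          <string>3DES</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA1-96</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>LocalIdentifier</key>
        <string>client@${VPN_DOMAIN}</string>
        <key>PayloadCertificateUUID</key>
        <string>${uuid_p12}</string>
        <key>RemoteAddress</key>
        <string>${VPN_DOMAIN}</string>
        <key>RemoteIdentifier</key>
        <string>${VPN_DOMAIN}</string>
        <key>UseConfigurationAttributeInternalIPSubnet</key>
        <integer>0</integer>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings</string>
      <key>PayloadDisplayName</key>
      <string>VPN</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.${uuid_vpn}</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>${uuid_vpn}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>
        <integer>0</integer>
        <key>HTTPSEnable</key>
        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>
      <string>VPN (IKEv2)</string>
      <key>VPNType</key>
      <string>IKEv2</string>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>server.cer</string>
      <key>PayloadContent</key>
      <data>
$(base64 "$ipsec_dir/certs/server.cert.pem")
      </data>
      <key>PayloadDescription</key>
      <string>添加 PKCS#1 格式的证书</string>
      <key>PayloadDisplayName</key>
      <string>${VPN_DOMAIN}</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.pkcs1.${uuid_server}</string>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs1</string>
      <key>PayloadUUID</key>
      <string>${uuid_server}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>VPN</string>
  <key>PayloadIdentifier</key>
  <string>com.github.vimagick.strongswan</string>
  <key>PayloadRemovalDisallowed</key>
  <!-- NOTE(review): boolean value not recoverable from the source copy;
       defaulting to false (profile may be removed) - confirm -->
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>${uuid_profile}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
_EOF_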