Recently my phone (Windows Phone 8.1 DP) gained support for IKEv2 VPN, so I wanted to set up an IKEv2 VPN server on CentOS 6.5 so that the phone could connect to it. The VPN server software I use is strongswan. It took me a whole day of trying before I got it working. There is some information online, but some of it is not explained clearly, so it was trial and error. Below I write out the command steps for setting up the IKEv2 VPN server, with some comments (in English). If you have questions, ask me and I will reply when I have time.

yum install strongswan openssl

# Create CA
## See: http://www.topdog.za.net/2012/08/23/iphone-ipad-mac-osx-ipsec-vpn-with-strongswan-5-on-centos-rhel-6/
cd /etc/pki/tls/misc
## Common Name is arbitrary, e.g. My CA.
./CA -newca
echo 00 > /etc/pki/CA/crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem
ln -s /etc/pki/CA/cacert.pem /etc/strongswan/ipsec.d/cacerts/
ln -s /etc/pki/CA/crl.pem /etc/strongswan/ipsec.d/crls/

# Create the server certificate
## Add extendedKeyUsage and subjectAltName lines under [ usr_cert ] in openssl.cnf.
## See: http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
## E.g.:
##   extendedKeyUsage = serverAuth
##   subjectAltName=IP:your.vpn.server.ip
##   or subjectAltName=DNS:your.vpn.server.dns
## Windows checks both: the server certificate must carry extendedKeyUsage serverAuth,
## and the IP or DNS name the client dials must appear in subjectAltName.
vim ../openssl.cnf
## Common Name must be equal to the IP or the DNS name set in subjectAltName!
## E.g. Common Name is your.vpn.server.ip
## Please remember the password. You will use it later in ipsec.secrets.
./CA -newreq
./CA -sign
mv newcert.pem /etc/strongswan/ipsec.d/certs/your.vpn.server.ip.pem
mv newkey.pem /etc/strongswan/ipsec.d/private/your.vpn.server.ip.key
## Add this line to ipsec.secrets:
##   : RSA your.vpn.server.ip.key "password of your.vpn.server.ip.key"
## ipsec.secrets holds the key passphrase and EAP passwords in clear text; keep it readable by root only.
vim /etc/strongswan/ipsec.secrets
## If you want to use EAP-MSCHAPV2 for a client "jack" with password "passwd",
## add this line to ipsec.secrets:
##   jack : EAP "passwd"

# Create the client certificate
## Comment out the extendedKeyUsage and subjectAltName lines in openssl.cnf again:
## the client certificate must not carry the server's identity.
## Common Name is arbitrary, e.g. Client Test.
./CA -newreq
./CA -sign
## Export for Windows.
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile /etc/pki/CA/cacert.pem -out client.p12

# Tutorial for importing the certificate on Windows 7:
## http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

# NAT
## ip_forward set this way is lost on reboot; also put net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
## The MASQUERADE rule covers the rightsourceip pool from ipsec.conf; eth0 is the Internet-facing interface.
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -s 10.71.132.0/24 -o eth0 -j MASQUERADE

# Import client.p12 to Windows Phone 8.1 DP.
## Import through IE or OneDrive.
## Then: go to Windows Phone/Settings/VPN/On/add/Connect using/user name+password/fill "jack" and "passwd"/...

# Example setting files

--------------------------- ipsec.conf -------------------------
# basic configuration
config setup

# Add connections here.
conn %default
    keyexchange=ikev2
    # What Windows 7 / Windows Phone 8.1 IKEv2 clients negotiate out of the box.
    # modp1024 and SHA-1 are weak by current standards; the "!" keeps the list
    # strict instead of appending strongswan's defaults.
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftfirewall=yes
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=your.vpn.server.ip.pem
    # leftid must match the Common Name / subjectAltName of the server certificate.
    leftid=your.vpn.server.ip
    right=%any
    rightsourceip=10.71.132.1/24
    auto=add

conn win-pubkey
    rightauth=pubkey
    eap_identity=%any

conn win-eap-mschapv2
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

--------------------------- ipsec.secrets -------------------------
: RSA your.vpn.server.ip.key "password of your.vpn.server.ip.key"
jack : EAP "passwd"

--------------------------- strongswan.conf -------------------------
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    # Set the DNS server handed out to clients.
    dns1 = 8.8.8.8
    #dns2 = x.x.x.x
}
include strongswan.d/*.conf

--
Shurangama Mantra (with phonetic annotation): http://sdrv.ms/130iapv
--
※ Posted from: 批踢踢實業坊(ptt.cc), from: 140.115.71.32
※ Article URL: http://www.ptt.cc/bbs/Linux/M.1397749338.A.7E6.html
zxvc: cross-posted to the WindowsPhone board 04/17 23:44
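The certificate steps above, redone with plain openssl commands as an added example (this is not code from the original post or from the strongSwan project). It builds the CA, a server certificate with the extensions Windows requires, and a client PKCS#12 file, and then checks the server certificate the way a Windows client effectively does. Assumptions: the openssl CLI is installed; the server identity 203.0.113.10, the client name "jack" and the export password "export-pass" are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the same CA, server and
# client certificates with plain openssl commands instead of the
# /etc/pki/tls/misc/CA wrapper. The Windows-specific extensions
# (extendedKeyUsage=serverAuth and a subjectAltName holding the address the
# phone dials) go into an explicit extension file instead of openssl.cnf.
# Assumptions: the openssl CLI is installed; the server identity
# 203.0.113.10, client name "jack" and export password "export-pass" below
# are placeholders, not values from the post.
set -eu

# Return 0 when the argument is a dotted IPv4 address, 1 otherwise
# (decides between an IP: and a DNS: subjectAltName).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Self-signed CA (unencrypted key, so keep the output directory root-only).
make_ca() {  # $1 = output dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=My CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Server certificate: CN equal to the identity, the same identity in the SAN,
# and extendedKeyUsage=serverAuth, which Windows IKEv2 clients insist on.
make_server_cert() {  # $1 = output dir, $2 = server IP or DNS name
    if is_ipv4 "$2"; then san="IP:$2"; else san="DNS:$2"; fi
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$san" \
        > "$1/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 730 -sha256 -in "$1/server.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/server.pem" 2>/dev/null
}

# Client certificate for the win-pubkey connection (no server extensions),
# bundled with its key and the CA into a PKCS#12 file. The 3DES/SHA-1 PBE
# options keep the file importable on old Windows releases, which cannot
# read the AES/PBKDF2 defaults that OpenSSL 3 uses for -export.
make_client_cert() {  # $1 = output dir, $2 = client name, $3 = export password
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 730 -sha256 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/$2.pem" -inkey "$1/$2.key" \
        -certfile "$1/ca.pem" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES \
        -macalg sha1 -passout "pass:$3" -out "$1/$2.p12"
}

# The checks that matter for Windows: the chain verifies against the CA, the
# server cert carries serverAuth, and its SAN contains the dialled identity.
check_server_cert() {  # $1 = output dir, $2 = expected identity
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" 2>/dev/null \
        | grep -q ': OK' || return 1
    text=$(openssl x509 -in "$1/server.pem" -noout -text)
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    printf '%s\n' "$text" | grep -qE "(IP Address|DNS):$2"
}

# Run everything and leave the files in $1, ready for the ipsec.d/ layout of
# the post (ca.pem -> cacerts/, server.pem -> certs/, server.key -> private/).
build_pki() {  # $1 = output dir, $2 = server identity, $3 = client, $4 = p12 password
    mkdir -p "$1"
    make_ca "$1"
    make_server_cert "$1" "$2"
    make_client_cert "$1" "$3" "$4"
    check_server_cert "$1" "$2"
}

OUT=${1:-$(mktemp -d)}
build_pki "$OUT" 203.0.113.10 jack export-pass
echo "PKI written to $OUT (server identity 203.0.113.10, client jack)"
```

Because the server key is generated without a passphrase here, the ipsec.secrets line becomes `: RSA server.key` with no password; if you prefer the encrypted key of the post, add `-aes256 -passout` to the server's `openssl req` call and keep the password in ipsec.secrets as before. Run check_server_cert again after any change to the SAN or to the address the phone dials, since a mismatch there is the usual reason a Windows client refuses the tunnel.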
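An added example (not from the original post or from strongSwan) that audits the ike= and esp= proposals of an ipsec.conf like the one above for algorithms that are weak by current standards. The sample files are constructed from the post's %default section plus a hardened variant; the weak-algorithm list and the hardened proposal are this example's own policy, not anything strongSwan enforces. Note that a stronger server list does not help a Windows Phone 8.1 client that only offers modp1024: the negotiation simply fails, so test any change against the real client.

```shell
#!/bin/sh
# Added example, not from the original post: audit the ike= and esp= proposals
# of an ipsec.conf for algorithms that are weak by current standards, using
# only awk. The weak-algorithm list and the hardened proposal are this
# example's own policy; the sample files are constructed, not from a server.
set -eu

# Print one line "conn key proposal alg reason" per weak algorithm found.
# Handles several comma-separated proposals per line, the trailing "!"
# (strict: do not append strongSwan's built-in defaults) and "#" comments.
audit_proposals() {  # $1 = path to ipsec.conf
    awk '
    BEGIN {
        weak["modp768"]  = "768-bit DH group";
        weak["modp1024"] = "1024-bit DH group (Logjam range)";
        weak["md5"]      = "MD5 integrity/PRF";
        weak["sha1"]     = "SHA-1 integrity/PRF, deprecated";
        weak["3des"]     = "64-bit block cipher (Sweet32)";
        weak["des"]      = "56-bit key";
        weak["null"]     = "no encryption";
    }
    /^[ \t]*#/ { next }
    /^conn[ \t]+/ { conn = $2; next }
    conn != "" && /^[ \t]+(ike|esp)[ \t]*=/ {
        sub(/[ \t]*#.*$/, "")                 # strip a trailing comment
        split($0, kv, "=")
        key = kv[1]; gsub(/[ \t]/, "", key)
        val = kv[2]; gsub(/[ \t]/, "", val); sub(/!$/, "", val)
        n = split(val, props, ",")
        for (i = 1; i <= n; i++) {
            m = split(props[i], algs, "-")
            for (j = 1; j <= m; j++)
                if (algs[j] in weak)
                    print conn, key, props[i], algs[j], weak[algs[j]]
        }
    }' "$1"
}

# Number of weak algorithms in a file (0 means the proposals pass this policy).
weak_count() {  # $1 = path to ipsec.conf
    audit_proposals "$1" | wc -l | tr -d ' '
}

# Constructed samples: the proposals from the post, and a hardened variant.
write_samples() {  # $1 = output dir
    cat > "$1/posted.conf" <<'EOF'
config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear

conn win-eap-mschapv2
    rightauth=eap-mschapv2
EOF
    cat > "$1/hardened.conf" <<'EOF'
conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,aes256gcm16-prfsha384-ecp384!   # two proposals
    esp=aes256-sha256,aes256gcm16!
EOF
}

DIR=$(mktemp -d)
write_samples "$DIR"
echo "weak algorithms in posted.conf:"
audit_proposals "$DIR/posted.conf"
echo "weak algorithms in hardened.conf: $(weak_count "$DIR/hardened.conf")"
```

Point audit_proposals at /etc/strongswan/ipsec.conf to audit a live server; each output line names the conn, the ike/esp key, the proposal and the offending algorithm, so a proposal with several weak parts (the post's aes256-sha1-modp1024 has two) is reported once per part.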