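# Harden the host before it routes VPN client traffic: do not honour incoming
# ICMP redirects and never emit them, on every entry under
# /proc/sys/net/ipv4/conf/ (all, default and each interface).
# The path is quoted so an odd interface name cannot be word-split or globbed.
for vpn in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "${vpn}/accept_redirects"
  echo 0 > "${vpn}/send_redirects"
done

# NAT the VPN client pool out of the uplink interface. The defaults are the
# values this snippet originally hard-coded; both can be overridden from the
# environment.
# NOTE(review): the pool must match what charon hands out (rightsourceip in
# ipsec.conf) and the interface must be the host's real uplink — elsewhere on
# this page those are 10.0.0.0/24 and eth0, so check which pair applies.
vpn_pool=${VPN_POOL:-192.168.0.0/24}
egress_if=${EGRESS_IF:-venet0}

# -C tests for an identical existing rule, so re-running this snippet does
# not append a duplicate MASQUERADE rule to POSTROUTING.
if ! iptables -t nat -C POSTROUTING -s "$vpn_pool" -o "$egress_if" -j MASQUERADE 2>/dev/null; then
  iptables -t nat -A POSTROUTING -s "$vpn_pool" -o "$egress_if" -j MASQUERADE
fi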
Basic strongSwan IKEv2 server setup
- platform: atlantic.net ubuntu 14.04 x64
- the commands below are run as root
Strongswan
# Install the IKE daemon, then iptables together with iptables-persistent so
# the NAT/firewall rules added further down survive a reboot.
apt-get install strongswan
apt-get install iptables iptables-persistent
CA
Root CA
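# Create a scratch PKI directory and generate the root CA key pair.
# umask 077 makes every key written from here on owner-only; with the
# default umask the PEM private keys would be world-readable.
cd ~ || exit 1
mkdir swan || exit 1
cd swan || exit 1
umask 077

# Root CA private key. It is only used to sign the server and client
# certificates below and is never installed into /etc/ipsec.d on this page,
# so it stays here (or, better, offline).
ipsec pki --gen --outform pem > ca_key.pem || exit 1

# Self-signed CA certificate; --ca sets the CA basic constraint so this
# certificate can issue the server and client certificates.
ipsec pki --self --in ca_key.pem \
  --dn "C=CN, O=strongswan, CN=strongswan ca" --ca --outform pem > ca_cert.pem || exit 1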
Server certificate (issued by the root CA)
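# Server key and certificate, issued by the CA created above.
# The name defaults to the value this snippet originally hard-coded; it must
# be the hostname clients actually connect to.
server_fqdn=${SERVER_FQDN:-vpn.strong.com}

umask 077   # keep server_key.pem owner-only
ipsec pki --gen --outform pem > server_key.pem || exit 1

# The subjectAltName must equal the name clients dial or they reject the
# server identity. --flag serverAuth (plus ikeIntermediate) is needed before
# some client platforms accept the certificate for IKEv2.
# These notes do not set pipefail, so both pipeline stages are checked via
# PIPESTATUS instead of relying on the exit status of the last stage.
ipsec pki --pub --in server_key.pem \
  | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem \
      --dn "C=CN, O=strongswan, CN=${server_fqdn}" --san="${server_fqdn}" \
      --flag serverAuth --flag ikeIntermediate \
      --outform pem > server_cert.pem
[[ "${PIPESTATUS[0]}" -eq 0 && "${PIPESTATUS[1]}" -eq 0 ]] || exit 1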
Client certificate (issued by the root CA)
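# Client key and certificate, issued by the same CA.
# client_key.pem is the client's credential: keep it owner-only here and
# deliver it to the client over an encrypted channel.
umask 077
ipsec pki --gen --outform pem > client_key.pem || exit 1

# CN=client becomes the identity the client presents; its own leftid must
# match it — presumably, verify against the client configuration.
# Both pipeline stages are checked via PIPESTATUS (pipefail is not set here).
ipsec pki --pub --in client_key.pem \
  | ipsec pki --issue --cacert ca_cert.pem --cakey ca_key.pem \
      --dn "C=CN, O=strongSwan, CN=client" --outform pem > client_cert.pem
[[ "${PIPESTATUS[0]}" -eq 0 && "${PIPESTATUS[1]}" -eq 0 ]] || exit 1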
Install the CA certificate and server credentials
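# Install the CA certificate, the server certificate and the server private
# key where charon looks for them. The CA private key (ca_key.pem) is
# deliberately not installed: charon does not need it to serve clients.
cp -- ca_cert.pem /etc/ipsec.d/cacerts/ || exit 1
cp -- server_cert.pem /etc/ipsec.d/certs/ || exit 1
cp -- server_key.pem /etc/ipsec.d/private/ || exit 1

# The mode of the installed copy depends on the source mode and the umask at
# copy time; restrict the private key explicitly regardless.
chmod 600 /etc/ipsec.d/private/server_key.pem || exit 1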
Configuration
- /etc/ipsec.conf
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    leftcert=server_cert.pem
    auto=add
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1h

conn rw
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.0.0.0/24
- /etc/ipsec.secrets
: RSA server_key.pem
- /etc/strongswan.conf
charon {
    load_modular = yes
    install_virtual_ip = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    # use the dns provided by vps
    plugins {
        include strongswan.d/charon/*.conf
    }
}
System configuration
net.ipv4.ip_forward = 1
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 22 14:53:31 2013
# Generated by iptables-save v1.4.18 on Mon Jul 22 14:53:31 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [432:67301]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
Client settings
- ss_cert.pem
- client_key.pem
- client_cert.pem
Copy these files to the client, with scp or ftp (note that ftp transfers the client's private key in cleartext). Use them for the strongSwan VPN connection.