/
ikev2.sh
353 lines (329 loc) · 10.9 KB
/
ikev2.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
clear
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit)"
echo "#############################################################"
echo ""
# Install IKEV2
function install_ikev2(){
rootness
disable_selinux
get_my_ip
yum_install
pre_install
download_files
setup_strongswan
get_key
configure_ipsec
configure_strongswan
configure_secrets
iptables_set
ipsec start
success_info
}
# Make sure only root can run our script
function rootness(){
if [[ $EUID -ne 0 ]]; then
echo "Error:This script must be run as root!" 1>&2
exit 1
fi
}
# Disable selinux
function disable_selinux(){
if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
fi
}
# Get IP address of the server
function get_my_ip(){
echo "Preparing, Please wait a moment..."
IP=`curl ipv4.icanhazip.com`
}
# Pre-installation settings
function pre_install(){
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit)"
echo "#############################################################"
echo ""
echo "please choose the type of your VPS(Xen、KVM: 1 , OpenVZ: 2):"
read -p "your choice(1 or 2):" os_choice
if [ "$os_choice" = "1" ]; then
os="1"
os_str="Xen/KVM"
else
if [ "$os_choice" = "2" ]; then
os="2"
os_str="OpenVZ"
else
echo "wrong choice!"
exit 1
fi
fi
echo "please input the ip (or domain) of your VPS:"
read -p "ip or domain(default_vale:${IP}):" vps_ip
if [ "$vps_ip" = "" ]; then
vps_ip=$IP
fi
echo "please input the cert country(C):"
read -p "C(default value:cn):" my_cert_c
if [ "$my_cert_c" = "" ]; then
my_cert_c="cn"
fi
echo "please input the cert organization(O):"
read -p "O(default value:how2vpn):" my_cert_o
if [ "$my_cert_o" = "" ]; then
my_cert_o="how2vpn"
fi
echo "please input the cert common name(CN):"
read -p "CN(default value:VPN CA):" my_cert_cn
if [ "$my_cert_cn" = "" ]; then
my_cert_cn="VPN CA"
fi
echo "####################################"
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo "Please confirm the information:"
echo ""
echo -e "the type of your server: [\033[32;1m$os_str\033[0m]"
echo -e "the ip(or domain) of your server: [\033[32;1m$vps_ip\033[0m]"
echo -e "the cert_info:[\033[32;1mC=${my_cert_c}, O=${my_cert_o}\033[0m]"
echo ""
echo "Press any key to start...or Press Ctrl+C to cancel"
char=`get_char`
#Current folder
cur_dir=`pwd`
cd $cur_dir
}
#install necessary lib
function yum_install(){
yum -y update
yum -y install pam-devel openssl-devel make gcc
}
# Download strongswan
function download_files(){
if [ -f strongswan.tar.gz ];then
echo -e "strongswan.tar.gz [\033[32;1mfound\033[0m]"
else
if ! wget https://download.strongswan.org/strongswan.tar.gz;then
echo "Failed to download strongswan.tar.gz"
exit 1
fi
fi
tar xzf strongswan*.tar.gz
if [ $? -eq 0 ];then
cd $cur_dir/strongswan-*/
else
echo ""
echo "Unzip strongswan.tar.gz failed!"
exit 1
fi
}
# configure and install strongswan
function setup_strongswan(){
if [ "$os" = "1" ]; then
./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp
else
./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec
fi
make; make install
}
# configure cert and key
function get_key(){
cd $cur_dir
if [ -f ca.pem ];then
echo -e "ca.pem [\033[32;1mfound\033[0m]"
else
echo -e "ca.pem [\033[32;1mauto create\032[0m]"
echo "auto create ca.pem ..."
ipsec pki --gen --outform pem > ca.pem
fi
if [ -f ca.cert.pem ];then
echo -e "ca.cert.pem [\033[32;1mfound\033[0m]"
else
echo -e "ca.cert.pem [\032[33;1mauto create\032[0m]"
echo "auto create ca.cert.pem ..."
ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem >ca.cert.pem
fi
if [ ! -d my_key ];then
mkdir my_key
fi
mv ca.pem my_key/ca.pem
mv ca.cert.pem my_key/ca.cert.pem
cd my_key
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
--san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
--outform pem > server.cert.pem
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem
echo "configure the pkcs12 cert password(Can be empty):"
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}" -out client.cert.p12
echo "####################################"
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo "Press any key to install ikev2 VPN cert"
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem /usr/local/etc/ipsec.d/private/
}
# configure the ipsec.conf
function configure_ipsec(){
cat > /usr/local/etc/ipsec.conf<<-EOF
config setup
uniqueids=never
conn iOS_cert
keyexchange=ikev1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add
conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.31.2.0/24
auto=add
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
auto=add
EOF
}
# configure the strongswan.conf
function configure_strongswan(){
cat > /usr/local/etc/strongswan.conf<<-EOF
charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}
# configure the ipsec.secrets
function configure_secrets(){
cat > /usr/local/etc/ipsec.secrets<<-EOF
: RSA server.pem
: PSK "HOW2VPN"
: XAUTH "HOW2VPN"
Im_VIP %any : EAP "123"
EOF
}
# iptables set
function iptables_set(){
sysctl -w net.ipv4.ip_forward=1
if [ "$os" = "1" ]; then
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE
else
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
iptables -A INPUT -i venet0 -p esp -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE
fi
service iptables save
}
# echo the success info
function success_info(){
echo "#############################################################"
echo -e "#"
echo -e "# [\033[32;1mInstall Successful\033[0m]"
echo -e "# There is the default login info of your VPN"
echo -e "# UserName:\033[33;1m Im_VIP\033[0m"
echo -e "# PassWord:\033[33;1m 123\033[0m"
echo -e "# PSK:\033[33;1m HOW2VPN\033[0m"
echo -e "# you can change UserName and PassWord in\033[32;1m /usr/local/etc/ipsec.secrets\033[0m"
echo -e "# you must copy the cert \033[32;1m ${cur_dir}/my_key/ca.cert.pem \033[0m to the client and install it."
echo -e "#"
echo -e "#############################################################"
echo -e ""
}
# Initialization step
install_ikev2