- apt install strongswan
- apt install certbot
- certbot certonly --standalone -d yourdomain.ru   (standalone mode binds TCP/80 for the HTTP-01 challenge, so that port must be reachable from the internet — and the name must resolve to this host — for the initial issue and for every later renewal)
- ln -s /etc/letsencrypt/live/yourdomain.ru/chain.pem /etc/ipsec.d/cacerts/ca.pem
- ln -s /etc/letsencrypt/live/yourdomain.ru/cert.pem /etc/ipsec.d/certs/certificate.pem
- ln -s /etc/letsencrypt/live/yourdomain.ru/privkey.pem /etc/ipsec.d/private/key.pem
  (chain.pem holds the Let's Encrypt intermediate, which strongSwan needs in cacerts to send the full chain to clients. The files under live/ are themselves symlinks into /etc/letsencrypt/archive/, so charon must be allowed to read that directory — this is what the AppArmor step below is about. Leave /etc/ipsec.d/private and the archive privkey files at 0600 root.)
- Make strongSwan pick up renewed certificates. Rather than editing /lib/systemd/system/certbot.service in place (a package upgrade overwrites it), add a drop-in with `systemctl edit certbot.service`:
  [Service]
  ExecStart=
  ExecStart=/usr/bin/certbot renew --deploy-hook "systemctl restart strongswan.service"
  An equivalent that does not depend on the unit at all is an executable script in /etc/letsencrypt/renewal-hooks/deploy/ running the same restart; deploy hooks only fire when a certificate was actually renewed. Note that `systemctl restart strongswan.service` drops every active tunnel; a reload may be enough, so verify after a renewal that `ipsec listcerts` shows the new certificate.
- systemctl daemon-reload
- nano /etc/ipsec.conf
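# /etc/ipsec.conf -- strongSwan (stroke-style) configuration.
# Parameter lines inside a section must be indented; strongSwan treats an
# unindented line as the start of a new section.
config setup
    # Level 1 (audit) logging for the IKE, kernel and config subsystems. It does
    # not dump keying material; raise only while debugging and lower it afterwards.
    charondebug="ike 1, knl 1, cfg 1"

# Shared settings for the PSK-authenticated site-to-site link(s).
conn BASE
    authby=psk
    keyexchange=ikev2
    # Strong proposal first. The aes128-sha1-modp1024 entry (1024-bit DH, the
    # group targeted by Logjam-class attacks) is kept only so a peer still on the
    # old config can connect; remove it once the remote side is updated.
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024
    # For IKEv2 the DH group in the ESP proposal is what provides PFS on CHILD_SA
    # rekeys; the pfs= keyword below is an IKEv1-only option and is ignored here.
    esp=aes256-sha256-modp2048,aes128-sha1-modp1024
    pfs=no
    dpdaction=restart
    auto=add

# GRE (IP protocol 47) between this host and remoteIP, protected in transport mode.
conn Home
    also=BASE
    left=yourIP
    leftprotoport=47
    right=remoteIP
    rightprotoport=47
    type=transport

# Road-warrior IKEv2 VPN: the server authenticates with the Let's Encrypt
# certificate, users authenticate with EAP-MSCHAPv2 (credentials in ipsec.secrets).
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    # Prefer 2048-bit DH and SHA-256. The modp1024/SHA-1 entries remain only because
    # stock Windows clients reportedly offer nothing stronger unless the
    # NegotiateDH2048_AES256 registry value is set on the client; drop them when
    # every client you support allows it. No DH group in esp= on purpose: these
    # clients do not propose PFS for the CHILD_SA and would fail to match.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024
    esp=aes256gcm16,aes256-sha256,aes256-sha1
    dpdaction=clear
    dpddelay=30s
    # rekey=no: the server never initiates rekeying and relies on the client to do
    # it. A client that never rekeys keeps the same keys for the life of the SA.
    rekey=no
    left=%any
    # Must equal a SAN in the certificate issued by certbot (the -d name), otherwise
    # clients reject the server identity. EAP-MSCHAPv2 is only as safe as this
    # server-certificate check, so never tell clients to skip it.
    leftid=@yourdomain.ru
    leftcert=certificate.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    # Virtual IP pool handed to clients and the resolvers pushed to them (Quad9).
    rightsourceip=10.1.1.0/24
    rightdns=9.9.9.9,149.112.112.112
    rightsendcert=never
    eap_identity=%identity
- nano /etc/ipsec.secrets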
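# /etc/ipsec.secrets -- keep this file 0600 root:root.
# Server private key (key.pem is the symlink to the Let's Encrypt privkey under
# /etc/ipsec.d/private). strongSwan matches the key to the certificate by its
# public key, so the identity prefix is informational.
yourdomain : RSA key.pem
# Pre-shared key for the GRE link (conn Home). Pin it to the actual peer instead
# of %any so only remoteIP can authenticate with it, and use a long random secret
# (e.g. `openssl rand -base64 48`): "P@SSW0RD" is a placeholder, not a key. With
# PSK authentication a guessable secret lets a captured exchange be cracked offline.
yourIP remoteIP : PSK "P@SSW0RD"
# EAP-MSCHAPv2 credentials, one line per user. The original had "%any%", which
# looked like a typo; "%any" is the selector strongSwan documents.
USER %any : EAP "PASSWORD"
- ipsec rereadsecrets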
- apparmor_status
If `apparmor_status` lists /usr/lib/ipsec/charon (and /usr/lib/ipsec/stroke) as enforced profiles and `journalctl -u strongswan` shows charon denied access to the certificate or key (the /etc/ipsec.d symlinks resolve into /etc/letsencrypt/archive/), the profile is blocking the Let's Encrypt paths. The commands below switch the profiles off entirely; a narrower fix that keeps charon confined is to append `/etc/letsencrypt/archive/** r,` and `/etc/letsencrypt/live/** r,` to /etc/apparmor.d/local/usr.lib.ipsec.charon and reload it with `apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon`:
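# Keep AppArmor enforcing. Instead of disabling the charon/stroke profiles, extend
# the charon profile so it may read the Let's Encrypt files that the /etc/ipsec.d
# symlinks resolve to (live/ -> archive/). The stroke profile needs no change; the
# `ipsec` control tool never touches the certificates.
cat >> /etc/apparmor.d/local/usr.lib.ipsec.charon <<'EOF'
  /etc/letsencrypt/archive/** r,
  /etc/letsencrypt/live/** r,
EOF
# Reload (-r) the profile in place; it stays in enforce mode. Only if the packaged
# profile lacks the local/ include would disabling it (symlink into disable/ plus
# apparmor_parser -R) be the fallback -- and then re-enable it once the paths are fixed.
apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon
- ipsec start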
- ipsec listcerts
- ipsec statusall   (after a test client connects, check the negotiated IKE and ESP proposals printed here are the ones you intended — no unexpected modp1024/SHA-1 — and that the client's assigned address comes from the rightsourceip pool)