Setting up an IKEv2 IPsec VPN with strongSwan and Let’s Encrypt on AlmaLinux 9 and Rocky Linux 9

  • Prerequisites
  1. A server running Rocky Linux 9 or AlmaLinux 9
  2. A fully qualified domain name (FQDN), for example: vpn-dev.cloudzone.vn
  • Update the server:
sudo dnf update
  • Install the required packages
sudo dnf install wget curl nano unzip yum-utils -y

Step 1 – Configure Networking and Firewall

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
  • Add the IPsec service to the firewalld firewall (HTTP is needed for the Let’s Encrypt challenge, masquerade for client traffic leaving the server).
sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

Step 2 – Install SSL

sudo dnf install -y epel-release
sudo dnf install -y snapd
sudo systemctl enable snapd --now
sudo snap install core && sudo snap refresh core
sudo ln -s /var/lib/snapd/snap /snap
echo 'export PATH=$PATH:/var/lib/snapd/snap/bin' | sudo tee -a /etc/profile.d/snapd.sh
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --key-type rsa certonly --standalone --agree-tos --no-eff-email --preferred-challenges http -m name@example.com -d vpn-dev.cloudzone.vn
sudo certbot renew --dry-run

Step 3 – Install strongSwan

sudo dnf install strongswan
sudo ln -s /etc/letsencrypt/live/vpn-dev.cloudzone.vn/fullchain.pem /etc/strongswan/swanctl/x509
sudo ln -s /etc/letsencrypt/live/vpn-dev.cloudzone.vn/privkey.pem /etc/strongswan/swanctl/private
sudo ln -s /etc/letsencrypt/live/vpn-dev.cloudzone.vn/chain.pem /etc/strongswan/swanctl/x509ca
sudo nano /etc/strongswan/swanctl/conf.d/my_vpn.conf
  • Edit the configuration file as follows (the local id must match the FQDN on the certificate):
connections {
    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes256-sha256-modp4096,aes256-sha256-modp2048,aes256gcm16-sha256-modp1024
        rekey_time = 0s
        pools = pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        send_cert = always
        unique = never
        local {
            id = vpn-dev.cloudzone.vn
            certs = fullchain.pem
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha256-sha1
            }
        }
    }
}

pools {
    pool-ipv4 {
        addrs = 10.1.1.0/24
        dns = 1.1.1.1, 8.8.8.8
    }
}

secrets {
    eap-User1 {
        id = cloudzone-test
        secret = "Cloudzone@@123654"
    }
}
  • Disable the OpenSSL plugin, because OpenSSL on Rocky Linux 9 does not permit RSA signatures with SHA-1, which causes authentication failures.
sudo sed -i "s/load = yes/load = no/" /etc/strongswan/strongswan.d/charon/openssl.conf
sudo systemctl enable strongswan
sudo systemctl restart strongswan
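Before loading my_vpn.conf it is worth checking it mechanically: the local id must equal the certificate FQDN, and the proposal lists above still offer modp1024 and SHA-1. The following is an added example, not part of this guide or of strongSwan: a small parser for the swanctl.conf section syntax plus a lint pass, run on a constructed sample that reproduces the typo and the weak algorithms (the FQDN vpn-dev.cloudzone.vn is the one used throughout this guide).

```python
# Constructed sample in swanctl.conf syntax; it deliberately carries the
# hostname typo and the weak algorithms seen in the tutorial's my_vpn.conf.
SAMPLE = """connections {
    ikev2-eap-mschapv2 {
        proposals = aes256-sha256-modp4096,aes256gcm16-sha256-modp1024
        send_cert=always
        local {
            id = vpn-dev.clouzone.vn
            certs = fullchain.pem
        }
        children {
            ikev2-eap-mschapv2 {
                esp_proposals = aes256-sha256-sha1
            }
        }
    }
}"""

def parse_swanctl(text):
    """Parse nested 'name { ... }' sections and 'key = value' lines into dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                # open a nested section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                     # close the current section
            cur = stack.pop()
        else:                                 # key = value (spaces optional)
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return root

def lint(conf, fqdn):
    """Return the checks a defender runs on the parsed config before loading it."""
    findings = []
    for name, conn in conf.get("connections", {}).items():
        if conn.get("local", {}).get("id") != fqdn:
            findings.append(f"{name}: local.id must equal the certificate name {fqdn}")
        for prop in conn.get("proposals", "").split(","):
            if "modp1024" in prop:
                findings.append(f"{name}: IKE proposal '{prop}' offers 1024-bit DH")
        for cname, child in conn.get("children", {}).items():
            if "sha1" in child.get("esp_proposals", "").split("-"):
                findings.append(f"{name}/{cname}: ESP proposal offers SHA-1 integrity")
    return findings
```

Running lint(parse_swanctl(SAMPLE), "vpn-dev.cloudzone.vn") reports the id mismatch, the modp1024 group and the SHA-1 integrity option; an empty list means the file is consistent with the certificate and offers only the stronger algorithms.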

Step 4 – Connecting via Windows
