{"id":184,"date":"2023-03-28T11:28:19","date_gmt":"2023-03-28T03:28:19","guid":{"rendered":"http:\/\/idc.birk.cn\/?p=184"},"modified":"2023-04-20T14:34:13","modified_gmt":"2023-04-20T06:34:13","slug":"%e5%9c%a8-centos-7-%e4%b8%ad%e4%bd%bf%e7%94%a8-strongswan-%e6%90%ad%e5%bb%ba-ikev2-vpn","status":"publish","type":"post","link":"https:\/\/idc.birk.cn\/?p=184","title":{"rendered":"\u5728 CentOS 7 \u4e2d\u4f7f\u7528 strongSwan \u642d\u5efa IKEv2 VPN"},"content":{"rendered":"<header class=\"article-header\">\n<h1 class=\"article-title\">\u5728 CentOS 7 \u4e2d\u4f7f\u7528 strongSwan \u642d\u5efa IKEv2 VPN<\/h1>\n<\/header>\n<div class=\"article-entry\">\n<div class=\"markdown-body editormd-html-preview\">\n<div class=\"editormd-toc-menu\">\n<div class=\"markdown-toc editormd-markdown-toc\">\u672c\u6587\u4ecb\u7ecd\u5728 CentOS 7 \u7cfb\u7edf\u4e2d\u4f7f\u7528 strongSwan \u5f00\u6e90\u8f6f\u4ef6\u642d\u5efa IKEv2 \u65b9\u5f0f\u7684 VPN \u914d\u7f6e\u3002<\/div>\n<\/div>\n<p>\u672c\u6587\u6d89\u53ca\u5230\u7684\u5404\u9879\u7cfb\u7edf\u53ca\u8f6f\u4ef6\u7248\u672c\uff1a<\/p>\n<ul>\n<li>\u670d\u52a1\u7aef\u7cfb\u7edf\uff1aCentOS 7.4 64\u4f4d<\/li>\n<li>\u5ba2\u6237\u7aef\u7cfb\u7edf\uff1aWindows 10 \u4e13\u4e1a\u7248\uff0c\u7248\u672c\u53f7 1809<\/li>\n<li>\u8f6f\u4ef6\uff1astrongSwan \u7248\u672c 5.7.2<\/li>\n<\/ul>\n<h3><a class=\"reference-link\" name=\"\u4e00\u3001\u5b89\u88c5 strongSwan\"><\/a>\u4e00\u3001\u5b89\u88c5 strongSwan<\/h3>\n<hr \/>\n<p>\u4f7f\u7528 EPEL \u6e90\u5b89\u88c5 strongSwan\uff0c\u56e0\u4e3a EPEL \u5305\u542b strongSwan \u6700\u65b0\u7248\u672c\uff0cEPEL \u66f4\u65b0\u6bd4\u8f83\u5feb\uff0c\u5982\u679c\u7cfb\u7edf\u4e2d\u6ca1\u6709\uff0c\u5219\u6267\u884c\u4e0b\u9762\u547d\u4ee4\u5b89\u88c5 EPEL \u6e90\u3002<\/p>\n<h5><a class=\"reference-link\" name=\"1\u3001\u5b89\u88c5 EPEL \u6e90\"><\/a>1\u3001\u5b89\u88c5 EPEL \u6e90<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">yum <\/span><span class=\"pun\">-<\/span><span 
class=\"pln\">y install epel<\/span><span class=\"pun\">-<\/span><span class=\"pln\">release<\/span><\/code><\/li>\n<\/ol>\n<p><em>\u6ce8\u610f\uff0c\u8fd9\u4e0d\u662f\u5fc5\u987b\u7684\uff0c\u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528\u5176\u5b83\u6e90\u5b89\u88c5\u3002<\/em><\/p>\n<h5><a class=\"reference-link\" name=\"2\u3001\u5b89\u88c5 openssl\"><\/a>2\u3001\u5b89\u88c5 openssl<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">yum <\/span><span class=\"pun\">-<\/span><span class=\"pln\">y install openssl<\/span><\/code><\/li>\n<\/ol>\n<p><em>\u6ce8\u610f\uff0c\u8fd9\u4e0d\u662f\u5fc5\u987b\u7684\uff0c\u8bf7\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u8c03\u6574\u3002<\/em><\/p>\n<h5><a class=\"reference-link\" name=\"3\u3001\u5b89\u88c5 strongswan\"><\/a>3\u3001\u5b89\u88c5 strongswan<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">yum <\/span><span class=\"pun\">-<\/span><span class=\"pln\">y install strongswan<\/span><\/code><\/li>\n<\/ol>\n<p><em>\u6ce8\u610f\uff0c\u8fd9\u662f\u5fc5\u987b\u7684\u3002<\/em><\/p>\n<h5><a class=\"reference-link\" name=\"4\u3001\u8bbe\u7f6e\u5f00\u673a\u542f\u52a8\"><\/a>4\u3001\u8bbe\u7f6e\u5f00\u673a\u542f\u52a8<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">systemctl enable strongswan<\/span><\/code><\/li>\n<\/ol>\n<h3><a class=\"reference-link\" name=\"\u4e8c\u3001\u521b\u5efa\u8bc1\u4e66\"><\/a>\u4e8c\u3001\u521b\u5efa\u8bc1\u4e66<\/h3>\n<hr \/>\n<h4><a class=\"reference-link\" name=\"1\u3001\u521b\u5efa CA \u6839\u8bc1\u4e66\"><\/a>1\u3001\u521b\u5efa CA \u6839\u8bc1\u4e66<\/h4>\n<h5><a class=\"reference-link\" name=\"1.1 \u521b\u5efa\u4e00\u4e2a\u79c1\u94a5\uff1a\"><\/a>1.1 \u521b\u5efa\u4e00\u4e2a\u79c1\u94a5\uff1a<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"pln\">gen <\/span><span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span 
class=\"pun\">&gt;<\/span><span class=\"pln\"> ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"1.2 \u57fa\u4e8e\u8fd9\u4e2a\u79c1\u94a5\u81ea\u5df1\u7b7e\u4e00\u4e2a CA \u6839\u8bc1\u4e66\uff1a\"><\/a>1.2 \u57fa\u4e8e\u8fd9\u4e2a\u79c1\u94a5\u81ea\u5df1\u7b7e\u4e00\u4e2a CA \u6839\u8bc1\u4e66\uff1a<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">self<\/span> <span class=\"pun\">--<\/span><span class=\"kwd\">in<\/span><span class=\"pln\"> ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"pln\">dn <\/span><span class=\"str\">\"C=CN, O=123si, CN=123si StrongSwan CA\"<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">ca <\/span><span class=\"pun\">--<\/span><span class=\"pln\">lifetime <\/span><span class=\"lit\">3650<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span class=\"pun\">&gt;<\/span><span class=\"pln\"> ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/li>\n<\/ol>\n<p>\u547d\u4ee4\u53c2\u6570\u4ecb\u7ecd\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th>\u53c2\u6570<\/th>\n<th>\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>--self<\/code><\/td>\n<td>\u8868\u793a\u81ea\u7b7e\u8bc1\u4e66<\/td>\n<\/tr>\n<tr>\n<td><code>--in<\/code><\/td>\n<td>\u662f\u8f93\u5165\u7684\u79c1\u94a5<\/td>\n<\/tr>\n<tr>\n<td><code>--dn<\/code><\/td>\n<td>\u662f\u5224\u522b\u540d<\/td>\n<\/tr>\n<tr>\n<td><code>C<\/code><\/td>\n<td>\u8868\u793a\u56fd\u5bb6\u540d\uff0c\u540c\u6837\u8fd8\u6709 ST \u5dde\/\u7701\u540d\uff0cL 
\u5730\u533a\u540d\uff0cSTREET\uff08\u5168\u5927\u5199\uff09\u8857\u9053\u540d<\/td>\n<\/tr>\n<tr>\n<td><code>O<\/code><\/td>\n<td>\u7ec4\u7ec7\u540d\u79f0<\/td>\n<\/tr>\n<tr>\n<td><code>CN<\/code><\/td>\n<td>\u53cb\u597d\u663e\u793a\u7684\u901a\u7528\u540d<\/td>\n<\/tr>\n<tr>\n<td><code>--ca<\/code><\/td>\n<td>\u8868\u793a\u751f\u6210 CA \u6839\u8bc1\u4e66<\/td>\n<\/tr>\n<tr>\n<td><code>--lifetime<\/code><\/td>\n<td>\u4e3a\u6709\u6548\u671f, \u5355\u4f4d\u662f\u5929<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><a class=\"reference-link\" name=\"2\u3001\u521b\u5efa\u670d\u52a1\u5668\u7aef\u8bc1\u4e66\"><\/a>2\u3001\u521b\u5efa\u670d\u52a1\u5668\u7aef\u8bc1\u4e66<\/h4>\n<h5><a class=\"reference-link\" name=\"2.1 \u521b\u5efa\u4e00\u4e2a\u79c1\u94a5\uff1a\"><\/a>2.1 \u521b\u5efa\u4e00\u4e2a\u79c1\u94a5\uff1a<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"pln\">gen <\/span><span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span class=\"pun\">&gt;<\/span><span class=\"pln\"> server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"2.2 \u7528\u6211\u4eec\u521a\u624d\u81ea\u7b7e\u7684 CA \u8bc1\u4e66\u7ed9\u81ea\u5df1\u53d1\u4e00\u4e2a\u670d\u52a1\u5668\u8bc1\u4e66\uff1a\"><\/a>2.2 \u7528\u6211\u4eec\u521a\u624d\u81ea\u7b7e\u7684 CA \u8bc1\u4e66\u7ed9\u81ea\u5df1\u53d1\u4e00\u4e2a\u670d\u52a1\u5668\u8bc1\u4e66\uff1a<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"com\"># \u7528\u79c1\u94a5\u521b\u5efa\u516c\u94a5<\/span><\/code><\/li>\n<li class=\"L1\"><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"pln\">pub <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">in<\/span><span class=\"pln\"> server<\/span><span class=\"pun\">.<\/span><span 
class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span class=\"pun\">&gt;<\/span><span class=\"pln\"> server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pub<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/li>\n<li class=\"L2\"><code><span class=\"com\"># \u7528\u521a\u521b\u5efa\u7684\u516c\u94a5\uff0c\u521b\u5efa\u670d\u52a1\u5668\u8bc1\u4e66<\/span><\/code><\/li>\n<li class=\"L3\"><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"pln\">issue <\/span><span class=\"pun\">--<\/span><span class=\"pln\">lifetime <\/span><span class=\"lit\">3650<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">cacert ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"pln\">cakey ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">in<\/span><span class=\"pln\"> server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pub<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"pln\">dn <\/span><span class=\"str\">\"C=CN, O=123si, CN=48.85.166.86\"<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">san<\/span><span class=\"pun\">=<\/span><span class=\"str\">\"48.85.166.86\"<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">flag serverAuth <\/span><span class=\"pun\">--<\/span><span class=\"pln\">flag ikeIntermediate <\/span><span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span class=\"pun\">&gt;<\/span><span class=\"pln\"> server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span 
class=\"pln\">pem<\/span><\/code><\/li>\n<\/ol>\n<p>\u547d\u4ee4\u53c2\u6570\u4ecb\u7ecd\uff1a<\/p>\n<p><code>--issue<\/code>\uff0c<code>--cacert<\/code>\u548c<code>--cakey<\/code>\u5c31\u662f\u8868\u660e\u8981\u7528\u521a\u624d\u81ea\u7b7e\u7684 CA \u8bc1\u4e66\u6765\u7b7e\u8fd9\u4e2a\u670d\u52a1\u5668\u8bc1\u4e66\u3002<\/p>\n<p><code>--dn<\/code>\uff0c<code>--san<\/code>\uff0c<code>--flag<\/code>\u662f\u4e00\u4e9b\u5ba2\u6237\u7aef\u65b9\u9762\u7684\u7279\u6b8a\u8981\u6c42\uff1a<\/p>\n<ul>\n<li>iOS \u5ba2\u6237\u7aef\u8981\u6c42 CN \u4e5f\u5c31\u662f\u901a\u7528\u540d\u5fc5\u987b\u662f\u4f60\u7684\u670d\u52a1\u5668\u7684 URL \u6216 IP \u5730\u5740\uff1b<\/li>\n<li>Windows 7 \u4e0d\u4f46\u8981\u6c42\u4e86\u4e0a\u9762\uff0c\u8fd8\u8981\u6c42\u5fc5\u987b\u663e\u5f0f\u8bf4\u660e\u8fd9\u4e2a\u670d\u52a1\u5668\u8bc1\u4e66\u7684\u7528\u9014\uff08\u7528\u4e8e\u4e0e\u670d\u52a1\u5668\u8fdb\u884c\u8ba4\u8bc1\uff09\uff0c<code>--flag serverAuth<\/code>\uff1b<\/li>\n<li>\u975e iOS \u7684 Mac OS X \u8981\u6c42\u4e86\u201cIP \u5b89\u5168\u7f51\u7edc\u5bc6\u94a5\u4e92\u6362\u5c45\u95f4\uff08IP Security IKE Intermediate\uff09\u201d\u8fd9\u79cd\u589e\u5f3a\u578b\u5bc6\u94a5\u7528\u6cd5\uff08EKU\uff09\uff0c<code>--flag ikeIntermediate<\/code>\uff1b<\/li>\n<li>Android \u548c iOS \u90fd\u8981\u6c42\u670d\u52a1\u5668\u522b\u540d\uff08serverAltName\uff09\u5c31\u662f\u670d\u52a1\u5668\u7684 URL \u6216 IP \u5730\u5740\uff0c<code>--san<\/code>\uff1b<\/li>\n<\/ul>\n<h4><a class=\"reference-link\" name=\"3\u3001\u521b\u5efa\u5ba2\u6237\u7aef\u8bc1\u4e66\"><\/a>3\u3001\u521b\u5efa\u5ba2\u6237\u7aef\u8bc1\u4e66<\/h4>\n<h5><a class=\"reference-link\" name=\"3.1 \u521b\u5efa\u4e00\u4e2a\u79c1\u94a5\uff1a\"><\/a>3.1 \u521b\u5efa\u4e00\u4e2a\u79c1\u94a5\uff1a<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"pln\">gen <\/span><span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span 
class=\"pun\">&gt;<\/span><span class=\"pln\"> client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"3.2 \u7136\u540e\u7528\u521a\u624d\u81ea\u7b7e\u7684 CA \u8bc1\u4e66\u6765\u7b7e\u5ba2\u6237\u7aef\u8bc1\u4e66\uff1a\"><\/a>3.2 \u7136\u540e\u7528\u521a\u624d\u81ea\u7b7e\u7684 CA \u8bc1\u4e66\u6765\u7b7e\u5ba2\u6237\u7aef\u8bc1\u4e66\uff1a<\/h5>\n<p><code><span class=\"com\"># \u7528\u79c1\u94a5\u521b\u5efa\u516c\u94a5<\/span><\/code><\/p>\n<p><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"pln\">pub <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">in<\/span><span class=\"pln\"> client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span class=\"pun\">&gt;<\/span><span class=\"pln\"> client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pub<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/p>\n<p><code><span class=\"com\"># \u7528\u521a\u521b\u5efa\u7684\u516c\u94a5\uff0c\u521b\u5efa\u5ba2\u6237\u7aef\u8bc1\u4e66<\/span><\/code><\/p>\n<p><code><span class=\"pln\">strongswan pki <\/span><span class=\"pun\">--<\/span><span class=\"pln\">issue <\/span><span class=\"pun\">--<\/span><span class=\"pln\">lifetime <\/span><span class=\"lit\">3650<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">cacert ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"pln\">cakey ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">in<\/span><span 
class=\"pln\"> client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pub<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">--<\/span><span class=\"pln\">dn <\/span><span class=\"str\">\"C=CN, O=123si, CN=48.85.166.86\"<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">outform pem <\/span><span class=\"pun\">&gt;<\/span><span class=\"pln\"> client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/p>\n<h4><a class=\"reference-link\" name=\"4\u3001\u6253\u5305\u8bc1\u4e66\u4e3a pkcs12\"><\/a>4\u3001\u6253\u5305\u8bc1\u4e66\u4e3a pkcs12<\/h4>\n<p><code><span class=\"pln\">openssl pkcs12 <\/span><span class=\"pun\">-<\/span><span class=\"kwd\">export<\/span> <span class=\"pun\">-<\/span><span class=\"pln\">inkey client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">-<\/span><span class=\"kwd\">in<\/span><span class=\"pln\"> client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">-<\/span><span class=\"pln\">name <\/span><span class=\"str\">\"123si StrongSwan Client Cert\"<\/span> <span class=\"pun\">-<\/span><span class=\"pln\">certfile ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">-<\/span><span class=\"pln\">caname <\/span><span class=\"str\">\"123si StrongSwan CA\"<\/span> <span class=\"pun\">-<\/span><span class=\"kwd\">out<\/span><span class=\"pln\"> client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span 
class=\"pln\">p12<\/span><\/code><\/p>\n<p>\u6267\u884c\u547d\u4ee4\u540e\uff0c\u4f1a\u63d0\u793a\u8f93\u5165\u4e24\u6b21\u5bc6\u7801\uff0c\u8fd9\u4e2a\u5bc6\u7801\u662f\u5728\u5bfc\u5165\u8bc1\u4e66\u5230\u5176\u4ed6\u7cfb\u7edf\u65f6\u9700\u8981\u9a8c\u8bc1\u7684\u3002\u6ca1\u6709\u8fd9\u4e2a\u5bc6\u7801\u5373\u4f7f\u522b\u4eba\u62ff\u5230\u4e86\u8bc1\u4e66\u4e5f\u6ca1\u6cd5\u4f7f\u7528\u3002<\/p>\n<h3><a class=\"reference-link\" name=\"\u4e09\u3001\u5b89\u88c5\u8bc1\u4e66\"><\/a>\u4e09\u3001\u5b89\u88c5\u8bc1\u4e66<\/h3>\n<hr \/>\n<p><code><span class=\"pln\">cp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">r ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span class=\"kwd\">private<\/span><span class=\"pun\">\/<\/span><\/code><\/p>\n<p><code><span class=\"pln\">cp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">r ca<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">cacerts<\/span><span class=\"pun\">\/<\/span><\/code><\/p>\n<p><code><span class=\"pln\">cp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">r server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span 
class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">certs<\/span><span class=\"pun\">\/<\/span><\/code><\/p>\n<p><code><span class=\"pln\">cp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">r server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pub<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">certs<\/span><span class=\"pun\">\/<\/span><\/code><\/p>\n<p><code><span class=\"pln\">cp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">r server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span class=\"kwd\">private<\/span><span class=\"pun\">\/<\/span><\/code><\/p>\n<p><code><span class=\"pln\">cp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">r client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">cert<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span 
class=\"pln\">certs<\/span><span class=\"pun\">\/<\/span><\/code><\/p>\n<p><code><span class=\"pln\">cp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">r client<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span class=\"kwd\">private<\/span><span class=\"pun\">\/<\/span><\/code><\/p>\n<p>\u628a CA \u8bc1\u4e66\uff08ca.cert.pem\uff09\u3001\u5ba2\u6237\u7aef\u8bc1\u4e66\uff08client.cert.pem\uff09\u548c .p12 \u8bc1\u4e66\uff08client.cert.p12\uff09\u7528 FTP \u590d\u5236\u51fa\u6765\u7ed9\u5ba2\u6237\u7aef\u7528\u3002<\/p>\n<h3><a class=\"reference-link\" name=\"\u56db\u3001\u914d\u7f6e VPN\"><\/a>\u56db\u3001\u914d\u7f6e VPN<\/h3>\n<hr \/>\n<h4><a class=\"reference-link\" name=\"1\u3001\u4fee\u6539\u4e3b\u914d\u7f6e\u6587\u4ef6 ipsec.conf\"><\/a>1\u3001\u4fee\u6539\u4e3b\u914d\u7f6e\u6587\u4ef6 ipsec.conf<\/h4>\n<p>\u914d\u7f6e\u6587\u4ef6<code>ipsec.conf<\/code>\u5b98\u65b9\u4ecb\u7ecd\u94fe\u63a5\uff1a<a title=\"ipsec.conf: conn Reference\" href=\"https:\/\/wiki.strongswan.org\/projects\/strongswan\/wiki\/ConnSection\" target=\"_blank\" rel=\"noopener\">ipsec.conf: conn Reference<\/a><\/p>\n<p>\u7f16\u8f91\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">vim <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">conf<\/span><\/code><\/li>\n<\/ol>\n<p>\u914d\u7f6e\u6587\u4ef6\u5e38\u7528\u8bbe\u7f6e\u8bf4\u660e\uff1a<\/p>\n<p>config setup<\/p>\n<p># 
\u662f\u5426\u7f13\u5b58\u8bc1\u4e66\u540a\u9500\u5217\u8868<\/p>\n<p># cachecrls = yes<\/p>\n<p># \u662f\u5426\u4e25\u683c\u6267\u884c\u8bc1\u4e66\u540a\u9500\u89c4\u5219<\/p>\n<p># strictcrlpolicy=yes<\/p>\n<p># \u5982\u679c\u540c\u4e00\u4e2a\u7528\u6237\u5728\u4e0d\u540c\u7684\u8bbe\u5907\u4e0a\u91cd\u590d\u767b\u5f55\uff0cyes \u65ad\u5f00\u65e7\u8fde\u63a5\uff0c\u521b\u5efa\u65b0\u8fde\u63a5\uff1bno \u4fdd\u6301\u65e7\u8fde\u63a5\uff0c\u5e76\u53d1\u9001\u901a\u77e5\uff1bnever \u540c no\uff0c\u4f46\u4e0d\u53d1\u9001\u901a\u77e5\u3002<br \/>\nuniqueids=no<br \/>\n# \u914d\u7f6e\u6839\u8bc1\u4e66\uff0c\u5982\u679c\u4e0d\u4f7f\u7528\u8bc1\u4e66\u540a\u9500\u5217\u8868\uff0c\u53ef\u4ee5\u4e0d\u7528\u8fd9\u6bb5\u3002\u547d\u540d\u4e3a %default \u6240\u6709\u914d\u7f6e\u8282\u90fd\u4f1a\u7ee7\u627f\u5b83<br \/>\n# ca %default<br \/>\n# \u8bc1\u4e66\u540a\u9500\u5217\u8868 URL\uff0c\u53ef\u4ee5\u662f LDAP\uff0cHTTP\uff0c\u6216\u6587\u4ef6\u8def\u5f84<br \/>\n# crluri = &lt;uri&gt;<br \/>\n# \u5b9a\u4e49\u8fde\u63a5\u9879\uff0c\u547d\u540d\u4e3a %default \u6240\u6709\u8fde\u63a5\u90fd\u4f1a\u7ee7\u627f\u5b83<br \/>\nconn %default<br \/>\n# \u662f\u5426\u542f\u7528\u538b\u7f29\uff0cyes \u8868\u793a\u5982\u679c\u652f\u6301\u538b\u7f29\u4f1a\u542f\u7528<br \/>\ncompress = yes<br \/>\n# \u5f53\u610f\u5916\u65ad\u5f00\u540e\u5c1d\u8bd5\u7684\u64cd\u4f5c\uff0chold\uff0c\u4fdd\u6301\u5e76\u91cd\u8fde\u76f4\u5230\u8d85\u65f6<br \/>\ndpdaction = hold<br \/>\n# \u610f\u5916\u65ad\u5f00\u540e\u5c1d\u8bd5\u91cd\u8fde\u65f6\u957f<br \/>\ndpddelay = 30s<br \/>\n# \u610f\u5916\u65ad\u5f00\u540e\u8d85\u65f6\u65f6\u957f\uff0c\u53ea\u5bf9 IKEv1 \u8d77\u4f5c\u7528<br \/>\ndpdtimeout = 60s<br \/>\n# \u95f2\u7f6e\u65f6\u957f\uff0c\u8d85\u8fc7\u540e\u65ad\u5f00\u8fde\u63a5<br \/>\ninactivity = 300s<br \/>\n# \u6570\u636e\u4f20\u8f93\u534f\u8bae\u52a0\u5bc6\u7b97\u6cd5\u5217\u8868<br \/>\nesp = aes256-sha256,aes256-sha1,3des-sha1!<br \/>\n# 
\u5bc6\u94a5\u4ea4\u6362\u534f\u8bae\u52a0\u5bc6\u7b97\u6cd5\u5217\u8868<br \/>\nike = aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!<br \/>\n# \u9ed8\u8ba4\u7684\u5bc6\u94a5\u4ea4\u6362\u7b97\u6cd5\uff0cike \u4e3a\u81ea\u52a8\uff0c\u4f18\u5148\u4f7f\u7528 IKEv2<br \/>\nkeyexchange = ike<br \/>\n# \u670d\u52a1\u7aef\u516c\u7f51 IP\uff0c\u53ef\u4ee5\u662f\u9b54\u672f\u5b57 %any\uff0c\u8868\u793a\u4ece\u672c\u5730 IP \u5730\u5740\u8868\u4e2d\u53d6<br \/>\nleft = %any<br \/>\n# \u5ba2\u6237\u7aef IP\uff0c\u540c\u4e0a<br \/>\nright = %any<br \/>\n# \u6307\u5b9a\u670d\u52a1\u7aef\u4e0e\u5ba2\u6237\u7aef\u7684 DNS\uff0c\u591a\u4e2a\u7528\u201c,\u201d\u5206\u9694<br \/>\nleftdns = 8.8.8.8,8.8.4.4<br \/>\nrightdns = 8.8.8.8,8.8.4.4<br \/>\n# \u670d\u52a1\u7aef\u7528\u4e8e ike \u8ba4\u8bc1\u65f6\u4f7f\u7528\u7684\u7aef\u53e3\uff0c\u9ed8\u8ba4\u4e3a 500\uff0c\u5982\u679c\u4f7f\u7528\u4e86 nat \u8f6c\u53d1\uff0c\u5219\u4f7f\u7528 4500<br \/>\n# leftikeport = &lt;port&gt;<br \/>\n# \u670d\u52a1\u5668\u7aef\u865a\u62df IP \u5730\u5740<br \/>\n# leftsourceip = %config<br \/>\n# \u5ba2\u6237\u7aef\u865a\u62df IP \u6bb5<br \/>\nrightsourceip = 10.0.0.0\/24<br \/>\n# \u670d\u52a1\u5668\u7aef\u5b50\u7f51\uff0c\u9b54\u672f\u5b57 0.0.0.0\/0 \u3002\u5982\u679c\u4e3a\u5ba2\u6237\u7aef\u5206\u914d\u865a\u62df IP \u5730\u5740\u7684\u8bdd\uff0c\u90a3\u8868\u793a\u4e4b\u540e\u8981\u505a iptables \u8f6c\u53d1\uff0c\u90a3\u4e48\u670d\u52a1\u5668\u7aef\u5c31\u5fc5\u987b\u662f\u7528\u9b54\u672f\u5b57<br \/>\nleftsubnet = 0.0.0.0\/0<br \/>\n# rightsubnet = &lt;ip subnet&gt;[[&lt;proto\/port&gt;]][,...]<br \/>\nconn IKEv2-BASE<br \/>\n# \u670d\u52a1\u5668\u7aef\u6839\u8bc1\u4e66 DN \u540d\u79f0<br \/>\nleftca = \"C=CN, O=123si, CN=123si StrongSwan CA\"<br \/>\n# \u670d\u52a1\u5668\u8bc1\u4e66\uff0c\u53ef\u4ee5\u662f PEM \u6216 DER \u683c\u5f0f<br \/>\nleftcert = server.cert.pem<br \/>\n# \u4e0d\u6307\u5b9a\u5ba2\u6237\u7aef\u8bc1\u4e66\u8def\u5f84<br \/>\n# rightcert = 
&lt;path&gt;<br \/>\n# \u6307\u5b9a\u670d\u52a1\u5668\u8bc1\u4e66\u7684\u516c\u94a5<br \/>\nleftsigkey = server.pub.pem<br \/>\n# rightsigkey = &lt;raw public key&gt; | &lt;path to public key&gt;<br \/>\n# \u662f\u5426\u53d1\u9001\u670d\u52a1\u5668\u8bc1\u4e66\u5230\u5ba2\u6237\u7aef<br \/>\nleftsendcert = always<br \/>\n# \u5ba2\u6237\u7aef\u4e0d\u53d1\u9001\u8bc1\u4e66<br \/>\nrightsendcert = never<br \/>\n# \u670d\u52a1\u7aef\u8ba4\u8bc1\u65b9\u6cd5\uff0c\u4f7f\u7528\u8bc1\u4e66<br \/>\nleftauth = pubkey<br \/>\n# \u5ba2\u6237\u7aef\u8ba4\u8bc1\u4f7f\u7528 EAP \u6269\u5c55\u8ba4\u8bc1\uff0c\u8c8c\u4f3c eap-mschapv2 \u6bd4\u8f83\u901a\u7528<br \/>\nrightauth = eap-mschapv2<br \/>\n# \u670d\u52a1\u7aef ID\uff0c\u53ef\u4ee5\u4efb\u610f\u6307\u5b9a\uff0c\u9ed8\u8ba4\u4e3a\u670d\u52a1\u5668\u8bc1\u4e66\u7684 subject\uff0c\u8fd8\u53ef\u4ee5\u662f\u9b54\u672f\u5b57 %any\uff0c\u8868\u793a\u4ec0\u4e48\u90fd\u884c<br \/>\nleftid = vpn.itnmg.net<br \/>\n# \u5ba2\u6237\u7aef id\uff0c\u4efb\u610f<br \/>\nrightid = %any<br \/>\n# ios, mac os, win7+, linux<br \/>\nconn IKEv2-EAP<br \/>\nalso = IKEv2-BASE<br \/>\n# \u6307\u5b9a\u5ba2\u6237\u7aef eap id<br \/>\neap_identity = %any<br \/>\n# \u4e0d\u81ea\u52a8\u91cd\u7f6e\u5bc6\u94a5<br \/>\nrekey = no<br \/>\n# \u5f00\u542f IKE \u6d88\u606f\u5206\u7247<br \/>\nfragmentation = yes<br \/>\n# \u5f53\u670d\u52a1\u542f\u52a8\u65f6\uff0c\u5e94\u8be5\u5982\u4f55\u5904\u7406\u8fd9\u4e2a\u8fde\u63a5\u9879\u3002add \u6dfb\u52a0\u5230\u8fde\u63a5\u8868\u4e2d\u3002<br \/>\nauto = add<\/p>\n<p>\u6211\u7684\u914d\u7f6e\uff1a<\/p>\n<p># ipsec.conf - strongSwan IPsec configuration file<br \/>\n# basic configuration<br \/>\nconfig setup<br \/>\n# strictcrlpolicy=yes<br \/>\nuniqueids = never<br \/>\n# Add connections here.<br \/>\n# Sample VPN connections<br \/>\n#conn sample-self-signed<br \/>\n# leftsubnet=10.1.0.0\/16<br \/>\n# leftcert=selfCert.der<br \/>\n# leftsendcert=never<br \/>\n# right=192.168.0.2<br \/>\n# rightsubnet=10.2.0.0\/16<br 
\/>\n# rightcert=peerCert.der<br \/>\n# auto=start<br \/>\n#conn sample-with-ca-cert<br \/>\n# leftsubnet=10.1.0.0\/16<br \/>\n# leftcert=myCert.pem<br \/>\n# right=192.168.0.2<br \/>\n# rightsubnet=10.2.0.0\/16<br \/>\n# rightid=\"C=CH, O=Linux strongSwan CN=peer name\"<br \/>\n# auto=start<br \/>\nconn %default<br \/>\ncompress = yes<br \/>\nesp = aes256-sha256,aes256-sha1,3des-sha1!<br \/>\nike = aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp2048,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!<br \/>\nkeyexchange = ike<br \/>\nkeyingtries = 1<br \/>\nleftdns = 8.8.8.8,8.8.4.4<br \/>\nrightdns = 8.8.8.8,8.8.4.4<br \/>\nconn IKEv2-BASE<br \/>\n# \u670d\u52a1\u5668\u7aef\u6839\u8bc1\u4e66 DN \u540d\u79f0<br \/>\nleftca = \"C=CN, O=123si, CN=123si StrongSwan CA\"<br \/>\n# \u662f\u5426\u53d1\u9001\u670d\u52a1\u5668\u8bc1\u4e66\u5230\u5ba2\u6237\u7aef<br \/>\nleftsendcert = always<br \/>\n# \u5ba2\u6237\u7aef\u4e0d\u53d1\u9001\u8bc1\u4e66<br \/>\nrightsendcert = never<br \/>\nconn IKEv2-EAP<br \/>\nleftca = \"C=CN, O=123si, CN=123si StrongSwan CA\"<br \/>\nleftcert = server.cert.pem<br \/>\nleftsendcert = always<br \/>\nrightsendcert = never<br \/>\nleftid = 48.85.166.86<br \/>\nleft = %any<br \/>\nright = %any<br \/>\nleftauth = pubkey<br \/>\nrightauth = eap-mschapv2<br \/>\nleftfirewall = yes<br \/>\nleftsubnet = 0.0.0.0\/0<br \/>\nrightsourceip = 10.1.0.0\/16<br \/>\nfragmentation = yes<br \/>\nrekey = no<br \/>\neap_identity = %any<br \/>\nauto = add<\/p>\n<p><a class=\"reference-link\" name=\"2\u3001\u4fee\u6539 DNS \u914d\u7f6e\"><\/a>2\u3001\u4fee\u6539 DNS \u914d\u7f6e<\/p>\n<p>strongSwan v5.1.2 \u4e4b\u540e\uff0c\u6240\u6709\u63d2\u4ef6\u914d\u7f6e\u90fd\u5206\u6563\u5728<code>\/etc\/strongswan\/strongswan.d\/<\/code>\u76ee\u5f55\u4e2d\u3002<\/p>\n<p>\u7f16\u8f91\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">vim <\/span><span 
class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">.<\/span><span class=\"pln\">d<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">charon<\/span><span class=\"pun\">.<\/span><span class=\"pln\">conf<\/span><\/code><\/li>\n<\/ol>\n<p>\u8bbe\u7f6e Windows \u516c\u7528 DNS\uff0c\u53bb\u6389<code>dns1<\/code>\u548c<code>dns2<\/code>\u524d\u9762\u7684\u4e95\u53f7\uff08#\uff09\u3002<\/p>\n<p>\u4fee\u6539\u5982\u4e0b\uff1a<\/p>\n<p># Options for the charon IKE daemon.<br \/>\ncharon {<br \/>\n# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.<br \/>\n# accept_unencrypted_mainmode_messages = no<br \/>\n# Maximum number of half-open IKE_SAs for a single peer IP.<br \/>\n# block_threshold = 5<br \/>\n# Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP<br \/>\n# should be saved under a unique file name derived from the public key of<br \/>\n# the Certification Authority (CA) to \/etc\/ipsec.d\/crls (stroke) or<br \/>\n# \/etc\/swanctl\/x509crl (vici), respectively.<br \/>\n# cache_crls = no<br \/>\n# Whether relations in validated certificate chains should be cached in<br \/>\n# memory.<br \/>\n# cert_cache = yes<br \/>\n# Send Cisco Unity vendor ID payload (IKEv1 only).<br \/>\n# cisco_unity = no<br \/>\n# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.<br \/>\n# close_ike_on_child_failure = no<br \/>\n# Number of half-open IKE_SAs that activate the cookie mechanism.<br \/>\n# cookie_threshold = 10<br \/>\n# Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).<br \/>\n# delete_rekeyed = no<br \/>\n# Delay in seconds until inbound IPsec SAs are deleted after rekeyings<br \/>\n# (IKEv2 only).<br \/>\n# delete_rekeyed_delay = 5<br \/>\n# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic<br \/>\n# strength.<br \/>\n# 
dh_exponent_ansi_x9_42 = yes<br \/>\n# Use RTLD_NOW with dlopen when loading plugins and IMV\/IMCs to reveal<br \/>\n# missing symbols immediately.<br \/>\n# dlopen_use_rtld_now = no<br \/>\n# DNS server assigned to peer via configuration payload (CP).<br \/>\n# Windows \u516c\u7528 DNS<br \/>\ndns1 = 8.8.8.8<br \/>\n# DNS server assigned to peer via configuration payload (CP).<br \/>\n# Windows \u516c\u7528 DNS<br \/>\ndns2 = 8.8.4.4<br \/>\n# Enable Denial of Service protection using cookies and aggressiveness<br \/>\n# checks.<br \/>\n# dos_protection = yes<br \/>\n# Compliance with the errata for RFC 4753.<br \/>\n# ecp_x_coordinate_only = yes<br \/>\n# Free objects during authentication (might conflict with plugins).<br \/>\n# flush_auth_cfg = no<br \/>\n# Whether to follow IKEv2 redirects (RFC 5685).<br \/>\n# follow_redirects = yes<br \/>\n# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment<br \/>\n# when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults<br \/>\n# to 1280 (use 0 for address family specific default values, which uses a<br \/>\n# lower value for IPv4). 
If specified this limit is used for both IPv4 and<br \/>\n# IPv6.<br \/>\n# fragment_size = 1280<br \/>\n# Name of the group the daemon changes to after startup.<br \/>\n# group =<br \/>\n# Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).<br \/>\n# half_open_timeout = 30<br \/>\n# Enable hash and URL support.<br \/>\n# hash_and_url = no<br \/>\n# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.<br \/>\n# i_dont_care_about_security_and_use_aggressive_mode_psk = no<br \/>\n# Whether to ignore the traffic selectors from the kernel's acquire events<br \/>\n# for IKEv2 connections (they are not used for IKEv1).<br \/>\n# ignore_acquire_ts = no<br \/>\n# A space-separated list of routing tables to be excluded from route<br \/>\n# lookups.<br \/>\n# ignore_routing_tables =<br \/>\n# Maximum number of IKE_SAs that can be established at the same time before<br \/>\n# new connection attempts are blocked.<br \/>\n# ikesa_limit = 0<br \/>\n# Number of exclusively locked segments in the hash table.<br \/>\n# ikesa_table_segments = 1<br \/>\n# Size of the IKE_SA hash table.<br \/>\n# ikesa_table_size = 1<br \/>\n# Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.<br \/>\n# inactivity_close_ike = no<br \/>\n# Limit new connections based on the current number of half open IKE_SAs,<br \/>\n# see IKE_SA_INIT DROPPING in strongswan.conf(5).<br \/>\n# init_limit_half_open = 0<br \/>\n# Limit new connections based on the number of queued jobs.<br \/>\n# init_limit_job_load = 0<br \/>\n# Causes charon daemon to ignore IKE initiation requests.<br \/>\n# initiator_only = no<br \/>\n# Install routes into a separate routing table for established IPsec<br \/>\n# tunnels.<br \/>\n# install_routes = yes<br \/>\n# Install virtual IP addresses.<br \/>\n# install_virtual_ip = yes<br \/>\n# The name of the interface on which virtual IP addresses should be<br \/>\n# installed.<br \/>\n# install_virtual_ip_on =<br \/>\n# Check daemon, 
libstrongswan and plugin integrity at startup.<br \/>\n# integrity_test = no<br \/>\n# A comma-separated list of network interfaces that should be ignored, if<br \/>\n# interfaces_use is specified this option has no effect.<br \/>\n# interfaces_ignore =<br \/>\n# A comma-separated list of network interfaces that should be used by<br \/>\n# charon. All other interfaces are ignored.<br \/>\n# interfaces_use =<br \/>\n# NAT keep alive interval.<br \/>\n# keep_alive = 20s<br \/>\n# Plugins to load in the IKE daemon charon.<br \/>\n# load =<br \/>\n# Determine plugins to load via each plugin's load option.<br \/>\n# load_modular = no<br \/>\n# Initiate IKEv2 reauthentication with a make-before-break scheme.<br \/>\n# make_before_break = no<br \/>\n# Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about<br \/>\n# and track concurrently.<br \/>\n# max_ikev1_exchanges = 3<br \/>\n# Maximum packet size accepted by charon.<br \/>\n# max_packet = 10000<br \/>\n# Enable multiple authentication exchanges (RFC 4739).<br \/>\n# multiple_authentication = yes<br \/>\n# WINS servers assigned to peer via configuration payload (CP).<br \/>\n# nbns1 =<br \/>\n# WINS servers assigned to peer via configuration payload (CP).<br \/>\n# nbns2 =<br \/>\n# UDP port used locally. If set to 0 a random port will be allocated.<br \/>\n# port = 500<br \/>\n# UDP port used locally in case of NAT-T. If set to 0 a random port will be<br \/>\n# allocated. 
Has to be different from charon.port, otherwise a random port<br \/>\n# will be allocated.<br \/>\n# port_nat_t = 4500<br \/>\n# Whether to prefer updating SAs to the path with the best route.<br \/>\n# prefer_best_path = no<br \/>\n# Prefer locally configured proposals for IKE\/IPsec over supplied ones as<br \/>\n# responder (disabling this can avoid keying retries due to<br \/>\n# INVALID_KE_PAYLOAD notifies).<br \/>\n# prefer_configured_proposals = yes<br \/>\n# By default public IPv6 addresses are preferred over temporary ones (RFC<br \/>\n# 4941), to make connections more stable. Enable this option to reverse<br \/>\n# this.<br \/>\n# prefer_temporary_addrs = no<br \/>\n# Process RTM_NEWROUTE and RTM_DELROUTE events.<br \/>\n# process_route = yes<br \/>\n# Delay in ms for receiving packets, to simulate larger RTT.<br \/>\n# receive_delay = 0<br \/>\n# Delay request messages.<br \/>\n# receive_delay_request = yes<br \/>\n# Delay response messages.<br \/>\n# receive_delay_response = yes<br \/>\n# Specific IKEv2 message type to delay, 0 for any.<br \/>\n# receive_delay_type = 0<br \/>\n# Size of the AH\/ESP replay window, in packets.<br \/>\n# replay_window = 32<br \/>\n# Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION<br \/>\n# in strongswan.conf(5).<br \/>\n# retransmit_base = 1.8<br \/>\n# Maximum jitter in percent to apply randomly to calculated retransmission<br \/>\n# timeout (0 to disable).<br \/>\n# retransmit_jitter = 0<br \/>\n# Upper limit in seconds for calculated retransmission timeout (0 to<br \/>\n# disable).<br \/>\n# retransmit_limit = 0<br \/>\n# Timeout in seconds before sending first retransmit.<br \/>\n# retransmit_timeout = 4.0<br \/>\n# Number of times to retransmit a packet before giving up.<br \/>\n# retransmit_tries = 5<br \/>\n# Interval in seconds to use when retrying to initiate an IKE_SA (e.g. 
if<br \/>\n# DNS resolution failed), 0 to disable retries.<br \/>\n# retry_initiate_interval = 0<br \/>\n# Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).<br \/>\n# reuse_ikesa = yes<br \/>\n# Numerical routing table to install routes to.<br \/>\n# routing_table =<br \/>\n# Priority of the routing table.<br \/>\n# routing_table_prio =<br \/>\n# Whether to use RSA with PSS padding instead of PKCS#1 padding by default.<br \/>\n# rsa_pss = no<br \/>\n# Delay in ms for sending packets, to simulate larger RTT.<br \/>\n# send_delay = 0<br \/>\n# Delay request messages.<br \/>\n# send_delay_request = yes<br \/>\n# Delay response messages.<br \/>\n# send_delay_response = yes<br \/>\n# Specific IKEv2 message type to delay, 0 for any.<br \/>\n# send_delay_type = 0<br \/>\n# Send strongSwan vendor ID payload<br \/>\n# send_vendor_id = no<br \/>\n# Whether to enable Signature Authentication as per RFC 7427.<br \/>\n# signature_authentication = yes<br \/>\n# Whether to enable constraints against IKEv2 signature schemes.<br \/>\n# signature_authentication_constraints = yes<br \/>\n# The upper limit for SPIs requested from the kernel for IPsec SAs.<br \/>\n# spi_max = 0xcfffffff<br \/>\n# The lower limit for SPIs requested from the kernel for IPsec SAs.<br \/>\n# spi_min = 0xc0000000<br \/>\n# Number of worker threads in charon.<br \/>\n# threads = 16<br \/>\n# Name of the user the daemon changes to after startup.<br \/>\n# user =<br \/>\ncrypto_test {<br \/>\n# Benchmark crypto algorithms and order them by efficiency.<br \/>\n# bench = no<br \/>\n# Buffer size used for crypto benchmark.<br \/>\n# bench_size = 1024<br \/>\n# Time in ms during which crypto algorithm performance is measured.<br \/>\n# bench_time = 50<br \/>\n# Test crypto algorithms during registration (requires test vectors<br \/>\n# provided by the test-vectors plugin).<br \/>\n# on_add = no<br \/>\n# Test crypto algorithms on each crypto primitive instantiation.<br \/>\n# on_create = no<br 
\/>\n# Strictly require at least one test vector to enable an algorithm.<br \/>\n# required = no<br \/>\n# Whether to test RNG with TRUE quality; requires a lot of entropy.<br \/>\n# rng_true = no<br \/>\n}<br \/>\nhost_resolver {<br \/>\n# Maximum number of concurrent resolver threads (they are terminated if<br \/>\n# unused).<br \/>\n# max_threads = 3<br \/>\n# Minimum number of resolver threads to keep around.<br \/>\n# min_threads = 0<br \/>\n}<br \/>\nleak_detective {<br \/>\n# Includes source file names and line numbers in leak detective output.<br \/>\n# detailed = yes<br \/>\n# Threshold in bytes for leaks to be reported (0 to report all).<br \/>\n# usage_threshold = 10240<br \/>\n# Threshold in number of allocations for leaks to be reported (0 to<br \/>\n# report all).<br \/>\n# usage_threshold_count = 0<br \/>\n}<br \/>\nprocessor {<br \/>\n# Section to configure the number of reserved threads per priority class<br \/>\n# see JOB PRIORITY MANAGEMENT in strongswan.conf(5).<br \/>\npriority_threads {<br \/>\n}<br \/>\n}<br \/>\n# Section containing a list of scripts (name = path) that are executed when<br \/>\n# the daemon is started.<br \/>\nstart-scripts {<br \/>\n}<br \/>\n# Section containing a list of scripts (name = path) that are executed when<br \/>\n# the daemon is terminated.<br \/>\nstop-scripts {<br \/>\n}<br \/>\ntls {<br \/>\n# List of TLS encryption ciphers.<br \/>\n# cipher =<br \/>\n# List of TLS key exchange methods.<br \/>\n# key_exchange =<br \/>\n# List of TLS MAC algorithms.<br \/>\n# mac =<br \/>\n# List of TLS cipher suites.<br \/>\n# suites =<br \/>\n}<br \/>\nx509 {<br \/>\n# Discard certificates with unsupported or unknown critical extensions.<br \/>\n# enforce_critical = yes<br \/>\n}<br \/>\n}<\/p>\n<p><code class=\"language-shell\"><\/code><code class=\"language-shell\"><\/code><\/p>\n<h4><a class=\"reference-link\" 
name=\"3\u3001\u914d\u7f6e\u7528\u6237\u540d\u4e0e\u5bc6\u7801\"><\/a>3\u3001\u914d\u7f6e\u7528\u6237\u540d\u4e0e\u5bc6\u7801<\/h4>\n<p>\u7f16\u8f91\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code><span class=\"pln\">vim <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">strongswan<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">ipsec<\/span><span class=\"pun\">.<\/span><span class=\"pln\">secrets<\/span><\/code><\/li>\n<\/ol>\n<p>\u6dfb\u52a0\u7528\u6237\u540d\u548c\u5bc6\u7801\uff1a<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"com\"># ipsec.secrets - strongSwan IPsec secrets file<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"com\"># \u4f7f\u7528\u8bc1\u4e66\u9a8c\u8bc1\u65f6\u7684\u670d\u52a1\u5668\u7aef\u79c1\u94a5<\/span><\/code><\/li>\n<li class=\"L2\"><code class=\"language-shell\"><span class=\"com\"># \u683c\u5f0f : RSA &lt;private key file&gt; [ &lt;passphrase&gt; | %prompt ]<\/span><\/code><\/li>\n<li class=\"L3\"><code class=\"language-shell\"><span class=\"pun\">:<\/span><span class=\"pln\"> RSA server<\/span><span class=\"pun\">.<\/span><span class=\"pln\">key<\/span><span class=\"pun\">.<\/span><span class=\"pln\">pem<\/span><\/code><\/li>\n<li class=\"L4\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L5\"><code class=\"language-shell\"><span class=\"com\"># \u4f7f\u7528\u9884\u8bbe\u52a0\u5bc6\u5bc6\u94a5, \u8d8a\u957f\u8d8a\u597d<\/span><\/code><\/li>\n<li class=\"L6\"><code class=\"language-shell\"><span class=\"com\"># \u683c\u5f0f [ &lt;id selectors&gt; ] : PSK &lt;secret&gt;<\/span><\/code><\/li>\n<li class=\"L7\"><code class=\"language-shell\"><span class=\"pun\">%<\/span><span class=\"pln\">any <\/span><span class=\"pun\">%<\/span><span class=\"pln\">any <\/span><span class=\"pun\">:<\/span><span class=\"pln\"> PSK <\/span><span 
class=\"str\">\"abcdef123456\"<\/span><\/code><\/li>\n<li class=\"L8\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L9\"><code class=\"language-shell\"><span class=\"com\"># EAP \u65b9\u5f0f, \u683c\u5f0f\u540c psk \u76f8\u540c<\/span><\/code><\/li>\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"typ\">UserName1<\/span> <span class=\"pun\">%<\/span><span class=\"pln\">any <\/span><span class=\"pun\">:<\/span><span class=\"pln\"> EAP <\/span><span class=\"str\">\"UserPassword1\"<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"typ\">UserName2<\/span> <span class=\"pun\">%<\/span><span class=\"pln\">any <\/span><span class=\"pun\">:<\/span><span class=\"pln\"> EAP <\/span><span class=\"str\">\"UserPassword2\"<\/span><\/code><\/li>\n<li class=\"L2\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L3\"><code class=\"language-shell\"><span class=\"com\"># XAUTH \u65b9\u5f0f, \u53ea\u9002\u7528\u4e8e IKEv1<\/span><\/code><\/li>\n<li class=\"L4\"><code class=\"language-shell\"><span class=\"com\"># \u683c\u5f0f [ &lt;servername&gt; ] &lt;username&gt; : XAUTH \"&lt;password&gt;\"<\/span><\/code><\/li>\n<li class=\"L5\"><code class=\"language-shell\"><span class=\"typ\">UserName1<\/span> <span class=\"pun\">%<\/span><span class=\"pln\">any <\/span><span class=\"pun\">:<\/span><span class=\"pln\"> XAUTH <\/span><span class=\"str\">\"UserPassword1\"<\/span><\/code><\/li>\n<li class=\"L6\"><code class=\"language-shell\"><span class=\"typ\">UserName2<\/span> <span class=\"pun\">%<\/span><span class=\"pln\">any <\/span><span class=\"pun\">:<\/span><span class=\"pln\"> XAUTH <\/span><span class=\"str\">\"UserPassword2\"<\/span><\/code><\/li>\n<\/ol>\n<h4><a class=\"reference-link\" name=\"4\u3001\u5f00\u542f\u5185\u6838\u8f6c\u53d1\"><\/a>4\u3001\u5f00\u542f\u5185\u6838\u8f6c\u53d1<\/h4>\n<p>\u7f16\u8f91\u7cfb\u7edf\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code 
class=\"language-shell\"><span class=\"pln\">vim <\/span><span class=\"pun\">\/<\/span><span class=\"pln\">etc<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">sysctl<\/span><span class=\"pun\">.<\/span><span class=\"pln\">conf<\/span><\/code><\/li>\n<\/ol>\n<p>\u5728\u672b\u5c3e\u5904\uff0c\u6dfb\u52a0\u5982\u4e0b\u914d\u7f6e\u9879\uff1a<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">net<\/span><span class=\"pun\">.<\/span><span class=\"pln\">ipv4<\/span><span class=\"pun\">.<\/span><span class=\"pln\">ip_forward <\/span><span class=\"pun\">=<\/span> <span class=\"lit\">1<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"pln\">net<\/span><span class=\"pun\">.<\/span><span class=\"pln\">ipv6<\/span><span class=\"pun\">.<\/span><span class=\"pln\">conf<\/span><span class=\"pun\">.<\/span><span class=\"pln\">all<\/span><span class=\"pun\">.<\/span><span class=\"pln\">forwarding <\/span><span class=\"pun\">=<\/span> <span class=\"lit\">1<\/span><\/code><\/li>\n<\/ol>\n<p>\u6216\u8005\uff0c\u6267\u884c\u4e0b\u9762\u547d\u4ee4\u6dfb\u52a0\u5230\u7cfb\u7edf\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">echo <\/span><span class=\"str\">\"net.ipv4.ip_forward = 1\"<\/span> <span class=\"pun\">&gt;&gt;<\/span> <span class=\"str\">\/etc\/<\/span><span class=\"pln\">sysctl<\/span><span class=\"pun\">.<\/span><span class=\"pln\">conf<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"pln\">echo <\/span><span class=\"str\">\"net.ipv6.conf.all.forwarding = 1\"<\/span> <span class=\"pun\">&gt;&gt;<\/span> <span class=\"str\">\/etc\/<\/span><span class=\"pln\">sysctl<\/span><span class=\"pun\">.<\/span><span 
class=\"pln\">conf<\/span><\/code><\/li>\n<\/ol>\n<p>\u6700\u540e\u91cd\u65b0\u52a0\u8f7d\u7cfb\u7edf\u53c2\u6570\uff0c\u4f7f\u4e0a\u9762\u7684\u914d\u7f6e\u751f\u6548\uff0c\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">sysctl <\/span><span class=\"pun\">-<\/span><span class=\"pln\">p<\/span><\/code><\/li>\n<\/ol>\n<h3><a class=\"reference-link\" name=\"\u4e94\u3001\u914d\u7f6e\u9632\u706b\u5899\"><\/a>\u4e94\u3001\u914d\u7f6e\u9632\u706b\u5899<\/h3>\n<hr \/>\n<p>\u914d\u7f6e CentOS 7 \u7cfb\u7edf\u9ed8\u8ba4\u9632\u706b\u5899 FirewallD\u3002<\/p>\n<p><em>\u6ce8\u610f\uff0c\u4ee5\u4e0b\u547d\u4ee4\u6ca1\u6709\u6307\u5b9a<code>--zone=public<\/code>\u53c2\u6570\uff0c\u90fd\u662f\u9488\u5bf9\u9ed8\u8ba4\u533a\u57df<code>public<\/code>\u3002<\/em><\/p>\n<h5><a class=\"reference-link\" name=\"1\u3001\u4e3a\u533a\u57df\u6dfb\u52a0\u670d\u52a1\"><\/a>1\u3001\u4e3a\u533a\u57df\u6dfb\u52a0\u670d\u52a1<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=<\/span><span class=\"str\">\"ipsec\"<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"2\u3001\u5141\u8bb8 AH \u548c ESP \u8eab\u4efd\u9a8c\u8bc1\u534f\u8bae\u548c\u52a0\u5bc6\u534f\u8bae\u901a\u8fc7\u9632\u706b\u5899\"><\/a>2\u3001\u5141\u8bb8 AH \u548c ESP \u8eab\u4efd\u9a8c\u8bc1\u534f\u8bae\u548c\u52a0\u5bc6\u534f\u8bae\u901a\u8fc7\u9632\u706b\u5899<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"com\"># ESP (the encrypted data packets)<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span 
class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rich<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule<\/span><span class=\"pun\">=<\/span><span class=\"str\">'rule protocol value=\"esp\" accept'<\/span><\/code><\/li>\n<li class=\"L2\"><code class=\"language-shell\"><span class=\"com\"># AH (authenticated headers)<\/span><\/code><\/li>\n<li class=\"L3\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rich<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule<\/span><span class=\"pun\">=<\/span><span class=\"str\">'rule protocol value=\"ah\" accept'<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"3\u3001\u5f00\u653e 500 \u548c 4500 \u7aef\u53e3\"><\/a>3\u3001\u5f00\u653e 500 \u548c 4500 \u7aef\u53e3<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"com\"># IKE  (security associations)<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"lit\">500<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">udp<\/span><\/code><\/li>\n<li class=\"L2\"><code class=\"language-shell\"><span class=\"com\"># IKE NAT Traversal (IPsec between natted devices)<\/span><\/code><\/li>\n<li 
class=\"L3\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"lit\">4500<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">udp<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"4\u3001\u542f\u7528 IP \u4f2a\u88c5\"><\/a>4\u3001\u542f\u7528 IP \u4f2a\u88c5<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rich<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule<\/span><span class=\"pun\">=<\/span><span class=\"str\">'rule family=\"ipv4\" source address=\"10.1.0.0\/16\" masquerade'<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"5\u3001\u6dfb\u52a0 nat \u8f6c\u53d1\"><\/a>5\u3001\u6dfb\u52a0 nat \u8f6c\u53d1<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rich<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule<\/span><span class=\"pun\">=<\/span><span class=\"str\">'rule family=\"ipv4\" source address=\"10.1.0.0\/16\" forward-port port=\"4500\" protocol=\"udp\" to-port=\"4500\"'<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span 
class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rich<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule<\/span><span class=\"pun\">=<\/span><span class=\"str\">'rule family=\"ipv4\" source address=\"10.1.0.0\/16\" forward-port port=\"500\" protocol=\"udp\" to-port=\"500\"'<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"6\u3001\u91cd\u65b0\u52a0\u8f7d\u9632\u706b\u5899\u914d\u7f6e\"><\/a>6\u3001\u91cd\u65b0\u52a0\u8f7d\u9632\u706b\u5899\u914d\u7f6e<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">reload<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"7\u3001\u663e\u793a\u6240\u6709\u516c\u5171\u533a\u57df\uff08public\uff09\"><\/a>7\u3001\u663e\u793a\u6240\u6709\u516c\u5171\u533a\u57df\uff08public\uff09<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">list<\/span><span class=\"pun\">-<\/span><span class=\"pln\">all<\/span><\/code><\/li>\n<\/ol>\n<p>\u67e5\u770b\u4e0a\u9762\u547d\u4ee4\u6267\u884c\u7ed3\u679c\u3002<\/p>\n<h3><a class=\"reference-link\" name=\"\u516d\u3001strongSwan \u670d\u52a1\u64cd\u4f5c\"><\/a>\u516d\u3001strongSwan \u670d\u52a1\u64cd\u4f5c<\/h3>\n<hr \/>\n<h5><a class=\"reference-link\" name=\"1\u3001\u4f7f\u7528 strongswan \u81ea\u8eab\u7684\u547d\u4ee4\"><\/a>1\u3001\u4f7f\u7528 strongswan \u81ea\u8eab\u7684\u547d\u4ee4<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"com\"># 
\u505c\u6b62\u670d\u52a1<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"pln\">strongswan stop<\/span><\/code><\/li>\n<li class=\"L2\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L3\"><code class=\"language-shell\"><span class=\"com\"># \u67e5\u770b\u662f\u5426\u8fde\u63a5\u4e86\u5ba2\u6237\u7aef<\/span><\/code><\/li>\n<li class=\"L4\"><code class=\"language-shell\"><span class=\"pln\">strongswan status<\/span><\/code><\/li>\n<li class=\"L5\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L6\"><code class=\"language-shell\"><span class=\"com\"># \u67e5\u770b\u547d\u4ee4\u5e2e\u52a9<\/span><\/code><\/li>\n<li class=\"L7\"><code class=\"language-shell\"><span class=\"pln\">strongswan <\/span><span class=\"pun\">--<\/span><span class=\"pln\">help<\/span><\/code><\/li>\n<\/ol>\n<h5><a class=\"reference-link\" name=\"2\u3001\u4f7f\u7528 systemctl \u547d\u4ee4\"><\/a>2\u3001\u4f7f\u7528 systemctl \u547d\u4ee4<\/h5>\n<ol class=\"linenums\">\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"com\"># \u8bbe\u7f6e\u5f00\u673a\u542f\u52a8 strongswan \u670d\u52a1<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><span class=\"pln\">systemctl enable strongswan<\/span><\/code><\/li>\n<li class=\"L2\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L3\"><code class=\"language-shell\"><span class=\"com\"># \u542f\u52a8\u670d\u52a1<\/span><\/code><\/li>\n<li class=\"L4\"><code class=\"language-shell\"><span class=\"pln\">systemctl start strongswan<\/span><\/code><\/li>\n<li class=\"L5\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L6\"><code class=\"language-shell\"><span class=\"com\"># \u505c\u6b62\u670d\u52a1<\/span><\/code><\/li>\n<li class=\"L7\"><code class=\"language-shell\"><span class=\"pln\">systemctl stop strongswan<\/span><\/code><\/li>\n<li class=\"L8\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L9\"><code 
class=\"language-shell\"><span class=\"com\"># \u91cd\u542f\u670d\u52a1<\/span><\/code><\/li>\n<li class=\"L0\"><code class=\"language-shell\"><span class=\"pln\">systemctl restart strongswan<\/span><\/code><\/li>\n<li class=\"L1\"><code class=\"language-shell\"><\/code><\/li>\n<li class=\"L2\"><code class=\"language-shell\"><span class=\"com\"># \u67e5\u770b\u670d\u52a1\u72b6\u6001<\/span><\/code><\/li>\n<li class=\"L3\"><code class=\"language-shell\"><span class=\"pln\">systemctl status strongswan<\/span><\/code><\/li>\n<\/ol>\n<p><em>\u6ce8\u610f\uff0c\u5982\u679c\u4f7f\u7528<code>strongswan restart<\/code>\u547d\u4ee4\u91cd\u542f strongSwan \u540e\uff0c\u518d\u7528<code>systemctl status strongswan<\/code>\u547d\u4ee4\u5f97\u4e0d\u5230\u6b63\u786e\u7684\u8fd0\u884c\u72b6\u6001\u3002<\/em><\/p>\n<p>\u81f3\u6b64\uff0c\u670d\u52a1\u7aef\u914d\u7f6e\u5df2\u5b8c\u6210\u3002<\/p>\n<h3><a class=\"reference-link\" name=\"\u4e03\u3001\u5ba2\u6237\u7aef\u914d\u7f6e\"><\/a>\u4e03\u3001\u5ba2\u6237\u7aef\u914d\u7f6e<\/h3>\n<hr \/>\n<h4><a class=\"reference-link\" name=\"IOS \u7cfb\u7edf\"><\/a>IOS \u7cfb\u7edf<\/h4>\n<p>\u5148\u5bfc\u5165 CA \u8bc1\u4e66\uff0c\u5c06\u4e4b\u524d\u521b\u5efa\u7684<code>ca.cert.pem<\/code>\u7528 FTP \u5bfc\u51fa\uff0c\u5199\u90ae\u4ef6\u4ee5\u9644\u4ef6\u7684\u65b9\u5f0f\u53d1\u5230\u90ae\u7bb1, \u5728 IOS \u6d4f\u89c8\u5668\u767b\u5f55\u90ae\u7bb1\uff0c\u4e0b\u8f7d\u9644\u4ef6\uff0c\u5b89\u88c5 CA \u8bc1\u4e66\u3002<\/p>\n<h5><a class=\"reference-link\" name=\"1\u3001\u4f7f\u7528 IKEv2 + EAP \u8ba4\u8bc1\"><\/a>1\u3001\u4f7f\u7528 IKEv2 + EAP \u8ba4\u8bc1<\/h5>\n<p>\u627e\u5230\u624b\u673a\u4e0a\u201c\u8bbe\u7f6e-&gt;VPN-&gt;\u6dfb\u52a0\u914d\u7f6e\u201d\uff0c\u9009 IKEv2 \u3002<\/p>\n<ul>\n<li>\u63cf\u8ff0\uff1a\u968f\u4fbf\u586b<\/li>\n<li>\u670d\u52a1\u5668\uff1a\u586b URL \u6216 IP<\/li>\n<li>\u8fdc\u7a0b 
ID\uff1a<code>ipsec.conf<\/code>\u00a0\u4e2d\u7684\u00a0<code>leftid<\/code><\/li>\n<li>\u7528\u6237\u9274\u5b9a\uff1a\u7528\u6237\u540d<\/li>\n<li>\u7528\u6237\u540d\uff1aEAP \u9879\u7528\u6237\u540d<\/li>\n<li>\u5bc6\u7801\uff1aEAP \u9879\u5bc6\u7801<\/li>\n<\/ul>\n<h5><a class=\"reference-link\" name=\"2\u3001\u4f7f\u7528 IKEv2 + \u5ba2\u6237\u7aef\u8bc1\u4e66 \u8ba4\u8bc1\"><\/a>2\u3001\u4f7f\u7528 IKEv2 + \u5ba2\u6237\u7aef\u8bc1\u4e66 \u8ba4\u8bc1<\/h5>\n<p>\u628a\u4e4b\u524d\u7684 .p12 \u8bc1\u4e66\uff08\u91cc\u9762\u5305\u542b CA \u8bc1\u4e66\uff09\u53d1\u5230\u90ae\u7bb1\u5728\u624b\u673a\u4e0a\u6253\u5f00\u3002\u5bfc\u5165\u5230\u624b\u673a\uff08\u6b64\u65f6\u9700\u8981\u4e4b\u524d\u8bbe\u7f6e\u7684\u8bc1\u4e66\u5bc6\u7801\uff09\u3002<\/p>\n<p>\u627e\u5230\u624b\u673a\u4e0a\u201c\u8bbe\u7f6e-&gt;VPN-&gt;\u6dfb\u52a0\u914d\u7f6e\u2019\uff0c\u9009 IKEv2 \u3002<\/p>\n<ul>\n<li>\u63cf\u8ff0\uff1a\u968f\u4fbf\u586b<\/li>\n<li>\u670d\u52a1\u5668\uff1a\u586b URL \u6216 IP<\/li>\n<li>\u8fdc\u7a0bID\uff1a<code>ipsec.conf<\/code>\u00a0\u4e2d\u7684\u00a0<code>leftid<\/code><\/li>\n<li>\u7528\u6237\u9274\u5b9a\uff1a\u8bc1\u4e66<\/li>\n<li>\u8bc1\u4e66\uff1a\u9009\u62e9\u5b89\u88c5\u5b8c\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66<\/li>\n<\/ul>\n<h5><a class=\"reference-link\" name=\"3\u3001\u4f7f\u7528 IKEv2 + \u9884\u8bbe\u5bc6\u94a5 \u8ba4\u8bc1\"><\/a>3\u3001\u4f7f\u7528 IKEv2 + \u9884\u8bbe\u5bc6\u94a5 \u8ba4\u8bc1<\/h5>\n<p>\u627e\u5230\u624b\u673a\u4e0a\u201c\u8bbe\u7f6e-&gt;VPN-&gt;\u6dfb\u52a0\u914d\u7f6e\u201d\uff0c\u9009 IKEv2 \u3002<\/p>\n<ul>\n<li>\u63cf\u8ff0\uff1a\u968f\u4fbf\u586b<\/li>\n<li>\u670d\u52a1\u5668\uff1a\u586b URL \u6216 IP<\/li>\n<li>\u8fdc\u7a0bID\uff1a<code>ipsec.conf<\/code>\u00a0\u4e2d\u7684\u00a0<code>leftid<\/code><\/li>\n<li>\u7528\u6237\u9274\u5b9a\uff1a\u65e0<\/li>\n<li>\u4f7f\u7528\u8bc1\u4e66\uff1a\u5173<\/li>\n<li>\u5bc6\u94a5\uff1aPSK \u9879\u5bc6\u94a5<\/li>\n<\/ul>\n<h4><a class=\"reference-link\" name=\"Windows 10\"><\/a>Windows 
10<\/h4>\n<p>\u5bfc\u5165\u8bc1\u4e66\uff1a<\/p>\n<ul>\n<li>\u5c06 CA \u6839\u8bc1\u4e66\u00a0<code>ca.cert.pem<\/code>\u00a0\u91cd\u547d\u540d\u4e3a\u00a0<code>ca.cert.crt<\/code>\uff1b<\/li>\n<li>\u53cc\u51fb\u00a0<code>ca.cert.crt<\/code>\u00a0\u5f00\u59cb\u5b89\u88c5\u8bc1\u4e66\uff1b<\/li>\n<li>\u70b9\u51fb\u5b89\u88c5\u8bc1\u4e66\uff1b<\/li>\n<li>\u201c\u5b58\u50a8\u4f4d\u7f6e\u201d\u9009\u62e9\u201c\u672c\u5730\u8ba1\u7b97\u673a\u201d\uff0c\u4e0b\u4e00\u6b65\uff1b<\/li>\n<li>\u9009\u62e9\u201c\u5c06\u6240\u6709\u7684\u8bc1\u4e66\u90fd\u653e\u5165\u4e0b\u5217\u5b58\u50a8\u533a\u201d\uff0c\u70b9\u6d4f\u89c8\uff0c\u9009\u62e9\u201c\u53d7\u4fe1\u4efb\u7684\u6839\u8bc1\u4e66\u9881\u53d1\u673a\u6784\u201d\uff0c\u786e\u5b9a\uff0c\u4e0b\u4e00\u6b65\uff0c\u5b8c\u6210\uff1b<\/li>\n<\/ul>\n<p>\u5efa\u7acb\u8fde\u63a5\uff1a<\/p>\n<ul>\n<li>\u201c\u63a7\u5236\u9762\u677f\u201d-\u201c\u7f51\u7edc\u548c\u5171\u4eab\u4e2d\u5fc3\u201d-\u201c\u8bbe\u7f6e\u65b0\u7684\u8fde\u63a5\u6216\u7f51\u7edc\u201d-\u201c\u8fde\u63a5\u5230\u5de5\u4f5c\u533a\u201d-\u201c\u4f7f\u7528\u6211\u7684 Internet \u8fde\u63a5\u201d\uff1b<\/li>\n<li>Internet \u5730\u5740\u5199\u670d\u52a1\u5668 IP \u6216 URL\uff1b<\/li>\n<li>\u63cf\u8ff0\u968f\u4fbf\u5199\uff1b<\/li>\n<li>\u7528\u6237\u540d\u5bc6\u7801\u5199\u4e4b\u524d\u914d\u7f6e\u7684 EAP \u7684\u90a3\u4e2a\uff1b<\/li>\n<li>\u786e\u5b9a\uff1b<\/li>\n<li>\u8f6c\u5230 \u63a7\u5236\u9762\u677f\u7f51\u7edc\u548c Internet \u7f51\u7edc\u8fde\u63a5\uff1b<\/li>\n<li>\u5728\u65b0\u5efa\u7684 VPN \u8fde\u63a5\u4e0a\u53f3\u952e\u5c5e\u6027\u7136\u540e\u5207\u6362\u5230\u201c\u5b89\u5168\u201d\u9009\u9879\u5361\uff1b<\/li>\n<li>VPN \u7c7b\u578b\u9009 IKEv2 \uff1b<\/li>\n<li>\u6570\u636e\u52a0\u5bc6\u9009\u201c\u9700\u8981\u52a0\u5bc6\u201d\uff1b<\/li>\n<li>\u8eab\u4efd\u8ba4\u8bc1\u8fd9\u91cc\u9700\u8981\u8bf4\u4e00\u4e0b\uff0c\u5982\u679c\u60f3\u8981\u4f7f\u7528 EAP \u8ba4\u8bc1\u7684\u8bdd\u5c31\u9009\u62e9\u201cMicrosoft : 
\u5b89\u5168\u5bc6\u7801(EAP-MSCHAP v2)\u201d\uff1b\u60f3\u8981\u4f7f\u7528\u79c1\u4eba\u8bc1\u4e66\u8ba4\u8bc1\u7684\u8bdd\u5c31\u9009\u62e9\u201c\u4f7f\u7528\u8ba1\u7b97\u673a\u8bc1\u4e66\u201d\uff1b<\/li>\n<li>\u518d\u5207\u6362\u5230\u201c\u7f51\u7edc\u201d\u9009\u9879\u5361\uff0c\u53cc\u51fb\u201cInternet \u534f\u8bae\u7248\u672c 4\u201d\u4ee5\u6253\u5f00\u5c5e\u6027\u7a97\u53e3\uff0c\u8fd9\u91cc\u8bf4\u4e00\u4e0b\uff0c\u5982\u679c\u4f60\u4f7f\u7528\u7684\u662f\u8001\u7248\u672c\u7684 Win10\uff0c\u53ef\u80fd\u4f1a\u6253\u4e0d\u5f00\u5c5e\u6027\u7a97\u53e3\uff0c\u8fd9\u662f\u5df2\u77e5\u7684 Bug\uff0c\u5347\u7ea7\u6700\u65b0\u7248\u672c\u5373\u53ef\u89e3\u51b3\uff1b<\/li>\n<li>\u70b9\u51fb\u201c\u9ad8\u7ea7\u201d\u6309\u94ae\uff0c\u52fe\u9009\u201c\u5728\u8fdc\u7a0b\u7f51\u7edc\u4e0a\u4f7f\u7528\u9ed8\u8ba4\u7f51\u5173\u201d\uff0c\u786e\u5b9a\u9000\u51fa\uff1b<\/li>\n<\/ul>\n<h4><a class=\"reference-link\" name=\"Windows 7 \u5bfc\u5165\u8bc1\u4e66\u7565\u6709\u4e0d\u540c\"><\/a>Windows 7 \u5bfc\u5165\u8bc1\u4e66\u7565\u6709\u4e0d\u540c<\/h4>\n<ul>\n<li>\u5f00\u59cb\u83dc\u5355\u641c\u7d22\u201ccmd\u201d\uff0c\u6253\u5f00\u540e\u8f93\u5165\u00a0<code>MMC<\/code>\uff08Microsoft 
\u7ba1\u7406\u63a7\u5236\u53f0\uff09\uff1b<\/li>\n<li>\u201c\u6587\u4ef6\u201d-\u201c\u6dfb\u52a0\/\u5220\u9664\u7ba1\u7406\u5355\u5143\u201d\uff0c\u6dfb\u52a0\u201c\u8bc1\u4e66\u201d\u5355\u5143\uff1b<\/li>\n<li>\u8bc1\u4e66\u5355\u5143\u7684\u5f39\u51fa\u7a97\u53e3\u4e2d\u4e00\u5b9a\u8981\u9009\u201c\u8ba1\u7b97\u673a\u8d26\u6237\u201d\uff0c\u4e4b\u540e\u9009\u201c\u672c\u5730\u8ba1\u7b97\u673a\u201d\uff0c\u786e\u5b9a\uff1b<\/li>\n<li>\u5728\u5de6\u8fb9\u7684\u201c\u63a7\u5236\u53f0\u6839\u8282\u70b9\u201d\u4e0b\u9009\u62e9\u201c\u8bc1\u4e66\u201d-\u201c\u53d7\u4fe1\u4efb\u7684\u6839\u8bc1\u4e66\u9881\u53d1\u673a\u6784\u201d-\u201c\u8bc1\u4e66\u201d\uff0c\u53f3\u952e\u201c\u6240\u6709\u4efb\u52a1\u201d-\u201c\u5bfc\u5165\u201d\u6253\u5f00\u8bc1\u4e66\u5bfc\u5165\u7a97\u53e3\uff1b<\/li>\n<li>\u9009\u62e9 CA \u8bc1\u4e66\u00a0<code>ca.cert.crt<\/code>\u00a0\u5bfc\u5165\u5373\u53ef\uff1b<\/li>\n<\/ul>\n<p><em>\u6ce8\u610f\uff0c\u5343\u4e07\u4e0d\u8981\u53cc\u51fb .p12 \u8bc1\u4e66\u5bfc\u5165\uff01\u56e0\u4e3a\u90a3\u6837\u4f1a\u5bfc\u5165\u5230\u5f53\u524d\u7528\u6237\u800c\u4e0d\u662f\u672c\u673a\u8ba1\u7b97\u673a\u4e2d\u3002<\/em><\/p>\n<h3><a class=\"reference-link\" name=\"\u516b\u3001\u53ef\u80fd\u9047\u5230\u7684\u95ee\u9898\"><\/a>\u516b\u3001\u53ef\u80fd\u9047\u5230\u7684\u95ee\u9898<\/h3>\n<ol>\n<li>\u5173\u4e8e Windows 10 \u7cfb\u7edf\u4e2d VPN \u80fd\u6b63\u5e38\u8fde\u63a5\uff0c\u4f46\u4e0d\u80fd\u6253\u5f00\u7f51\u9875\u7684\u60c5\u51b5\u3002\u8fd9\u4e0e\u201cVPN \u8fde\u63a5\u201d\u5c5e\u6027\u4e2d\u7684\u201c\u63a5\u53e3\u8dc3\u70b9\u6570\u201d\u8bbe\u7f6e\u6709\u5173\u3002\u8be5\u8bbe\u7f6e\u7528\u4e8e\u8bbe\u7f6e\u7f51\u7edc\u63a5\u53e3\u7684\u4f18\u5148\u7ea7\uff0c\u4f7f\u7528 cmd \u6267\u884c\u547d\u4ee4<code>route print<\/code>\u67e5\u770b\u8def\u7531\u8868\uff0c\u77e5\u9053\u5176\u4ed6\u63a5\u53e3\u7684\u8dc3\u70b9\u6570\u540e\uff0c\u6211\u4eec\u53ea\u8981\u5c06\u201cVPN 
\u8fde\u63a5\u201d\u7684\u201c\u63a5\u53e3\u8dc3\u70b9\u6570\u201d\u8bbe\u7f6e\u4f4e\u4e8e\u5b83\u4eec\u5c31\u53ef\u4ee5\u4e86\u3002\u8bbe\u7f6e\u597d\u540e\uff0c\u7f51\u7edc\u8bf7\u6c42\u4f1a\u4f18\u5148\u4f7f\u7528\u201cVPN \u8fde\u63a5\u201d\u3002<img decoding=\"async\" title=\"\u63a5\u53e3\u8dc3\u70b9\u6570\" src=\"\/wp-content\/uploads\/replace\/1a517704c868f6215cba38fb343a30eb.jpeg\" alt=\"\u63a5\u53e3\u8dc3\u70b9\u6570\" \/><br \/>\n<blockquote><p>\u56fe\u4e3a\uff1a\u63a5\u53e3\u8dc3\u70b9\u6570\u7684\u8bbe\u7f6e\u3002<\/p><\/blockquote>\n<p><img decoding=\"async\" title=\"route print\" src=\"\/wp-content\/uploads\/replace\/8f8acefbf738e77075f1b70db329a65e.jpeg\" alt=\"route print\" \/><\/p>\n<blockquote><p>\u56fe\u4e3a\uff1a<code>route print<\/code>\u547d\u4ee4\u6267\u884c\u7ed3\u679c\u3002<\/p><\/blockquote>\n<p>\u56fe\u4e2d\u201c\u63a5\u53e3\u5217\u8868\u201d\u7b2c\u4e00\u5217\uff0c\u7528\u7ea2\u8272\u5708\u51fa\u7684\u90e8\u5206\u4e3a\u8dc3\u70b9\u6570\uff0c\u5c06\u201cVPN \u8fde\u63a5\u201d\u7684\u201c\u63a5\u53e3\u8dc3\u70b9\u6570\u201d\u8bbe\u7f6e\u4e3a 10 \u5373\u53ef\u3002<\/li>\n<\/ol>\n<h3><a class=\"reference-link\" name=\"\u4e5d\u3001\u53c2\u8003\u6587\u732e\"><\/a>\u4e5d\u3001\u53c2\u8003\u6587\u732e<\/h3>\n<hr \/>\n<ul>\n<li><a title=\"strongSwan - \u5b98\u7f51\" href=\"https:\/\/www.strongswan.org\/\" target=\"_blank\" rel=\"noopener\">strongSwan - \u5b98\u7f51<\/a><\/li>\n<li><a title=\"IPSEC VPN on Centos 7 with StrongSwan\" href=\"https:\/\/raymii.org\/s\/tutorials\/IPSEC_vpn_with_CentOS_7.html\" target=\"_blank\" rel=\"noopener\">IPSEC VPN on Centos 7 with StrongSwan<\/a><\/li>\n<li><a title=\"CentOS 7 \u914d\u7f6e IPSec-IKEv2 VPN, \u9002\u7528\u4e8e ios, mac os, windows, linux.\" href=\"https:\/\/blog.itnmg.net\/2015\/04\/03\/centos7-ipsec-vpn\/\" target=\"_blank\" rel=\"noopener\">CentOS 7 \u914d\u7f6e IPSec-IKEv2 VPN, \u9002\u7528\u4e8e ios, mac os, windows, linux.<\/a><\/li>\n<li><a title=\"\u5728\u963f\u91cc\u4e91 CentOS 
7\u4e0a\u4f7f\u7528strongswan\u642d\u5efaIKEv2 VPN\" href=\"https:\/\/blog.csdn.net\/wengzilai\/article\/details\/78707134\" target=\"_blank\" rel=\"noopener\">\u5728\u963f\u91cc\u4e91 CentOS 7\u4e0a\u4f7f\u7528strongswan\u642d\u5efaIKEv2 VPN<\/a><\/li>\n<li><a title=\"\u4e00\u952e\u642d\u5efa\u9002\u7528\u4e8eUbuntu\/CentOS\u7684IKEV2\/L2TP\u7684VPN\" href=\"https:\/\/github.com\/quericy\/one-key-ikev2-vpn\" target=\"_blank\" rel=\"noopener\">\u4e00\u952e\u642d\u5efa\u9002\u7528\u4e8eUbuntu\/CentOS\u7684IKEV2\/L2TP\u7684VPN<\/a><\/li>\n<\/ul>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u5728 CentOS 7 \u4e2d\u4f7f\u7528 strongSwan \u642d\u5efa IKEv2 VPN \u672c\u6587\u4ecb\u7ecd\u5728 CentOS 7 \u7cfb\u7edf\u4e2d\u4f7f\u7528 strongSwan \u5f00\u6e90\u8f6f\u4ef6\u642d\u5efa IKEv2 \u65b9\u5f0f\u7684 VPN \u914d\u7f6e\u3002 \u672c\u6587\u6d89\u53ca\u5230\u7684\u5404\u9879\u7cfb\u7edf\u53ca\u8f6f\u4ef6\u7248\u672c\uff1a \u670d\u52a1\u7aef\u7cfb\u7edf\uff1aC [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,8],"tags":[43],"topic":[39],"class_list":["post-184","post","type-post","status-publish","format-standard","hentry","category-linux","category-8","tag-vpn","topic-vpn"],"_links":{"self":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts\/184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=184"}],"version-history":[{"count":3,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts\/184\/revisions"}],"prede
cessor-version":[{"id":190,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts\/184\/revisions\/190"}],"wp:attachment":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=184"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftopic&post=184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}