Quickly Setting Up iOS-Compatible IPsec on CentOS 7

Original link: https://www.cnblogs.com/WanAn/p/centos_ipsec.html

Install strongSwan

yum install -y http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install -y strongswan

Configure the conf file

vim /etc/strongswan/ipsec.conf

config setup
    cachecrls=yes
    uniqueids=yes
 
conn default
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.2/24
    rightdns=8.8.8.8
    auto=add

Configure the users file

vim /etc/strongswan/ipsec.secrets
: PSK "your share key"
noodles1 : XAUTH "your pwd"
noodles2 : XAUTH "your pwd"

Configure firewalld and NAT forwarding

# Enable IP forwarding in the kernel
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf 
sysctl -p 

# Allow IP masquerading
firewall-cmd --permanent --zone=public --add-masquerade

# nat
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING  -j MASQUERADE -s 10.0.0.0/8

# Allow the IPsec service ports
firewall-cmd --zone=public --add-port=500/udp --permanent
firewall-cmd --zone=public --add-port=4500/udp --permanent

firewall-cmd --reload

Start the service and enable it at boot

systemctl enable strongswan
systemctl restart strongswan

iOS connection test

[Screenshots 1 and 2: iOS connection test]
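Added example (not part of the original post): a shell lint for /etc/strongswan/ipsec.secrets that flags the placeholder values shown above, short secrets, secrets shared between entries, and a file mode other than 600, without printing any secret. MIN_LEN, the "your ..." placeholder pattern and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint an ipsec.secrets file in the format used on this page.
# MIN_LEN and the "your ..." placeholder pattern are assumptions of this example.
MIN_LEN=${MIN_LEN:-20}

# Print a fresh 32-character random secret (24 bytes from /dev/urandom).
new_secret() { head -c 24 /dev/urandom | base64; }

# The secrets file as published on this page (placeholders included).
sample_secrets() {
cat <<'EOF'
: PSK "your share key"
noodles1 : XAUTH "your pwd"
noodles2 : XAUTH "your pwd"
EOF
}

# Report weak entries without echoing any secret; return 1 if anything is found.
lint_secrets() {
    file=$1
    rc=0
    findings=$(awk -F'"' -v min="$MIN_LEN" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        $1 ~ /:[ \t]*(PSK|XAUTH)[ \t]*$/ {
            type = ($1 ~ /PSK[ \t]*$/) ? "PSK" : "XAUTH"
            id = $1; sub(/[ \t]*:.*/, "", id); if (id == "") id = "(any)"
            s = $2
            if (tolower(s) ~ /^your /) print "PLACEHOLDER: " type " for " id
            else if (length(s) < min)  print "SHORT: " type " for " id
            if (s in seen)             print "REUSED: " id " shares a secret with " seen[s]
            else                       seen[s] = id
        }' "$file")
    # Cleartext credentials: only the owner should be able to read the file.
    if [ -z "$(find "$file" -prune -perm 600)" ]; then
        echo "MODE: $file is not mode 600"; rc=1
    fi
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; rc=1; fi
    return $rc
}

# Demo on the published sample: three PLACEHOLDER lines and one REUSED line.
demo=$(mktemp); sample_secrets > "$demo"; chmod 600 "$demo"
lint_secrets "$demo" || true
rm -f "$demo"
```

Replace each quoted value with the output of new_secret, then run lint_secrets /etc/strongswan/ipsec.secrets before starting the service.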
