服务器端配置:

/etc/ipsec.conf

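version 2.0
config setup
    # IKE/ESP encapsulation through NAT; needed for the road-warrior and L2TP clients
    # that reach this host from behind a NAT device
    nat_traversal=yes
    # Inner (virtual) address ranges a NAT'd client using rightsubnet=vhost:%priv may claim.
    # This host's own networks -- the LAN behind it (leftsubnet of conn road, 192.168.3.0/24)
    # and the subnet its own address lives on (192.168.1.0/24) -- are excluded with %v4:!
    # so a client cannot claim an address that collides with local routes.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.3.0/24,%v4:!192.168.1.0/24
    # Opportunistic encryption off: only the explicitly defined conns below are used
    oe=off
    protostack=netkey
    interfaces=%defaultroute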
conn %default
     # Settings inherited by every conn in this file unless the conn overrides them
     keyingtries=1
     disablearrivalcheck=no
     # RSA-signature authentication; both ends take their public key from the X.509
     # certificate named by leftcert/rightcert rather than from an inline key
     authby=rsasig
     leftrsasigkey=%cert
     rightrsasigkey=%cert
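conn road
     # Certificate-authenticated tunnel: this host and its LAN (left) <-> the peer (right),
     # which may connect from any address
     left=192.168.1.176
     leftid="C=ZH,ST=HB,L=WH,O=secway1,OU=secway1,CN=secway1,[email protected],+S=C"
     leftsubnet=192.168.3.0/24
     leftcert=/etc/ipsec.d/certs/0.pem
     right=%any
     rightnexthop=%defaultroute
     # rightid names the PEER's certificate subject (secway2, the peer's leftid), not this
     # host's own DN; with rightid set to this host's own DN the identity the peer presents
     # is expected not to match and the conn would not be selected.
     rightid="C=ZH,ST=HB,L=WH,O=secway2,OU=secway2,CN=secway2,[email protected],+S=C"
     # NOTE(review): pfs=no disables Perfect Forward Secrecy for the Phase 2 keys; both
     # ends of this conn currently set it, so change it on both sides together.
     pfs=no
     auto=add
     compress=no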
 
conn L2TP-PSK-NAT
     # Variant of L2TP-PSK-noNAT for a client behind NAT: the client's inner address may be
     # any address permitted by virtual_private in config setup
     rightsubnet=vhost:%priv
     # Everything else comes from the noNAT conn below
     also=L2TP-PSK-noNAT
 
conn L2TP-PSK-noNAT
     # Transport-mode IPsec protecting L2TP (UDP 1701) on this host; the client may use
     # any source port and connect from any address
     type=transport
     left=192.168.1.176
     leftprotoport=17/1701
     right=%any
     rightprotoport=17/%any
     # Pre-shared-key authentication; the key itself lives in /etc/ipsec.secrets
     authby=secret
     auto=add
     # Phase 1 / Phase 2 lifetimes and retry count
     ikelifetime=8h
     keylife=1h
     keyingtries=3
     # NOTE(review): pfs=no and rekey=no both reduce key freshness; keep them only if the
     # client actually requires them.
     pfs=no
     rekey=no

/etc/ipsec.secrets:

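# Pre-shared key used by the L2TP-PSK-NAT / L2TP-PSK-noNAT conns. It is shared with
# every client that connects (right=%any), so it must be a long random string, not a
# short numeric value such as "1234"; keep this file readable by root only.
192.168.1.176 %any: PSK "<REPLACE-WITH-LONG-RANDOM-PSK>"
# RSA private key for conn road (presumably the key matching /etc/ipsec.d/certs/0.pem);
# the trailing "" is an empty key passphrase
: RSA /etc/ipsec.d/private/0.key ""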

 

x.509证书认证的right端:

# Right (client) side configuration
version 2.0

config setup
    # Kernel IPsec stack and listening interface
    protostack=netkey
    interfaces=%defaultroute
    # Allow IKE/ESP through NAT; no opportunistic encryption
    nat_traversal=yes
    oe=off
   
conn %default
     # Defaults applied to every conn below
     disablearrivalcheck=no
     keyingtries=1
     # Both peers authenticate with RSA signatures taken from their X.509 certificates
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     authby=rsasig
conn road
     # Client end of the certificate-authenticated tunnel to the server at 192.168.1.176
     # and the LAN behind it
     right=192.168.1.176
     rightsubnet=192.168.3.0/24
     rightid="C=ZH,ST=HB,L=WH,O=secway1,OU=secway1,CN=secway1,[email protected],+S=C"
     rightcert=/etc/ipsec.d/certs/0.pem
     # This host's own identity and certificate
     left=192.168.1.177
     leftid="C=ZH,ST=HB,L=WH,O=secway2,OU=secway2,CN=secway2,[email protected],+S=C"
     leftcert=/etc/ipsec.d/certs/1.pem
     #leftsubnet=192.168.3.0/24
     compress=no
     auto=add
     # NOTE(review): pfs=no disables Perfect Forward Secrecy for the Phase 2 keys; the server
     # side sets it as well, so enable it on both ends together.
     pfs=no
 

 

 

此配置同时支持 iPhone 4 的 PSK 认证以及 right 端的 X.509 证书认证。