背景:方便在外面连接家中网络         
软件环境 OpenWrt SNAPSHOT, r27700 / Linux OpenWrt 6.6.54 / Strongswan 5.9.14     
配置 /etc/config/ipsec   
```
# strongSwan (swanctl) UCI configuration for a road-warrior responder on OpenWrt.
# Clients get an address from the 'ipv4addr' pool; traffic is carried over an
# XFRM interface (if_id 666) instead of policy-based routes (see the tunnel section).
config 'ipsec'
        # Only accept IKE on the 'wan' interface.
        list listen 'wan'
        # Firewall zone for IPsec traffic. NOTE(review): the matching zone in
        # /etc/config/firewall is not shown on this page — confirm it exists.
        option 'zone' 'ssvpn'

# Peer definition: 'gateway any' lets any remote address initiate (road-warrior mode).
config 'remote' 'acme'
        option 'enabled' '1'
        option 'gateway' 'any'
        # The responder authenticates itself with the certificate/key below.
        # NOTE(review): the secrets file later on this page defines an EAP user, but no
        # EAP method for client authentication is set here — confirm the remote
        # authentication setting matches how clients are meant to log in.
        option 'authentication_method' 'pubkey'
        option 'local_gateway' 'xyz.mydomain.cn'
        # Certificate and key are referenced by file name (host name is a placeholder).
        option 'local_cert' 'xyz.mydomain.cn.cer'
        option 'local_key' 'xyz.mydomain.cn.key'
        # IKE SA rekey interval and number of keying retries.
        option 'rekeytime' '6h'
        option 'keyingretries' '3'
        # MOBIKE keeps the SA alive when a mobile client changes address.
        option 'mobike' '1'
        # IKE fragmentation avoids oversized UDP packets during the certificate exchange.
        option 'fragmentation' 'yes'
        # NOTE(review): 'ikef' is not a recognised keyexchange value (expected
        # 'ike', 'ikev1' or 'ikev2'); this looks like a typo — confirm before deploying.
        option 'keyexchange' 'ikef'
        option 'local_identifier' 'xyz.mydomain.cn'
        # Dead-peer-detection action is set on the tunnel section ('sstun') instead.
        #option 'dpdaction' 'clear'
        # Wildcard IPv4/IPv6 entries. NOTE(review): confirm what this option maps to in
        # the swanctl init script of this OpenWrt revision; on a responder handing out a
        # pool it may not be needed.
        list 'local_sourceip' '0.0.0.0'
        list 'local_sourceip' '::'
        # IKE proposals offered, in order of preference.
        list 'crypto_proposal' 'ike_proposal1'
        list 'crypto_proposal' 'ike_proposal2'
        list 'tunnel' 'sstun'
        # Address pool assigned to connecting clients.
        list 'pools' 'ipv4addr'

# IKE proposal 1: AEAD cipher, so no separate integrity algorithm is listed.
config 'crypto_proposal' 'ike_proposal1'
        option 'encryption_algorithm' 'chacha20poly1305'
        option 'dh_group' 'curve25519'
        option 'prf_algorithm' 'prfsha512'

# IKE proposal 2: AES-256-GCM with a 16-byte ICV, same DH group and PRF as above.
config 'crypto_proposal' 'ike_proposal2'
        option 'encryption_algorithm' 'aes256gcm16'
        option 'dh_group' 'curve25519'
        option 'prf_algorithm' 'prfsha512'

# we don't specify subnets because we're going to use XFRM-interfaced based routes instead
# (the subnet lists below are still needed as IPsec traffic selectors; routing is done
# via the XFRM interface bound to if_id 666, which must exist outside this file).
config 'tunnel' 'sstun'
        # Local traffic selector: everything is reachable through the tunnel.
        list 'local_subnet' '0.0.0.0/0'
        #list 'remote_subnet' '0.0.0.0/0'
        # 'dynamic' resolves to the virtual IP assigned to the client; 224.0.0.0/4
        # additionally permits multicast through the tunnel.
        list 'remote_subnet' 'dynamic'
        list 'remote_subnet' '224.0.0.0/4'
        # XFRM interface id; the xfrm interface with this id is not shown on this page.
        option 'if_id' '666'
        # Child SA rekey interval; clear the SA when the peer stops answering DPD.
        option 'rekeytime' '1h'
        option 'dpdaction' 'clear'
        # As a responder, do not initiate or re-establish the child SA ourselves.
        option 'startaction' 'none'
        option 'closeaction' 'none'
        # ESP proposals offered, in order of preference.
        list   'crypto_proposal' 'esp_proposal1'
        list   'crypto_proposal' 'esp_proposal2'

# ESP proposal 1: AEAD cipher with PFS via x25519.
config 'crypto_proposal' 'esp_proposal1'
        option 'encryption_algorithm' 'chacha20poly1305'
        option 'dh_group' 'x25519'

# ESP proposal 2: AES-256-GCM with PFS via MODP-2048.
# NOTE(review): 'aes256gcm' carries no ICV length, unlike 'aes256gcm16' used for IKE
# above — confirm the alias is accepted on this strongSwan version.
config 'crypto_proposal' 'esp_proposal2'
        option 'encryption_algorithm' 'aes256gcm'
        option 'dh_group' 'modp2048'

# Virtual IP pool and DNS server pushed to clients.
config 'pools' 'ipv4addr'
        option 'addrs' '192.168.166.0/24'
        list 'dns' '192.168.163.1'
```

配置 VPN 用户 /etc/swanctl/conf.d/10.EAP_MSCHAPf.users.conf
```
# swanctl EAP credential file (loaded from /etc/swanctl/conf.d/).
# The password is stored in cleartext: keep this file readable by root only and
# treat the value shown here as a sample to be replaced before use.
secrets {
    eap-user1 {
        # EAP identity the client presents at login.
        id = user1
        secret = "user11980#"
    }
}

```