1.yum install -y wget
2.wget http://download.strongswan.org/strongswan.tar.gz
（注意：此處以明文 HTTP 下載，且未驗證檔案完整性；編譯安裝前建議改用 HTTPS 下載，並以官方發佈的簽名或校驗和核對壓縮包。）
3.tar zxvf strongswan*
4.cd strongswan*
5.yum install -y make gcc gmp-devel openssl openssl-devel
6.make && sudo make install（注意：須先完成第 7 步的 ./configure 產生 Makefile，之後才能執行本步驟）
7../configure --sysconfdir=/etc --disable-sql --disable-mysql --disable-ldap --enable-dhcp --enable-eap-identity --enable-eap-mschapv2 --enable-md4 --enable-xauth-eap --enable-eap-peap --enable-eap-md5 --enable-openssl --enable-shared --enable-unity --enable-eap-tls --enable-eap-ttls --enable-eap-tnc --enable-eap-dynamic --enable-addrblock --enable-radattr --enable-nat-transport --enable-kernel-netlink --enable-kernel-libipsec
8.vi /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
uniqueids = no
# Add connections here.
# Sample VPN connections
conn IPsec_xauth_psk
keyexchange=ikev1
left=192.168.0.8
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.0.0.0/24
auto=add
conn %default
keyexchange=ikev1
dpdaction=hold
dpddelay=600s
dpdtimeout=5s
lifetime=24h
ikelifetime=240h
rekey=no
left=192.168.0.8
leftsubnet=0.0.0.0/0
leftcert=***HostCert.pem ###「***」爲被網站過濾掉的字元，請換成你實際的服務器憑證檔名
leftsendcert=always
right=%any
rightdns=8.8.8.8
rightsourceip=10.0.0.0/24
其中的兩處left=192.168.0.8需要修改爲你的服務器IP地址
9.vi /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
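: PSK "SECRET" ##SECRET 爲預共享密鑰(PSK)，請換成足夠長的隨機字串，勿沿用範例值
username : XAUTH "userpassword"
（username 與 userpassword 爲 XAUTH 登入帳號與密碼，同樣需自行替換。此檔案以明文保存密鑰與密碼，應僅允許 root 讀寫，例如 chmod 600 /etc/ipsec.secrets。）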
10.檢查防火牆配置
vi /usr/lib/firewalld/services/ipsec.xml
（/usr/lib/firewalld/ 下是套件提供的預設檔，此處僅供查看；若需修改，請先複製到 /etc/firewalld/services/ 再改，以免套件升級時被覆蓋。）
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPsec</short>
<description>Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option.</description>
<port protocol="ah" port=""/>
<port protocol="esp" port=""/>
<port protocol="udp" port="500"/>
<port protocol="udp" port="4500"/>
</service>
~
11.firewall-cmd --permanent --add-service=ipsec
12.firewall-cmd --permanent --add-masquerade
13.firewall-cmd --reload