Use strongSwan to build an IPsec server based on IKEv2 EAP-MSCHAPv2

sudo apt-get install strongswan strongswan-pki strongswan-plugin-eap-mschapv2 strongswan-plugin-xauth-generic
The package names differ between system versions, but the first one (strongswan) must be installed in every case.
EAP-MSCHAPv2 authentication still requires a server certificate (no client certificate is needed), but the CA that issued the server certificate must be in the client's trust list. If the certificate is self-signed, the client must trust that CA explicitly. The claim found on the Internet that no certificate is needed is misleading; I went around in circles because of it when I configured this. Only when the server certificate is issued by a CA the client already trusts can the client be exempted from installing a certificate.
First generate the required certificates:
ipsec pki --gen > caKey.der
ipsec pki --self --in caKey.der --dn "C=CN, O=youtuosoft, CN=192.168.5.105" --ca > caCert.der
ipsec pki --gen > serverKey.der
ipsec pki --pub --in serverKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=CN, O=youtuosoft, CN=192.168.5.105" --san 192.168.5.105 --flag serverAuth --flag ikeIntermediate > serverCert.der
A domain name or host name can be used for the CN and SAN instead of an IP address.
Install the certificates
CA certificate. The CA certificate must also be installed in the client's trusted root certificate list, otherwise connecting to the VPN fails with error 13801: IKE authentication credential not acceptable.
sudo cp caCert.der /etc/ipsec.d/cacerts/
Server certificate
sudo cp serverCert.der /etc/ipsec.d/certs/
Private key
sudo cp serverKey.der /etc/ipsec.d/private/
Configure /etc/ipsec.conf (the parameters of a conn section must be indented):
conn ikev2_mschapv2
    type=tunnel
    keyexchange=ikev2
    left=192.168.5.105
    leftid=192.168.5.105
    leftauth=pubkey
    leftcert=serverCert.der
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=192.168.7.0/24
    rightsendcert=never
    rightdns=8.8.4.4,114.114.114.114
    mobike=yes
    auto=add
Configure /etc/ipsec.secrets (the server's RSA key, then one EAP user with password):
: RSA serverKey.der
test %any : EAP "12345678"
Then restart strongSwan:
ipsec restart
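The following POSIX shell script is an added example, not part of the original post, that does a pre-flight check of the setup above before clients try to connect. It checks the things that produce the client-side 13801 error: that the server certificate chains to the CA the client will be given, that leftid appears in the certificate's subjectAltName, that the certificate carries the serverAuth extended key usage, and that ipsec.conf uses leftauth=pubkey, rightauth=eap-mschapv2 and leftsendcert=always. It uses openssl (assumed to be installed) instead of ipsec pki so it runs on a machine without strongSwan; the CA, server certificate and ipsec.conf it creates are constructed test data in a temporary directory, and the function names (check_vpn_config, conf_get and the others) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for a strongSwan
# IKEv2 + EAP-MSCHAPv2 server. Uses openssl as a stand-in for `ipsec pki`;
# all certificates and the ipsec.conf files below are constructed test data.
set -eu

# Build a constructed CA and a server certificate signed by it (stand-in for the
# `ipsec pki --self` / `ipsec pki --issue` steps). $1 = output dir, $2 = server address.
make_test_certs() {
  dir=$1; addr=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=CN/O=youtuosoft/CN=Test CA" \
    -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/C=CN/O=youtuosoft/CN=$addr" \
    -keyout "$dir/serverKey.pem" -out "$dir/server.csr" >/dev/null 2>&1
  # The two extensions the original commands add with --san and --flag serverAuth.
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$addr" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" \
    -out "$dir/serverCert.pem" >/dev/null 2>&1
}

# Write a constructed ipsec.conf conn section. $1 = file, $2 = leftid to use.
write_test_conf() {
  cat > "$1" <<EOF
conn ikev2_mschapv2
    keyexchange=ikev2
    left=192.168.5.105
    leftid = $2
    leftauth=pubkey
    leftcert=serverCert.pem
    leftsendcert=always
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=192.168.7.0/24
EOF
}

# Read one key from ipsec.conf, tolerating spaces around '='. $1 = file, $2 = key.
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds if the certificate's SAN lists the id as an IP address or DNS name. $1 = cert, $2 = id.
san_contains() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "(IP Address|DNS):$esc(,|\$|[[:space:]])"
}

# Succeeds if the certificate carries the serverAuth extended key usage. $1 = cert.
has_server_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Run every check, print findings, return 0 only if all pass. $1 = ipsec.conf, $2 = cert dir.
check_vpn_config() {
  conf=$1; dir=$2; rc=0
  cert="$dir/$(conf_get "$conf" leftcert)"; id=$(conf_get "$conf" leftid)
  if openssl verify -CAfile "$dir/caCert.pem" "$cert" >/dev/null 2>&1; then
    echo "ok:   $cert chains to caCert.pem"
  else echo "FAIL: $cert does not chain to caCert.pem (client will reject it)"; rc=1; fi
  if san_contains "$cert" "$id"; then echo "ok:   leftid $id is in subjectAltName"
  else echo "FAIL: leftid $id is not in subjectAltName"; rc=1; fi
  if has_server_auth "$cert"; then echo "ok:   certificate has serverAuth EKU"
  else echo "FAIL: certificate lacks serverAuth EKU"; rc=1; fi
  for want in leftauth=pubkey rightauth=eap-mschapv2 leftsendcert=always; do
    k=${want%%=*}; v=${want#*=}
    if [ "$(conf_get "$conf" "$k")" = "$v" ]; then echo "ok:   $want"
    else echo "FAIL: expected $want, got $k=$(conf_get "$conf" "$k")"; rc=1; fi
  done
  return $rc
}

# Demo data in a temp dir: a good conn, and one whose leftid does not match the SAN.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_certs "$WORK" 192.168.5.105
write_test_conf "$WORK/good.conf" 192.168.5.105
write_test_conf "$WORK/bad.conf" 192.168.5.106
check_vpn_config "$WORK/good.conf" "$WORK"
check_vpn_config "$WORK/bad.conf" "$WORK" || echo "bad.conf rejected as expected"
```

On a real server, point check_vpn_config at /etc/ipsec.conf and /etc/ipsec.d/certs after converting the DER files to PEM (openssl x509 -inform der -in serverCert.der -out serverCert.pem); the leftid mismatch case is the one that most often produces error 13801 when the CA itself is already trusted.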
On the client, install the CA certificate: on Windows, import caCert.der into the trusted root certificate store. On iPhone, the certificate has to be sent as an email attachment or placed on an HTTP server, then opened and installed.
Most of the difficulty in configuring IKEv2 comes from certificate problems. In addition, EAP-MSCHAPv2 is not supported by default on older system versions, and additional packages need to be installed.
IKEv2 can use rightsourceip to assign a virtual IP to the client. Unlike PPTP and L2TP, only the client gets a virtual IP; the server does not.