
update strongswan

This commit is contained in:
kev
2016-06-28 04:30:22 +08:00
parent e7f692539b
commit e3d74a622e
3 changed files with 14 additions and 31 deletions


@@ -18,7 +18,6 @@ strongswan:
- 500:500/udp - 500:500/udp
- 4500:4500/udp - 4500:4500/udp
volumes: volumes:
- ./log:/var/log
- /lib/modules:/lib/modules - /lib/modules:/lib/modules
- /etc/localtime:/etc/localtime - /etc/localtime:/etc/localtime
environment: environment:
@@ -37,7 +36,7 @@ strongswan:
```bash ```bash
docker-compose up -d docker-compose up -d
docker cp strongswan_strongswan_1:/etc/ipsec.d/client.mobileconfig . docker cp strongswan_strongswan_1:/etc/ipsec.d/client.mobileconfig .
tail -f log/charon.log docker-compose logs -f
``` ```
> File `client.mobileconfig` can be imported into MacOSX as `VPN (IKEv2)`. > File `client.mobileconfig` can be imported into MacOSX as `VPN (IKEv2)`.


@@ -4,7 +4,6 @@ strongswan:
- 500:500/udp - 500:500/udp
- 4500:4500/udp - 4500:4500/udp
volumes: volumes:
- ./log:/var/log
- /lib/modules:/lib/modules - /lib/modules:/lib/modules
- /etc/localtime:/etc/localtime - /etc/localtime:/etc/localtime
environment: environment:


@@ -10,13 +10,16 @@
if [ -e /etc/ipsec.d/ipsec.conf ] if [ -e /etc/ipsec.d/ipsec.conf ]
then then
echo "Already Initialized!" echo "Initialized!"
exit 0 exit 0
else
echo "Initializing ..."
fi fi
cat > /etc/ipsec.d/ipsec.conf <<_EOF_ cat > /etc/ipsec.d/ipsec.conf <<_EOF_
config setup config setup
uniqueids=never uniqueids=never
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default conn %default
keyexchange=ike keyexchange=ike
@@ -41,7 +44,7 @@ conn IPSec-IKEv2
leftsendcert=always leftsendcert=always
leftauth=pubkey leftauth=pubkey
rightauth=pubkey rightauth=pubkey
rightid="client.${VPN_DOMAIN}" rightid="client@${VPN_DOMAIN}"
rightcert=client.cert.pem rightcert=client.cert.pem
auto=add auto=add
_EOF_ _EOF_
@@ -52,30 +55,12 @@ cat > /etc/ipsec.d/ipsec.secrets <<_EOF_
_EOF_ _EOF_
cat > /etc/strongswan.d/charon.conf <<_EOF_
charon {
duplicheck.enable = no
dns1 = ${VPN_DNS}
filelog {
/var/log/charon.log {
time_format = %b %e %T
ike_name = yes
append = yes
default = 1
flush_line = yes
}
}
user = root
}
_EOF_
# gen ca key and cert # gen ca key and cert
ipsec pki --gen --outform pem > /etc/ipsec.d/private/ca.pem ipsec pki --gen --outform pem > /etc/ipsec.d/private/ca.pem
ipsec pki --self \ ipsec pki --self \
--in /etc/ipsec.d/private/ca.pem \ --in /etc/ipsec.d/private/ca.pem \
--dn "C=CN, O=ING, CN=StrongSwan CA" \ --dn "C=CN, O=strongSwan, CN=strongSwan Root CA" \
--ca \ --ca \
--lifetime 3650 \ --lifetime 3650 \
--outform pem > /etc/ipsec.d/cacerts/ca.cert.pem --outform pem > /etc/ipsec.d/cacerts/ca.cert.pem
@@ -85,7 +70,7 @@ ipsec pki --gen --outform pem > /etc/ipsec.d/private/server.pem
ipsec pki --pub --in /etc/ipsec.d/private/server.pem | ipsec pki --pub --in /etc/ipsec.d/private/server.pem |
ipsec pki --issue --lifetime 1200 --cacert /etc/ipsec.d/cacerts/ca.cert.pem \ ipsec pki --issue --lifetime 1200 --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
--cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=${VPN_DOMAIN}" \ --cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=strongSwan, CN=${VPN_DOMAIN}" \
--san="${VPN_DOMAIN}" --flag serverAuth --flag ikeIntermediate \ --san="${VPN_DOMAIN}" --flag serverAuth --flag ikeIntermediate \
--outform pem > /etc/ipsec.d/certs/server.cert.pem --outform pem > /etc/ipsec.d/certs/server.cert.pem
@@ -95,16 +80,16 @@ ipsec pki --gen --outform pem > /etc/ipsec.d/private/client.pem
ipsec pki --pub --in /etc/ipsec.d/private/client.pem | ipsec pki --pub --in /etc/ipsec.d/private/client.pem |
ipsec pki --issue \ ipsec pki --issue \
--cacert /etc/ipsec.d/cacerts/ca.cert.pem \ --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
--cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=client.${VPN_DOMAIN}" \ --cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=strongSwan, CN=client@${VPN_DOMAIN}" \
--san="client.${VPN_DOMAIN}" \ --san="client@${VPN_DOMAIN}" \
--outform pem > /etc/ipsec.d/certs/client.cert.pem --outform pem > /etc/ipsec.d/certs/client.cert.pem
openssl pkcs12 -export \ openssl pkcs12 -export \
-inkey /etc/ipsec.d/private/client.pem \ -inkey /etc/ipsec.d/private/client.pem \
-in /etc/ipsec.d/certs/client.cert.pem \ -in /etc/ipsec.d/certs/client.cert.pem \
-name "client.${VPN_DOMAIN}" \ -name "client@${VPN_DOMAIN}" \
-certfile /etc/ipsec.d/cacerts/ca.cert.pem \ -certfile /etc/ipsec.d/cacerts/ca.cert.pem \
-caname "StrongSwan CA" \ -caname "strongSwan Root CA" \
-out /etc/ipsec.d/client.cert.p12 \ -out /etc/ipsec.d/client.cert.p12 \
-passout pass:${VPN_P12_PASSWORD} -passout pass:${VPN_P12_PASSWORD}
@@ -156,7 +141,7 @@ $(base64 /etc/ipsec.d/cacerts/ca.cert.pem)
<key>PayloadDescription</key> <key>PayloadDescription</key>
<string>添加 CA 根证书</string> <string>添加 CA 根证书</string>
<key>PayloadDisplayName</key> <key>PayloadDisplayName</key>
<string>StrongSwan CA</string> <string>strongSwan Root CA</string>
<key>PayloadIdentifier</key> <key>PayloadIdentifier</key>
<string>com.apple.security.root.${UUID2}</string> <string>com.apple.security.root.${UUID2}</string>
<key>PayloadType</key> <key>PayloadType</key>
@@ -204,7 +189,7 @@ $(base64 /etc/ipsec.d/cacerts/ca.cert.pem)
<integer>1440</integer> <integer>1440</integer>
</dict> </dict>
<key>LocalIdentifier</key> <key>LocalIdentifier</key>
<string>client.${VPN_DOMAIN}</string> <string>client@${VPN_DOMAIN}</string>
<key>PayloadCertificateUUID</key> <key>PayloadCertificateUUID</key>
<string>${UUID1}</string> <string>${UUID1}</string>
<key>RemoteAddress</key> <key>RemoteAddress</key>
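Review bot: Deleting the generated `/etc/strongswan.d/charon.conf` in the `-52,30 +55,12` hunk also deletes `dns1 = ${VPN_DNS}`, so the DNS server pushed to clients is no longer configured anywhere visible in this script, even though the compose files keep an `environment:` block that presumably still carries `VPN_DNS`; unless it is set elsewhere, the equivalent belongs in the `ipsec.conf` heredoc, e.g. `rightdns=${VPN_DNS}` under `conn %default`. The same removal drops `duplicheck.enable = no`, which silently restores the plugin default; with `uniqueids=never` that is probably harmless, but a one-line comment saying it is intentional would stop the next reader from re-adding it. The new `charondebug="cfg 2, dmn 2, ike 2, net 2"` line sends verbose IKE traces to the container's stdout, which `docker-compose logs` now exposes; level 2 does not print keying material, so pin that with a comment such as `# keep debug levels <= 2: levels 3/4 dump raw packets and secrets into the container log`. The script continues past this hunk, so any later consumer of `VPN_DNS` is outside my view.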