Debian系统部署iKEv2

服务端部署

用nono编辑ipsec配置文件

nano /etc/ipsec.conf

替换成下面的内容

config setup
    charondebug="ike 2, knl 2, cfg 2"

conn ikev2-vpn
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=anan.cc
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightid=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4

用nano编辑ipsec密钥文件

nano /etc/ipsec.secrets

添加下面代码

anan.cc : PSK "anan.cc"

测试启动代码

ipsec stop
ipsec start --nofork --debug-more

客户端部署

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=no

conn ikev2-connection
    keyexchange=ikev2
    authby=secret
    leftsourceip=%config
    leftauth=psk
    leftid=1.1.1.1
    right=128.14.188.106
    rightid=anan.cc
    rightauth=psk
    rightsubnet=0.0.0.0/0
    auto=start

1.1.1.1 : PSK "anan.cc"

做NAT让内网主机能上网

iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -j SNAT --to-source 10.10.10.3