## Transcript convention: lines starting with "# " are commands typed at a
## root shell; "##" lines are notes.
## Install strongSwan from packages and create a private working directory
## that will hold the CA material.
# pkg ins -y strongswan
# cd /usr/local/etc/
# mkdir vpn-certs
# cd vpn-certs/



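## Create a private CA and a server certificate signed by it (run as root from
## /usr/local/etc/vpn-certs). The CA key/cert stay in this directory; only the
## server key and certificate are copied into strongSwan's ipsec.d tree below.
## Clients will need server-root-ca.pem installed as a trusted CA to validate
## the server certificate, since the server is the only side sending a cert.
# ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem
# chmod 600 server-root-key.pem
# ipsec pki --self --ca --lifetime 3650 --in server-root-key.pem --type rsa --dn "C=RU, O=SIMPLEBSD, CN=VPN Server Root CA" --outform pem > server-root-ca.pem
# ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem
## The server key is written with the default umask, exactly like the CA key
## above, so it needs the same permission fix before it is copied anywhere
## (this step was missing; without it the copy left in vpn-certs stays
## world-readable even though the copy under ipsec.d is locked down).
# chmod 600 vpn-server-key.pem
## The CN and --san must match leftid in ipsec.conf (simplebsd.ru). The EKU
## flags are what client implementations look for on the server certificate:
## serverAuth for Windows, ikeIntermediate for older macOS/iOS clients.
# ipsec pki --pub --in vpn-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert server-root-ca.pem --cakey server-root-key.pem --dn "C=RU, O=SIMPLEBSD, CN=simplebsd.ru" --san simplebsd.ru --flag serverAuth --flag ikeIntermediate --outform pem > vpn-server-cert.pem
## Install the server credentials where ipsec.conf / ipsec.secrets expect
## them (referenced there by bare file name).
# cp vpn-server-cert.pem /usr/local/etc/ipsec.d/certs/
# cp vpn-server-key.pem /usr/local/etc/ipsec.d/private/
# chmod 600 /usr/local/etc/ipsec.d/private/vpn-server-key.pem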


# vi ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # never: a new IKE_SA with an identity that already has one does not
    # replace the existing session, so one EAP user may be connected from
    # several devices at once.
    uniqueids=never

conn %default
    keyexchange=ikev2
    # Two proposals. The first one ("sha" = SHA-1, modp1024 = 1024-bit DH)
    # is weak by current standards and is presumably kept only for client
    # compatibility (the built-in Windows IKEv2 client offers modp1024 unless
    # reconfigured) -- TODO confirm which clients still need it. Clients that
    # support it will negotiate the second, stronger proposal.
    ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096
    esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
    # Dead-peer detection: probe every 35s, tear the SA down after 300s of
    # silence instead of trying to re-establish it.
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=300s
    # The server does not initiate rekeying itself; it relies on the client.
    rekey=no
    # IKE fragmentation, needed because the 4096-bit certificate chain does
    # not fit in a single IKE message on many paths.
    fragmentation=yes

conn win_ios
    left=%any
    # Full-tunnel: clients send all traffic through the VPN.
    leftsubnet=0.0.0.0/0
    # Server authenticates with the certificate issued above; leftid must
    # match the CN / SAN in that certificate.
    leftauth=pubkey
    leftcert=vpn-server-cert.pem
    leftid=simplebsd.ru
    #leftfirewall=yes
    leftsendcert=always
    right=%any
    # Virtual IP pool handed to clients; the NAT rule in pf.conf has to
    # cover this range.
    rightsourceip=10.0.1.20-10.0.1.30
    # Clients authenticate with username/password (EAP-MSCHAPv2) from
    # ipsec.secrets, so they never present a certificate.
    rightauth=eap-mschapv2
    rightsendcert=never
    rightdns=8.8.8.8,8.8.4.4
    # Use the EAP identity (the username) as the client's IKE identity.
    eap_identity=%identity
    # Loaded and waiting for clients; the server never initiates.
    auto=add



# vi ipsec.secrets


# Server private key, looked up by file name under ipsec.d/private/.
: RSA vpn-server-key.pem
# One EAP-MSCHAPv2 user: "<username> : EAP "<password>"". The password is
# stored in clear text, so this file must be readable by root only (mode 600)
# and the sample value here is a placeholder to be replaced with a strong,
# unique password.
usreap : EAP "qweASD123"


# vi /usr/local/etc/strongswan.d/charon-logging.conf


# charon-logging.conf - send the IKE daemon's log to its own file.
charon {
    filelog {
        charon {
            path = /var/log/charon.log
            # Default log level for every subsystem. Per strongSwan's logger
            # documentation, 2 is detailed control flow; 3 adds raw packet
            # dumps and 4 also dumps sensitive material such as keys, so do
            # not raise this on a production server. The file is written by
            # the daemon (as root); keep it from being world-readable.
            default = 2
        }
    }
}


## Enable strongSwan at boot and start it now (loads ipsec.conf and
## ipsec.secrets from /usr/local/etc/). Errors end up in /var/log/charon.log
## with the logging configuration above.
# echo 'strongswan_enable="YES"' >> /etc/rc.conf
# service strongswan start



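# /etc/rc.conf additions: enable pf at boot and point it at the ruleset.
pf_enable="YES"
pf_rules="/etc/pf.conf"
# Traffic from the VPN clients (10.0.1.20-10.0.1.30) leaves through vtnet0,
# which requires IP forwarding in the kernel; without it packets that arrive
# through the tunnel for other hosts are dropped before the NAT rule in
# pf.conf ever sees them. This line was missing from the original page.
gateway_enable="YES"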

# vi /etc/pf.conf


#!/bin/sh
# NOTE(review): the shebang above is a paste artifact; pf.conf is not a shell
# script and pf simply treats the line as a comment.
# Masquerade everything leaving vtnet0 behind the interface's address.
# "from any" also rewrites traffic that did not come through the tunnel;
# narrowing it to the client pool from ipsec.conf (10.0.1.20-10.0.1.30,
# i.e. "from 10.0.1.0/24") limits NAT to VPN clients only.
nat on vtnet0 from any to any -> vtnet0
# No filtering at all: every packet is allowed in both directions. On an
# internet-facing host this should be tightened -- at minimum allow inbound
# only ssh, IKE (udp 500 and 4500) and ESP, and pass traffic from the VPN
# pool outward.
pass all


## Load /etc/pf.conf and enable the packet filter immediately, without a
## reboot. (If the shell session is over the network, make sure the ruleset
## still passes ssh before running this.)
# service pf start


or

## Alternatively reboot, so that the strongswan and pf rc.conf entries added
## above both take effect at boot.
# reboot