I set up an IPsec VPN on an AWS EC2 instance following these steps: https://github.com/hwdsl2/setup-ipsec-vpn. The VPN works well and I am able to connect to it from my phone and laptops (Android, Windows, OSX). Now I want to connect to it from another EC2 instance. I tried this: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#linux but it does not work because it requires a GUI, and EC2 has no GUI. I have transferred the .p12 file to the newly created EC2 instance, but I cannot configure it.
While searching for a solution, I got the following from ChatGPT:
#!/bin/bash
# Set variables
VPN_SERVER="vpn.trebuchet.one"
P12_FILE="$HOME/vpn.p12"
P12_PASSWORD="<P12_PASSWORD>"
# Install StrongSwan
sudo apt-get update
sudo apt-get install -y strongswan
# Create VPN configuration directory
sudo mkdir -p /etc/ipsec.d/myvpn
# Copy .p12 file to VPN configuration directory
sudo cp "$P12_FILE" /etc/ipsec.d/myvpn/myvpn.p12
# Create VPN configuration file
sudo bash -c "cat > /etc/ipsec.d/myvpn/myvpn.conf << EOL
conn myvpn
keyexchange=ikev2
dpdaction=clear
dpddelay=300s
eap_identity=%identity
leftauth=eap-tls
leftcert=myvpn.p12
leftsourceip=%config
right=$VPN_SERVER
rightauth=pubkey
rightsubnet=0.0.0.0/0
rightid=%any
type=tunnel
auto=add
EOL"
# Update /etc/ipsec.secrets file with .p12 password
sudo bash -c "echo ': P12 myvpn.p12 \"$P12_PASSWORD\"' >> /etc/ipsec.secrets"
# Restart StrongSwan service
sudo systemctl restart strongswan
# Initiate VPN connection
sudo ipsec up myvpn
echo "VPN connection established"
Running this I get:
no config named 'myvpn'
So can someone help me configure the VPN client? It would be great if there were an install script or something similar I could use, since I plan to automate this process in the future.
For reference:
I am trying to do this in order to connect a local machine to the VPN and use the EC2 instance as a proxy server. The local server is set up at my university and I need it to be reachable from the internet; I cannot ask the university to assign it a static IP. I have not yet figured out how to do the proxying. So if there is a better way than doing all this VPN stuff, that would be fine too.
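The "no config named 'myvpn'" error in the question comes from where the ChatGPT script put the connection: strongSwan's stroke backend (the classic `ipsec` command) only reads /etc/ipsec.conf plus whatever that file explicitly includes, so a conn written to /etc/ipsec.d/myvpn/myvpn.conf is never loaded, and `leftcert=` expects a certificate in /etc/ipsec.d/certs rather than a .p12 bundle. The script below is an added example for a headless client, not code from the question, the answer, or the hwdsl2 project. It assumes a Debian/Ubuntu client with the `strongswan` package, a .p12 exported by the hwdsl2 server (CA certificate included in the bundle, RSA client key), that the server certificate's identity is the hostname or IP passed as the second argument, and certificate (pubkey) authentication on both sides, which is what hwdsl2's IKEv2 mode uses; the connection name, file names, the optional P12_PASSWORD and REMOTE_SUBNET variables and the use of strongSwan's default proposals are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the question or the hwdsl2 project): headless IKEv2
# client for strongSwan's stroke backend.
# Usage:  sudo P12_PASSWORD=... ./ikev2-client.sh /path/to/client.p12 vpn.example.com
set -eu

CONN_NAME="${CONN_NAME:-myvpn}"          # conn stanza name (example's choice)
# Traffic selector for the tunnel. 0.0.0.0/0 is a full tunnel; for the
# "reach the other VPN clients" use case, something like 192.168.43.0/24
# (the hwdsl2 IKEv2 client pool, assumed here) keeps the instance's other
# traffic, including your SSH session, off the tunnel.
REMOTE_SUBNET="${REMOTE_SUBNET:-0.0.0.0/0}"

# The stroke backend loads /etc/ipsec.conf and only what it includes; a file
# under /etc/ipsec.d/<dir>/ is ignored. Return 0 when the include is missing.
needs_include() {
    ! grep -qF 'include /etc/ipsec.d/*.conf' "$1"
}

# Emit the conn stanza: certificate auth on both sides, reconnect on DPD.
render_conn() {
    local name="$1" server="$2" subnet="$3"
    cat <<EOF
conn $name
    keyexchange=ikev2
    left=%defaultroute
    leftsourceip=%config
    leftauth=pubkey
    leftcert=$name-client.pem
    leftid=%fromcert
    right=$server
    rightid=$server
    rightauth=pubkey
    rightsubnet=$subnet
    dpddelay=30s
    dpdaction=restart
    closeaction=restart
    auto=start
EOF
}

install_client() {
    local p12="$1" server="$2" name="$CONN_NAME"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    apt-get update -q
    apt-get install -y -q strongswan openssl

    local passin=""
    if [ -n "${P12_PASSWORD:-}" ]; then passin="env:P12_PASSWORD"; fi
    # Split the bundle into the directories the stroke backend searches.
    # On OpenSSL 3 clients add -legacy if openssl rejects the bundle's cipher.
    openssl pkcs12 -in "$p12" ${passin:+-passin "$passin"} -cacerts -nokeys \
        -out "/etc/ipsec.d/cacerts/$name-ca.pem"
    openssl pkcs12 -in "$p12" ${passin:+-passin "$passin"} -clcerts -nokeys \
        -out "/etc/ipsec.d/certs/$name-client.pem"
    # -nodes writes the key unencrypted, so restrict it to root.
    openssl pkcs12 -in "$p12" ${passin:+-passin "$passin"} -nocerts -nodes \
        -out "/etc/ipsec.d/private/$name-client.key"
    chmod 600 "/etc/ipsec.d/private/$name-client.key"

    render_conn "$name" "$server" "$REMOTE_SUBNET" > "/etc/ipsec.d/$name.conf"
    if needs_include /etc/ipsec.conf; then
        printf '\ninclude /etc/ipsec.d/*.conf\n' >> /etc/ipsec.conf
    fi
    # Tell charon which private key belongs to the client certificate
    # (use ": ECDSA" instead if your bundle carries an EC key).
    grep -qF "$name-client.key" /etc/ipsec.secrets 2>/dev/null ||
        printf ': RSA %s-client.key\n' "$name" >> /etc/ipsec.secrets

    ipsec restart            # reread config; auto=start brings the conn up
    sleep 3
    ipsec status "$name"
}

# Act only when given the two arguments; with none, just define the functions.
if [ "$#" -eq 2 ]; then
    install_client "$1" "$2"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 <client.p12> <server hostname or IP>" >&2
    exit 1
fi
```

After it runs, `ipsec statusall` should show the conn as ESTABLISHED with a virtual IP from the server's pool; if the instance must stay reachable over SSH, set REMOTE_SUBNET to the VPN pool rather than 0.0.0.0/0 before running it.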
Answer 1
I finally found a solution based on this, here.
Here is how I did it:
Install NetworkManager and the strongSwan plugin
sudo apt install network-manager network-manager-strongswan
Edit the globally-managed-devices file and change unmanaged devices to none
echo "[keyfile]
unmanaged-devices=none" | sudo tee /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf
Restart the NetworkManager service
sudo systemctl restart NetworkManager
Import the .p12 certificate
CERT_PATH=path/to/your/.p12
# split the bundle into CA certificate, client certificate and private key
openssl pkcs12 -in "$CERT_PATH" -cacerts -nokeys -out "$HOME/ca.cer"
openssl pkcs12 -in "$CERT_PATH" -clcerts -nokeys -out "$HOME/client.cer"
# -nodes writes the private key unencrypted, hence the chmod 600 below
openssl pkcs12 -in "$CERT_PATH" -nocerts -nodes -out "$HOME/client.key"
rm "$CERT_PATH"
sudo chown root:root "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"
sudo chmod 600 "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"
Create the VPN connection (note: the name VPN here can be anything you want)
SERVER="your server IP/domain"
sudo nmcli c add type vpn ifname -- vpn-type strongswan connection.id VPN connection.autoconnect no vpn.data "address = $SERVER, certificate = $HOME/ca.cer, encap = no, esp = aes128gcm16, ipcomp = no, method = key, proposal = yes, usercert = $HOME/client.cer, userkey = $HOME/client.key, virtual = yes"
Connect to it
nmcli c up 'Wired connection 1'
nmcli c up VPN
nmcli c
Check whether it is connected
ifconfig
You should see a new entry for your VPN, usually called tunnel
It is recommended to run all the steps here as root (sudo su) so that $HOME is /root.
Here is the full script I created from these steps; you can run it as follows: ./vpn.sh path/to/.p12 vpn.yourdomain.com
vpn.sh
#!/bin/bash
# Usage: ./vpn.sh <path to .p12> <server address>
# Check if the correct number of arguments were provided
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <certificate path> <server address>"
    exit 1
fi
CERT_PATH="$1"
SERVER_ADDRESS="$2"
# Step 1: Install NetworkManager and the strongSwan plugin
sudo apt-get update
sudo apt-get install -y network-manager network-manager-strongswan
# Step 2: Edit the globally managed devices file and change unmanaged devices to none
# (on Ubuntu cloud images this file otherwise tells NetworkManager to leave the Ethernet device alone)
echo "[keyfile]
unmanaged-devices=none" | sudo tee /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf
# Step 3: Restart the NetworkManager service
sudo systemctl restart NetworkManager
# Step 4: Check that the devices are now managed
nmcli d
# Step 5: Split the .p12 bundle into CA certificate, client certificate and private key
# (-nodes writes the private key unencrypted, hence the chmod 600 below)
openssl pkcs12 -in "$CERT_PATH" -cacerts -nokeys -out "$HOME/ca.cer"
openssl pkcs12 -in "$CERT_PATH" -clcerts -nokeys -out "$HOME/client.cer"
openssl pkcs12 -in "$CERT_PATH" -nocerts -nodes -out "$HOME/client.key"
rm "$CERT_PATH"
sudo chown "$USER:$USER" "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"
sudo chmod 600 "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"
# Step 6: Create a VPN connection in NetworkManager (certificate authentication) and enable it
sudo nmcli c add type vpn ifname -- vpn-type strongswan connection.id VPN connection.autoconnect no vpn.data "address = $SERVER_ADDRESS, certificate = $HOME/ca.cer, encap = no, esp = aes128gcm16, ipcomp = no, method = key, proposal = yes, usercert = $HOME/client.cer, userkey = $HOME/client.key, virtual = yes"
nmcli c up 'Wired connection 1'
nmcli c up VPN
nmcli c
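The answer creates the connection with `connection.autoconnect no` and brings it up by hand, while the question asks for something that can be automated. The watchdog below is an added example, not part of the answer above: it checks the NetworkManager connection state, optionally pings a host that is only reachable through the tunnel to catch a peer that died without a DPD notice, and reconnects when either check fails, with a systemd timer to run it every minute. It assumes a reasonably recent NetworkManager whose `nmcli -g GENERAL.STATE connection show <name>` prints "activated" for an active connection and nothing otherwise; the connection name VPN follows the answer, and the VPN_CHECK_HOST variable, unit names and the one-minute interval are this example's choices.

```shell
#!/usr/bin/env bash
# Added example (not from the answer): reconnect the NetworkManager/strongSwan
# VPN the answer creates if it is down.
# Usage:  sudo ./vpn-watchdog.sh check            # one check, reconnect if needed
#         sudo ./vpn-watchdog.sh install-timer    # run the check every minute
set -eu

VPN_CONN="${VPN_CONN:-VPN}"                # NM connection id, as in the answer
VPN_CHECK_HOST="${VPN_CHECK_HOST:-}"       # optional, e.g. the server's VPN-side address

# Pure decision helpers, kept separate from nmcli so they can be tested.
# nmcli -g GENERAL.STATE prints "activated" for an active connection.
state_is_up() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "activated" ]
}

# Reconnect when NM reports the connection down, or when it looks up but
# the far side no longer answers (ping_ok is "yes" or "no").
needs_reconnect() {
    local state="$1" ping_ok="$2"
    if ! state_is_up "$state"; then return 0; fi
    [ "$ping_ok" = "no" ]
}

current_state() {
    nmcli -g GENERAL.STATE connection show "$VPN_CONN" 2>/dev/null || true
}

check_once() {
    local state ping_ok="yes"
    state="$(current_state)"
    if [ -n "$VPN_CHECK_HOST" ] && ! ping -c 1 -W 2 "$VPN_CHECK_HOST" >/dev/null 2>&1; then
        ping_ok="no"
    fi
    if needs_reconnect "$state" "$ping_ok"; then
        logger -t vpn-watchdog "$VPN_CONN down (state='$state' ping=$ping_ok), reconnecting"
        nmcli connection down "$VPN_CONN" >/dev/null 2>&1 || true
        nmcli connection up "$VPN_CONN"
    fi
}

# Install a oneshot service plus timer so the check runs without a login session.
install_timer() {
    local me; me="$(readlink -f "$0")"
    cat > /etc/systemd/system/vpn-watchdog.service <<EOF
[Unit]
Description=Reconnect the $VPN_CONN NetworkManager VPN if it is down
After=NetworkManager.service

[Service]
Type=oneshot
Environment=VPN_CONN=$VPN_CONN
Environment=VPN_CHECK_HOST=$VPN_CHECK_HOST
ExecStart=$me check
EOF
    cat > /etc/systemd/system/vpn-watchdog.timer <<EOF
[Unit]
Description=Run vpn-watchdog every minute

[Timer]
OnBootSec=2min
OnUnitActiveSec=1min

[Install]
WantedBy=timers.target
EOF
    systemctl daemon-reload
    systemctl enable --now vpn-watchdog.timer
}

case "${1:-}" in
    check)         check_once ;;
    install-timer) install_timer ;;
    "")            ;;   # no argument: only define the functions
    *) echo "usage: $0 check|install-timer" >&2; exit 1 ;;
esac
```

Pick VPN_CHECK_HOST as an address that exists only behind the tunnel; pinging a public host would stay green even after the VPN has silently dropped.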