I followed the link below for setting up an IKEv2 VPN using strongSwan and Let's Encrypt on CentOS 7.
How to Setup IKEv2 VPN Using Strongswan and Let's encrypt on CentOS 7
But the info on that link has been deprecated.
My Let's Encrypt commands are like this:
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --register-account -m [email protected]
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
or
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone --force
sudo yum -y install psmisc
sudo fuser 80/tcp
sudo yum -y install lsof
sudo lsof -i tcp:80
service httpd stop
~/.acme.sh/acme.sh --issue -d my_domain.com --standalone
Your cert is in: /root/.acme.sh/my_domain.com/my_domain.com.cer
Your cert key is in: /root/.acme.sh/my_domain.com/my_domain.com.key
The intermediate CA cert is in: /root/.acme.sh/my_domain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/my_domain.com/fullchain.cer
~/.acme.sh/acme.sh --installcert -d my_domain.com --key-file /root/private.key --fullchain-file /root/cert.crt
service httpd start
service httpd status
I have 4 files here on my CentOS 7 VPS after these commands.
my_domain.com.cer
my_domain.com.key
ca.cer
fullchain.cer
First of all, I really don't know which file I should put in the certs folder, which file I should put in the cacerts folder, and which file I should put in the private folder.
I just did this:
sudo cp /root/.acme.sh/my_domain.com/fullchain.cer /etc/strongswan/ipsec.d/certs/
sudo cp /root/.acme.sh/my_domain.com/ca.cer /etc/strongswan/ipsec.d/cacerts/
sudo cp /root/.acme.sh/my_domain.com/my_domain.com.key /etc/strongswan/ipsec.d/private/
sudo cp /root/cert.crt /etc/strongswan/ipsec.d/cacerts/
sudo tree /etc/strongswan/ipsec.d/
Did I put those files in the correct folders?
Now let's see the strongSwan config:
nano -K /etc/strongswan/ipsec.conf
#global configuration IPsec
#chron logger
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
#define new ipsec connection
conn hakase-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@my_domain.com
leftcert=fullchain.cer
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.15.1.0/24
rightdns=1.1.1.1,8.8.8.8
rightsendcert=never
eap_identity=%identity
And here is the secrets file:
nano -K /etc/strongswan/ipsec.secrets
: RSA "my_doman.com.key"
temp : EAP "123"
And here is the strongSwan status after running:
[root@art_300 ~]# systemctl status strongswan -l
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2024-01-14 21:17:03 +0330; 11s ago
Main PID: 2056 (starter)
CGroup: /system.slice/strongswan.service
├─2056 /usr/libexec/strongswan/starter --daemon charon --nofork
└─2098 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0
Jan 14 21:17:03 art_300.buzz systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz strongswan[2056]: Starting strongSwan 5.7.2 IPsec [starter]...
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.105.1.el7.x86_64, x86_64)
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] openssl FIPS mode(2) - enabled
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jan 14 21:17:03 art_300.buzz charon[2098]: 00[JOB] spawning 16 worker threads
Jan 14 21:17:03 art_300.buzz ipsec_starter[2056]: charon (2098) started after 60 ms
Jan 14 21:17:03 art_300.buzz strongswan[2056]: charon (2098) started after 60 ms
As you know, that link has been deprecated and is old.
Now tell me what I did wrong and how I can fix:
building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
ECDSA keyword. Or you instruct acme.sh to use RSA (I think via --keylength <RSA key length e.g. 4096>).