Debian13 StrongSwan IKEv2 VPN for Windows 11 (EAP-MSCHAPv2)

From Xinux Wiki

Debian13 StrongSwan IKEv2 VPN for Windows 11 (kit01–kit13)

Install packages

  • apt update
  • apt install strongswan strongswan-swanctl libstrongswan-extra-plugins

Enable IP forwarding

  • echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ipforward.conf
  • sysctl -p /etc/sysctl.d/ipforward.conf

Enable NAT (so that Windows clients can reach the LAN without a return route)

  • nft add table ip nat
  • nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
  • nft add rule ip nat postrouting ip saddr 172.24.24.100-172.24.24.200 masquerade

StrongSwan configuration

File
/etc/swanctl/conf.d/swanctl.conf
  • vi /etc/swanctl/conf.d/swanctl.conf
connections {
    vpn-kit {
        version = 2
        local_addrs = 194.59.156.167
        pools = kit-pool
        
        local {
            auth = psk
            id = 194.59.156.167
        }
        
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        
        children {
            tunnel {
                local_ts = 0.0.0.0/0
                remote_ts = 172.24.24.0/24
                start_action = trap
            }
        }
    }
}

pools {
    kit-pool {
        addrs = 172.24.24.100-172.24.24.200
    }
}

secrets {
    ike-server {
        id = 194.59.156.167
        secret = "ServerKey123!"
    }
    
    eap-kit01 {
        id = "kit01"
        secret = "12Drei4--"
    }
    
    eap-kit02 {
        id = "kit02"
        secret = "12Drei4--"
    }
    
    eap-kit03 {
        id = "kit03"
        secret = "12Drei4--"
    }
    
    eap-kit04 {
        id = "kit04"
        secret = "12Drei4--"
    }
    
    eap-kit05 {
        id = "kit05"
        secret = "12Drei4--"
    }
    
    eap-kit06 {
        id = "kit06"
        secret = "12Drei4--"
    }
    
    eap-kit07 {
        id = "kit07"
        secret = "12Drei4--"
    }
    
    eap-kit08 {
        id = "kit08"
        secret = "12Drei4--"
    }
    
    eap-kit09 {
        id = "kit09"
        secret = "12Drei4--"
    }
    
    eap-kit10 {
        id = "kit10"
        secret = "12Drei4--"
    }
    
    eap-kit11 {
        id = "kit11"
        secret = "12Drei4--"
    }
    
    eap-kit12 {
        id = "kit12"
        secret = "12Drei4--"
    }
    
    eap-kit13 {
        id = "kit13"
        secret = "12Drei4--"
    }
}
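
The secrets section above assigns the same password to kit01 through kit13. As an added example (not part of the original wiki page), the following shell functions generate a secrets fragment with a separate random EAP secret per user and write it readable by root only. The function names and the output file name eap-users.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# Generates one random EAP-MSCHAPv2 secret per user in swanctl "secrets" syntax.

# rand_secret: print 32 hex characters (128 bits) read from /dev/urandom.
rand_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# gen_eap_secrets PREFIX FIRST LAST
# Print eap-<user> sections for PREFIX<FIRST>..PREFIX<LAST> with two-digit
# numbering, matching the page's naming (kit01 ... kit13).
gen_eap_secrets() {
    prefix=$1
    i=$2
    last=$3
    while [ "$i" -le "$last" ]; do
        user=$(printf '%s%02d' "$prefix" "$i")
        printf '    eap-%s {\n        id = "%s"\n        secret = "%s"\n    }\n' \
            "$user" "$user" "$(rand_secret)"
        i=$((i + 1))
    done
}

# write_secrets_file PATH PREFIX FIRST LAST
# Write the complete secrets { ... } fragment to PATH with mode 0600,
# because swanctl keeps EAP secrets in plaintext.
write_secrets_file() {
    out=$1
    shift
    (
        umask 077
        { printf 'secrets {\n'; gen_eap_secrets "$@"; printf '}\n'; } > "$out"
    )
    chmod 600 "$out"   # also tighten a file that already existed
}

# Usage (file name is an assumption, run as root):
#   write_secrets_file /etc/swanctl/conf.d/eap-users.conf kit 1 13
#   swanctl --load-creds
```

When using the generated file, remove the static eap-kit01 to eap-kit13 entries from swanctl.conf so that each user is defined only once.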

Start StrongSwan

  • swanctl --load-all
  • systemctl restart strongswan-starter
  • swanctl -l

Windows 11 VPN

Settings → Network & internet → VPN → Add connection
  • VPN provider: Windows (built-in)
  • Connection name: VPN-KIT
  • Server name: 194.59.156.167
  • VPN type: IKEv2
  • Sign in with user name and password

Credentials

User
kit01 – kit13
Password
12Drei4--

Functional test

  • ping 172.24.24.1
  • swanctl -l
  • swanctl -s