add strongswan

README.md

@@ -117,6 +117,7 @@ A collection of delicious docker recipes.
 - [x] shadowvpn
 - [x] snort :beetle:
 - [x] squid
+- [x] strongswan :+1:
 - [x] swarm-arm
 - [x] taskd
 - [x] telegraf

strongswan/Dockerfile

@@ -0,0 +1,25 @@
+#
+# Dockerfile for ipsec
+#
+
+FROM alpine
+MAINTAINER kev <noreply@easypi.info>
+
+RUN set -xe \
+    && apk add --no-cache iptables openssl strongswan util-linux \
+    && ln -sf /etc/ipsec.d/ipsec.conf /etc/ipsec.conf \
+    && ln -sf /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
+
+COPY init.sh /
+
+VOLUME /etc/ipsec.d /etc/strongswan.d
+
+ENV VPN_SUBNET=10.20.30.0/24
+
+EXPOSE 500/udp 4500/udp
+
+CMD set -xe \
+    && /init.sh \
+    && sysctl -w net.ipv4.ip_forward=1 \
+    && iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o eth0 -j MASQUERADE \
+    && ipsec start --nofork

strongswan/README.md

@@ -0,0 +1,45 @@
+strongswan
+==========
+
+![](https://badge.imagelayers.io/vimagick/strongswan:latest.svg)
+
+[strongSwan][1] is an Open Source IPsec-based VPN solution for Linux and other
+UNIX based operating systems implementing both the IKEv1 and IKEv2 key exchange
+protocols.
+
+> :warning: This docker image only support IKEv2!
+
+### docker-compose.yml
+
+```yaml
+strongswan:
+  image: vimagick/strongswan
+  ports:
+    - 500:500/udp
+    - 4500:4500/udp
+  volumes:
+    - ./log:/var/log
+    - /lib/modules:/lib/modules
+    - /etc/localtime:/etc/localtime
+  environment:
+    - VPN_DOMAIN=vpn.easypi.info
+    - VPN_DNS=8.8.8.8
+    - VPN_SUBNET=10.20.30.0/24
+    - VPN_P12_PASSWORD=secret
+  cap_add:
+    - NET_ADMIN
+  privileged: yes
+  restart: always
+```
+
+### up and running
+
+```bash
+docker-compose up -d
+docker cp strongswan_strongswan_1:/etc/ipsec.d/client.mobileconfig .
+tail -f log/charon.log
+```
+
+> File `client.mobileconfig` can be imported into MacOSX as `VPN (IKEv2)`.
+
+[1]: https://strongswan.org/

strongswan/docker-compose.yml

@@ -0,0 +1,18 @@
+strongswan:
+  image: vimagick/strongswan
+  ports:
+    - 500:500/udp
+    - 4500:4500/udp
+  volumes:
+    - ./log:/var/log
+    - /lib/modules:/lib/modules
+    - /etc/localtime:/etc/localtime
+  environment:
+    - VPN_DOMAIN=vpn.easypi.info
+    - VPN_DNS=8.8.8.8
+    - VPN_SUBNET=10.20.30.0/24
+    - VPN_P12_PASSWORD=secret
+  cap_add:
+    - NET_ADMIN
+  privileged: yes
+  restart: always

strongswan/init.sh

@@ -0,0 +1,281 @@
+#!/bin/sh
+#
+# gen config files for strongswan
+#
+# - VPN_SUBNET
+# - VPN_DOMAIN
+# - VPN_DNS
+# - VPN_P12_PASSWORD
+#
+
+if [ -e /etc/ipsec.d/ipsec.conf ]
+then
+    echo "Already Initialized!"
+    exit 0
+fi
+
+cat > /etc/ipsec.d/ipsec.conf <<_EOF_
+config setup
+    uniqueids=never
+
+conn %default
+    keyexchange=ike
+    dpdaction=clear
+    dpddelay=300s
+    rekey=no
+    left=%any
+    leftsubnet=0.0.0.0/0
+    right=%any
+
+conn IKE-BASE
+    leftca=ca.cert.pem
+    leftcert=server.cert.pem
+    rightsourceip=${VPN_SUBNET}
+
+conn IPSec-IKEv2
+    also=IKE-BASE
+    keyexchange=ikev2
+    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
+    esp=aes256-sha256,3des-sha1,aes256-sha1!
+    leftid="${VPN_DOMAIN}"
+    leftsendcert=always
+    leftauth=pubkey
+    rightauth=pubkey
+    rightid="client.${VPN_DOMAIN}"
+    rightcert=client.cert.pem
+    auto=add
+_EOF_
+
+
+cat > /etc/ipsec.d/ipsec.secrets <<_EOF_
+: RSA server.pem
+_EOF_
+
+
+cat > /etc/strongswan.d/charon.conf <<_EOF_
+charon {
+    duplicheck.enable = no
+    dns1 = ${VPN_DNS}
+    filelog {
+        /var/log/charon.log {
+            time_format = %b %e %T
+            ike_name = yes
+            append = yes
+            default = 1
+            flush_line = yes
+        }
+    }
+    user = root
+}
+_EOF_
+
+
+# gen ca key and cert
+ipsec pki --gen --outform pem > /etc/ipsec.d/private/ca.pem
+
+ipsec pki --self \
+          --in /etc/ipsec.d/private/ca.pem \
+          --dn "C=CN, O=ING, CN=StrongSwan CA" \
+          --ca \
+          --lifetime 3650 \
+          --outform pem > /etc/ipsec.d/cacerts/ca.cert.pem
+
+# gen server key and cert
+ipsec pki --gen --outform pem > /etc/ipsec.d/private/server.pem  
+
+ipsec pki --pub --in /etc/ipsec.d/private/server.pem |
+    ipsec pki --issue --lifetime 1200 --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
+              --cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=${VPN_DOMAIN}" \
+              --san="${VPN_DOMAIN}" --flag serverAuth --flag ikeIntermediate \
+              --outform pem > /etc/ipsec.d/certs/server.cert.pem
+
+# gen client key and cert
+ipsec pki --gen --outform pem > /etc/ipsec.d/private/client.pem
+
+ipsec pki --pub --in /etc/ipsec.d/private/client.pem |
+    ipsec pki --issue \
+              --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
+              --cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=client.${VPN_DOMAIN}" \
+              --san="client.${VPN_DOMAIN}" \
+              --outform pem > /etc/ipsec.d/certs/client.cert.pem
+
+openssl pkcs12 -export \
+               -inkey /etc/ipsec.d/private/client.pem \
+               -in /etc/ipsec.d/certs/client.cert.pem \
+               -name "client.${VPN_DOMAIN}" \
+               -certfile /etc/ipsec.d/cacerts/ca.cert.pem \
+               -caname "StrongSwan CA" \
+               -out /etc/ipsec.d/client.cert.p12 \
+               -passout pass:${VPN_P12_PASSWORD}
+
+# gen mobileconfig for mac
+
+UUID1=$(uuidgen)
+UUID2=$(uuidgen)
+UUID3=$(uuidgen)
+UUID4=$(uuidgen)
+UUID5=$(uuidgen)
+UUID6=$(uuidgen)
+
+cat > /etc/ipsec.d/client.mobileconfig <<_EOF_
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>PayloadContent</key>
+ <array>
+  <dict>
+   <key>Password</key>
+   <string>${VPN_P12_PASSWORD}</string>
+   <key>PayloadCertificateFileName</key>
+   <string>client.cert.p12</string>
+   <key>PayloadContent</key>
+   <data>
+$(base64 /etc/ipsec.d/client.cert.p12)
+   </data>
+   <key>PayloadDescription</key>
+   <string>添加 PKCS#12 格式的证书</string>
+   <key>PayloadDisplayName</key>
+   <string>client.cert.p12</string>
+   <key>PayloadIdentifier</key>
+   <string>com.apple.security.pkcs12.${UUID1}</string>
+   <key>PayloadType</key>
+   <string>com.apple.security.pkcs12</string>
+   <key>PayloadUUID</key>
+   <string>${UUID1}</string>
+   <key>PayloadVersion</key>
+   <integer>1</integer>
+  </dict>
+  <dict>
+   <key>PayloadCertificateFileName</key>
+   <string>ca.cer</string>
+   <key>PayloadContent</key>
+   <data>
+$(base64 /etc/ipsec.d/cacerts/ca.cert.pem)
+   </data>
+   <key>PayloadDescription</key>
+   <string>添加 CA 根证书</string>
+   <key>PayloadDisplayName</key>
+   <string>StrongSwan CA</string>
+   <key>PayloadIdentifier</key>
+   <string>com.apple.security.root.${UUID2}</string>
+   <key>PayloadType</key>
+   <string>com.apple.security.root</string>
+   <key>PayloadUUID</key>
+   <string>${UUID2}</string>
+   <key>PayloadVersion</key>
+   <integer>1</integer>
+  </dict>
+  <dict>
+   <key>IKEv2</key>
+   <dict>
+    <key>AuthenticationMethod</key>
+    <string>Certificate</string>
+    <key>ChildSecurityAssociationParameters</key>
+    <dict>
+     <key>DiffieHellmanGroup</key>
+     <integer>2</integer>
+     <key>EncryptionAlgorithm</key>
+     <string>3DES</string>
+     <key>IntegrityAlgorithm</key>
+     <string>SHA1-96</string>
+     <key>LifeTimeInMinutes</key>
+     <integer>1440</integer>
+    </dict>
+    <key>DeadPeerDetectionRate</key>
+    <string>Medium</string>
+    <key>DisableMOBIKE</key>
+    <integer>0</integer>
+    <key>DisableRedirect</key>
+    <integer>0</integer>
+    <key>EnableCertificateRevocationCheck</key>
+    <integer>0</integer>
+    <key>EnablePFS</key>
+    <integer>0</integer>
+    <key>IKESecurityAssociationParameters</key>
+    <dict>
+     <key>DiffieHellmanGroup</key>
+     <integer>2</integer>
+     <key>EncryptionAlgorithm</key>
+     <string>3DES</string>
+     <key>IntegrityAlgorithm</key>
+     <string>SHA1-96</string>
+     <key>LifeTimeInMinutes</key>
+     <integer>1440</integer>
+    </dict>
+    <key>LocalIdentifier</key>
+    <string>client.${VPN_DOMAIN}</string>
+    <key>PayloadCertificateUUID</key>
+    <string>${UUID1}</string>
+    <key>RemoteAddress</key>
+    <string>${VPN_DOMAIN}</string>
+    <key>RemoteIdentifier</key>
+    <string>${VPN_DOMAIN}</string>
+    <key>UseConfigurationAttributeInternalIPSubnet</key>
+    <integer>0</integer>
+   </dict>
+   <key>IPv4</key>
+   <dict>
+    <key>OverridePrimary</key>
+    <integer>1</integer>
+   </dict>
+   <key>PayloadDescription</key>
+   <string>Configures VPN settings</string>
+   <key>PayloadDisplayName</key>
+   <string>VPN</string>
+   <key>PayloadIdentifier</key>
+   <string>com.apple.vpn.managed.${UUID4}</string>
+   <key>PayloadType</key>
+   <string>com.apple.vpn.managed</string>
+   <key>PayloadUUID</key>
+   <string>${UUID4}</string>
+   <key>PayloadVersion</key>
+   <real>1</real>
+   <key>Proxies</key>
+   <dict>
+    <key>HTTPEnable</key>
+    <integer>0</integer>
+    <key>HTTPSEnable</key>
+    <integer>0</integer>
+   </dict>
+   <key>UserDefinedName</key>
+   <string>VPN (IKEv2)</string>
+   <key>VPNType</key>
+   <string>IKEv2</string>
+  </dict>
+  <dict>
+   <key>PayloadCertificateFileName</key>
+   <string>server.cer</string>
+   <key>PayloadContent</key>
+   <data>
+$(base64 /etc/ipsec.d/certs/server.cert.pem)
+   </data>
+   <key>PayloadDescription</key>
+   <string>添加 PKCS#1 格式的证书</string>
+   <key>PayloadDisplayName</key>
+   <string>${VPN_DOMAIN}</string>
+   <key>PayloadIdentifier</key>
+   <string>com.apple.security.pkcs1.${UUID5}</string>
+   <key>PayloadType</key>
+   <string>com.apple.security.pkcs1</string>
+   <key>PayloadUUID</key>
+   <string>${UUID5}</string>
+   <key>PayloadVersion</key>
+   <integer>1</integer>
+  </dict>
+ </array>
+ <key>PayloadDisplayName</key>
+ <string>VPN</string>
+ <key>PayloadIdentifier</key>
+ <string>com.github.vimagick.strongswan</string>
+ <key>PayloadRemovalDisallowed</key>
+ <false/>
+ <key>PayloadType</key>
+ <string>Configuration</string>
+ <key>PayloadUUID</key>
+ <string>${UUID6}</string>
+ <key>PayloadVersion</key>
+ <integer>1</integer>
+</dict>
+</plist>
+_EOF_