strongSwan 代码内的说明文档

https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md

OpenSuSE 中文帮助手册 strongSwan 配置指南

https://zh.opensuse.org/SDB:Setup_Ipsec_VPN_with_Strongswan

其他有关strongSwan的英文文档

• 教程: 《How to Set Up an IKEv2 V(和)P(谐)N Server with strongSwan on Ubuntu 16.04》https://www.和谐digitalocean和谐.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
  作者 Namohttps://www.和谐digitalocean和谐.com/community/users/namo
  （中文翻译不完整https://ys138.win/2017/03/07/ubuntu-strongswan-ikev2vpn/）

一份比较完整的中文笔记

• 《Ubuntu安装和配置strongSwan》by mawenbao
  https://www.mawenbao.com/note/strongSwan-setup-and-config-on-ubuntu-server.html

cd /etc/ipsec.d

# root CA 的 RSA 私钥:
ipsec pki --gen --type rsa \
  --size 4096 --outform pem \
  > private/rootCAKey.pem

# 然后使用 root CA 私钥自签署 root CA 的根证书:
ipsec pki --self --ca --lifetime 3650 \
  --in private/rootCAKey.pem --type rsa \
  --dn "C=CH, O=my_company_name, CN=my_root_CA" \
  --outform pem > cacerts/rootCACert.pem

# 创建Server私钥
ipsec pki --gen --type rsa --size 2048 \
  --outform pem > private/strongSwanServerKey.pem

# CA 签发对应 Server 私钥的公钥证书
ipsec pki --pub --in private/strongSwanServerKey.pem --type rsa | \
  ipsec pki --issue --lifetime 730 \
  --cacert cacerts/rootCACert.pem \
  --cakey private/rootCAKey.pem \
  --dn "C=CH, O=my_company_name, CN=x86box1.example.com" \
  --san x86box1.example.com \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > certs/strongSwanServerCert.pem

疑问

12[IKE] 192.168.0.23 is initiating an IKE_SA
12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
12[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048
12[IKE] received proposals inacceptable