Improve IKEv2 setup
- Increase the RSA key size from the default 2048 bits to 3072 bits
- Use a fixed delay between certutil calls; a random delay is not needed
- Update docs
This commit is contained in:
parent
21a72d6232
commit
ee409250d8
@ -610,7 +610,7 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -x -n "IKEv2 VPN CA" \
|
||||
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t "CT,," -2
|
||||
```
|
||||
|
||||
@ -632,7 +632,7 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
|
||||
-s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t ",," \
|
||||
--keyUsage digitalSignature,keyEncipherment \
|
||||
--extKeyUsage serverAuth \
|
||||
@ -653,7 +653,7 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -c "IKEv2 VPN CA" -n "vpnclient" \
|
||||
-s "O=IKEv2 VPN,CN=vpnclient" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t ",," \
|
||||
--keyUsage digitalSignature,keyEncipherment \
|
||||
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
||||
|
@ -612,7 +612,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -x -n "IKEv2 VPN CA" \
|
||||
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t "CT,," -2
|
||||
```
|
||||
|
||||
@ -634,7 +634,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
|
||||
-s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t ",," \
|
||||
--keyUsage digitalSignature,keyEncipherment \
|
||||
--extKeyUsage serverAuth \
|
||||
@ -655,7 +655,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -c "IKEv2 VPN CA" -n "vpnclient" \
|
||||
-s "O=IKEv2 VPN,CN=vpnclient" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t ",," \
|
||||
--keyUsage digitalSignature,keyEncipherment \
|
||||
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
||||
|
@ -646,12 +646,12 @@ EOF
|
||||
create_client_cert() {
|
||||
bigecho2 "Generating client certificate..."
|
||||
|
||||
sleep $((RANDOM % 3 + 1))
|
||||
sleep 1
|
||||
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -c "IKEv2 VPN CA" -n "$client_name" \
|
||||
-s "O=IKEv2 VPN,CN=$client_name" \
|
||||
-k rsa -v "$client_validity" \
|
||||
-k rsa -g 3072 -v "$client_validity" \
|
||||
-d sql:/etc/ipsec.d -t ",," \
|
||||
--keyUsage digitalSignature,keyEncipherment \
|
||||
--extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null 2>&1 || exiterr "Failed to create client certificate."
|
||||
@ -923,20 +923,20 @@ create_ca_server_certs() {
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -x -n "IKEv2 VPN CA" \
|
||||
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
|
||||
y
|
||||
|
||||
N
|
||||
ANSWERS
|
||||
|
||||
sleep $((RANDOM % 3 + 1))
|
||||
sleep 1
|
||||
|
||||
if [ "$use_dns_name" = "1" ]; then
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -c "IKEv2 VPN CA" -n "$server_addr" \
|
||||
-s "O=IKEv2 VPN,CN=$server_addr" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t ",," \
|
||||
--keyUsage digitalSignature,keyEncipherment \
|
||||
--extKeyUsage serverAuth \
|
||||
@ -945,7 +945,7 @@ ANSWERS
|
||||
certutil -z <(head -c 1024 /dev/urandom) \
|
||||
-S -c "IKEv2 VPN CA" -n "$server_addr" \
|
||||
-s "O=IKEv2 VPN,CN=$server_addr" \
|
||||
-k rsa -v 120 \
|
||||
-k rsa -g 3072 -v 120 \
|
||||
-d sql:/etc/ipsec.d -t ",," \
|
||||
--keyUsage digitalSignature,keyEncipherment \
|
||||
--extKeyUsage serverAuth \
|
||||
|
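Review bot: The `sleep 1` between the CA and server certutil invocations still leaves certificate serial numbers tied to wall-clock spacing; certutil -S derives its default serial from the current time when no `-m` is given, so two certs issued within the same second (or on a re-run of the script) can collide, and a fixed one-second delay is a fragile way to avoid that. Passing an explicit serial removes the timing dependence and avoids predictable serials, e.g. `serial=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')` before each call and `-m "$serial"` on the certutil line, with the `sleep 1` then becoming unnecessary. Separately, the client certificate in create_client_cert keeps `serverAuth` in its EKU alongside `clientAuth`; unless a client platform is known to require it, dropping `serverAuth` there would prevent a client key from passing as a server certificate to peers that verify only the CA chain and EKU. create_ca_server_certs starts before this hunk and continues past it.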