dmzsrv
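# dmzsrv: install FreeRADIUS and stage its TLS material from 10.0.0.1.
apt install -y freeradius
# Quote the remote glob so it is expanded on 10.0.0.1, never by the local shell.
scp '10.0.0.1:/ca/certs/radius*' /etc/freeradius/3.0/certs
scp 10.0.0.1:/etc/ssl/chain.crt /etc/freeradius/3.0/certs
chown -R freerad:freerad /etc/freeradius/3.0/certs
# scp creates the copy with the source file's mode bits, so pin the private key
# (the file name the eap module references) to owner-only access instead of
# trusting whatever mode it had on the CA host.
chmod 600 /etc/freeradius/3.0/certs/radius.key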
# Point the EAP module's shared TLS settings at the server key, certificate and
# CA chain. ${certdir} is presumably /etc/freeradius/3.0/certs, where the files
# were copied -- confirm against radiusd.conf.
vi /etc/freeradius/3.0/mods-available/eap
#####
tls-config tls-common {
# Left blank: no passphrase is supplied for radius.key, so the key is presumably
# stored unencrypted and protected only by file ownership and mode -- confirm.
private_key_password =
private_key_file = ${certdir}/radius.key
certificate_file = ${certdir}/radius.crt
# CA chain file fetched from 10.0.0.1:/etc/ssl/chain.crt.
ca_file = ${certdir}/chain.crt
}
#####
# Register the VPN gateway as a RADIUS client of this server.
vi /etc/freeradius/3.0/clients.conf
#####
client MAIN-R {
# Source address that requests from this client must come from.
ipaddr = 10.0.1.254
# Shared secret; it has to equal the eap-radius `secret` set in
# /etc/strongswan.conf on main-r.
# NOTE(review): this is a short, human-chosen value recorded in plaintext.
# Prefer a long random string and keep clients.conf unreadable to other users.
secret = Skill39**
}
#####
# Restart so the EAP and client definitions are loaded.
systemctl restart freeradius.service
main-r
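# main-r: install strongSwan with its plugin packages, then fetch the CA
# certificates and the gateway certificate/key from 10.0.0.1.
# -y added to match the other apt invocations in this runbook.
apt install -y strongswan libcharon-extra-plugins libstrongswan-extra-plugins
# Stored as subca.crt; presumably the issuing (intermediate) CA -- confirm.
scp 10.0.0.1:/ca/cacert.pem /etc/ipsec.d/cacerts/subca.crt
scp 10.0.0.1:/etc/ssl/root-ca.crt /etc/ipsec.d/cacerts/
scp 10.0.0.1:/ca/certs/vpn.crt /etc/ipsec.d/certs/
# Trailing slash: fail if the directory is missing rather than writing the key
# to a regular file named "private".
scp 10.0.0.1:/ca/certs/vpn.key /etc/ipsec.d/private/
# scp creates the copy with the source file's mode bits; restrict the gateway's
# private key to its owner.
chmod 600 /etc/ipsec.d/private/vpn.key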
# The listing shows vpn.key reduced to a single EC PRIVATE KEY PEM block. There
# is no Proc-Type/DEK-Info header, so the key is unencrypted at rest and file
# permissions are its only protection.
# NOTE(review): the base64 body shown is shorter than the length its DER header
# declares, so the listing looks truncated. Private key material should not be
# pasted into a runbook; if any of it came from a key in use, treat that key as
# exposed and reissue vpn.crt/vpn.key.
vi /etc/ipsec.d/private/vpn.key
#####
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIN8ArmVSerbl9xJnDXmOxXEggAeWY+lMqKUvYx7jgMI3oAoGCCqGSM49
AwEHoUQDQgAEoxTrDdWAW0i2lG7klHUQM5GzjSxomhEqWUN+ShutnYSY789kIwgo
-----END EC PRIVATE KEY-----
#####
# Tell charon which private key to load for the gateway certificate.
vi /etc/ipsec.secrets
#####
# Entry format: `: ECDSA <key file> [<passphrase>]`. A relative file name is
# looked up under /etc/ipsec.d/private.
# NOTE(review): the quoted string sits in the passphrase field, yet its value is
# the base64 of the prime256v1 EC PARAMETERS block, not a secret, and the key
# listed for vpn.key carries no encryption header. The field looks unnecessary;
# confirm and drop it.
: ECDSA vpn.key "BggqhkjOPQMBBw=="
#####
# Configure charon's eap-radius plugin so EAP exchanges are relayed to the
# FreeRADIUS server.
# NOTE(review): this puts the RADIUS shared secret into /etc/strongswan.conf.
# Check that the file is not readable by unprivileged users, or move the
# eap-radius section into a separate root-only file pulled in by the include.
vi /etc/strongswan.conf
#####
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
eap-radius {
servers {
# "freerad" is only a local label for this server entry.
freerad {
# Must equal the `secret` of client MAIN-R in clients.conf on the RADIUS server.
secret = Skill39**
# RADIUS server address, with separate authentication and accounting ports.
address = 10.0.1.1
auth_port = 1812
acct_port = 1813
}
}
}
}
}
#####
# Remote-access IKEv2 connection: the gateway authenticates with its
# certificate, clients authenticate with EAP relayed to RADIUS.
vi /etc/ipsec.conf
#####
# NOTE(review): in the real ipsec.conf every parameter line under `conn` must
# begin with whitespace; the indentation is missing from this listing.
# NOTE(review): no ike=/esp= proposals are set, so strongSwan's default
# algorithm proposals apply -- confirm they meet the required policy.
conn IKEv2-VPN
keyexchange=ikev2
# 0.0.0.0/0 offers the whole address space, i.e. clients may route all traffic
# through the tunnel.
leftsubnet=0.0.0.0/0
left=%any
# Gateway proves its identity with the vpn.crt certificate.
leftauth=pubkey
leftcert=vpn.crt
# Accept clients from any address and with any IKE identity; who may connect is
# therefore decided by the RADIUS server alone.
right=%any
rightid=%any
# Virtual address pool and DNS server handed to clients.
rightsourceip=10.0.255.0/24
rightdns=10.0.0.1
# Client authentication is delegated to the eap-radius plugin; %any makes the
# gateway ask the client for its EAP identity.
rightauth=eap-radius
eap_identity=%any
# Load the connection and wait for clients to initiate.
auto=add
#####
# Restart so the new secrets, plugin settings and connection are loaded.
systemctl restart ipsec
intsrv
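# intsrv: hand the client certificate/key files and the root CA to pubclient.
# The destination host was lost when this page was captured: "[email protected]"
# is an e-mail-obfuscation artifact. The account is presumably sysop, matching
# the /home/sysop target. Set pubclient_addr to pubclient's address first.
# NOTE(review): client* presumably includes client.key, which is only
# passphrase-protected later on pubclient; encrypting it before the transfer
# would avoid leaving a plaintext copy on the client.
scp /ca/certs/client* "sysop@${pubclient_addr:?set to the address of pubclient}:/home/sysop"
scp /etc/ssl/root-ca.crt "sysop@${pubclient_addr:?set to the address of pubclient}:/home/sysop"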
pubclient
# pubclient: add the NetworkManager strongSwan plugin, then write an
# AES-256-encrypted copy of the client key.
apt install --assume-yes network-manager-strongswan libcharon-extra-plugins
# openssl prompts for the new passphrase. client.key is read relative to the
# current directory, presumably /home/sysop where the files were copied.
# NOTE(review): nothing here removes or restricts the unencrypted client.key
# afterwards.
openssl ec -aes256 -in client.key -out client_encrypt.key
# Give sysop ownership of everything under its home directory, including the
# new key file.
chown -R sysop:sysop /home/sysop
