Using the SJTU VPN on Linux
Last updated: 22 December 2022, 14:05

This guide uses Ubuntu 20.04 as its example: it installs the strongSwan software and configures a VPN connection using the IKEv2 protocol.

You can check the Ubuntu release with the lsb_release command:

    $ lsb_release --all
    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04.2 LTS
    Release:        20.04
    Codename:       focal

Install the VPN packages

Use the apt package manager to install strongSwan, its extra plugins and the related tools:

    sudo apt install strongswan strongswan-swanctl
    sudo apt install libstrongswan-extra-plugins libcharon-extra-plugins
    sudo apt install resolvconf curl


Import the system's trusted certificate list

strongSwan trusts no CA certificates by default; the following steps populate its CA directory with the system's trusted certificate list, so that the VPN gateway's certificate can be verified:

    sudo rm -f /etc/ipsec.d/cacerts/*
    sudo ln -s /etc/ssl/certs/* /etc/ipsec.d/cacerts/

Create the VPN connection

Method 1: using the ipsec command

In the example the jAccount username is assumed to be myname and the password mypassword; replace both with your own:

1. Edit /etc/ipsec.conf

    conn "sjtu-staff"
        keyexchange=ikev2
        left=%config
        leftsourceip=%config4,%config6
        leftauth=eap-peap
        ike=aes128-sha1-modp1024, aes256-sha1-modp1024, 3des-sha1-modp1024!
        esp=aes128-sha1-modp1024, aes128-sha2_256-modp1024, 3des-sha1-modp1024!
        right=vpn.sjtu.edu.cn
        rightid=%any
        rightsendcert=never
        rightsubnet=0.0.0.0/0,2000::/3
        rightauth=pubkey
        eap_identity="myname" # jAccount ID
        auto=add
        aaa_identity="@radius.net.sjtu.edu.cn"

    conn "sjtu-student"
        keyexchange=ikev2
        left=%config
        leftsourceip=%config4,%config6
        leftauth=eap-peap
        right=stu.vpn.sjtu.edu.cn
        rightid=@stu.vpn.sjtu.edu.cn
        rightsendcert=never
        rightsubnet=0.0.0.0/0,2000::/3
        rightauth=pubkey
        eap_identity="myname" # jAccount ID
        auto=add
        aaa_identity="@radius.net.sjtu.edu.cn"

2. Edit /etc/ipsec.secrets

    "myname" : EAP "mypassword"

Restart the VPN service:

    sudo ipsec restart

Connect to the VPN:

    sudo ipsec up "sjtu-staff"     # staff VPN
    sudo ipsec up "sjtu-student"   # student VPN

Disconnect from the VPN:

    sudo ipsec down "sjtu-staff"     # staff VPN
    sudo ipsec down "sjtu-student"   # student VPN

Method 2: using the swanctl command

The configuration file read by swanctl is assumed to be named sjtuvpn.conf, with the full path:

    /etc/swanctl/conf.d/sjtuvpn.conf

In the example the jAccount username is assumed to be myname and the password mypassword; replace both with your own:

    connections {
        sjtuvpn-staff {
            vips = 0.0.0.0,::
            remote_addrs = vpn.sjtu.edu.cn
            send_certreq = no
            local {
                auth = eap-peap
                id = "myname"
                aaa_id = @radius.net.sjtu.edu.cn
            }
            remote {
                auth = pubkey
                id = %any
            }
            children {
                sjtuvpn-staff {
                    remote_ts = 0.0.0.0/0,::/0
                    esp_proposals = aes128-sha1-modp1024, aes128-sha2_256-modp1024, 3des-sha1-modp1024,default
                }
            }
            version = 2
            mobike = no
            proposals = aes128-sha1-modp1024, aes256-sha1-modp1024,3des-sha1-modp1024,default
        }
        sjtuvpn-student {
            vips = 0.0.0.0,::
            remote_addrs = stu.vpn.sjtu.edu.cn
            send_certreq = no
            local {
                auth = eap-peap
                id = "myname"
                aaa_id = @radius.net.sjtu.edu.cn
            }
            remote {
                auth = pubkey
                id = @stu.vpn.sjtu.edu.cn
            }
            children {
                sjtuvpn-student {
                    remote_ts = 0.0.0.0/0,::/0
                }
            }
            version = 2
            mobike = no
        }
    }
    secrets {
        eap-jaccount {
            id = "myname"
            secret = "mypassword"
        }
    }

Reload the VPN configuration:

    sudo swanctl --load-conns

Connect to the VPN:

    sudo swanctl -i --child sjtuvpn-staff     # staff VPN
    sudo swanctl -i --child sjtuvpn-student   # student VPN

Disconnect from the VPN:

    sudo swanctl -t --child sjtuvpn-staff     # staff VPN
    sudo swanctl -t --child sjtuvpn-student   # student VPN
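As an added example (not from this page or from the strongSwan project), the following Python script parses the section syntax of the sjtuvpn.conf file above and reports, for each connection, the peer identity it will accept (remote.id) and which of its offered IKE/ESP proposals still use older algorithms; the legacy set (3DES, SHA-1, MODP-1024) is my assumption, and the configuration excerpt is constructed from the page's staff connection.

```python
# Assumption (not from the page): algorithm tokens we report as legacy.
LEGACY = ("3des", "sha1", "modp1024")

# Constructed excerpt of /etc/swanctl/conf.d/sjtuvpn.conf (staff connection only).
SAMPLE = """\
connections {
    sjtuvpn-staff {
        remote {
            auth = pubkey
            id = %any
        }
        children {
            sjtuvpn-staff {
                esp_proposals = aes128-sha1-modp1024, 3des-sha1-modp1024,default
            }
        }
        proposals = aes128-sha1-modp1024, aes256-sha1-modp1024,default
    }
}
"""


def parse_swanctl(text):
    """Parse 'key = value' lines and 'name { ... }' blocks into nested dicts.

    Subset of the swanctl.conf syntax: no include statements, no inline comments.
    """
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):               # open a nested section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                    # close it, back to the parent
            cur = stack.pop()
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()   # quotes are kept verbatim
    return root


def audit_connections(conf):
    """Per connection: accepted peer identity and offered proposals using legacy algorithms."""
    report = {}
    for name, conn in conf.get("connections", {}).items():
        offered = conn.get("proposals", "").split(",")
        for child in conn.get("children", {}).values():
            offered += child.get("esp_proposals", "").split(",")
        legacy = sorted({p.strip() for p in offered if any(a in p for a in LEGACY)})
        report[name] = {"remote_id": conn.get("remote", {}).get("id"), "legacy": legacy}
    return report
```

Running audit_connections(parse_swanctl(SAMPLE)) shows that the staff connection accepts any certificate identity from a trusted CA (remote id %any), whereas the student connection on the page pins the gateway identity to @stu.vpn.sjtu.edu.cn.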

Check that the VPN is working

Run the following commands from a terminal before and after connecting to the VPN, and check whether the IP address they report changes:

    curl whatismyip.sjtu.edu.cn
    curl v6.whatismyip.sjtu.edu.cn