The Q10 apparently only supports Cisco IPSec VPN, so PPTP cannot be used; after a day of tinkering I found that the English material is still the reliable source.
1. Server
racoon
racoon is an Internet Key Exchange (IKE) daemon for automatically keying IPsec connections. We’ll use this tool to establish our IPSec connection.
Since we are on Debian, we can simply use apt-get to install it:
apt-get install racoon
And set its configuration files as follows:
racoon.conf
# /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
    isakmp SERVER.IP.ADDRESS [500];
    isakmp_natt SERVER.IP.ADDRESS [4500];
}

remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;
    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 10.12.0.100;
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}
Only the IP address in the listen block needs to be changed.
psk.txt
Pre-shared key:
# /etc/racoon/psk.txt
# Group Name    Group Secret
GROUP.NAME      GROUP.SECRET
And set its permissions to 600:
chmod 600 /etc/racoon/psk.txt
At first I got careless and changed the permissions of the psk.txt file, with the result that I could not log in. Logs are a good thing: the log pointed at a permissions problem, and after changing the permissions back I could log in.
motd
Banner:
# /etc/racoon/motd
# Banner
Welcome to Cisco IPSec!
Accounts
To make it simple, we use system’s account system to validate our users:
useradd -MN -b /tmp -s /bin/false USER
passwd USER
iptables
Add the following rules to open the relevant ports and enable NAT.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
These rules may be lost after reboot. Consult this article to avoid this.
In the original article, the second rule is missing one dash before -dport.
ipv4 forward
# /etc/sysctl.conf
net.ipv4.ip_forward=1
Run this command to enable this change:
sysctl -p /etc/sysctl.conf
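A pre-flight script for the server side, added here as an example and not taken from the original article: it checks the psk.txt mode that cost the author a day, flags leftover placeholders and curly quotes in the racoon files, confirms ip_forward in sysctl.conf, and models how racoon looks a group up in psk.txt. The function names and the /etc defaults are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the racoon setup above (added example, not part of
# the original article). The psk.txt lookup is a simplified model of how
# racoon reads that file; the three checks cover what the post tripped over.

# 0 if FILE is mode 0600 (the mode set above; racoon refuses a key file
# readable by group or others). ls -ld works on both GNU and BSD userlands.
psk_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# 0 (and prints the lines) if FILE still carries an unreplaced placeholder
# from the templates above or the curly quotes a web copy-paste leaves
# behind; racoon's parser rejects both.
conf_has_placeholders() {
    grep -nE 'SERVER\.IP\.ADDRESS|GROUP\.(NAME|SECRET)|“|”' "$1"
}

# Print the secret for group ID from a psk.txt: comment and blank lines are
# skipped, the first field is the identifier, the rest of the line the key.
psk_lookup() {
    awk -v id="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == id { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# 0 if SYSCTL_FILE turns on IPv4 forwarding (checked in the file, not the
# running kernel, so the setting survives a reboot).
ip_forward_enabled() {
    grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Run all checks; arguments default to the paths used in the post. Returns
# non-zero on the first failure so it can gate a racoon restart.
preflight() {
    conf=${1:-/etc/racoon/racoon.conf}
    psk=${2:-/etc/racoon/psk.txt}
    sysctl_file=${3:-/etc/sysctl.conf}
    psk_mode_ok "$psk" || { echo "$psk: must be mode 600"; return 1; }
    for f in "$conf" "$psk"; do
        if conf_has_placeholders "$f"; then
            echo "$f: placeholders or curly quotes left (see lines above)"; return 1
        fi
    done
    ip_forward_enabled "$sysctl_file" || { echo "$sysctl_file: net.ipv4.ip_forward=1 missing"; return 1; }
    echo "preflight ok"
}
```

Run `preflight` with no arguments on the server before restarting racoon; it stops at the first problem and names the file.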
2. Client
Linux
We can use vpnc as a client on Linux. Here is an example of its config:
# /etc/vpnc/default.conf
IPSec gateway SERVER.DOMAIN/IP
IPSec ID GROUP.NAME
IPSec secret GROUP.SECRET
IKE Authmode psk
Xauth username USER.NAME
Xauth password USER.PASSWORD
NAT Traversal Mode cisco-udp
Now we can connect to or disconnect from the server using vpnc-connect or vpnc-disconnect.
3. Reference
Thanks to these articles for their great help:
- Pure IPSec VPN with IPSec-Tools/Racoon on CentOS
- Linode+Centos6.2+racoon+IPSec setup
- How to enable IP Forwarding
- IPSec-tools
Reposted from: http://diary.archangelsdy.com/blog/2012/07/29/cisco-ipsec-vpn-for-debian/
October 31st, 2014 at 9:12 am
I used vpnc as a client on Linux after your example of its configuration, thank you