Oct 16

The Q10 apparently only supports Cisco IPSec VPN, so PPTP cannot be used; after a day of tinkering I found that the English material is still the most reliable.

1. Server

racoon

racoon is an Internet Key Exchange (IKE) daemon for automatically keying IPsec connections. We’ll use this tool to establish our IPSec connection.

Since we are on Debian, we can simply use apt-get to install it:

apt-get install racoon

And set its configuration files as follows:

racoon.conf

# /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
    isakmp SERVER.IP.ADDRESS [500];
    isakmp_natt SERVER.IP.ADDRESS [4500];
}

remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 10.12.0.100;
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}

Only the IP address in the listen block needs to be changed.

psk.txt

Pre-shared key:

# /etc/racoon/psk.txt

# Group Name Group Secret
GROUP.NAME GROUP.SECRET

And set its permissions to 600:

chmod 600 /etc/racoon/psk.txt

At first I got itchy fingers and changed the permissions of the psk.txt file, with the result that I could not log in. Logs are a good thing: the log said there was a permission problem, and after fixing the permissions I could log in.
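The permission problem above is easy to catch before racoon is ever started. The following is an added example, not part of the original post: a POSIX shell function that checks a psk.txt file the way racoon expects it (mode 600, owned by root, one "GROUP SECRET" pair per non-comment line) and also flags short group secrets. It assumes GNU stat (Debian); the minimum secret length and the PSK_OWNER_UID override are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check racoon's psk.txt
# before starting the daemon. The post's log showed racoon rejecting the file
# when its permissions were wrong, so the check enforces mode 600 and the
# expected owner, then validates the "group secret" lines themselves.
MIN_SECRET_LEN=16                     # assumption: minimum group secret length
PSK_OWNER_UID=${PSK_OWNER_UID:-0}     # assumption: expected owner, root by default

# check_psk_file FILE
# Returns 0 when FILE is mode 600, owned by PSK_OWNER_UID, and every
# non-comment line has exactly two fields with a long enough secret.
# Prints one diagnostic per problem and returns 1 otherwise.
check_psk_file() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    mode=$(stat -c %a "$file")
    owner=$(stat -c %u "$file")
    if [ "$mode" != "600" ]; then
        echo "$file: mode is $mode, expected 600 (racoon will not accept a group-/world-readable key file)"
        rc=1
    fi
    if [ "$owner" != "$PSK_OWNER_UID" ]; then
        echo "$file: owned by uid $owner, expected uid $PSK_OWNER_UID"
        rc=1
    fi
    lineno=0
    # Read line by line; the trailing test keeps a final line without newline.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments are allowed
        esac
        set -- $line                      # split the line into fields
        if [ $# -ne 2 ]; then
            echo "$file:$lineno: expected 'GROUP SECRET', got $# fields"
            rc=1
            continue
        fi
        if [ ${#2} -lt "$MIN_SECRET_LEN" ]; then
            echo "$file:$lineno: secret for group '$1' is shorter than $MIN_SECRET_LEN characters"
            rc=1
        fi
    done < "$file"
    return $rc
}

# Usage: check_psk_file /etc/racoon/psk.txt && systemctl restart racoon
```

Run it as root against /etc/racoon/psk.txt; a non-zero exit means racoon should not be (re)started until the reported line or permission is fixed.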

motd

Banner:

# /etc/racoon/motd

# Banner
Welcome to Cisco IPSec!

Accounts

To make it simple, we use system’s account system to validate our users:

useradd -MN -b /tmp -s /bin/false USER
passwd USER

iptables

Add the following rules to open relative ports and enable NAT.

iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT

These rules may be lost after reboot. Consult this article to avoid this.

In the original article, the second rule was missing one dash before -dport.
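Because the rules above are plain `-A` appends, running them a second time (for example from a boot hook, to survive the reboot problem mentioned above) stacks duplicate rules. The following is an added example, not part of the original post: the same four rules parameterised by interface and subnet, applied with an `iptables -C` check so each rule is appended only if it is not already present. The `DRY_RUN` switch, which only prints the commands, is this example's own addition.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's four firewall
# rules idempotently. Each rule is first tested with "iptables -C" and appended
# with "-A" only when absent, so the script is safe to run from a boot hook.
# DRY_RUN=1 prints the commands instead of running them (no root needed).

# vpn_rules IFACE SUBNET
# Prints one rule per line as: TABLE CHAIN RULE-SPEC
vpn_rules() {
    iface=$1
    subnet=$2
    cat <<EOF
filter INPUT -p udp --dport 500 -j ACCEPT
filter INPUT -p udp --dport 4500 -j ACCEPT
nat POSTROUTING -s $subnet -o $iface -j MASQUERADE
filter FORWARD -s $subnet -j ACCEPT
EOF
}

# apply_vpn_rules IFACE SUBNET
# Adds every rule from vpn_rules that is not already in place.
apply_vpn_rules() {
    vpn_rules "$1" "$2" | while read -r table chain spec; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "iptables -t $table -A $chain $spec"
            continue
        fi
        # $spec is intentionally unquoted so it word-splits into arguments.
        if iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            echo "present: -t $table $chain $spec"
        else
            iptables -t "$table" -A "$chain" $spec
            echo "added:   -t $table $chain $spec"
        fi
    done
}

# Usage: ./vpn-rules.sh apply eth0 10.12.0.0/24
if [ "${1:-}" = "apply" ]; then
    apply_vpn_rules "${2:-eth0}" "${3:-10.12.0.0/24}"
fi
```

The subnet must match `network4`/`netmask4` in racoon.conf and the interface must be the one that carries the server's public address; run with `DRY_RUN=1` first to see exactly which commands will be issued.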

ipv4 forward

# /etc/sysctl.conf

net.ipv4.ip_forward=1

Run this command to enable this change:

sysctl -p /etc/sysctl.conf

2. Client

Linux

We can use vpnc as a client on Linux. Here is an example of its config:

# /etc/vpnc/default.conf

IPSec gateway SERVER.DOMAIN/IP
IPSec ID GROUP.NAME
IPSec secret GROUP.SECRET
IKE Authmode psk
Xauth username USER.NAME
Xauth password USER.PASSWORD
NAT Traversal Mode cisco-udp

Now we can connect to or disconnect from the server using vpnc-connect or vpnc-disconnect.

3. Reference

Thanks to these articles for great help:

Reposted from: http://diary.archangelsdy.com/blog/2012/07/29/cisco-ipsec-vpn-for-debian/

One Response to “Cisco IPSec VPN for Debian”

  1. vigilanza bari Says:

    I used vpnc as a client on Linux after your example of its configuration, thank you
