The Q10 seems to support only Cisco IPSec VPN, so PPTP is not an option. After a day of fiddling I found that the English-language sources were the reliable ones after all.
1.Server
racoon
racoon is an Internet Key Exchange (IKE) daemon that negotiates keys for IPsec connections automatically. We use it to terminate the IPsec connection on the server.
Since we are on Debian, we can simply use apt-get to install it:
apt-get install racoon
And set its configuration files as follows:
racoon.conf
# /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
isakmp SERVER.IP.ADDRESS [500];
isakmp_natt SERVER.IP.ADDRESS [4500];
}
remote anonymous {
exchange_mode aggressive, main, base;
mode_cfg on;
proposal_check obey;
nat_traversal on;
generate_policy unique;
ike_frag on;
passive on;
dpd_delay 30;
proposal {
lifetime time 28800 sec;
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method xauth_psk_server;
dh_group 2;
}
}
sainfo anonymous {
encryption_algorithm aes, 3des, blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
mode_cfg {
auth_source system;
dns4 8.8.8.8;
banner "/etc/racoon/motd";
save_passwd on;
network4 10.12.0.100;
netmask4 255.255.255.0;
pool_size 100;
pfs_group 2;
}
Only the IP address in the listen block needs to be changed. Note that the proposal (3DES, MD5, DH group 2, aggressive mode with a group pre-shared key plus XAuth) is what the Cisco IPsec client on the phone expects, but these are legacy choices: with aggressive mode and a PSK, a captured exchange allows offline guessing of the group secret, so make GROUP.SECRET long and random.
psk.txt
Pre-shared key:
# /etc/racoon/psk.txt
# Group Name Group Secret
GROUP.NAME GROUP.SECRET
And set its permissions to 600:
chmod 600 /etc/racoon/psk.txt
At first I carelessly changed the permissions on psk.txt, and the result was that I could not log in. Logs are a wonderful thing: the log said there was a permissions problem, and once I fixed the permissions I could log in.
motd
Banner:
# /etc/racoon/motd
# Banner
Welcome to Cisco IPSec!
Accounts
To keep things simple, we use the system's user accounts to authenticate XAuth users (auth_source system above). The account gets no home directory and no shell:
useradd -MN -b /tmp -s /bin/false USER
passwd USER
iptables
Add the following rules to open the relevant ports (IKE on UDP 500, NAT-T on UDP 4500) and enable NAT for the VPN subnet.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
These rules may be lost after reboot. Consult this article to avoid this.
In the original article the second rule was missing one dash before -dport.
ipv4 forward
# /etc/sysctl.conf
net.ipv4.ip_forward=1
Run this command to enable this change:
sysctl -p /etc/sysctl.conf
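The server-side steps above (PSK file, its permissions, the firewall rules and IP forwarding) collected into one script, as an added example that is not part of the original article. It generates a random group secret, checks the PSK file the way the log complaint above suggests (mode 600 and at least one group/secret entry), and prints or applies the iptables and sysctl commands depending on a DRY_RUN variable; the function names, the extra FORWARD rule for return traffic and the variable names are this example's own. It assumes GNU coreutils (stat -c, base64).

```shell
#!/bin/sh
# Added example, not from the original article. Helper functions for the
# racoon server setup; assumes GNU coreutils (stat -c, base64, mktemp).

# Print one "GROUP SECRET" line for /etc/racoon/psk.txt. racoon treats
# everything after the first whitespace as the secret, so the secret must
# not contain spaces: 32 random bytes, base64-encoded (44 characters).
gen_psk_line() {
  group="$1"
  secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
  printf '%s %s\n' "$group" "$secret"
}

# Return 0 only if the PSK file is mode 600 (or 400) and holds at least one
# non-comment line with a group name and a secret. A group- or world-readable
# file is exactly the permission problem the log reported above.
check_psk_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  mode=$(stat -c %a "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f has mode $mode; want 600" >&2; return 1 ;;
  esac
  n=$(grep -v '^[[:space:]]*#' "$f" | awk 'NF >= 2' | wc -l)
  [ "$n" -ge 1 ] || { echo "$f has no group/secret entries" >&2; return 1; }
  return 0
}

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Firewall and forwarding setup for the VPN. Arguments: WAN interface and
# the client pool network (network4/netmask4 in racoon.conf). The
# ESTABLISHED,RELATED rule is added here so replies to clients are forwarded
# even when the FORWARD chain's default policy is DROP.
vpn_firewall() {
  wan_if="$1"; vpn_net="$2"
  run iptables -A INPUT -p udp --dport 500 -j ACCEPT
  run iptables -A INPUT -p udp --dport 4500 -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
  run iptables -A FORWARD -s "$vpn_net" -j ACCEPT
  run iptables -A FORWARD -d "$vpn_net" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run sysctl -w net.ipv4.ip_forward=1
}

# Demo (print only): build a PSK file in a temp dir, check it, show rules.
DRY_RUN=1
demo_dir=$(mktemp -d)
{ echo '# Group Name Group Secret'; gen_psk_line vpngroup; } > "$demo_dir/psk.txt"
chmod 600 "$demo_dir/psk.txt"
check_psk_file "$demo_dir/psk.txt" && echo "psk.txt OK"
vpn_firewall eth0 10.12.0.0/24
rm -rf "$demo_dir"
```

To apply for real, run the script as root with DRY_RUN=0 and copy the generated line into /etc/racoon/psk.txt; the check function can also go into an init or deploy script so racoon is never started with a readable secret.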
2.Client
Linux
We can use vpnc as a client on Linux. Here is an example of its config:
# /etc/vpnc/default.conf
IPSec gateway SERVER.DOMAIN/IP
IPSec ID GROUP.NAME
IPSec secret GROUP.SECRET
IKE Authmode psk
Xauth username USER.NAME
Xauth password USER.PASSWORD
NAT Traversal Mode cisco-udp
Now we can connect to or disconnect from the server with vpnc-connect and vpnc-disconnect.
3.Reference
Thanks to these articles for great help:
Reposted from: http://diary.archangelsdy.com/blog/2012/07/29/cisco-ipsec-vpn-for-debian/