Setting up a Cisco IPsec VPN on Debian-based Linux distributions

This is an article rescued from my previous blog (thanks to Google's cache, which let me recover part of the data!). I have revised a few parts so that the steps are described more clearly and readers can try the setup themselves.

For certain reasons I needed a VPN, so I set out to build one myself. Weighing security and efficiency, I chose Cisco IPsec VPN; after some searching on Baidu and Google, I settled on racoon.
Below I describe my setup process.

My installation environment: XenSystem Ubuntu 14.01 Server x64

1. Install racoon

2. Configure racoon
Once racoon is installed it can be configured. The files to configure are racoon.conf, psk.txt and the motd file.
First, configure /etc/racoon/racoon.conf
Replace its original contents with the following:

Next, configure /etc/racoon/psk.txt
Append one line of the form: groupname groupkey
That is all it needs.
Then configure /etc/racoon/motd
This file only holds the welcome banner; it does not matter if it is empty, but for compatibility be sure to create it.
Finally, so that clients can reach the Internet through the VPN, the system must also be set to forward IP packets:

Right after that, run sysctl -p so the change takes effect immediately.
Next, add the firewall rules:

Note that the X in the commands above depends on each host's public-facing interface; on my host X is 0, i.e. eth0, so adjust it for your own machine.
Ubuntu does not persist firewall settings on its own, so an extra step is needed to save them:

Installing this package for the first time prompts you to save the current iptables rules; if you change the rules later, run
iptables-save
to save them.

OK, you can now connect to the VPN server with any client that supports Xauth PSK.


4 Responses

  1. fido says:

    I installed it on Ubuntu 14.04 LTS and it did not work.
    Could you help me look at the log? I am really getting anxious and cannot figure it out. Many thanks!

    Foreground mode.
    2015-03-26 18:19:48: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge...)
    2015-03-26 18:19:48: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
    2015-03-26 18:19:48: INFO: Reading configuration from "/etc/racoon/racoon.conf"
    2015-03-26 18:19:48: INFO: Resize address pool from 0 to 100
    2015-03-26 18:19:48: INFO: [VPS IP][4500] used for NAT-T
    2015-03-26 18:19:48: INFO: [VPS IP][4500] used as isakmp port (fd=7)
    2015-03-26 18:19:48: INFO: [VPS IP][500] used for NAT-T
    2015-03-26 18:19:48: INFO: [VPS IP][500] used as isakmp port (fd=8)
    2015-03-26 18:19:58: INFO: respond new phase 1 negotiation: [VPS IP][500][家里的 IP][9950]
    2015-03-26 18:19:58: INFO: begin Aggressive mode.
    2015-03-26 18:19:58: INFO: received broken Microsoft ID: FRAGMENTATION
    2015-03-26 18:19:58: INFO: received Vendor ID: RFC 3947
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

    2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    2015-03-26 18:19:58: INFO: received Vendor ID: CISCO-UNITY
    2015-03-26 18:19:58: INFO: received Vendor ID: DPD
    2015-03-26 18:19:58: [[家里的 IP]] INFO: Selected NAT-T version: RFC 3947
    2015-03-26 18:19:58: INFO: Adding remote and local NAT-D payloads.
    2015-03-26 18:19:58: [[家里的 IP]] INFO: Hashing [家里的 IP][9950] with algo #2 (NAT-T forced)
    2015-03-26 18:19:58: [[VPS IP]] INFO: Hashing [VPS IP][500] with algo #2 (NAT-T forced)
    2015-03-26 18:19:58: INFO: Adding xauth VID payload.
    2015-03-26 18:19:58: INFO: NAT-T: ports changed to: [家里的 IP][31334][VPS IP][4500]
    2015-03-26 18:19:58: INFO: NAT-D payload #0 doesn't match
    2015-03-26 18:19:58: INFO: NAT-D payload #1 doesn't match
    2015-03-26 18:19:58: [[家里的 IP]] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    2015-03-26 18:19:58: INFO: NAT detected: ME PEER
    2015-03-26 18:19:58: INFO: Sending Xauth request
    2015-03-26 18:19:58: INFO: ISAKMP-SA established [VPS IP][4500]-[家里的 IP][31334] spi:2214689180cd369e:af93ce0f86f5d50e
    2015-03-26 18:19:58: INFO: Using port 0
    2015-03-26 18:19:58: INFO: login succeeded for user "vpn"

    After less than half a minute the iPhone showed: negotiation with the VPN server failed

    Then, after a short while, the following messages appeared:

    2015-03-26 18:20:53: [[家里的 IP]] INFO: DPD: remote (ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e) seems to be dead.
    2015-03-26 18:20:53: INFO: purging ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
    2015-03-26 18:20:53: INFO: purged ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
    2015-03-26 18:20:53: INFO: ISAKMP-SA deleted [VPS IP][4500]-[家里的 IP][31334] spi:2214689180cd369e:af93ce0f86f5d50e
    2015-03-26 18:20:53: INFO: Released port 0

    Here is my configuration.
    /etc/racoon/racoon.conf

    log info;
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    listen {
        isakmp 服务器IP地址 [500];
        isakmp_natt 服务器IP地址 [4500];
    }

    remote anonymous {
        exchange_mode main,aggressive;
        mode_cfg on;
        proposal_check claim; # override the client's proposal values, e.g. lifetime.
        nat_traversal force;
        generate_policy unique;
        ike_frag on;
        passive off;
        dpd_delay 30;

        proposal {
            lifetime time 12 hour; ## use a fairly long lifetime so OS X does not disconnect every hour
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method xauth_psk_server;
            dh_group modp1024;
        }
    }

    sainfo anonymous {
        encryption_algorithm aes, 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        pfs_group 2;
        lifetime time 100 hour;
        compression_algorithm deflate;
    }

    mode_cfg {
        auth_source system;
        dns4 8.8.4.4,8.8.8.8;
        save_passwd on;
        banner "/etc/racoon/motd";
        network4 10.100.0.10;
        netmask4 255.255.255.0;
        pool_size 100;
        pfs_group 2;
    }

    /etc/racoon/psk.txt:

    group group_password

    • 祥子酱 says:

      Your configuration differs quite a bit from mine; I suggest following my configuration instead.

    • 祥子酱 says:

      1. If you are not using Xauth RSA, there is no need to include the certificate path: path certificate "/etc/racoon/certs";
      2. Adjust the following three items; overly strict modes may cause compatibility problems
      proposal_check claim;
      nat_traversal force;
      passive off;
      3. For the rest, I suggest the same settings as mine

    • 祥子酱 says:

      There are no error messages in the run log; have you tried connecting from a non-Apple device?
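The log fido posted above shows phase 1 and the Xauth login succeeding and then, with no IPsec-SA (phase 2) in between, DPD declaring the peer dead 55 seconds later. As an added example (not from the post, the blog or racoon itself), the Python below reconstructs that per-SA timeline from racoon log lines so the stage at which a tunnel stalls is visible at a glance; the sample log is constructed from the posted one, with the VPS and home addresses replaced by assumed RFC 5737 documentation addresses.

```python
import re
from datetime import datetime

# Constructed sample modelled on the racoon log posted above; real addresses replaced with RFC 5737 ones.
SAMPLE_LOG = """
2015-03-26 18:19:58: INFO: respond new phase 1 negotiation: 198.51.100.7[500]<=>203.0.113.9[9950]
2015-03-26 18:19:58: INFO: begin Aggressive mode.
2015-03-26 18:19:58: [203.0.113.9] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2015-03-26 18:19:58: INFO: Sending Xauth request
2015-03-26 18:19:58: INFO: ISAKMP-SA established 198.51.100.7[4500]-203.0.113.9[31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:19:58: INFO: login succeeded for user "vpn"
2015-03-26 18:20:53: [203.0.113.9] INFO: DPD: remote (ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e) seems to be dead.
2015-03-26 18:20:53: INFO: ISAKMP-SA deleted 198.51.100.7[4500]-203.0.113.9[31334] spi:2214689180cd369e:af93ce0f86f5d50e
"""
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?:\[[^\]]*\] )?(\w+): (.*)$")
SPI_RE = re.compile(r"spi[:=]([0-9a-f]+:[0-9a-f]+)")

def parse(log):
    """Yield (timestamp, level, message) for each timestamped racoon log line; skip the rest."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def analyse(log):
    """Return (findings, errors): SAs that authenticated but had no phase 2 before DPD fired, plus ERROR lines."""
    sas, current, errors = {}, None, []
    for ts, level, msg in parse(log):
        if level == "ERROR":
            errors.append(msg)
        spi = SPI_RE.search(msg)
        if "ISAKMP-SA established" in msg and spi:      # phase 1 complete
            current = spi.group(1)
            sas[current] = {"up": ts, "xauth": False, "phase2": False, "dead": None}
        elif "login succeeded" in msg and current:      # Xauth accepted for that SA
            sas[current]["xauth"] = True
        elif "IPsec-SA established" in msg and current: # phase 2 (ESP) complete
            sas[current]["phase2"] = True
        elif "seems to be dead" in msg and spi and spi.group(1) in sas:
            sas[spi.group(1)]["dead"] = ts              # DPD gave up on the peer
    findings = []
    for spi, sa in sas.items():
        if sa["dead"] and not sa["phase2"]:
            gap = int((sa["dead"] - sa["up"]).total_seconds())
            auth = "after Xauth login" if sa["xauth"] else "without Xauth login"
            findings.append(f"{spi}: phase 1 up {auth}, no IPsec-SA, peer dead after {gap}s")
    return findings, errors
```

Run it over /var/log/syslog filtered for racoon (or racoon -F output) to separate an authentication failure from a phase 2 or NAT-T problem before changing the configuration.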
