Tuesday 22 March 2016

Openswan

Openswan 2.X Release Notes
#########################################################################
************ See docs/RELEASE-NOTES.txt for more information 

Openswan is an IPsec implementation for Linux. It has support for most 
of the extensions (RFC + IETF drafts) related to IPsec, including 
IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.

Openswan was originally based on FreeS/WAN 2.04 CVS with the X.509 Patch
from Andreas Steffen, the NAT-T patch from Arkoon networks and some minor
bug fixes from 2.05 and 2.06.  See CREDITS for the history.

Download it from

    https://download.openswan.org/openswan/

#########################################################################
# REQUIREMENTS
#########################################################################

Recent Linux distributions based on either a 2.4.x or a 2.6.x kernel are
the currently supported platforms.

Most recent distributions have package support for Openswan.  Unless a
source-based build is truly needed, it is often best to use the distribution's
pre-built packaged version.

There are a few packages required for Openswan to compile from source:

1. The GNU Math Precision Library:

   Debian package names: libgmp3, libgmp3-dev
   Rpm package names:    gmp, gmp-devel

2. awk, flex and bison

   Debian package names: gawk/mawk, flex, bison
   Rpm package names:    same as for Debian

3. iproute2, iptables, sed, awk, bash, cut and possibly other tools
   are required at runtime.

   Debian package names: iproute, iptables, the rest are usually there
   Rpm package names:    same as for Debian

   python is also required for "ipsec verify".

#########################################################################
# HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
#########################################################################

NETKEY (Native linux IPsec stack)
---------------------------------

To use Openswan with the Linux native (builtin) IPsec stack, the
following steps should be all that are needed. Please use at least kernel
version 2.6.9, as prior versions of the kernel have serious bugs in the
native IPsec stack.  From the Openswan directory:

    make programs
    sudo make install

Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
is required. For backported kernels, setkey and thus ipsec-tools might still
be required. Run 'ipsec verify' to determine if your system has either one
of the requirements.

KLIPS/KLIPSNG (Openswan IPsec stack)
------------------------------------

To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
Kernels 2.6.23 and higher, the following steps should work.  From the
Openswan directory:

    make programs
    make KERNELSRC=/lib/modules/`uname -r`/build module
    sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall

For Linux 2.6 kernels before 2.6.23, including 2.4 Linux systems, the kernel
requires patching if NAT-T support or SAref tracking is required. Full kernel
source is required, as the kernel sources are patched, built and
installed.  It is good practice to build and install an unpatched kernel
before starting, to ensure the process is correct.  See your distribution
documentation on how to build and install a new kernel.

    Determine the linux source directory,  for example /usr/src/linux on
    most full source installs.  It may also be /usr/src/linux-2.[46].X

    Add NAT-T support (if required).

        From the Openswan source directory:

          make KERNELSRC=/usr/src/linux nattpatch | patch -d /usr/src/linux -p1

    Add SAref tracking support (if required).

        Premade patches for some distributions kernels can be found in
        patches/kernel/  It is recommended that kernel 2.6.32 or higher is
        used. Documentation on SAref/MAST can be found in docs/HACKING/Mast*
        and doc/klips/mast.xml. To understand what SAref tracking does, see
        doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page.

        From the Openswan source directory:

          make KERNELSRC=/usr/src/linux sarefpatch | patch -d /usr/src/linux -p1

    Add OCF HW offloading support

        For OCF HW offloading support, you also need a patched kernel.
        See: http://ocf-linux.sourceforge.net/ for more details.

    Build and install a new kernel

        See your distribution documentation on how to install a new kernel.
        It should be something similar to:

          cd /usr/src/linux
          make oldconfig
          make dep                    (this step is not needed on 2.6 systems)
          make bzImage install

    Build Openswan

        From the Openswan source directory:

            make programs
            make KERNELSRC=/usr/src/linux module
            sudo make KERNELSRC=/usr/src/linux install minstall

The Openswan configuration file can select which ipsec stack to use at
runtime by using the "protostack=<klips|netkey|mast>" options in ipsec.conf.
See the ipsec.conf man page for more information on configuration options.

#########################################################################
# UPGRADING
#########################################################################

1. If you are upgrading from a 1.x product to Openswan 2.x, you will
   need to adjust your config files.  See doc/upgrading.html for details
   on what has changed.

2. You can 'make install' on top of your old version - it won't replace
   your /etc/ipsec.* config files.

#########################################################################
# SUPPORT
#########################################################################

Mailing Lists:

    https://lists.openswan.org is home of the mailing lists.  Note: these are
    closed lists - you *must* be subscribed to post.

Wiki:

    https://github.com/xelerance/Openswan/wiki is home to the Openswan Wiki.
    It has the most up to date documentation, interop guides and other related
    information.

IRC:

    Openswan developers and users can be found on IRC, on #openswan on
    irc.freenode.net.

Commercial support for Openswan is also available - see
http://www.xelerance.com/services/openswan-support/ for more information, or
email sales@xelerance.com

#########################################################################
# BUGS
#########################################################################

Bugs with the package can be reported at:
https://github.com/xelerance/Openswan/issues

#########################################################################
# SECURITY HOLES
#########################################################################

All security vulnerabilities found that require public disclosure will
receive proper CVE tracking numbers (see http://mitre.org/) and co-ordinated
via the vendor-sec mailing list. A complete list of known security
vulnerabilities is available at:
https://github.com/xelerance/Openswan/wiki/Security-and-vulnerability-information

#########################################################################
# DEVELOPMENT
#########################################################################

Those interested in the development, patches, or beta releases of Openswan
can join the development mailing list (https://lists.openswan.org -
dev@lists.openswan.org) or join the development team on IRC in
#openswan-dev on irc.freenode.net.

#########################################################################
# DOCUMENTATION
#########################################################################

The most up to date docs are at https://github.com/xelerance/Openswan/wiki

Several high-level documents are in the doc directory.  Most are in HTML
format; See doc/index.html for the top level index.  These are now
considered obsolete.

To build from source, you will need at least 60MB free (the source tree is
currently 40MB).

(from https://github.com/xelerance/openswan)

www.openswan.org
-------------------------------------------

Building an IPsec VPN with Openswan 2.4.7

Introduction:
After many attempts with this complex combination, following the relevant documents, I finally managed to install openswan-2.4.27 from source on RH Linux 9.0 (kernel 2.4.20-8). Installing the latest version of a package on an old system is laborious; I did it for no reason other than to learn, heh :lol:. This experiment was carried out on RH Linux 9.0 (kernel 2.4.20-8); please check your own kernel version (this is important).

Part I: VPN Introduction

On the Linux platform, VPNs can be roughly divided into three categories:

IPsec VPN (Openswan, FreeS/WAN, strongSwan, KAME)

IPsec (IP Security) is a relatively old and the most widely used VPN technology. Developed by the IETF, it is a set of authentication and data encryption protocols that provide privacy, integrity, authenticity and anti-replay services; on IP networks it can be used for data confidentiality, integrity checking, authentication, key management and much else.

IPsec implementations on Linux fall into two categories. The first was the FreeS/WAN project, which has since split into Openswan and strongSwan; both provide their own kernel stack and can also use the IPsec code newly provided in the kernel. The second is KAME, from BSD, which can only use the kernel's own stack. The IPsec specification itself mostly does not give the remote host a virtual IP on the local network, but many extensions have been implemented that solve this, so L2TP over IPsec, as used by Microsoft products, can also be supported.

An IPsec connection carries all protocols and is used by many classes of commercial router. Openswan, through its own XAUTH extension, can also integrate with VPN clients from Cisco, Nortel and others.

Without changing our external firewall rules, IPsec can quite easily decide at kernel level what does and does not get security processing through the tunnel; its net-to-net and host-to-net deployments also give a great deal of flexibility. But flexibility means difficulty, so configuring IPsec successfully is quite hard; moreover, although much improvement has been made to its NAT Traversal support, it still cannot work well behind some NAT gateways.

SSL VPN (OpenVPN)

Recently SSL (Secure Sockets Layer) VPNs have become increasingly popular. Their greatest benefit is that they need only a single TCP or UDP port and so easily pass through most firewalls. The best SSL VPN implementation on Linux is OpenVPN, which is very mature and feature-rich.

PPTP VPN (PoPToP)

PPTP (Point to Point Tunneling Protocol) is a Microsoft-sponsored protocol that works on many operating systems, including Windows 95. Although it has been in use for a long time, it still has many security issues. It is mainly based on GRE (Generic Routing Encapsulation) tunnels carrying a PPP connection. The main PPTP implementation on Linux is PoPToP. If you really need PPTP, it is strongly suggested that you use L2TP over IPsec instead, because it is more secure and provides the same functionality as PPTP.

Part II: Openswan installation

FreeS/WAN was the entry point for IPsec-based VPNs; its development has now stopped and it has split into two projects, Openswan and strongSwan. IPsec can use their own kernel stack, called KLIPS, or the 2.6 kernel's stack code. Because IPsec works at the network layer it needs kernel support, but the 2.4 kernel does not implement a kernel stack, so the KLIPS patch must be applied. If you also want NAT Traversal support, the NAT-T patch must be applied as well.

Openswan is the newer project and FreeS/WAN stopped development in 2004, so we assume the use of Openswan.

Since the gateway forwards data, two or more NICs are naturally indispensable.
Step 1: Install the kernel source

1) You can download the latest 2.4 version to /usr/src and extract it. Here I use the kernel source that comes with the distribution CD-ROM: mount the second RH 9.0 disc and run the following command to install it:

    # rpm -ivh kernel-source-2.4.20-8.i386.rpm

2) Check that linux and linux-2.4 in /usr/src are linked to the newly installed kernel source; if not, create the links with:

    # ln -s linux-2.4.20-8 linux
    # ln -s linux-2.4.20-8 linux-2.4

Step 2: Download openswan, the klips patch and the nat-t patch to /usr/src

1) Download address: http://www.openswan.org/code; please download all three of the following packages:

    openswan-2.4.7.tar.gz
    openswan-2.4.7.kernel-2.4-klips.patch.gz
    openswan-2.4.7.kernel-2.4-natt.patch.gz

2) Unpack openswan and copy the patches into the unpacked directory:

    # cd /usr/src
    # tar zxvf openswan-2.4.7.tar.gz
    # cp openswan-2.4.7.kernel-2.4-* /usr/src/openswan-2.4.7

Step 3: Enter the kernel source directory and prepare to compile the kernel

1) Clean the source tree:

    # cd /usr/src/linux-2.4
    # make mrproper

2) Generate the kernel configuration:

    # cp ./configs/kernel-2.4.20-i686.config .config
    # make menuconfig

Select the kernel options you need, then save and exit. Try not to compile in development and experimental options.

Note: if your Linux is installed inside VMware, make sure the following are selected:

    RAM disk driver:
        Block devices --->
            <*> RAM disk support
            (4096) Default RAM disk size (NEW)
            <*> Initial RAM disk (initrd) support

    File system:
        File systems --->
            [*] Ext3 journalling file system support
            [*] JBD (ext3) debugging support

    SCSI driver, if you use an emulated SCSI disk (when upgrading the installed kernel, BusLogic SCSI support must also be set to 'M'); pay particular attention to this:
        <*> SCSI support --->
            SCSI low-level drivers --->
                <M> BusLogic SCSI support

    Virtual AMD PCnet32 LAN driver:
        Device Drivers --->
            Networking support --->
                Ethernet (10 or 100Mbit) --->
                    <*> AMD PCnet32 PCI support

3) Create the new kernel module directory:

    # mkdir -pv /lib/modules/2.4.20-8custom
Step 4: Apply the kernel patches, compile and install the kernel

1) Apply the kernel patch and compile the kernel:

    # cd /usr/src/openswan-2.4.7
    # make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)
    # cd /usr/src/linux && make dep bzImage

2) Compile and install the kernel modules:

    # cd /usr/src/linux-2.4
    # make modules
    # make modules_install

3) Install the kernel:

    # make install

4) Check whether the following three files appear in /boot:

    # ls /boot | grep custom
    initrd-2.4.20-8custom.img
    System.map-2.4.20-8custom
    vmlinuz-2.4.20-8custom

For reasons I do not clearly understand, the generated initrd file often leads to a kernel panic, so move it somewhere else and regenerate it:

    # mv /boot/initrd/initrd-2.4.20-8custom.img
    # mkinitrd /boot/initrd-2.4.20-8custom.img 2.4.20-8custom

5) Check whether /boot/grub/grub.conf contains the following lines:

    # more /boot/grub/grub.conf
    title Red Hat Linux (2.4.20-8custom)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-8custom ro root=LABEL=/
        initrd /initrd-2.4.20-8custom.img

Well, if everything is ready, you can restart the system; remember to boot the new kernel. :) Pray......
Step 5: If the new kernel boots without problems, begin the Openswan installation

1) Make sure the new kernel is running:

    # uname -r
    2.4.20-8custom

2) Build the userland tools and ipsec.o:

    # cd /usr/src/openswan-2.4.7
    # make KERNELSRC=/usr/src/linux-2.4 programs module
    # make KERNELSRC=/usr/src/linux-2.4 install minstall

Note: if the second command above (# make KERNELSRC=/usr/src/linux-2.4 programs module) produces an error like the following, edit /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c and delete the lines containing "owner", at about lines 122 and 132 of the original file; they can simply be removed.

    cc -include /usr/src/openswan-2.4.7/packaging/linus/config-all.h -O3 -Wall -DIPCOMP_PREFIX -D__KERNEL__ -I/usr/src/linux-2.4.20-8/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -I/usr/src/openswan-2.4.7/linux/include -I/usr/src/linux-2.4/include -I -DIPCOMP_PREFIX -DARCH=i386 -DMODVERSIONS -include /usr/src/linux-2.4/include/linux/modversions.h -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.20-8/include/linux/modversions.h -DKBUILD_BASENAME=pfkey_v2 -c -o pfkey_v2.o /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c
    /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c:122: unknown field `owner' specified in initializer
    /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c:122: warning: initialization makes integer from pointer without a cast
    /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c:122: initializer element is not computable at load time
    /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c:122: (near initialization for `pfkey_family_ops.authentication')
    /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c:132: unknown field `owner' specified in initializer
    /usr/src/openswan-2.4.7/linux/net/ipsec/pfkey_v2.c:132: warning: initialization from incompatible pointer type
    make[2]: *** [pfkey_v2.o] Error 1
    make[2]: Leaving directory `/usr/src/openswan-2.4.7/modobj'
    make[1]: *** [module24] Error 2
    make[1]: Leaving directory `/usr/src/openswan-2.4.7'
    make: *** [module] Error 2

3) Check that ipsec.o was produced in /lib/modules/2.4.20-8custom/kernel/net/ipsec:

    # ls /lib/modules/2.4.20-8custom/kernel/net/ipsec
    ipsec.o

4) Install openswan (this step takes a long time, so be patient :)):

    # cd /usr/src/openswan-2.4.7
    # make programs
    # make install
Step 6: Start Openswan and check its status

1) Edit /etc/sysctl.conf and find the following two lines:

    net.ipv4.ip_forward = 0
    net.ipv4.conf.default.rp_filter = 1

Change them to:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0

Then reload the file with:

    # sysctl -p

2) Start openswan:

    # service ipsec start
    ipsec_setup: Starting Openswan IPsec 2.4.7...

3) Check the status:

    # ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                              [OK]
    Linux Openswan 2.4.7 (klips)
    Checking for IPsec support in kernel                         [OK]
    Checking for RSA private key (/etc/ipsec.secrets)            [OK]
    Checking that pluto is running                               [OK]
    Two or more interfaces found, checking IP forwarding         [OK]
    Checking NAT and MASQUERADEing
    Checking for 'ip' command                                    [OK]
    Checking for 'iptables' command                              [OK]
    Opportunistic Encryption Support                             [DISABLED]

Part III: Configure Openswan
Openswan has two kinds of connection:

1) Net-to-net mode

This mode connects two networks at different locations as a virtual private network; once the connection is established, every host at each end can transparently access the other side. However, the two gateways cannot transparently reach each other, nor can a gateway reach the hosts on the other internal network. This is part of the reason the second mode, Road Warrior, exists.

This mode must meet the following conditions:

    A. Each of the two networks has its own Linux gateway, and Openswan is installed on each gateway;
    B. The IP address ranges of the two networks must not overlap;
    C. It is best to install tcpdump on the local gateway to test the connection.

2) Road Warrior mode

This mode lets a remote host dial securely into the local network, mainly so that travelling staff can frequently and securely access enterprise resources from outside.

This mode should meet the following conditions:

    A. A Linux gateway with a static IP address and Openswan installed;
    B. A laptop with Openswan installed, possibly with a dynamic IP address; it is best to install tcpdump on the gateway of the local network to test the connection.

Openswan supports several authentication methods, such as RSA, PSK, XAUTH, X.509, etc.; the most commonly used are RSA and X.509. Below we describe the Openswan configuration of the various connections under both of these.
1. RSA authentication

(a) Net-to-net connection

1) The network model used is as follows:

    left network <---------> left gateway <-------|-------> right gateway <--------> right network
    (192.168.10.0/24)        eth1: 192.168.10.254           eth0: 192.168.1.202      (192.168.100.0/24)
                             eth0: 192.168.1.201            eth1: 192.168.100.254
                             defaultGW: 192.168.1.1         defaultGW: 192.168.1.1

Apart from the IP address information above, you should also prepare an identity for each gateway so that the two can tell each other apart during the IPsec negotiation; you can use the gateway's own FQDN or another name, such as @left or @right.mydomain.org. The name can be chosen freely.

2) Obtain the public keys of both gateways

Obtain the public key of the left ipsec gateway (which side is "left" is defined by the administrator; generally left is the local side and right the remote side) and append it to /etc/ipsec.conf. On the left gateway run:

    # ipsec showhostkey --left >> /etc/ipsec.conf

The output is similar to the following (the key is very long and has been replaced with an ellipsis):

    # RSA 2192 bits   Left   Sat Mar 10 11:44:12 2007
    leftrsasigkey=0sAQOuY/CYUfe66P+RXeZ0TXEbH......

Run the following command to copy /etc/ipsec.conf to the right gateway's /etc/ipsec.conf (so that the right gateway's public key can be added to it):

    # scp /etc/ipsec.conf root@192.168.1.202:/etc/ipsec.conf

On the right gateway, obtain the right gateway's public key and append it to /etc/ipsec.conf by running:

    # ipsec showhostkey --right >> /etc/ipsec.conf

Copy the right gateway's /etc/ipsec.conf back to the left gateway:

    # scp /etc/ipsec.conf root@192.168.1.201:/etc/ipsec.conf

Note: if ipsec showhostkey reports that there is no private key, generate one with the following command:

    # ipsec newhostkey --output /etc/ipsec.secrets
3) On the left gateway, edit /etc/ipsec.conf and define the connection to be established

In /etc/ipsec.conf, after the following line, add a new connection definition (the "#" at the start of the line is the comment character):

    # Add connections here

    conn net-to-net
        left=192.168.1.201            # external IP of the left gateway
        leftsubnet=192.168.10.0/24    # left internal network segment
        leftid=@left                  # identity of the left gateway
        leftnexthop=%defaultroute     # the left gateway's next hop is its default route
        right=192.168.1.202           # external IP of the right gateway
        rightsubnet=172.16.16.0/20    # right internal network segment
        rightid=@right                # identity of the right gateway
        rightnexthop=%defaultroute    # the right gateway's next hop is its default route
        auto=add                      # load this connection, but do not start it automatically between the gateways, for debugging or manual start

For uniformity, the gateway public keys can also be placed under the connection above.

Copy /etc/ipsec.conf to the right gateway:

    # scp /etc/ipsec.conf root@192.168.1.202:/etc/ipsec.conf

4) Do not allow IP masqueraded or NATed packets to go through this tunnel

If either gateway uses MASQ or NAT, you must modify the iptables rules on that gateway so that packets destined for the other side are not masqueraded before entering the IPsec tunnel. That is, if the gateway uses the following rule:

    # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -j MASQUERADE

it should be amended as follows:

    # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -d ! 192.168.100.0/24 -j MASQUERADE
5) Start the connection

Start the connection on the local gateway:

    # ipsec auto --up net-to-net

The output is as follows:

    [root@Left root]# ipsec auto --up net-to-net
    104 "net-to-net" #1: STATE_MAIN_I1: initiate
    003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
    106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established (auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536)
    117 "net-to-net" #2: STATE_QUICK_I1: initiate
    004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established (ESP=>0x606fcf02 <0xd0904bdd xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none)

You can also look at /var/log/messages and /var/log/secure to see how the connection started. If it did not start properly, see the troubleshooting description later on.

6) Test the link

On a host inside one subnet (note: not the gateway), ping a host on the other subnet (again, not the gateway):

    ping 192.168.100.7    (if the host is Windows, add the -t option for a continuous ping)

At the same time, watch the output of the following command on the local gateway:

    # tcpdump -i eth0

You should then see packets like the following going back and forth:

    23:16:18.529865 192.168.1.201 > 192.168.1.202: ESP(spi=0x32db83e2,seq=0x154)
    23:16:18.530521 192.168.1.202 > 192.168.1.201: ESP(spi=0x7e2b7039,seq=0x154)
    23:16:19.531058 192.168.1.201 > 192.168.1.202: ESP(spi=0x32db83e2,seq=0x155)
    23:16:19.531861 192.168.1.202 > 192.168.1.201: ESP(spi=0x7e2b7039,seq=0x155)

Note: this only establishes the net-to-net connection; it does not cover gateway-to-gateway or gateway-to-(other)-subnet traffic. If you need that, for example because one of the gateways is also a file server, you need to define additional connections.

7) Edit /etc/ipsec.conf again (if you want the connection enabled automatically when the system starts)

On the gateway hosts, find:

    auto=add

and change it to:

    auto=start

OK, now you can enjoy the convenience the VPN brings you.
(b) Road Warrior

1) The network model used is as follows:

    left network <---------> left gateway <-------|-------> laptop (linux)
    (192.168.10.0/24)        eth1: 192.168.10.254           eth0: 192.168.1.202
                             eth0: 192.168.1.201            defaultGW: 192.168.1.1
                             defaultGW: 192.168.1.1

2) Prerequisites:

    A. The gateway has a static external IP, and the IP address range of the subnet behind the gateway has been decided;
    B. Openswan is properly installed on the local gateway and on the laptop;
    C. The gateway and the laptop each have an identity to tell them apart in the IPsec negotiation. It can be an FQDN or any assigned name, as long as the two can be distinguished.

3) Obtain both public keys:

First obtain the laptop's public key (the laptop is the left side):

    # ipsec showhostkey --left

The laptop's public key and the gateway's public key must both be added to the /etc/ipsec.conf of the gateway and of the laptop (in this setup the two /etc/ipsec.conf files differ considerably, so do this by hand on each).

Then obtain the gateway's public key on the gateway (it is the right side):

    # ipsec showhostkey --right

4) Modify /etc/ipsec.conf to define the connection

On the laptop, open /etc/ipsec.conf in an editor and add the following. Adjust it to your own situation.

    conn road
        left=%defaultroute            # with a dynamic IP, left points to the default route; with a static IP, fill in the address and add leftnexthop=%defaultroute
        leftid=@laptop                # identity
        leftrsasigkey=......          # the laptop's public key
        right=192.168.1.201           # IP of the gateway to dial into
        rightsubnet=192.168.10.0/24   # remote subnet
        rightid=@vpnserver            # identity of the remote gateway
        rightrsasigkey=......         # the remote gateway's public key
        auto=add                      # load the connection, do not start it automatically

On the remote gateway, edit /etc/ipsec.conf and add the following (which can likewise be changed to suit your situation). Note that in Road Warrior mode the designation of left and right is very different from net-to-net mode: here left denotes the local machine and right the remote host.

    conn road
        left=192.168.1.201            # gateway host IP
        leftid=@vpnserver             # gateway host identity
        leftsubnet=192.168.10.0/24    # subnet
        leftrsasigkey=...             # gateway public key
        rightnexthop=%defaultroute    #
        right=%any                    # the remote host's (laptop's) IP is unknown
        rightid=@laptop               # remote host identity
        rightrsasigkey=...            # remote host (laptop) public key
        auto=add                      # do not start automatically
5) Start the connection

On the Road Warrior laptop client, start the connection:

    # ipsec auto --up road

If the output is similar to the following, the start succeeded:

    104 "net-net" #223: STATE_MAIN_I1: initiate
    106 "road" #301: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "road" #301: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "road" #301: STATE_MAIN_I4: ISAKMP SA established
    112 "road" #302: STATE_QUICK_I1: initiate
    004 "road" #302: STATE_QUICK_I2: sent QI2, IPsec SA established

6) Test the connection

On the laptop, ping any node behind the remote gateway; be careful not to ping the gateway itself.

    # ping 192.168.10.7

Then watch for ESP packets on the gateway host; if you see something like the following, congratulations, you have succeeded.

    13:46:18.529865 192.168.1.201 > 192.168.1.202: ESP(spi=0x32db83e2,seq=0x154)
    13:46:18.530521 192.168.1.202 > 192.168.1.201: ESP(spi=0x7e2b7039,seq=0x154)

You may have noticed that this still only encrypts the data stream between the hosts behind the gateway and the laptop; it does not protect data between the gateway itself and the laptop.

7) Modify the configuration so that the "road" connection starts automatically

In /etc/ipsec.conf on both hosts, find:

    auto=add

and change it to:

    auto=start

8) In the RSA Road Warrior setup above, if more than one laptop needs to dial in, you need to configure a Road Warrior connection for each. By distinguishing each laptop's public key and the other left/right parameters of each link on the gateway host, each incoming laptop can easily be told apart. If, however, this is done with PSK authentication, the same key would have to be used for every laptop, which brings a great security risk.
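The net-to-net and Road Warrior conn definitions above are written by hand on each host, and the tutorial states the rules they must satisfy: the two net-to-net subnets must not overlap, a Road Warrior pair must mirror each other (one side's left* is the other side's right*), and a single PSK shared by every road warrior is a risk. The following parser and checker is an added example, not code from Openswan or the tutorial's author; it assumes the ipsec.conf layout shown (section headers in column 0, indented key=value lines, '#' comments), and its sample configs are constructed from the tutorial's addresses with placeholder rsasigkey values.

```python
import ipaddress

# Road Warrior files mirror each other: local left<suffix> == peer right<suffix>.
MIRRORED = ("id", "subnet", "rsasigkey")

def parse_ipsec_conf(text):
    """{section: {key: value}} for 'conn NAME' and 'config setup'.  Headers
    start in column 0, parameters are indented key=value lines, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # header or directive
            words = line.split()
            if words[0] == "conn" and len(words) == 2:
                current = words[1]
            elif words[:2] == ["config", "setup"]:
                current = "config setup"
            else:
                current = None                     # version, include, ...
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_conn(conn):
    """Findings for one conn, from rules the tutorial states."""
    findings, nets = [], {}
    for side in ("left", "right"):
        try:
            nets[side] = ipaddress.ip_network(conn.get(side + "subnet", ""), strict=False)
        except ValueError:                         # absent, or vhost:%priv
            pass
    # Net-to-net condition B: the two address ranges must not overlap.
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        findings.append("leftsubnet %s overlaps rightsubnet %s" % (nets["left"], nets["right"]))
    # auto=add only loads the conn for a manual 'ipsec auto --up'; auto=start
    # brings it up at boot.  Anything else is probably a typo.
    if conn.get("auto") not in ("add", "start", "route", "ignore"):
        findings.append("auto=%s is not add/start/route/ignore" % conn.get("auto"))
    # One PSK for an unknown peer means every road warrior shares that key.
    if conn.get("authby") == "secret" and conn.get("right") == "%any":
        findings.append("authby=secret with right=%any: every road warrior shares one PSK")
    return findings

def check_mirrored(local, peer):
    """Road Warrior pair: local left* must equal peer right* and vice versa."""
    mismatches = []
    for mine, theirs in (("left", "right"), ("right", "left")):
        for suffix in MIRRORED:
            a, b = local.get(mine + suffix), peer.get(theirs + suffix)
            if a is not None and b is not None and a != b:
                mismatches.append("%s%s=%s here but %s%s=%s on the peer" % (mine, suffix, a, theirs, suffix, b))
    return mismatches

# Constructed samples from the tutorial's addresses; rsasigkey values are
# placeholders.  NET_TO_NET is the single file both gateways share.
NET_TO_NET = """\
conn net-to-net
    left=192.168.1.201            # external IP of the left gateway
    leftsubnet=192.168.10.0/24
    leftid=@left
    right=192.168.1.202
    rightsubnet=192.168.100.0/24
    rightid=@right
    auto=add
"""
# The two mirrored Road Warrior files: the laptop's and the gateway's.
LAPTOP = """\
conn road
    left=%defaultroute
    leftid=@laptop
    leftrsasigkey=0sLAPTOPKEYPLACEHOLDER
    right=192.168.1.201
    rightsubnet=192.168.10.0/24
    rightid=@vpnserver
    rightrsasigkey=0sGATEWAYKEYPLACEHOLDER
    auto=add
"""
GATEWAY = """\
conn road
    left=192.168.1.201
    leftid=@vpnserver
    leftsubnet=192.168.10.0/24
    leftrsasigkey=0sGATEWAYKEYPLACEHOLDER
    right=%any
    rightid=@laptop
    rightrsasigkey=0sLAPTOPKEYPLACEHOLDER
    auto=add
"""

def audit():
    """Run every check over the samples; an empty list means the check passed."""
    lap, gw = parse_ipsec_conf(LAPTOP)["road"], parse_ipsec_conf(GATEWAY)["road"]
    n2n = parse_ipsec_conf(NET_TO_NET)["net-to-net"]
    return {"net-to-net": check_conn(n2n), "laptop": check_conn(lap),
            "gateway": check_conn(gw), "mirror": check_mirrored(lap, gw)}
```

Running audit() on the samples returns empty lists throughout; feeding it a gateway file whose rightid does not match the laptop's leftid, or a net-to-net file whose two subnets overlap, produces one finding naming the offending parameters.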
-----------------------------------------------

Anyone who has set up an L2TP VPN themselves should know that Linux has free, open-source IPsec packages such as OpenSwan, FreeS/Wan and strongSwan (they are actually different branches of the same project), and IPsec is exactly the protocol that Symbian mVPN supports. As for the configuration being complex, I have seen a foreign user on the Nokia forum say: "Nokia's official reply to mVPN client configuration questions is: please ask your system administrator. But I am the system administrator; who am I supposed to ask?" If you start by reading the relevant documentation to understand how every parameter should be set, an S60 phone + OpenSwan VPN solution is indeed rather complex to configure, but if you find a working template, it is very likely that you only need to change the parameters that differ from person to person, such as the server address and the authentication key, copy it to your own machine, and it works. This tutorial is an attempt to provide such a template. In actual use, however, the differences between V3.1 and V4 of the mVPN client, between network operators, and between the VPSes used may require further adjustment. Most of these details are left to the third part, which discusses the various advanced settings.

First you need a server on which to install OpenSwan (few people seem to choose the other two branches nowadays). I use a Xen virtual server from PhotonVPS (16 CPU cores available, and the UnixBench score easily reaches 450; for a user as obsessed with performance as I am, that is enough to overlook their other shortcomings). I have tried running OpenSwan on an OpenVZ VPS with TUN/TAP devices enabled and OpenVPN successfully installed, but it complained about a missing kernel module, apparently because the kernel did not include IPsec support. So for now I assume the VPS must be Xen-based; whether there are other configuration requirements, I am not sure. CentOS users can install the IPsec VPN gateway with the command

sudo yum install openswan

The version in the distribution's repository is U2.6.21. This version works, but the advanced settings discussed in the next part may need the latest version, which includes certain bug fixes (although parameter settings like "authby=secret|rsasig" mentioned in some examples had no effect in any version I used, so I cannot be sure that newer is better). The latest rpm package can be downloaded with

sudo wget http://www.openswan.org/download/binaries/centos/5/without-nss/openswan-2.6.24rc5-1.x86_64.rpm

(32-bit OS users, please download the appropriate version yourselves) and installed with

sudo rpm -i openswan-2.6.24rc5-1.x86_64.rpm

Debian users who install with

sudo apt-get install openswan

which gives version U2.4.12; I have not tested that version, because on Debian I always download the source and compile it; the details will be covered in the next part, where source modifications are discussed. Searching Google for "OpenSwan 安装" (OpenSwan installation) turns up plenty of material; it will not match exactly (different Linux distributions, and installing from binary packages versus compiling from source, all differ), but it can serve as a reference, so I do not need to go deeper into that here. The key configuration files are the global configuration /etc/ipsec.conf, with the following content (this is not to say the parameters must be set this way; it is a configuration I have confirmed works):

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    interfaces=%defaultroute
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0

# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

the global authentication secrets file /etc/ipsec.secrets, with the content:

include /etc/ipsec.d/*.secrets

and the connection configuration /etc/ipsec.d/e63.conf (there can be several, with any names, but that touches on advanced-settings issues; this part uses a single connection as the example), with the content:

conn e63
    # Key exchange
    ike=aes256-sha1-modp1536
    # Data exchange
    esp=aes256-sha1
    # Authentication method PSK
    authby=secret
    auto=add
    keyingtries=3
    # Modeconfig setting
    modecfgpull=yes
    pfs=no
    rekey=no
    type=tunnel
    compress=yes
    # local endpoint
    left=%defaultroute
    leftsourceip=192.168.6.1
    leftsubnet=0.0.0.0/0
    leftrsasigkey=none
    leftmodecfgserver=yes
    leftxauthserver=yes
    # remote endpoint
    rightrsasigkey=none
    right=%any
    rightxauthclient=yes
    rightmodecfgclient=yes
    rightsourceip=192.168.6.252
    rightsubnet=192.168.6.252/32

The connection authentication key goes in /etc/ipsec.d/e63.secrets; the string in quotes is the pre-shared key:

: PSK "StringUsedAsPreSharedKey"

Besides PSK authentication, the example in this article also uses Xauth, which means that after connecting to the IPsec VPN server you also have to enter a pre-configured username and password; the corresponding server settings are leftxauthserver/rightxauthclient=yes. Readers who consider this unnecessary can change "yes" to "no" and change the corresponding entry "USE_XAUTH: TRUE" in the phone's VPN policy to "FALSE" to skip Xauth. Some of the references, however, mention that Xauth is mandatory under certain conditions. The Xauth usernames and passwords live in /etc/ipsec.d/passwd; generating that file requires the htpasswd command from the apache-utils package:

umask 0027

sudo htpasswd -c -b passwd username1 password1

The command to add a further user is:

sudo htpasswd -b passwd username2 password2

Then edit /etc/ipsec.d/passwd; its content looks like:

username:.z2I2VoRCNOZI

Before the colon is the username, after it the hashed password; you must append the connection name yourself at the end:

username:.z2I2VoRCNOZI:e63

I added the following NAT and forwarding settings to /etc/rc.local myself (I am even less sure of this part than of the above, so experienced readers please correct it):

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -o eth0 -j SNAT --to 47.117.26.212   <- your own public IP

Reboot the VPS so that all the changes take effect (or run "sudo /etc/init.d/ipsec restart" and the other commands). Then use

sudo /usr/sbin/ipsec verify

to check whether the IPsec service is healthy; it should return the following:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path
Linux Openswan U2.6.24rc5/K2.6.18-164.10.1.el5xen (netkey)
Checking for IPsec support in kernel
Testing against enforced SElinux mode
NETKEY detected, testing for disabled ICMP send_redirects
NETKEY detected, testing for disabled ICMP accept_redirects
Checking for RSA private key (/etc/ipsec.secrets)
Checking that pluto is running
Pluto listening for IKE on udp 500
Pluto listening for NAT-T on udp 4500
Two or more interfaces found, checking IP forwarding
Checking NAT and MASQUERADEing
Checking for 'ip' command
Checking for 'iptables' command
Opportunistic Encryption Support
(status column as extracted, one entry per check: [OK] [OK] [OK] [OK] [OK] [OK] [OK] [OK] [OK] [OK])
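As an added example (not part of the original post), here is a small Python parser for output of the kind `ipsec verify` prints above. It returns every check whose status tag is not [OK], which is what you would wire into a post-reboot health check of the gateway; the sample output it runs on is constructed, and the [FAILED] lines in it are invented for illustration, not taken from the post.

```python
"""Parse `ipsec verify` output and list the checks that did not pass.

Added example; the sample below is constructed, modelled on the status lines
Openswan's `ipsec verify` prints. The two [FAILED] entries are made up to show
what the parser reports.
"""
import re

SAMPLE_VERIFY_OUTPUT = """\
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.24rc5/K2.6.18-164.10.1.el5xen (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Opportunistic Encryption Support                                [DISABLED]
"""

# A check line is "<description>   [STATUS]"; the version banner and the
# header line carry no bracketed status and are skipped.
STATUS_RE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[A-Z/ ]+)\]\s*$")


def parse_verify(output):
    """Return a list of (check description, status) for every status-tagged line."""
    results = []
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            results.append((m.group("check").strip(), m.group("status")))
    return results


def failed_checks(output, tolerate=("OK", "DISABLED")):
    """Descriptions of checks whose status is not tolerated.

    [DISABLED] for Opportunistic Encryption is expected with oe=off in
    ipsec.conf, so it is tolerated by default; pass tolerate=("OK",) to be strict.
    """
    return [check for check, status in parse_verify(output) if status not in tolerate]
```

The two redirect checks are exactly what the send_redirects/accept_redirects lines in the /etc/rc.local snippet above satisfy, and the forwarding check corresponds to ip_forward, so a non-empty result from failed_checks usually points at one of those lines not having taken effect after the reboot.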

That covers the OpenSwan installation and setup; next comes generating the VPN policy for the phone. I initially consulted English references one, two and three (readers with doubts about the content of this article can look those up); the first two describe generating the VPN policy through the cumbersome process of building a sis/sisx installer with makesis. Fortunately the new mVPN V3.1 and V4 both support the far simpler .vpn file import described in the third reference. The VPN policy actually consists of two files. One is VPN.pin, with the content:

[POLICYNAME]
VPN Beta
[POLICYDESCRIPTION]
VPN Beta
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit

This is really just a simple policy identifier and does not involve the actual configuration. The real settings are in the VPN.pol file, whose content is as follows:

SECURITY_FILE_VERSION: 3
[INFO]
VPN
[POLICY]
sa ipsec_1 = {
 esp
 encrypt_alg 12
 max_encrypt_bits 256
 auth_alg 3
 identity_remote 0.0.0.0/0
 src_specific
 hard_lifetime_bytes 0
 hard_lifetime_addtime 3600
 hard_lifetime_usetime 3600
 soft_lifetime_bytes 0
 soft_lifetime_addtime 3600
 soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(<IPsec VPN server address>) }
inbound = { }
outbound = { }

[IKE]
ADDR: <IPsec VPN server address> 255.255.255.255
MODE: Main
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: MobileGroup
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
DNS_SERVER: 8.8.8.8   <- IP address of the DNS server
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 24 StringUsedAsPreSharedKey   <- first the length of the key, then the key string itself

Most of the parameters in it correspond to OpenSwan settings, which means that changing a parameter here usually implies a change on the server side as well. All three English references mentioned above say OpenSwan must be patched to solve the DNS push problem; I do not know whether that is an OpenSwan or an mVPN client version issue, because the VPN policy can in fact specify the DNS server with the "DNS_SERVER" parameter (found in yet another reference). Once the two files are edited, compress them into a zip file, rename the extension from .zip to .vpn, transfer it to the phone and import it directly. Simple, isn't it? Then follow the steps in my previous article to use this VPN on a Nokia Symbian S60 phone. After a successful connection the VPN log will show the following (other error messages in the log you will have to analyse yourself):
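The correspondence just described can be made mechanical. The following Python script is an added example, not the post's own tooling: it reads an OpenSwan conn block and the ': PSK "..."' line of the secrets file, translates the values the post uses (ike=aes256-sha1-modp1536, esp=aes256-sha1, leftxauthserver and leftmodecfgserver) into the matching VPN.pol parameters, computes the length in the KEY: line instead of counting it by hand, and zips VPN.pin and VPN.pol into the .vpn bundle. Only the algorithm combinations shown in the post are mapped; anything else is rejected rather than guessed. The sample conn and secrets text, the policy name and the gateway address 203.0.113.1 are constructed stand-ins.

```python
"""Build a Nokia mVPN .vpn bundle (zip of VPN.pin + VPN.pol) from an OpenSwan conn.
Added example, not from the post. SAMPLE_CONN/SAMPLE_SECRETS are constructed to
mirror the post's e63.conf/e63.secrets; the maps hold only the post's values."""
import io
import re
import zipfile

SAMPLE_CONN = """\
conn e63
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    authby=secret
    leftmodecfgserver=yes
    leftxauthserver=yes
"""
SAMPLE_SECRETS = ': PSK "StringUsedAsPreSharedKey"\n'

# OpenSwan ike= value -> (ENC_ALG, HASH_ALG, GROUP_DESCRIPTION) in VPN.pol
IKE_MAP = {"aes256-sha1-modp1536": ("AES256-CBC", "SHA1", "MODP_1536")}
# OpenSwan esp= value -> (encrypt_alg, max_encrypt_bits, auth_alg) in VPN.pol
ESP_MAP = {"aes256-sha1": (12, 256, 3)}


def parse_conn(text):
    """Return (conn name, {key: value}) for a single conn block."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    if name is None:
        raise ValueError("no 'conn' block found")
    return name, params


def parse_psk(secrets_text):
    """Extract the quoted key from a ': PSK "..."' line."""
    m = re.search(r'^\s*:\s*PSK\s+"([^"]+)"', secrets_text, re.MULTILINE)
    if not m:
        raise ValueError("no PSK entry found in secrets")
    return m.group(1)


def flag(params, key):
    """OpenSwan yes/no -> mVPN TRUE/FALSE (e.g. leftxauthserver -> USE_XAUTH)."""
    return "TRUE" if params.get(key, "no") == "yes" else "FALSE"


def build_pin(policy_name):
    return "\n".join(["[POLICYNAME]", policy_name, "[POLICYDESCRIPTION]", policy_name,
                      "[POLICYVERSION]", "1.1", "[ISSUERNAME]", "Do not edit",
                      "[CONTACTINFO]", "Do not edit"]) + "\n"


def build_pol(gateway, dns, params, psk):
    """Render VPN.pol with the crypto and auth parameters derived from the conn."""
    try:
        enc_alg, hash_alg, group = IKE_MAP[params["ike"]]
        esp_enc, esp_bits, esp_auth = ESP_MAP[params["esp"]]
    except KeyError as exc:
        raise ValueError(f"no VPN.pol mapping for {exc}") from None
    lines = [
        "SECURITY_FILE_VERSION: 3", "[INFO]", "VPN", "[POLICY]", "sa ipsec_1 = {", " esp",
        f" encrypt_alg {esp_enc}", f" max_encrypt_bits {esp_bits}", f" auth_alg {esp_auth}",
        " identity_remote 0.0.0.0/0", " src_specific", " hard_lifetime_bytes 0",
        " hard_lifetime_addtime 3600", " hard_lifetime_usetime 3600", " soft_lifetime_bytes 0",
        " soft_lifetime_addtime 3600", " soft_lifetime_usetime 3600", "}",
        f"remote 0.0.0.0 0.0.0.0 = {{ ipsec_1({gateway}) }}", "inbound = { }", "outbound = { }",
        "[IKE]", f"ADDR: {gateway} 255.255.255.255", "MODE: Main", "SEND_NOTIFICATION: TRUE",
        "ID_TYPE: 11", "FQDN: MobileGroup", f"GROUP_DESCRIPTION_II: {group}", "USE_COMMIT: FALSE",
        "IPSEC_EXPIRE: FALSE", "SEND_CERT: FALSE", "INITIAL_CONTACT: FALSE",
        "RESPONDER_LIFETIME: TRUE", "REPLAY_STATUS: TRUE", "USE_INTERNAL_ADDR: FALSE",
        "USE_NAT_PROBE: FALSE", f"DNS_SERVER: {dns}", "ESP_UDP_PORT: 0", "NAT_KEEPALIVE: 60",
        f"USE_XAUTH: {flag(params, 'leftxauthserver')}",
        f"USE_MODE_CFG: {flag(params, 'leftmodecfgserver')}", "REKEYING_THRESHOLD: 90",
        "PROPOSALS: 1", f"ENC_ALG: {enc_alg}", "AUTH_METHOD: PRE-SHARED", f"HASH_ALG: {hash_alg}",
        f"GROUP_DESCRIPTION: {group}", "GROUP_TYPE: DEFAULT", "LIFETIME_KBYTES: 0",
        "LIFETIME_SECONDS: 28800", "PRF: NONE", "PRESHARED_KEYS:", "FORMAT: STRING_FORMAT",
        f"KEY: {len(psk.encode('utf-8'))} {psk}",  # length computed, not counted by hand
    ]
    return "\n".join(lines) + "\n"


def build_vpn_bundle(gateway, dns, conn_text, secrets_text, policy_name="VPN Beta"):
    """Return the .vpn file as bytes: a zip holding VPN.pin and VPN.pol."""
    _name, params = parse_conn(conn_text)
    psk = parse_psk(secrets_text)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("VPN.pin", build_pin(policy_name))
        zf.writestr("VPN.pol", build_pol(gateway, dns, params, psk))
    return buf.getvalue()


def read_bundle(data):
    """Map member name -> text, for inspection of a generated bundle."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n).decode("utf-8") for n in zf.namelist()}
```

Writing the return value of build_vpn_bundle(gateway, dns, conn_text, secrets_text) to a file named VPN.vpn gives the importable bundle. Because the phone-side KEY: line and the server's e63.secrets now come from the same source, a PSK or key-length mismatch between the two cannot creep in, and changing the conn's leftxauthserver line regenerates USE_XAUTH accordingly; both are faults that are hard to diagnose from the phone's VPN log alone.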

1:authenticated to vpn gateway <IPsec VPN server address>, vpn access point <VPN policy name>

2:infomation :address info for vpn access point <VPN policy name>, virtual ip 192.168.6.252, local ip <IP assigned to the phone by the carrier>, nat status code 0

3:infomation :activated vpn access point <VPN policy name>, ip address 192.168.6.252

If all goes well, you can use this VPN to reach any website. If you run into problems such as the gateway not responding, for example because the carrier assigned the phone a private IP in 192.168.x.x or 10.x.x.x and the nat status code is 0 (it should be 1), congratulations: you need to join me in part three and keep fiddling...

Summary: the mVPN client on Nokia Symbian S60 can work with an IPsec VPN built with OpenSwan, but the process is somewhat troublesome. Unless you need the VPS for other purposes anyway, or simply enjoy tinkering (I am both :D), buying a ready-made service such as 12vpn makes more sense if all you need is a VPN: a Xen VPS usually costs no less than 6 USD a month, while a 12vpn Lite account averages about 2 USD a month, and unless you have a dedicated server on a >100M line, a self-built VPN is hard pressed to match the speed of a dedicated VPN provider. That is also why I bought a 12vpn account even though I can use my own VPN.

Source: http://www.alpha2beta.com/

Tags: Nokia, Symbian, VPN, mobile phone, Nokia

This is an article I have long intended to write, but because some technical details were never properly resolved I kept putting it off. Eventually I realised that at this rate it would never get written, and since 12vpn has released support for the native VPN client on Nokia S60 phones, completing my tutorial is no longer so urgent. I plan to write this tutorial in three parts:
1. Instructions for the native VPN client on Nokia S60 phones and a review of 12vpn, because if I open with how to generate VPN policy files and configure OpenSwan, ordinary users who do not need to know that may be overwhelmed and get the false impression that it is too complicated to use;
2. A tutorial on generating the VPN policy file and installing and configuring OpenSwan. This tutorial is really only a working example; some advanced settings that need fine-tuning I have not figured out myself;
3. Advanced settings for the VPN policy file and OpenSwan, which is the part I am still working on.

Below are the instructions for the native VPN client on Nokia S60 phones and the 12vpn review:

I have seen many claims that there is no usable VPN client on Nokia S60, but in fact the native Mobile VPN client on Nokia S60 phones simply does not support the common PPTP protocol (the third-party software SymVPN supports PPTP, but the legitimate version costs over twenty US dollars, and most cracked versions do not work well); it supports IPsec VPN instead. Another view is that the native VPN client on Nokia S60 phones is too complicated for ordinary users. That is both right and wrong: generating the VPN policy file is indeed fairly complex, but that is the system administrator's job; ordinary users only need to install the VPN policy file their administrator sends them on the phone, do a little setup, and it works. In fact many of the L2TP VPNs commonly used on iPhone/iPod Touch are also based on IPsec, and the configuration 12vpn provides for S60 users does not look any more complicated than on iPhone/iPod Touch.

The native Mobile VPN client on Nokia S60 phones does not require users to set the VPN server address, username and password themselves (the case where Xauth authentication is additionally used is another matter); these are defined in the VPN policy. The mVPN client has an option to set a policy server, which is used to push VPN policies to the phone and requires Nokia's dedicated server software; few people use this, and users can install the VPN policy file locally and ignore that option entirely. VPN policy files used to be delivered as sis files, installed like ordinary software, but mVPN V3.1 and V4 can now import .vpn files directly.

The following instructions draw on 12vpn's English guide for mVPN V4 on S60V5:
1. Users first need to install the mVPN client: V3.1 (for S60V3 FP1) download here, V4 (for S60V3 FP2 and S60V5) download here;
2. Obtain the .vpn (or .sis/.sisx) policy file from your system administrator, transfer it to the phone and install it. There are two main ways an IPsec VPN gateway and client authenticate each other: PSK and X.509 certificates. With PSK, the VPN policy file can be used as soon as it is installed; X.509 certificates are stored in PKCS#12 format, and when a policy containing such a certificate is installed, the user is prompted for a password to read the certificate. That password is set by the administrator who supplies the VPN policy file; for 12vpn, for example, the certificate password is always "import" (without the quotes). The first time a certificate is imported, the phone prompts the user to set (enter twice) a password for reading the certificate; be sure to remember it, since it must be entered every time the VPN connection is started. After installing a VPN policy containing an X.509 certificate, S60V3 FP1 phones running mVPN V3.1 need to be rebooted, and before reinstalling a VPN policy you must delete the old policy and certificate and reboot. I am not sure whether S60V5 and S60V3 FP2 phones running mVPN V4 need the same; I hear they do not;
3. When using WiFi, make sure the wireless router has the VPN Passthrough option enabled;
4. The phone must use a "net" connection rather than "wap" (I am not sure about this, because a proxy can be defined in the mVPN client);
5. On newer phones such as S60V5, importing a VPN policy automatically creates a VPN access point labelled IntraNet; choose it whenever the browser or another networked application asks for an access point, and traffic goes through the VPN. On older phones such as S60V3 FP1, you have to define a new access point yourself from the imported VPN policy via "Settings -> Connection -> VPN -> VPN access points -> Options -> New access point".
6. Initialising the IPsec VPN connection is a little slow, about half a minute, after which there is no further impact. If the VPN policy uses an X.509 certificate, the phone prompts for the password set when the certificate was saved; with PSK authentication there is no such step. If Xauth authentication is configured in the VPN policy and on the IPsec gateway (the two correspond), you must additionally enter the username and password the administrator set on the server.
7. In my own experience, setting up several access points that use different VPN policies can cause conflicts. This may depend on the particular phone and IPsec VPN settings; it is just a possibility to consider when troubleshooting.
8. Another point is to keep an eye on the DNS settings when using the VPN. Nokia S60 phones allow a custom DNS server address when setting up an access point, and the newer VPN policy parameters also have a separate option. Although most IPsec VPN gateways now seem able to push DNS information to the phone, this may well be where a problem turns up one day.

In short, the native VPN client on Nokia S60 phones is configured through a VPN policy file, and that policy corresponds to the specific IPsec VPN setup; both should be handled by the system administrator, and ordinary users need not worry about them.

The reason I include a review of 12vpn specifically is that, of the many VPN providers, it is the only one I know of that supports Nokia S60 phones. Besides the usual PPTP, it also supports OpenVPN, L2TP and IPsec (Cisco), so users on different platforms can all use its service. Compared with a self-hosted VPN, 12vpn has the following advantages in my view:
1. They have several VPN servers in different countries, which is essential when a user needs an IP from a specific region to use services such as BBC iPlayer and Hulu;
2. As a company they have more resources for customer support. Anyone who has set up a VPN knows that supporting different platforms and widely varying networks (different carriers and firewalls) is a very demanding task. Even 12vpn, when it first released its VPN policy for Nokia S60 phones, only supported mVPN V4 on S60V5 phones, and it did not work in mVPN V3.1 on S60V3 phones. Fellow Twitter user @nielspeen and I spent a lot of time modifying their VPN policy without success; in the end 12vpn fixed it themselves a day later by updating the configuration file.

But 12vpn's Personal account is fairly expensive (70 USD per year, or 9 USD per month plus a 10 USD setup fee). They also have a much cheaper Lite account that is not shown on the home page, but it is yearly only (25 USD, with 10% off until the end of February 2010) and has a 10 GB monthly traffic limit. Some Twitter users also find 12vpn's speed mediocre; that is something everyone has to judge for themselves. I find watching Hulu over 12vpn reasonably fast (slight pauses, but it seems faster than hideipvpn, and a clear improvement over an OpenVPN server I once set up myself).

Besides buying 12vpn's service, those who like tinkering can set up an IPsec VPN on a VPS or dedicated host themselves, but that will have to wait for the next article. Those who cannot tinker themselves and do not plan to buy 12vpn, but want to use a VPN on a Nokia S60 phone, can also contact me for a test account to see whether their Nokia S60 phone works satisfactorily on my IPsec VPN before deciding whether to buy a paid service.

Source: http://www.alpha2beta.com/
