Pages

Thursday, 30 July 2015

用Racoon搭建IPsec VPN,在windows/安卓/iphone下翻墙(我测试成功)

(用Racoon搭建的IPsec VPN就是所谓的ikeV1 VPN)

在debian/ubuntu上,用Racoon搭建IPsec VPN

 Racoon官网:http://ipsec-tools.sourceforge.net

(注:最好在xen/kvm vps上安装。我在openvz vps上安装racoon就是不成功,因为openvz vps没有
pfkey,af_key模块:

我在openvz vps的debian系统上,装完racoon后,得到提示:
racoon - IKE keying daemon will not be started as /proc/net/pfkey is not
         available or a suitable 2.6 (or 2.4 with IPSEC backport)

         kernel with af_key.[k]o module installed.)

apt-get install racoon
racoon 包必须为 0.8+
配置请不要随便更改,否则可能丧失某平台兼容,测试通过:iOS/OSX、黑莓(OS4/5/6/7),WebOS,诺基亚,VPNC等。
软件安装完毕,修改 /etc/racoon/motd ,这是 VPN 连接成功后的 banner,可有可无;
修改 /etc/racoon/psk.txt ,这是 VPN 连接的 group name 和 group secret,格式很简单, 一行即可,例如
wk iamsogayyaha
接着,把配置文件/etc/racoon/racoon.conf的内容替换为下面的内容:

log info;
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
}

remote anonymous {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        nat_traversal on;
        proposal_check obey;
        generate_policy unique;
        ike_frag on;
        passive on;
 dpd_delay = 30;
 dpd_retry = 30;
 dpd_maxfail = 800;
 mode_cfg = on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
  lifetime time 12 hour;
        }
}

timer
{
        natt_keepalive 20 sec;
}

sainfo anonymous {
        lifetime time 12 hour ;
        encryption_algorithm aes,3des,des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}

mode_cfg {
        dns4 xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx; #填上你VPS上的DNS,我填的是8.8.8.8,8.8.4.4;
        save_passwd on;
        network4 10.1.0.2; #VPS客户端IP
        netmask4 255.255.255.0;
        pool_size 250;
        banner "/etc/racoon/motd";
        auth_source system;#这里的认证方式即:useradd -s /bin/false some_username和passwd some_username)
        conf_source local;
        pfs_group 2;
 default_domain "local";
}
 
最后运行 iptables 规则和设置 ipv4 转发即可:
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf

sysctl -p

iptables --table nat --append POSTROUTING -o eth0 --jump MASQUERADE

from https://w3.owind.com/pub/linux-cisco-vpn-server-for-dummies/ 
(我测试成功。windows桌面系统下的客户端的配置,
见此文: https://w3.owind.com/pub/connect-a-cisco-vpn-in-windows/,客户端下载地址:
https://www.shrew.net/download/vpn/vpn-client-2.2.0-release.exe

android系统下的客户端:vpncilla-http://www.coolapk.com/apk/com.gmail.mjm4456.vpncilla/download/?dl=1,
http://android.d.cn/software/27337.html)

能建立链接,但“几乎”无法访问互联网问题的解决:
 这里我使用“几乎”这个词,是因为并不是完全不能访问互联网。症状为,打开 Google 搜索没问题,但其它网站均无法打开;
SSH 可用,但 scp 不行;ftp 能握手,但传不了文件。我就遇到了这种情况,仔细 Google 后发现原来是 MTU 的问题,
用 ping 探测了一下果然是包过大了。知道问题就好办了,我们可以通过 iptables 来修正这一问题。
具体原理就不讲了,需要的自己 Google。这里只说解决方案,在 filter 表中添加下面的规则:
iptables -A FORWARD -s 10.1.0.0/255.255.255.0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1200
 上面规则中的 1200 可以根据你的实际情况修改,为了保证最好的网络性能,这个值应该不断修改,
直至能保证网络正常使用情况下的最大值.
 
 
1.Ubuntu/debian vps下,运行apt-get install racoon后,会装好racoon和ipsec-tools(ipsec-tools会顺带自动装好)
2.用命令useradd -s /bin/false some_username和passwd some_username设置用户名和密码。
在/etc/racoon/racoon.conf中,认证方式建议设为auth_source system,
不要设为auth_source pam,这样省事一点。
3.iptables规则: 
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A FORWARD -s 10.1.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.0.0/255.255.255.0 -o eth0 -j MASQUERADE
如果连上了vpn,还是打不开任何网站,那么就运行:
iptables -A FORWARD -s 10.1.0.0/255.255.255.0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1200

注:
经过一段时间的使用,发现这类IPsec VPN软件的稳定性稍差些,主要表现在有时客户端断开后
(尤其是进入sleep状态时)VPN服务器端未能收到断开信号,
以致该客户端短时间内再次连接VPN服务器时可能就会被拒绝,
这时要么重启VPN服务器,或者等上一段时间再访问
(一般情形下VPN服务器端过一段时间,比如最多2分钟,就会自动恢复正常)。

为尽可能确保VPN服务器端处于正常状态,我还是做了一个定时任务,比如每天临晨4:00让VPN服务器端重启一下。
crontab -e     #进入定时任务编辑状态
在其中添加如下的一条定时任务,并保存退出。

00 20 * * * pkill racoon && racoon -f /etc/racoon/racoon.conf

注:Debian的定时任务似乎默认按UTC时间来执行的(尽管系统的时区我已设置UTC+8),
所以这里是20:00以确保实际在临晨4:00执行。

修改完成后,需要重启一下定时任务的程序:
/etc/init.d/cron restart
如果客户机器连接不上vpn,就在vps里重启一下racoon:
pkill racoon && racoon -f /etc/racoon/racoon.conf
 --------------------------------------

 在centos7 64位系统上安装racoon vpn 

(我测试成功,可在iphone/mac下翻墙.iphone/mac下,选择vpn类型-ciso ipsec vpn。不要试图在centos6/7上编译racoon vpn,因为会遇到很多错误,很难编译成功也不要试图在centos6上,用rpm包来安装racoon vpn,因为途中会提示缺少某个dependency,而这个dependency你很难搞得定!在centos7上,你可以用rpm包来安装racoon vpn如下。)

yum install -y flex flex-devel bison byacc
yum groupinstall 'Development Tools' -y
yum groupinstall "Server Platform Development" -y

下载软件
wget https://dl.fedoraproject.org/pub/epel/7/x86_64/i/ipsec-tools-0.8.2-1.el7.x86_64.rpm
安装:
rpm -ivh
ipsec-tools-0.8.2-1.el7.x86_64.rpm
(不要用下面的办法安装racoon!!否则racoon会不正常。

  1. 启用 epel 仓库
    yum install -y epel-release
    
  2. 安装 ipsec-tools
    yum install -y ipsec-tools)

 
配置

    设置欢迎信息

    nano /etc/racoon/motd

    Welcome to Test IPSec VPN

    设置VPN组名和密钥:
    nano /etc/racoon/psk.txt

    vpn 123123

    设置配置文件

    nano /etc/racoon/racoon.conf

    path include "/etc/racoon";
    #include "remote.conf";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/cert";
    #log debug;

    listen
    {
        isakmp your_vps_ip [500];
        isakmp_natt your_vps_ip [4500];
    }

    remote anonymous
    {
        exchange_mode main, aggressive, base;
        mode_cfg on;
        proposal_check obey;    # obey, strict, or claim
        nat_traversal on;
        generate_policy unique;
        ike_frag on;
        passive on;
        dpd_delay 30;

        proposal {
            lifetime time 28800 sec;
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method xauth_psk_server;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        encryption_algorithm 3des, aes, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }

    mode_cfg
    {
        auth_source system;
        dns4 8.8.8.8, 8.8.4.4;
        banner "/etc/racoon/motd";
        save_passwd on;
        network4 192.168.0.10;
        netmask4 255.255.255.0;
        pool_size 100;
        pfs_group 2;
    }

添加系统的用户和密码:
useradd -s /bin/false testvpn
passwd testvpn

开启转发:

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf

sysctl -p

设置防火墙规则:
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

保存:
service iptables save

启动:
racoon -f /etc/racoon/racoon.conf

    ERROR: /etc/racoon/psk.txt has weak file permission

    chmod 700 /etc/racoon/psk.txt 



如果客户机器连接不上vpn,就在vps里重启一下racoon:
pkill racoon && racoon -f /etc/racoon/racoon.conf

最好在debian系统上搭建。在centos系统搭建的话,麻烦较多,容易遇到错误。
--------------------------------

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
    isakmp xx.xx.xx.xx [500]; #服务器IP
    isakmp_natt xx.xx.xx.xx [4500]; #服务器IP
}

remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8; //DNS
    banner "/etc/racoon/motd"; #欢迎字符的路径
    save_passwd on;
    network4 10.12.0.1; #VPN内网IP
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}
1
2

1


4. 设置iptables的规则

  1. 添加 iptables 配置
    iptables -A INPUT -p udp -–dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
    iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
    
  2. 保存 iptables 的设置
    iptables-save
    
  3. 确认一下 iptables 的设置
    iptables -L 
      
--------------------------------------------------------------

在 centos 7上安装racoon vpn

下面是具体的步骤:
1. 安装 IPSec-tools/racoon

    启用 epel 仓库:

    yum install epel-release

    安装 ipsec-tools:

    yum install ipsec-tools

2. 配置racoon
安装后默认的配置文件路径是 /etc/racoon/,一共需要关注三个文件,racoon.conf, psk.txt 和 motd。

    修改 racoon.conf:

   path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
    isakmp xx.xx.xx.xx [500]; #服务器IP
    isakmp_natt xx.xx.xx.xx [4500]; #服务器IP
}

remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8; //DNS
    banner "/etc/racoon/motd"; #欢迎字符的路径
    save_passwd on;
    network4 10.12.0.1; #VPN内网IP
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}

    修改 psk.txt:
# VPN组名 VPN密钥
vpn 123456

3. 添加系统的用户名和密码

useradd -s /sbin/nologin USER
passwd USER

4. 设置iptables的规则

    添加 iptables 配置

    iptables -A INPUT -p udp -–dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
    iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT

    保存 iptables 的设置

    iptables-save

    确认一下 iptables 的设置

    iptables -L

5. 设置ipv4 forward

修改 /etc/sysctl.conf 里的
net.ipv4.ip_forward=1


sysctl -p

6. 测试

用调试模式启动 racoon。

racoon -F

然后客户端连接测试下,如果没有报错,就能顺利连接。

7. 开启 racoon 自启动
service racoon start
chkconfig racoon on
--------------------------------------------------

因为觉得IPsec的效率会比OpenVPN要好,于是想把tomato上的OpenVPN也换成IPsec VPN,

怎么换呢?Tomato通过Optware能安装的只有vpnc这一个IPsec客户端,vpnc只支持IKE phase 1 aggressive mode,而服务器端的StrongSwan只支持main mode,这两个明显是八字不合的,然后有两条路:

1) 把Tomato换成OpenWRT,然后用StrongSwan/OpenSwan/racoon做客户端连StrongSwan Server

2) 把StrongSwan Server换成OpenSwan或者racoon支持aggressive mode,继续用vpnc做客户端

方案一试过,可惜行不通,

做法是去买了一台超便宜的无线猫,DB120跑OpenWRT,然后我在上面 装过OpenSwan和StrongSwan试着和服务器端连,其中StrongSwan的包比较完整,OpenSwan有些功能模块没有编译好的安装 包,然后比较不幸的是,虽然配置貌似正确用户验证能通过,但是路由和转发总是有问题,不是不能把数据包转发到VPN Server,就是能转发但是本地连接中断,相当折腾!

不止如此,我甚至连服务器端都换成过OpenSwan改用aggressive mode,然后iPhone,OSX拨号上来的时候发现modecfg的split DNS支持貌似不匹配,因此无法推DNS到客户端,OSX倒还好,可以自己指定DNS server,iPhone就傻掉了,而且tomato上用vpnc 连接IKE phase I也过不去,所以只能放弃。

然后到方案二,这个是可以工作的方案,

把StongSwan换成racoon,然后iOS,OSX,windows,tomato神马的都可以拨上来了,省略痛苦的折腾过程,简单的步骤如下:

1) 安装racoon

我的VPS跑的是CentOS,可以自行编译,也可以通过yum安装,相比之下yum安装会容易一些,

wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm
yum localinstall --nogpgcheck ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm ipsec-tools-0.8.0-1.el5.pp.i386.rpm

如果要编译,可以使用以下参数:
configure –sysconfdir=/etc/racoon –enable-natt –enable-broken-natt –enable-hybrid –enable-dpd

如果提示需要内核头文件,可以参考这个文章:
http://blog.csdn.net/zhangyang0402/article/details/5732815

2) 配置racoon

yum/apt-get安装后默认的配置文件路径是/etc/racoon,一共需要关注三个文件,racoon.conf / psk.txt 和 motd,逐个来.

编辑racoon.conf:
pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
isakmp YOUR.IP.ADDRESS [500]; #YOUR.IP.ADDRESS改为VPS的外网地址
isakmp_natt YOUR.IP.ADDRESS [4500]; #YOUR.IP.ADDRESS改为VPS的外网地址
}

remote anonymous {
exchange_mode aggressive, main, base; #同时支持IKE aggressive和main mode
mode_cfg on; #支持通过modcfg获取dns配置
proposal_check obey; #这里很奇怪,多数配置例子写的是proposal_check claim,即在协商中取短的lifetime并通告initiator,但在0.8版本用claim是不work的,只能配置成obey,即遵循 initiator发出的lifetime
nat_traversal on; #开启NAT-T,必须的
generate_policy unique; #这个貌似是为了支持多个客户端被NAT成同一个地址
ike_frag on;
passive on;
dpd_delay 30; #dead peer detection的超时时间

proposal {
lifetime time 28800 sec;
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method xauth_psk_server; #Pre-shared key+用户名/密码认证
dh_group 2;
          }
}

sainfo anonymous {
encryption_algorithm aes, 3des, blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

mode_cfg {
auth_source system; #使用系统的用户名/密码体系认证,懒得再折腾其他的方法了
dns4 8.8.8.8;
banner "/etc/racoon/motd"; #banner,貌似vpnc必须要有banner才能work,真的吗?
save_passwd on;
network4 10.12.0.100; #客户端获得的IP起始地址
netmask4 255.255.255.0; #客户端获得的地址的掩码
pool_size 100; #最大客户端数量
pfs_group 2;

psk.txt # Group_Name Group_Secret
YOUR_GROUP_NAME YOUR_GROUP_SECRET #前面是Group Name, 或者vpnc里配置的IPSec ID,后面是Secret,或者vpnc里的IPSec secret

motd
ANY.WORD #随便写

3) 添加用户名密码

useradd YOUR.USERNAME

passwd YOUR.PASSWROD

然后vi一下/etc/passwd把racoon用的用户的shell设置为/sbin/nologin使VPN用户无法使用shell,并且把根目录指向/tmp之类的.


4) 在Tomato Firmware的路由器上安装vpnc

要在tomato上用optware装软件的最好有一个U盘,当然也可以用jffs,optware的安装教程可以参考TomatoUSB的HOWTO

http://tomatousb.org/doc:optware

http://tomatousb.org/tut:optware-installation

ipkg update
ipkg install vpnc

5) 配置VPNC

vpnc的默认配置路径在/opt/etc/vpnc,没有多个服务器的话直接改default.conf也可以

IPSec gateway YOUR.VPN.GW #VPN服务器的地址或者域名
IPSec ID YOUR.GROUP.ID #对应刚才在psk.txt里设置的Group Name
IPSec secret YOUR.SECRET #对应刚才在psk.txt里设置的secret
Xauth username YOUR.USERNAME #用户名
Xauth password YOUR.PASSWORD #密码


6) 一些小tricky tuning
参考 @paveo 的文章们:
openwrt 下 vpncwatch 和 mtu 问题
路由器上使用 Cisco IPSec VPN client
CHNroutes
@paveo同学的A类路由表确实暴力,连我最爱的mobile01都上不去了,少少改一下:

由于发现了用ip -batch来添加3000行路由的时间也就是2-3秒,所以我们还是把chnroutes的全路由写一下好了~

#!/bin/sh

OLDGW=$(nvram get lan_gateway) #家里有两台路由器,用于连接VPN的路由器并非是PPPoE拨号的路由器,如果只有一台路由器,lan_gateway应改为wan_gateway

ip -batch

#chnrouts
route add 1.0.1.0/24 via $OLDGW metric 5
route add 1.0.2.0/23 via $OLDGW metric 5
route add 1.0.8.0/21 via $OLDGW metric 5
route add 1.0.32.0/19 via $OLDGW metric 5
route add 1.1.0.0/24 via $OLDGW metric 5
route add 1.1.2.0/23 via $OLDGW metric 5
......
route add 223.255.236.0/22 via $OLDGW metric 5
route add 223.255.252.0/23 via $OLDGW metric 5

EOF

还有就是用vpncwatch来启动vpnc,断线可以自动重连,

cd /opt/sbin/
wget http://p5.gfw.io/vpncwatch

然后可以把启动命令直接贴到Tomato WEBGUI的administration –> Scripts –> Init 里头:
/opt/sbin/vpncwatch -c twitter.com -p 80 -i 30 vpnc /opt/etc/vpnc/default.conf

from http://blog.wellsgz.info/?p=1964
------------------------------------------------

如何用Racoon 搭建ipsec VPN 服务器

我们有很多方式可以实现 IP Sec VPN , android 、 iOS 都可以使用多种类型的VPN (近来PPTP 被破解,少用哦),但是唯独少了黑莓。熟悉我的朋友应该知道我很早就用 Cisco PIX 535 实现过这个功能了,但是不幸的是即便有了VPN 黑莓上也没有任何意义:1 必须 WIFI ;2 只有个别程序才会通过VPN 。这很可能不符合你的要求,因此你也可以不必读如何部分。


IP Sec VPN 有多种实现方式,而且遵循不同的模式,我们常见的是 StrongSwan/OpenSwan , Racoon/ipsec-tool
。我已经写过前者的配置方法,以达到Playbook 连接的目的。但是StrongSwan 4.XX 不能用作黑莓手机的服务器,因为不支持ike keyexchange 的一个 aggressive模式,但是StrongSwan5.0 已经支持了,只是我没有再测试。所以文章就开始写Racoon 如何搭建ipsec VPN 服务器。

1 安装
Debian 下 直接
 apt-get install racoon

请注意,默认源中的较老,你可以使用test 源来安装最新版。

2 配置 vim /etc/racoon/racoon.conf


#log notify;
##下面是定义VPN 要引用的PSK 的group ID 和Group Secret
path pre_shared_key "/etc/racoon/psk.txt";

## 这个是定义证书目录,如果你使用X509 rsasig 认证,就保留,否则删除也不影响的
path certificate "/etc/racoon/certs";


## 这个不需要我来解释了
log warning;


## Author : @bao3
## remote anonynous 是定义任意IP 连接服务器时,要遵循的规则
## 网上经常可以看到 Romote 192.168.10.1(任意IP),这是为了指定
## 特定IP连入服务器时的规则。我们要做服务器,自然要允许所有IP

remote anonymous {
## 下面是指定我们VPN 服务器的工作模式,注意哟:
## 可以选择base,main和aggressive 三种,但是如果
## 你要给手机连接使用,必须也只能选择Aggressive
     
        exchange_mode aggressive;

        lifetime time 1440 min;

## 这个是初始化连接,其实不加也可以,但是为了兼容VPNC和cisco vpn client
## 就加入这个
        initial_contact on;

## 下面这行不加入也行
        verify_identifier on;

## mode_cfg{} ,用于VPN连接中途,分发IP和DNS。
## 后面会讲到
        mode_cfg on;
## ike_frag ,尽管平时加不加都一样,但是
## 这个选项可以将ike不兼容时的报碎片重组
        ike_frag on;
        passive on;
## 这个是验证第一阶段的规则检查,有3个选项可以选
## off ,不解释。strict ,就是严格,如果手机有一个参数不匹配就登录失败
## obey 是宽容状态,双方会协商一个共同模式,保证连接成功。
        proposal_check obey;

## 这个选项是为了产生路由加密规则,网上的教程都是教你如何
## 手动创建SPD (setkey)规则,那是因为服务器很明确地建立在两个
## 已知IP之间,但我们的VPN服务器很明显要接受所有IP连接进入,需要
## 动态生成规则。这里你可以选择 on 或者 unique ,基本没有差别
## 一定不可以设置为off !!!!这很重要。如果不设定或者设置为off
## 就无法在你手机和服务器间建立 ESP 加密隧道,通讯就是失败。
        generate_policy unique; #unique; #on ;

        # might be patented:

## 这个是NAT_T ,必须打开
        nat_traversal on;

        dpd_delay 200;

## 下面是第一阶段要验证的规则,这里面规定了加密算法和
## HASH 方式以及验证方法xauth_psk_server 。
        proposal {

## 这里定义加密方式,你可以只指定一种,但我这里指定了3种
## 这3中是为了跟更多的手机协商或者电脑客户端匹配
                encryption_algorithm aes 256;#3des,des ;
                hash_algorithm sha1;#md5;
## 这是验证方式,也可以指定pre_shared_key,但是我建议你使用
## 我的方式,但是这就让iOS 很不爽,用了就知道为啥了
                authentication_method xauth_psk_server;   #pre_shared_key; # xauth_psk_server;

## 这个你就默认吧,也即是modp_1024=group 2
                dh_group 2;
        }
}
## 这是第二阶段验证,需要注意:在验证第一阶段完毕,第二阶段开始之前,
## 还有一个验证1.5阶段,也就是mode_cfg{}分发,所以你排查错误时要理清
## 这个先后关系
sainfo anonymous {
        # yes, short, and?
        lifetime time 10 min;
        encryption_algorithm aes 256,3des,blowfish;
        authentication_algorithm hmac_sha1,hmac_md5;

## 这个是定义通讯压缩模式,所有的教程默认都是 deflate,
## 但是我特意使用了lzs 压缩,是因为VPNC 端默认就是这个
## 如果你觉得有问题,请注释掉下面一行。
        #compression_algorithm deflate;
        compression_algorithm lzs;
}
padding {
        # to hinder guessing
        randomize on;
        randomize_length on;
        strict_check off;
        exclusive_tail on;
}

## 这个是介于验证阶段一和阶段二之间的一个关键环节
## 服务器会像你的手机或者电脑分发IP,DNS ,并显示
## 欢迎画面(motd),其总auth_source system表示使用
## 你的Linux / FreeBSD 系统的用户(也即是SSH帐号)
## 你也可以使用radius,pam 等认证方式
## 内容我不解释,读不懂你就是不合格的SA
mode_cfg {
        auth_source system;
         conf_source local;
        default_domain "local";
        pool_size 10;
        network4 10.0.12.100;
        netmask4 255.255.255.0;
        dns4 8.8.8.8;
        banner "/etc/racoon/motd";
        auth_throttle 3;
        #pfs_group 2; #from @bao3 
}
* 注意:文中刻意HightLine 了 padding{} 字段,这个字段很多老外的配置都没有加入或者少东西。这个字段如果确实,黑莓就无法连接哦。也就是说,我的配置中任何部分你都可以自己改动,唯一这个 padding {} 部分,请完整保留,除非调试不通。
好了,上面就完成了 blackberry vpn 配置。由于我们使用的 xauth_pre_key ,还要创建用户名密码和psk。mode_cfg 中的用户名密码使用Linux 系统的用户验证auth_source system,这个问题就自动解决了。接下来我们还要写一个psk.txt ,用来写入group name , group Secret 。
cat /etc/racoon/psk.txt

#group name  group Secret
test            test
最后,记得添加 iptables nat 的配置和允许 esp isamp ike 的规则。(建议你直接将iptables 设置为accept ,方便调试)
然后在 /etc/sysctl.conf 中加入 net.ipv4.ip_forward=1
如此一来,就可以对照playbook , blackberry 来设置登录了。
好啦,调整好路由或者iptables 就可以开始VPN上网了。
from http://bao3.blogspot.co.uk/2012/08/blackberry-vpn-ios.html
-------------------------------------------

我的VPS系统是CentOS,所以方法略有不同,配置文件基本上按他上面的做法,同时参考了这里的解决方案,在此感觉他们的努力。

1. 安装racoon vpn

1
2
3
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm
yum localinstall --nogpgcheck ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm ipsec-tools-0.8.0-1.el5.pp.i386.rpm
2. 配置(说明参见@bao3童鞋的文章)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log warning;
remote anonymous {
    exchange_mode aggressive;
    lifetime time 1440 min;
    initial_contact on;
    verify_identifier on;
    mode_cfg on;
    ike_frag on;
    passive on;
    proposal_check obey;
    generate_policy unique;
    nat_traversal on;
    dpd_delay 200;
    proposal {
        encryption_algorithm aes 256; #3des,des;
        hash_algorithm sha1;
        authentication_method xauth_psk_server; #pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 10 min;
    encryption_algorithm aes 256, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    #compression_algorithm deflate;
    compression_algorithm lzs;
}
padding {
    #to hinder guessing
    randomize on;
    randomize_length on;
    strict_check off;
    exclusive_tail on;
}
mode_cfg {
    auth_source system;
    conf_source local;
    default_domain "local";
    pool_size 10;
    network4 10.0.88.100;
    netmask4 255.255.255.0;
    dns4 8.8.8.8;
    banner "/etc/racoon/motd";
    auth_throttle 3;
    #pfs_group 2;
}
3. 修改psk.txt(自个修改test部分)
# cat /etc/racoon/psk.txt
#group name group Secret
test test
4. 添加欢迎词motd(可选)
# cat /etc/racoon/motd
Welcome to IPSec world!
5. 修改iptables
请参考《VPN在Xen和OpenVZ下配置iptables的差别》Xen部分

1
2
3
4
5
6
7
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A FORWARD -s 10.0.88.0/255.255.255.0 -j ACCEPT
iptables -A POSTROUTING -s 10.0.88.0/255.255.255.0 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
补充:如果执行“iptables -A POSTROUTING”报错:iptables: No chain/target/match by that name
原因是没有指定nat表为缺省表,解决方法是增加“-t nat”参数,参见:http://is.gd/3PFk4O
iptables -t nat -A POSTROUTING -s 10.0.88.0/255.255.255.0 -o eth0 -j MASQUERADE
5. 修改net.ipv4.ip_forward为1

1
2
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
6. 添加racoon服务并启动

1
2
chkconfig racoon on
service racoon start
调试命令:# racoon -d -F -f /etc/racoon/racoon.conf
如果没有出错按Ctrl+C退出程序,然后以服务方式运行,输出日志:
cat /var/log/messages
清空日志再调试:
cat /dev/null > /var/log/messages
7. 黑莓客户端配置
搜索“Cisco IPSec VPN 安装配置说明”,可以找到好多PDF文件,照着方案一,注意几个容易出错的地方:
a) 启动扩展验证(Enable extended authentication)要钩选
b) IPSec加密和无用数据组选IKE密钥(比如AES 256)和IKE无用数据(比如HMAC SHA1 160)两部分的组合(比如AES256-SHA1)。
c) 登录组用前面第3步的设置,用户用VPS的用户,可以用“useradd username -s /sbin/nologin -M”新建。
配置说明的一个链接供参考:Cisco_IPSec_VPN_Guide_for_BlackBerry_v1.3.pdf
8. 问题
a) ERROR: racoon: MLS support is not enabled. // 忽略之
b) ERROR: libipsec failed pfkey open (Address family not supported by protocol) // 你的VPS不支持modprobe af_key,估计没戏了,参考http://blog.csdn.net/open_free_share/article/details/5159112
c) ERROR: no suitable proposal found. // 没钩前面第7条a)项。
9. 验证
按前面的配置说明成功连接后下载Twitter官方客户端,手机自带浏览器访问http://blackberry.com/twitter(直连),没有黑莓App帐户选第二个按钮完成安装。
如果先运行Twitter客户端再开启VPN可能会登录失败,解决办法是重启或杀进程(含twitter_lib进程?)。
总结:黑莓能走VPN的程序太少了,Twitter官方客户端能行,黑莓自带浏览器不行,据说ucweb可行,没试过。
PS. 只能走WIFI。

from http://lordong.pw/wp/post/1420.html
-------------------------------------------------------------

安裝Racoon,實現Pure IPsec VPN


一來strongswan穩定性一般,二則不能通過vpnc連接,因此考慮利用racoon來實現pure ipsec vpn
。 服務器環境是debian 6.0,ramhost kvm LA機房。

首先安裝rancoon:
1sudo aptitude install racoon
安裝完成後配置文件在/etc/racoon目錄,首先編輯racoon的配置文件:
1cd /etc/racoon
2sudo vim /etc/racoon.conf
插入以下代碼:
01path pre_shared_key "/etc/racoon/psk.txt";
02
03listen {
04}
05
06remote anonymous {
07exchange_mode aggressive, main, base;
08mode_cfg on;
09proposal_check obey;
10nat_traversal on;
11generate_policy unique;
12ike_frag on;
13passive on;
14dpd_delay 30;
15
16proposal {
17lifetime time 28800 sec;
18encryption_algorithm aes;
19hash_algorithm sha1;
20authentication_method xauth_psk_server;
21dh_group 2;
22          }
23}
24
25sainfo anonymous {
26encryption_algorithm aes, 3des, blowfish;
27authentication_algorithm hmac_sha1, hmac_md5;
28compression_algorithm deflate;
29}
30
31mode_cfg {
32auth_source system; #使用系統的用戶名和密碼認證
33dns4 8.8.8.8;
34banner "/etc/racoon/motd"; #banner,登錄成功後的歡迎信息
35save_passwd on;
36network4 10.12.0.100;
37netmask4 255.255.255.0;
38pool_size 100;
39pfs_group 2;
40}
然後編輯群組名稱和密鑰:
1sudo vim psk.txt
群組名稱和密鑰既vpnc的IPsec ID和IPsec secret,用下面的形式:
1NAME SECRET
中間用空格或tab隔開。
然後編輯banner:
1sudo vim motd
內容隨便寫。
最後添加iptables轉發信息:
1iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
2iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
3iptables -A INPUT -p esp -j ACCEPT
4iptables -A FORWARD -s 10.12.0.0/255.255.255.0 -j ACCEPT
5iptables -t nat -A POSTROUTING -s 10.12.0.0/255.255.255.0 -o eth0 -j MASQUERADE
並修改net.ipv4.ip_forward為1允許轉發:
1sudo vim /etc/sysctl.conf
1net.ipv4.ip_forward = 1
使修改立即生效:
1sudo sysctl -p
可以添加一些不允許登錄的用戶來登錄vpn:
1sudo useradd -s /bin/false username
2sudo passwd username


-----------------








IPSecAuto

IPSecAuto is a shell-based script for one-click cisco ipsec vpn (ikev1) installation. We are currently using racoon as the vpn software and we are adding ssl vpn (ocserv) that supports cisco anyconnect soon. please star this project if you want. IPSecAuto for Debain: ipsecauto.sh in this repo. IPSecAuto for CentOS: ipsecauto-centos.sh in this repo。
脚本在此:
https://github.com/frjalex/useful/blob/master/ipsecauto.sh
https://github.com/frjalex/useful/blob/master/ipsecauto-centos.sh
----------

配置Mavericks自带的Cisco VPN的一个注意事项

Cisco的VPN Server端配置的是使用数字证书进行对拨入的用户进行认证,所以需要将根证书和客户端证书导入KeyChain Access。导入的方法不多说,很简单。关键是导入后需要对证书进行一些配置。

根证书和客户端证书都要配置成always trust。
客户端证书的私钥要enable “Allow all application to access this item”选项,也就是说要允许racoon能够使用该私钥。否则会出现如下错误:
com.apple.SecurityServer[15]: Problem opening rules file "/etc/authorization": No such file or directory racoon[1413]: error -25308 errSecInteractionNotAllowed.
具体配置步骤如下:
选择该私钥:
私钥配置界面.

启用“Allow all application to access this item”:

KeyChain配置界面
----------------------

IPSEC: secure IP over the Internet

There are two kinds of IPSEC available for Linux these days. For 2.2 and 2.4, there is FreeS/WAN, which was the first major implementation. They have an official site and an unofficial one that is actually maintained. FreeS/WAN has traditionally not been merged with the mainline kernel for a number of reasons. Most often mentioned are 'political' issues with Americans working on crypto tainting its exportability. Furthermore, it does not integrate too well with the Linux kernel, leading it to be a bad candidate for actual merging.
Additionally, many parties have voiced worries about the quality of the code. To setup FreeS/WAN, a lot of documentation is available.
As of Linux 2.5.47, there is a native IPSEC implementation in the kernel. It was written by Alexey Kuznetsov and Dave Miller, inspired by the work of the USAGI IPv6 group. With its merge, James Morris' CrypoAPI also became part of the kernel - it does the actual crypting.
This HOWTO will only document the 2.5+ version of IPSEC. FreeS/WAN is recommended for Linux 2.4 users for now, but be aware that its configuration will differ from the native IPSEC. In related news, there are now patches to make the FreeS/WAN userspace code work with the native Linux IPSEC.
As of 2.5.49, IPSEC works without further patches.

NoteUserspace tools appear to be available here. There are multiple programs available, the one linked here is based on Racoon.
When compiling your kernel, be sure to turn on 'PF_KEY', 'AH', 'ESP' and everything in the CryptoAPI!
WarningThe author of this chapter is a complete IPSEC nitwit! If you find the inevitable mistakes, please email bert hubert .
First, we'll show how to manually setup secure communication between two hosts. A large part of this process can also be automated, but here we'll do it by hand so as to acquaint ourselves with what is going on 'under the hood'.
Feel free to skip the following section if you are only interested in automatic keying but be aware that some understanding of manual keying is useful.

7.1. Intro with Manual Keying

IPSEC is a complicated subject. A lot of information is available online, this HOWTO will concentrate on getting you up and running and explaining the basic principles. All examples are based on Racoon as found on the link above.

NoteMany iptables configurations drop IPSEC packets! To pass IPSEC, use: 'iptables -A xxx -p 50 -j ACCEPT' and 'iptables -A xxx -p 51 -j ACCEPT'
IPSEC offers a secure version of the Internet Protocol. Security in this context means two different things: encryption and authentication. A naive vision of security offers only encryption but it can easily be shown that is insufficient - you may be communicating encyphered, but no guarantee is offered that the remote party is the one you expect it to be.
IPSEC supports 'Encapsulated Security Payload' (ESP) for encryption and 'Authentication Header' (AH) for authenticating the remote partner. You can configure both of them, or decided to do only either.
Both ESP and AH rely on security associations. A security association (SA) consists of a source, a destination and an instruction. A sample authentication SA may look like this:
   add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
 
This says 'traffic going from 10.0.0.11 to 10.0.0.216 that needs an AH can be signed using HMAC-MD5 using secret 1234567890123456'. This instruction is labelled with SPI ('Security Parameter Index') id '15700', more about that later. The interesting bit about SAs is that they are symmetrical. Both sides of a conversation share exactly the same SA, it is not mirrored on the other side. Do note however that there is no 'autoreverse' rule - this SA only describes a possible authentication from 10.0.0.11 to 10.0.0.216. For two-way traffic, two SAs are needed. A sample ESP SA:
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
 
This says 'traffic going from 10.0.0.11 to 10.0.0.216 that needs encryption can be encyphered using 3des-cbc with key 123456789012123456789012'. The SPI id is '15701'. So far, we've seen that SAs describe possible instructions, but do not in fact describe policy as to when these need to be used. In fact, there could be an arbitrary number of nearly identical SAs with only differing SPI ids. Incidentally, SPI stands for Security Parameter Index. To do actual crypto, we need to describe a policy. This policy can include things as 'use ipsec if available' or 'drop traffic unless we have ispec'.
A typical simple Security Policy (SP) looks like this:
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
   esp/transport//require
   ah/transport//require;
 
If entered on host 10.0.0.216, this means that all traffic going out to 10.0.0.11 must be encrypted and be wrapped in an AH authenticating header. Note that this does not describe which SA is to be used, that is left as an exercise for the kernel to determine. In other words, a Security Policy specifies WHAT we want; a Security Association describes HOW we want it.
Outgoing packets are labelled with the SA SPI ('the how') which the kernel used for encryption and authentication so the remote can lookup the corresponding verification and decryption instruction.
What follows is a very simple configuration for talking from host 10.0.0.216 to 10.0.0.11 using encryption and authentication. Note that the reverse path is plaintext in this first version and that this configuration should not be deployed.
On host 10.0.0.216:
#!/sbin/setkey -f
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";          
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
   esp/transport//require
   ah/transport//require;
 
On host 10.0.0.11, the same Security Associations, no Security Policy:
#!/sbin/setkey -f
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";
 
With the above configuration in place (these files can be executed if 'setkey' is installed in /sbin), 'ping 10.0.0.11' from 10.0.0.216 looks like this using tcpdump:
22:37:52 10.0.0.216 > 10.0.0.11: AH(spi=0x00005fb4,seq=0xa): ESP(spi=0x00005fb5,seq=0xa) (DF)
22:37:52 10.0.0.11 > 10.0.0.216: icmp: echo reply
 
Note how the ping back from 10.0.0.11 is indeed plainly visible. The forward ping cannot be read by tcpdump of course, but it does show the Security Parameter Index of AH and ESP, which tells 10.0.0.11 how to verify the authenticity of our packet and how to decrypt it. A few things must be mentioned however. The configuration above is shown in a lot of IPSEC examples and it is very dangerous. The problem is that the above contains policy on how 10.0.0.216 should treat packets going to 10.0.0.11, and that it explains how 10.0.0.11 should treat those packets but it does NOT instruct 10.0.0.11 to discard unauthenticated or unencrypted traffic!
Anybody can now insert spoofed and completely unencrypted data and 10.0.0.11 will accept it. To remedy the above, we need an incoming Security Policy on 10.0.0.11, as follows:
#!/sbin/setkey -f 
spdadd 10.0.0.216 10.0.0.11 any -P IN ipsec
   esp/transport//require
   ah/transport//require;
 
This instructs 10.0.0.11 that any traffic coming to it from 10.0.0.216 is required to have valid ESP and AH. Now, to complete this configuration, we need return traffic to be encrypted and authenticated as well of course. The full configuration on 10.0.0.216:
#!/sbin/setkey -f
flush;
spdflush;

# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";

# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
           esp/transport//require
           ah/transport//require;
   
 
And on 10.0.0.11:
#!/sbin/setkey -f
flush;
spdflush;

# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";

# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";


spdadd 10.0.0.11 10.0.0.216 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 10.0.0.216 10.0.0.11 any -P in ipsec
           esp/transport//require
           ah/transport//require;

 
Note that in this example we used identical keys for both directions of traffic. This is not in any way required however.
To examine the configuration we just created, execute setkey -D, which shows the Security Associations or setkey -DP which shows the configured policies.

from http://lartc.org/howto/lartc.ipsec.html
--------------------------

IPsec/ISAKMP negotiation opened up

IPsec is becomming the Internet standard for securing IP packets. Instead of manually configuring all the encryption parameters, the keys are usually negatiated between the peers using an ISAKMP (Internet Security Association and Key Management Protocol)/Oakley protocol: IKE (Internet Key Exchange). This post goes into its details.
The main goal of IKE is to negotiate one or more SA’s (Security Associations) between the peers. SA’s contain all information needed to preform the crypto-operations such as encrypting and/or authenticating the packet. It specifies which cipher to use, which key to use, which mode (tunnel or transport) to use, …

Phase 2

Phase 2 is responsible to negotiate the SA’s themselves. This negotiation happens in Quick Mode (QM). The initiating peer sends one or more proposals of encryption parameters. These include:
  • The two sides of the tunnel. A side can be a host, subnet or name.
  • Which encapsulation mode to use: tunnel or transport
  • Which cipher (transform ID) to use: NULL, DES, 3DEs, AES, …
  • Which authentication algorithm to use: HMAC-MD5, HMAC-SHA1, …
  • The lifetime of the SA, specified in seconds and/or kilobytes
The receiving peer compares the list of proposals to its own list and picks the highest match. Along with the parameters, both sides exchange “key material”: a bunch of bits that form the encryption key.
After the 3 packet quick mode exchange, both sides have negotiated usually two SA’s (one in each direction).

Phase 1

Phase 1 is responsible to protect the Quick Mode exchange and to authenticate the remote peer. Authentication usually happens with a pre-shared key (PSK), but you can also use certificates and other mechanisms. Besides the authentication, a Diffie-Hellman key exchange takes place to form a secure channel over an insecure network. The channel is secured similar to a phase2 tunnel, with the same kind of parameters.

Captures

When debugging IPsec tunnels, things can get fairly difficult since all packets are encrypted. To get around this problem, I usually change the phase2 parameters to use ESP-NULL encryption. This is a special encryption algorithm that does just nothing: the packets are NOT encrypted.
Wireshark can be configured to “Attempt to detect/decode NULL encrypted ESP payloads”. Obviously, the confidentiality of the tunnel is compromised as well.
The above trick only makes the tunneled data visible on the wire; the IKE exchange is still protected by phase1. Just out of curiosity, I wanted to look into this exchange. Aparenly you can configure the linux isakmpd to dump the decrypted ISAKMP packets by passing it the -L option. The dump only contains the ISAKMP packets in decrypted form, not the tunneled data.
This is the topology used for the above pcap dumps.

from https://blog.dest-unreach.be/2009/05/27/ipsec-isakmp-negotiation-opened-up
-----------------
http://www.qcloud.com/doc/product/215/%E4%BD%BF%E7%94%A8Ipsec-tools%E6%90%AD%E5%BB%BA%E5%AF%B9%E7%AB%AFVPN%E7%BD%91%E5%85%B3%E8%BF%9E%E6%8E%A5VPC#2.-%E5%AE%89%E8%A3%85ipsec-tools
----------------
如果执行:setkey -f /etc/setkey.conf 时,碰到这样的错误提示:pfkey_open: Address family not supported by protocol
一般就是由于没有加载Kernel IPsec 相关的modlue.如果IPsec相关的代码被编译成module 形式,用需要手动加载相关ipsec module:
modprobe af_key

参考:
1. http://www.ipsec-howto.org/
2. http://www.shorewall.net/IPSEC-2.6.html
3. http://zh.wikipedia.org/wiki/IPsec
------------------

Debian server下通过racoon搭建Cisco Ipsec VPN

apt-get install racoon -y  
安装好后编辑/etc/racoon/racoon.conf
log info;  
path include "/etc/racoon";  
path pre_shared_key "/etc/racoon/psk.txt";

listen {  
    isakmp vps_ip [500]; #监听的端口
    isakmp_natt vps_ip [4500]; #监听的端口
}

remote anonymous {  
    exchange_mode main,aggressive;
    doi ipsec_doi;
    nat_traversal on;
    proposal_check obey;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay = 30;
    dpd_retry = 30;
    dpd_maxfail = 800;
    mode_cfg = on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
        lifetime time 12 hour;
    }
}

timer  
{
    natt_keepalive 20 sec;
}

sainfo anonymous {  
    lifetime time 12 hour ;
    encryption_algorithm aes,3des,des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {  
    dns4 8.8.8.8,8.8.4.4;
    save_passwd on;
    network4 vps_ip; 
    netmask4 255.255.255.0;
    pool_size 250;
    banner "/etc/racoon/motd";
    auth_source system;#这里的认证方式即:useradd -s /bin/false some_username和passwd some_username)
    conf_source local;
    pfs_group 2;
    default_domain "local";
}
接着,配置/etc/racoon/psk.txt
在末尾加入一行
组名称          组密匙
即可.
然后配置/etc/racoon/motd 里面是欢迎信息,可有可无.
接着添加防火墙规则:
iptables --table nat --append POSTROUTING -o ethX --jump MASQUERADE  
不出意外的话现在就可以使用了.
--------------------------------------------------------------

Deploying a pure-IPsec PKI VPN server for Android devices


Android offers built-in support for a handful of VPN configurations, including PPTP, L2TP/IPsec, and starting in ICS, pure-IPsec (without requiring L2TP).
Both pre-shared key (PSK) and public-key infrastructure (PKI) configurations are supported, but today we’ll be focusing on “IPsec Xauth RSA,” which uses PKI to connect. With good key management hygiene, certificates are much more secure than PSK, since you only need to share public keys and can keep private keys secret.
Today we’re going to turn an off-the-shelf Debian server into a pure-IPsec certificate-based server that our Android device can connect to. We’ll be cooking up our own certificates from scratch, and using racoon to handle key exchange and SA management. I’m assuming that our server has a static, publicly routable IPv4 address.
First we’ll start by installing IPsec tools and racoon:
# apt-get install ipsec-tools racoon

Generating PKI certificates

Next we’ll generate the certificates needed to drive our PKI configuration. This includes a new certificate authority (CA), a server certificate, and a client certificate. To make the configuration easier, you might want to edit some of the defaults in /etc/ssl/openssl.cnf:
countryName_default = US
stateOrProvinceName_default = California
0.organizationName_default = Setec
And let’s generate our certificates over near racoon:
$ mkdir /etc/racoon/certs
$ chmod 700 /etc/racoon/certs
$ cd /etc/racoon/certs
First let’s create our CA:
$ openssl req -new -x509 -extensions v3_ca -out myca.crt -keyout myca.key -days 3650
You can hit “enter” through most of the prompts, but be sure to provide good passwords and a unique Common Name for each certificate. Next let’s generate our server certificate and sign it with our CA:
$ openssl req -new -keyout myserver.key -out myserver.csr -days 3650
$ openssl x509 -req -in myserver.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myserver.crt
Next, let’s decrypt the server private key so that racoon can access it:
$ chmod 600 myserver.key
$ openssl rsa -in myserver.key -out myserver.key
And finally let’s generate a client certificate for our phone and sign it.
$ openssl req -new -keyout myphone.key -out myphone.csr -days 3650
$ openssl x509 -req -in myphone.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myphone.crt
While we’re working with certificates, let’s export our client public and private keys, along with our CA, into a PKCS #12 file, which can be easily imported by Android devices:
$ openssl pkcs12 -export -in myphone.crt -inkey myphone.key -certfile myca.crt -name myphone -out myphone.p12
I’d strongly recommend protecting it with an export password, since we’ll be pushing it to the SD card later, which is world-readable on most Android devices. (Unless you’ve enabled Settings > Developer options > Protect USB storage.)

Configuring server

Now that our certificates are ready, we can configure /etc/racoon/racoon.conf:
path certificate "/etc/racoon/certs";

timer {
 # NOTE: varies between carriers
 natt_keepalive 45 sec;
}

listen {
 isakmp 106.187.34.245[500];
 isakmp_natt 106.187.34.245[4500];
}

remote anonymous {
 exchange_mode aggressive,main;
 my_identifier asn1dn;

 certificate_type x509 "myserver.crt" "myserver.key";
 ca_type x509 "myca.crt";
 peers_certfile x509 "myphone.crt";

 passive on;
 proposal_check strict;
 generate_policy on;
 nat_traversal force;

 proposal {
  encryption_algorithm aes256;
  hash_algorithm sha1;
  authentication_method xauth_rsa_server;
  dh_group modp1024;
 }
}

sainfo anonymous {
 encryption_algorithm aes256;
 authentication_algorithm hmac_sha1;
 compression_algorithm deflate;
}

log info;

mode_cfg {
 auth_source system;
 conf_source local;
 accounting system;
 network4 10.44.0.0;
 netmask4 255.255.255.255;
}
This is a fairly typical configuration, but there are a few things worth noting:
First, we’ve carefully chosen our natt_keepalive value, which is the frequency at which our server sends UDP keepalive packets. When our client connects through a NAT, the NAT allocates a public-facing UDP port to receive packets from our server. If no packets are received within a specific timeout, the NAT reclaims that port for allocation to other clients.
So we have a tradeoff: if our keepalive is too short, we waste battery by sending unnecessary keepalive packets; if it’s too long, the port will be reclaimed by the NAT, disconnecting us. To help figure out the best tradeoff, I wrote a tool to empirically derive UDP NAT timeouts, and found these values for popular carrier networks:
NetworkUDP NAT timeout
Verizon 4G LTE60 sec
T-Mobile HSDPA90 sec
AT&T HSDPA120 sec
(When setting the natt_keepalive value for a T-Mobile device, I halved the timeout to give plenty of headroom, which explains the 45 sec value above.)
Second, it’s important to note that we’ve strictly limited the acceptable algorithms and key sizes for both IKE phases 1 and 2 to the strongest that ICS supports. Based on NIST recomendations, AES-256 should be strong enough to protect data beyond 2030, but 1024-bit asymmetric keys and SHA-1 hashes aren’t nearly as robust. If you’re building Android yourself, you could include stronger Diffie-Hellman groups and hashing algorithms.
Next, let’s add a NAT on the server so our Android device can reach the Internet when connected. We need to enable IPv4 forwarding, and create a Source NAT for all non-ESP traffic leaving the server:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING ! -p esp -o eth0 -j SNAT --to-source 106.187.34.245
And let’s create a local user account for racoon to authenticate against:
# useradd -s /sbin/nologin setec
# passwd setec
Finally, let’s restart racoon to pick up our config changes:
# /etc/init.d/racoon restart

Configuring phone

Now that our server is ready, we can configure our Android device. First let’s push the myphone.p12 bundle we created earlier:
adb push myphone.p12 /sdcard
Then we can import the bundle using Settings > Security > Install from storage. You should confirm that it shows the client key, client certificate, and CA certificate we packed earlier.



Next let’s configure the VPN client in Settings > More > VPN. Our VPN type is “IPsec Xauth RSA”, and we’ll use the client and CA certificates we just installed. You’ll also want to configure a trusted DNS server under advanced options. (Otherwise Android will use the DNS server obtained from the local network, which could live in a non-routable private network.)
Finally, we can connect to the VPN with the username and password we defined earlier.

Final notes

Configuring a certificate-based IPsec VPN is complex, and error messages along the way can be cryptic and frustrating, but hopefully this guide is enough to help you get a VPN server running.
Along the way, I found the L2TP/IPsec Gentoo wiki guide to be helpful, including commands forgenerating Android-compatible certificates, and details on configuring SNAT. Also an excellentsummary of key length recommendations, citing references from NIST and others.
If you’re interested in lower-level details, the IPsec HOWTO has sections on kernel configuration and racoon, and generating X.509 certificates.

from http://jsharkey.org/blog/2012/09/22/deploying-a-pure-ipsec-pki-vpn-server-for-android-devices/
-----------------

Notes about Android and IPsec on Linux

Here's some personal notes about the excellent Jeff Sharkey's article Deploying a pure-IPsec PKI VPN server for Android devices
My setup is a little bit different to that of Jeff, I have a 1Gbps fiber plan, a Linux server natted behind my ISP's router and my IPsec VPN server is running on a Linux container (LXC), so this container doesn't have a public IP address. The OS used in all the servers is Ubuntu Trusty 14.04. On the VPN client side I'm using Android 6.0 Mashmallow.

Server configuration

In addition to installing the packages
$ sudo apt-get install ipsec-tools racoon
I also installed the following packages
$ sudo apt-get install iptables openssl tcpdump
When installing the Debian racoon package, you have to chose the type of configuration, in my case I chose the direct mode.
I had to add 2 new port forwarding rules on my ISP's router to sent the traffic UDP on the ports 500 and 4500 to my Linux server, and on it I had to the same thing using iptables
$ sudo iptables -t nat -I PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 10.0.3.91:4500
$ sudo iptables -t nat -I PREROUTING -p udp -m udp --dport  500 -j DNAT --to-destination 10.0.3.91:500
Here the IP address 10.0.3.91 is assigned to the container running the IPsec VPN server.
In the /etc/racoon/racoon.conf file I had to change the public IP address used by Jeff by the container's private IP address:
listen {
    isakmp 10.0.3.91[500];
    isakmp_natt 10.0.3.91[4500];
}
` For more details about the configuration options you can see the racoon.conf's man page.
About the RSA keys, don't forget to convert your server's private key into RSA format using
$ openssl rsa -in myserver.key -out myserver-rsa.key
As the documentation says the output filename should not be the same as the input filename, so you also need to change it in your /etc/racoon/racoon.conf.

Android configuration

Here some details when configuring your VPN profile on your phone:
  • You don't need to install the adb tool to push your .p12 certificate file, you can download it from an URL, Android will detect the format and it will install it using the Android's certificate installer.
  • If you want to use the Always-on VPN option, you need to specify a server's public IP address (instead of its fqdn) and you also must specify an IP address for the DNS servers.

Troubleshooting

If you find some problems, you can always take a look at the /var/log/syslog file and use tcpdumpto inspect your network traffic.
It's also highly recommended to read the Section 2 of the IPsec HOWTO to understand the theory behind IPsec and its Linux Kernel implementation.
from http://seminar.io/2016/04/23/notes-about-android-and-ipsec-on-linux/
-------

在Windows 上,设置Cisco IPsec VPN (即IKEv1 vpn) 

 

IPSec  VPN/Cisco IPsec VPN/IKEv1 VPN这种类型的VPN在iOS、Mac和安卓系统上是系统自带默认支持的,但是在win系统上需要安装Shrew VPN客户端来连接,一般这类VPN都是提供以下四个信息:服务器IP(域名)、IPSec预共享密钥、用户名和密码,有了这些信息就可以按照下面教程安装使用了。
步骤1
首先打开浏览器应用程序。
我们在本教程中使用了Microsoft Edge
第2步
使用此URL下载Shrew VPN客户端https
//www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe
第3步
下载完成后,单击“ 运行 ”。
如果您使用其他方式下载了安装文件,请在“下载”文件夹中找到它,右键单击它并选择“ 以管理员身份运行 ”。
步骤4
如果您收到用户帐户控制的警告,请单击“  ”。
第5步
单击“ 下一步 ”。
第6步
选择“ 标准版 ”,然后单击“ 下一步 ”。
第7步
点击“ 我同意 ”。
第8步
单击“ 下一步 ”。
第9步
单击“ 下一步 ”。
第10步
单击“ 完成 ”。
第11步
安装后,VPN Access Manager将显示在您的桌面上。双击它。
第12步
单击“ 添加 ”。
第13步
在“ 常规 ”选项卡中,“ 主机名或IP地址 ”是您的服务器地址。这是您在本教程开始时从客户专区获得的凭证。
如果您不确定从哪里获取它,请向上滚动页面,您可以在那里找到相关说明。
它不是“str-XXXXXX.reliablehosting.com”,这只是一个例子。
第14步
继续“ 身份验证 ”选项卡。
对于“ 身份验证方法 ”,选择“ Mutual PSK + XAuth ”。
在“ 凭据 ”选项卡中,输入“ 预共享密钥 ”。
您可以在客户区找到此密钥,即服务器地址所在的位置。
第15步
选择“ 阶段1 ”选项卡。
将“ Exchange Type ” 更改为“ main ”。
点击“ 保存 ”。
第16步
如果收到配置警告,请单击“ 确定 ”。
第17步
选择VPN连接,然后单击“ 连接 ”。
第18步
填写“ 用户名 ”和“ 密码 ”字段,您之前获得的凭据。
“ 用户名 ”是登录,不是您的电子邮件。
您也可以在客户区找到这些凭据。
单击“ 连接 ”。
第19步
单击“ 网络 ”选项卡以检查VPN状态。
请注意:很
遗憾,此应用程序不会自动保存您的凭据。此外,请记住,如果您关闭授权表单 – 即使您已连接到VPN – 它也会断开它。这就是为什么在使用VPN时需要最小化窗口但不关闭窗口的原因。
第20步
要确定您是否已成功连接,请在网络浏览器中访问strongvpn.com并在页面顶部检查您的IP地址

完成。

在Windows 10上连接IKEv1

1。打开VPN Access Manager
2。选择您的VPN连接,然后单击“ 连接 ”按钮。
3。输入用户名和密码,即可在客户区中找到的凭据。
4。单击“ 连接 ”。

在Windows 10上断开IKEv1连接

1。打开VPN Access Manager
2。选择您的VPN连接并双击它。
3。在“ 连接 ”选项卡中,单击“ 断开连接 ”。
来源:https://strongvpn.com/setup-windows-10-ipsec/
运行Access Manager点击File下的Preferences按照下图设置,可以让Shrew Soft VPN Connect 窗口连接后最小化到系统托盘(双击托盘图标显示)、保存VPN用户名(好像不能保存密码)和只在状态栏显示Access Manager窗口(方便连接上VPN以后直接关闭此窗口)
Shrew Soft VPN Client虽然很好用,不过其不能保存密码甚是不爽,现在我提供个让其保存密码的简单方法,在你的Shrew Soft VPN Client安装目录下找到ipsecc.exe创建一个快捷方式到桌面,然后右键此快捷方式点属性,然后运行此快捷方式就能启动VPN并无需输入密码自动连接。
注意:.exe”和-r之间有个空格,-r后面是你Access Manager里创建的VPN的连接名,-u后面是VPN用户名,-p后面是VPN密码,-a的意思是启动后自动连接VPN
VPS搭建IPsec VPN可以参考此文https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md 搭建的IPsec VPN连接稍有不同,参考此处
---------------

路由器上使用 Cisco IPSec VPN client


决定在一个闲置的路由器上试试加载 Cisco VPN。Cisco VPN 的好处不用多说了。快啊。
在一个神秘的路由器上刷好 openwrt 后在 gui 后台网页安装好 vpnc 这个包,简直没难度。ssh 进路由器,因为压根 vpnc 就没 gui,进去后创建个 vpnc 的 profile:
/etc/vpnc/config.conf 

IPSec gateway v4addr
IPSec ID ipsecclient
IPSec secret cisco123
Xauth username YOURUSERNAME
Xauth password YOURPASSWORD
NAT Traversal Mode cisco-udp
然后紧张的时候就来了。。。拨号,执行: vpnc /etc/vpnc/config.conf
如无意外,VPN的 banner 会显示出来,那样 VPN 就算连好了。你可以试试先 ping 下 twitter.com 这些不和谐的网站看看。
如果你ping通了,恭喜你。剩下的基本没啥了。无非就是处理下 dns 、死亡检测和国内路由了。dns的trick在于,要让每次vpn连接后自动更新 /tmp/resolv.conf.auto,否则你懂的,域名会被污染。解决这问题去把 /etc/vpnc/vpnc-script 里的 /etc/resolv.conf 全部替换成 /tmp/resolv.conf.auto 即可。
及至此,还有死亡检测要处理,如果 VPN 断了必须让它自动连接。我的做法很简单,grep ifconfig 如果没有 tun0 就启动 vpnc。比较暴力,反正我平时也不用翻墙路由器,不用细究。当然你可以试试写更靠谱的脚本,写完了记得分享给噢。。。
最后就是国内路由了,接下来更加暴力,这是添加国内路由的脚本:
route add -net 1.0.0.0/8 gw $gw
route add -net 14.0.0.0/8 gw $gw
route add -net 27.0.0.0/8 gw $gw
route add -net 36.0.0.0/8 gw $gw
route add -net 39.0.0.0/8 gw $gw
route add -net 42.0.0.0/8 gw $gw
route add -net 49.0.0.0/8 gw $gw
route add -net 58.0.0.0/8 gw $gw
route add -net 59.0.0.0/8 gw $gw
route add -net 60.0.0.0/8 gw $gw
route add -net 61.0.0.0/8 gw $gw
route add -net 101.0.0.0/8 gw $gw
route add -net 103.0.0.0/8 gw $gw
route add -net 106.0.0.0/8 gw $gw
route add -net 110.0.0.0/8 gw $gw
route add -net 111.0.0.0/8 gw $gw
route add -net 112.0.0.0/8 gw $gw
route add -net 113.0.0.0/8 gw $gw
route add -net 114.0.0.0/8 gw $gw
route add -net 115.0.0.0/8 gw $gw
route add -net 116.0.0.0/8 gw $gw
route add -net 117.0.0.0/8 gw $gw
route add -net 118.0.0.0/8 gw $gw
route add -net 119.0.0.0/8 gw $gw
route add -net 120.0.0.0/8 gw $gw
route add -net 121.0.0.0/8 gw $gw
route add -net 122.0.0.0/8 gw $gw
route add -net 123.0.0.0/8 gw $gw
route add -net 124.0.0.0/8 gw $gw
route add -net 125.0.0.0/8 gw $gw
route add -net 134.0.0.0/8 gw $gw
route add -net 139.0.0.0/8 gw $gw
route add -net 140.0.0.0/8 gw $gw
route add -net 144.0.0.0/8 gw $gw
route add -net 150.0.0.0/8 gw $gw
route add -net 153.0.0.0/8 gw $gw
route add -net 157.0.0.0/8 gw $gw
route add -net 159.0.0.0/8 gw $gw
route add -net 161.0.0.0/8 gw $gw
route add -net 162.0.0.0/8 gw $gw
route add -net 163.0.0.0/8 gw $gw
route add -net 166.0.0.0/8 gw $gw
route add -net 167.0.0.0/8 gw $gw
route add -net 168.0.0.0/8 gw $gw
route add -net 171.0.0.0/8 gw $gw
route add -net 175.0.0.0/8 gw $gw
route add -net 180.0.0.0/8 gw $gw
route add -net 182.0.0.0/8 gw $gw
route add -net 183.0.0.0/8 gw $gw
route add -net 202.0.0.0/8 gw $gw
route add -net 203.0.0.0/8 gw $gw
route add -net 210.0.0.0/8 gw $gw
route add -net 211.0.0.0/8 gw $gw
route add -net 218.0.0.0/8 gw $gw
route add -net 219.0.0.0/8 gw $gw
route add -net 220.0.0.0/8 gw $gw
route add -net 221.0.0.0/8 gw $gw
route add -net 222.0.0.0/8 gw $gw
route add -net 223.0.0.0/8 gw $gw
这个很黄很暴力的路由需要细细品味,个中自有滋味。。。
更稳定的更安全的方案大家慢慢折腾吧,我这个到此为止能用就行.
-----------

Cisco IPSec VPN For Debian vps

既然是Debian安装当然是apt-get:
1apt-get install racoon
然后是几个配置文件:
01# /etc/racoon/racoon.conf
02
03path pre_shared_key “/etc/racoon/psk.txt”;
04path certificate “/etc/racoon/certs”;
05
06listen {
07    isakmp SERVER.IP.ADDRESS [500];
08    isakmp_natt SERVER.IP.ADDRESS [4500];
09}
10  
11remote anonymous {
12    exchange_mode aggressive, main, base;
13    mode_cfg on;
14    proposal_check obey;
15    nat_traversal on;
16    generate_policy unique;
17    ike_frag on;
18    passive on;
19    dpd_delay 30;
20      
21    proposal {
22        lifetime time 28800 sec;
23        encryption_algorithm 3des;
24        hash_algorithm md5;
25        authentication_method xauth_psk_server;
26        dh_group 2;
27    }
28}
29  
30sainfo anonymous {
31    encryption_algorithm aes, 3des, blowfish;
32    authentication_algorithm hmac_sha1, hmac_md5;
33    compression_algorithm deflate;
34}
35  
36mode_cfg {
37    auth_source system;
38    dns4 8.8.8.8;
39    banner “/etc/racoon/motd”;
40    save_passwd on;
41    network4 10.12.0.100;
42    netmask4 255.255.255.0;
43    pool_size 100;
44    pfs_group 2;
45}
1# /etc/racoon/psk.txt
2
3# Group Name Group Secret
4GROUP.NAME GROUP.SECRET
设置好psk.txt的权限:
1chmod 600 /etc/racoon/psk.txt
1# /etc/racoon/motd
2
3# Banner
4Welcome to Cisco IPSec!

Account

用户验证用的是系统的用户系统, 简单的新建一个用户即可, 为了安全性shell可设为/bin/false.
1useradd -MN -b /tmp -s /bin/false USER
2passwd USER

iptables

添加以下规则以开放相应端口和NAT转发.
1iptables -A INPUT -p udp -–dport 500 -j ACCEPT
2iptables -A INPUT -p udp –dport 4500 -j ACCEPT
3iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
4iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
重启服务器后以上规则将失效, 持久化参见这篇文章.

ipv4 forward

1# /etc/sysctl.conf
2
3net.ipv4.ip_forward=1
修改后使用如下命令使之生效:
1sysctl -p /etc/sysctl.conf

客户端

Linux Linux可以使用vpnc作为客户端, 配置文件如下:
1# /etc/vpnc/default.conf
2
3IPSec gateway SERVER.DOMAIN/IP
4IPSec ID GROUP.NAME
5IPSec secret GROUP.SECRET
6IKE Authmode psk
7Xauth username USER.NAME
8Xauth password USER.PASSWORD
9NAT Traversal Mode cisco-udp
之后可以使用vpnc-connect/vpnc-disconnect连接和断开VPN.
 from https://web.archive.org/web/20160313045440/http://archangelsdy.com/2012-07/cisco-ipsec-vpn-for-debian
------------

Cisco IPSec VPN for Debian vps

Unsatisfied with OpenVPN’s low speed to connect, I tried to setup a Cisco IPSec VPN recently. Its awesome speed proves to be a right choice. Here are brief steps on Debian.

Server

racoon

raccon is an Internet Key Exchange (IKE) daemon for automatically keying IPsec connections. We’ll use this tool to establish our IPSec connection.
Since we are on Debian, we can simply use apt-get to install it:
apt-get install racoon
And set its configuration files as follows:

racoon.conf

# /etc/racoon/racoon.conf

path pre_shared_key “/etc/racoon/psk.txt”;
path certificate “/etc/racoon/certs”;

listen {
    isakmp SERVER.IP.ADDRESS [500];
    isakmp_natt SERVER.IP.ADDRESS [4500];
}

remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8;
    banner “/etc/racoon/motd”;
    save_passwd on;
    network4 10.12.0.100;
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}

psk.txt

Pre-shared key:
# /etc/racoon/psk.txt

# Group Name Group Secret
GROUP.NAME GROUP.SECRET
And set its permissions to 600:
chmod 600 /etc/racoon/psk.txt

motd

Banner:
# /etc/racoon/motd

# Banner
Welcome to Cisco IPSec!

Accounts

To make it simple, we use system’s account system to validate our users:
useradd -MN -b /tmp -s /bin/false USER
passwd USER

iptables

Add the following rules to open relative ports and enable NAT.
iptables -A INPUT -p udp -–dport 500 -j ACCEPT
iptables -A INPUT -p udp –dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
These rules may be lost after reboot. Consult this article to avoid this.

ipv4 forward

# /etc/sysctl.conf

net.ipv4.ip_forward=1
Run this command to enable this change:
sysctl -p /etc/sysctl.conf

Client

Linux

We can use vpnc as a client on Linux. Here is an example of its config:
# /etc/vpnc/default.conf

IPSec gateway SERVER.DOMAIN/IP
IPSec ID GROUP.NAME
IPSec secret GROUP.SECRET
IKE Authmode psk
Xauth username USER.NAME
Xauth password USER.PASSWORD
NAT Traversal Mode cisco-udp
Now we can connect or disconnect to the server using vpnc-connect or vpnc-disconnect.

Reference

Thanks to these articles for great help:
  • Pure IPSec VPN with IPSec-Tools/Racoon on CentOS
  • How to enable IP Forwarding
  • IPSec-tools
    from https://web.archive.org/web/20161127201454/http://diary.archangelsdy.com/blog/2012/07/29/cisco-ipsec-vpn-for-debian/
    -----------

    racoon/IPSec vpn设置

    1) 安装IPSec-tools/racoon
    </p> <p>wget <a href="ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm">ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm</a><br /> wget <a href="ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm">ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm</a><br /> yum localinstall --nogpgcheck ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm ipsec-tools-0.8.0-1.el5.pp.i386.rpm</p> <p>
    2) 配置racoon
    yum安装后默认的配置文件路径是/etc/racoon,一共需要关注三个文件,racoon.conf / psk.txt 和 motd,先修改racoon.conf
    </p> <p>path pre_shared_key "/etc/racoon/psk.txt";<br /> path certificate "/etc/racoon/certs";<br /> listen {<br /> isakmp 50.116.xx.xx [500];<br /> isakmp_natt 50.116.xx.xx [4500];<br /> }<br /> &nbsp;<br /> remote anonymous {<br /> exchange_mode aggressive, main, base;<br /> mode_cfg on;<br /> proposal_check obey;<br /> nat_traversal on;<br /> generate_policy unique;<br /> ike_frag on;<br /> passive on;<br /> dpd_delay 30;<br /> &nbsp;<br /> proposal {<br /> lifetime time 28800 sec;<br /> encryption_algorithm 3des;<br /> hash_algorithm md5;<br /> authentication_method xauth_psk_server;<br /> dh_group 2;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br /> }<br /> &nbsp;<br /> sainfo anonymous {<br /> encryption_algorithm aes, 3des, blowfish;<br /> authentication_algorithm hmac_sha1, hmac_md5;<br /> compression_algorithm deflate;<br /> }<br /> &nbsp;<br /> mode_cfg {<br /> auth_source system;<br /> dns4 8.8.8.8;<br /> banner "/etc/racoon/motd";<br /> save_passwd on;<br /> network4 10.12.0.100;<br /> netmask4 255.255.255.0;<br /> pool_size 100;<br /> pfs_group 2;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</p> <p>
    然后修改psk.txt
    </p> <p># Group Name Group Secret<br /> YOUR.GROUP.NAME YOUR.GROUP.SECRET</p> <p>
    最后是motd
    </p> <p>ANY.WORD #随便写</p> <p>
    3) 添加用户名密码
    </p> <p>&nbsp;</p> <div>useradd -MN -b /tmp -s /bin/false USER</div> <div>passwd YOUR.PASSWORD</div> <p>
    然后vi一下/etc/passwd把racoon用的用户的shell设置为/sbin/nologin使VPN用户无法使用shell,并且把根目录指向/tmp之类的
    4) 设置iptables
    </p> <p>iptables -A INPUT -p udp -&ndash;dport 500 -j ACCEPT<br /> iptables -A INPUT -p udp --dport 4500 -j ACCEPT<br /> iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE<br /> iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT</p> <p>
    5) 设置ipv4 forward
    修改/etc/sysctl.conf里的ipv4 forward字段值
    </p> <p>net.ipv4.ip_forward=1</p> <p>

    修改后使用如下命令使之生效:
    1 sysctl -p /etc/sysctl.conf
    至此服务器端设置成功!
    from http://www.wikai.info/2012_06_888.html 
  • ----------------------------------------------------
  •  
  • one key to install Cisco IPSec VPN on CentOS/Ubuntu/Debian/Fedora。
  • This is a one-key file to install Cisco IPSec VPN on CentOS/Ubuntu/Debian/Fedora Server. It will be stable when you connect your iPhone/Anroid/PC/Mac to your CentOS/Ubuntu Server with this tool in China. And the only thing you should do is typing several words based on the tips. So enjoy it if you have one VPS (CentOS/Ubuntu/Debian/Fedora) with XEN/KVM/OpenVZ.
    Tips: This code supports the following servers: Linode/DigitalOcean/Bandwagonhost and more.
    Pls remember, you must run this codes with your root user.
    If you want to one-key install Cisco IPSec VPN on your server, you could copy the following codes and run:
    wget --no-check-certificate https://raw.githubusercontent.com/lokyshin/Cisco-IPSec-VPN-Install/master/CIVInstall.sh && chmod +x CIVInstall.sh && bash CIVInstall.sh 2>&1 | tee civaws_install.log

  • 相关帖子:https://briteming.blogspot.com/2013/05/ipsec-toolsracoonipsec-vpn.html