Last active December 15, 2015 11:03
Notes on integrating Cisco IPsec with ToughRadius
This assumes you already have both ToughRadius and the Cisco IPsec VPN working. Change into the /usr/local/etc directory.

Edit strongswan.d/charon/eap-radius.conf:
```
eap-radius {
    accounting = yes
    load = yes
    dae {
        enable = yes
        listen = 0.0.0.0
        port = 3799
    }
    forward {
    }
    servers {
        server-a {
            secret = *enter your radius secrets*
            address = *enter your radius server IP*
            auth_port = 1812
            acct_port = 1813
        }
    }
    xauth {
    }
}
```
Then edit ipsec.conf:
```
config setup
    uniqueids=never

conn iOS_xauth_psk
    keyexchange=ikev1
    fragmentation=yes
    ikelifetime=12h
    lifetime=12h
    rekey=yes
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.90.0.0/24
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    ikelifetime=12h
    aggressive=yes
    lifetime=12h
    rekey=yes
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.90.0.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    ikelifetime=12h
    lifetime=12h
    rekey=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.90.0.0/24
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    # rekey is set twice in this conn (no, then yes); keep only the value you intend
    rekey=no
    ikelifetime=12h
    lifetime=12h
    rekey=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.90.0.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

conn L2TP-PSK
    keyexchange=ikev1
    authby=secret
    ikelifetime=12h
    lifetime=12h
    rekey=yes
    leftprotoport=17/1701
    leftfirewall=no
    rightprotoport=17/%any
    type=transport
    auto=add
```
Change your configuration to match the above.

rightsourceip can be changed to whatever subnet you want.

Android's IPsec VPN authentication works much like iOS's, but it needs the extra `aggressive = yes`; without it the client cannot connect to the server.
Thanks a lot for sharing this configuration guide. I suggest changing eap-radius.conf as follows:

```
dae {
    enable = yes
    listen = 0.0.0.0
    port = 3799
    secret = enter your radius secrets
}
```

Without `secret`, the DAE feature cannot be enabled.