Racoon IPSEC VPN setup using IKEv1 and Linux Username and Password
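#!/bin/sh
# Set up racoon as an IKEv1 IPsec VPN server (XAuth + PSK) that authenticates
# users against local Linux accounts, and make NAT/forwarding persistent.
#
# Usage (as root):  SERVER_IP=<public address> sh setup-racoon.sh
# Required env:     SERVER_IP  - public IPv4 address racoon listens on
# Interactive:      'passwd vpn' prompts for the VPN account's password.
set -eu

# Fail early instead of writing a literal placeholder into racoon.conf.
: "${SERVER_IP:?set SERVER_IP to the address racoon should listen on}"

# Address pool handed out to clients; must agree with network4/netmask4 in
# the mode_cfg section below.
readonly vpn_net=10.100.0.0/24

# Install racoon.
apt-get install racoon

# Write the racoon configuration. The delimiter is unquoted on purpose so
# ${SERVER_IP} expands; nothing else in this block contains '$'.
cat << _EOF_ > /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
  isakmp ${SERVER_IP} [500];        ## server address
  isakmp_natt ${SERVER_IP} [4500];  ## server address (NAT-T)
}
remote anonymous {
  exchange_mode main,aggressive;
  mode_cfg on;
  proposal_check claim;  # server values win over the client's, e.g. lifetime
  nat_traversal force;
  generate_policy unique;
  ike_frag on;
  passive off;
  esp_frag 1104;
  dpd_delay 30;
  proposal {
    lifetime time 28800000 sec;  ## long lifetime so OS X does not drop every hour
    encryption_algorithm 3des;   # legacy cipher kept for client compatibility
    hash_algorithm sha1;
    authentication_method xauth_psk_server;
    # authentication_method pre_shared_key;
    dh_group modp1024;
  }
}
sainfo anonymous {
  encryption_algorithm aes, 3des, blowfish;
  authentication_algorithm hmac_sha1, hmac_md5;
  pfs_group 2;
  lifetime time 100 hour;
  compression_algorithm deflate;
}
mode_cfg {
  auth_source system;  ## Linux system accounts; a dedicated no-login account is created below
  dns4 8.8.4.4,8.8.8.8;
  save_passwd on;
  banner "";  ## empty banner suppresses the login message; commenting 'banner' out does not
  network4 10.100.0.10;
  netmask4 255.255.255.0;
  pool_size 100;
  pfs_group 2;
}
_EOF_

# Pre-shared keys. racoon takes everything after the identifier, up to end of
# line, as the key, so comments must sit on their own lines (a trailing
# '## ...' would become part of the key). The file is created under umask 077
# so the secret is never world-readable, even briefly.
(
  umask 077
  cat << '_EOF_' > /etc/racoon/psk.txt
# format: IDENTIFIER PRE_SHARED_KEY
# group "vpn" with key "vpn"
vpn vpn
# any other identifier, key "vpn" (wildcard: one secret shared by all clients)
* vpn
_EOF_
)
# Also tighten a pre-existing file, which umask alone does not touch.
chmod 600 /etc/racoon/psk.txt

# Dedicated account used only as the XAuth username: no home, no login shell.
if ! id vpn > /dev/null 2>&1; then
  useradd -MN -b /tmp -s /bin/false vpn
fi
# Prompts for the VPN account's password.
passwd vpn

# Masquerade client traffic so clients reach the Internet through this host;
# scoped to the VPN pool rather than all forwarded traffic.
/sbin/iptables -t nat -A POSTROUTING -s "${vpn_net}" -j MASQUERADE
# Only needed when the host already has a restrictive INPUT/FORWARD policy.
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
/sbin/iptables -A FORWARD -s "${vpn_net}" -j ACCEPT
# Return traffic to clients, needed when the FORWARD policy is DROP.
/sbin/iptables -A FORWARD -d "${vpn_net}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable forwarding.
cat << '_EOF_' >> /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding = 1
_EOF_
sysctl -p

# Start racoon and enable it at boot.
/etc/init.d/racoon restart
update-rc.d racoon enable

# Client test: server = this host's address, username = vpn, password = the
# one entered at the passwd prompt, PSK = vpn, group = vpn or empty.

# Make the firewall rules survive a reboot. rc.local is replaced wholesale,
# so the previous one is backed up first; ${vpn_net} expands in the heredoc.
if [ -e /etc/rc.local ]; then
  cp /etc/rc.local /etc/rc.local.backup
fi
cat << _EOF_ > /etc/rc.local
#!/bin/sh
/sbin/iptables -t nat -A POSTROUTING -s ${vpn_net} -j MASQUERADE
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
/sbin/iptables -A FORWARD -s ${vpn_net} -j ACCEPT
/sbin/iptables -A FORWARD -d ${vpn_net} -m state --state ESTABLISHED,RELATED -j ACCEPT
exit 0
_EOF_
chmod 755 /etc/rc.local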