咳咳。部署团委的创青春网站(Under Construction 2333),顺便弄了一下 Cisco 的 VPN。
比想像中容易配置,主要参考了MartianZ 菊苣的 blog 和另一篇博文。
# apt-get install ipsec-tools   # setkey and the kernel IPsec SA/SPD tooling
# apt-get install racoon        # IKEv1 daemon that reads the racoon.conf below
# /etc/racoon/racoon.conf
# IKEv1 responder for Cisco-style clients: group PSK for phase 1, then per-user XAuth.
# NOTE(review): racoon/ipsec-tools has had no upstream maintenance for years;
# for a new deployment strongSwan or Libreswan are the maintained alternatives — confirm.
path pre_shared_key "/etc/racoon/psk.txt";   # group name -> group secret (psk.txt below)
path certificate "/etc/racoon/certs";
listen {
isakmp YOUR.IP.ADDRESS [500];
isakmp_natt YOUR.IP.ADDRESS [4500];
# Replace YOUR.IP.ADDRESS on the two lines above with the VPS's public address.
}
remote anonymous {
# Aggressive mode (listed first) with a group PSK lets an observer of the
# phase-1 exchange guess the group secret offline, so that secret must be long
# and random (see psk.txt).
exchange_mode aggressive, main, base;
mode_cfg on;
proposal_check obey;     # accept the client's proposed lifetime
nat_traversal on;
generate_policy unique;
ike_frag on;
passive on;              # respond only, never initiate
dpd_delay 30;            # dead-peer detection probe interval, seconds
proposal {
lifetime time 28800 sec;
# 3DES/MD5 are legacy choices kept here for client compatibility; prefer
# aes/sha1 (or stronger) if every client offers them.
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method xauth_psk_server;   # group PSK + XAuth user login
dh_group 2;              # 1024-bit MODP; weak today, but some clients offer nothing larger — confirm
}
}
sainfo anonymous {
# Phase-2 (ESP) proposals, offered in this order; blowfish and hmac_md5 are legacy.
encryption_algorithm aes, 3des, blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
mode_cfg {
auth_source system;      # XAuth is checked against the system accounts created with useradd below
dns4 8.8.8.8;            # resolver pushed to clients
banner "/etc/racoon/motd";
save_passwd on;          # allows clients to cache the XAuth password; set off to require re-entry
network4 10.1.1.100;     # first address handed out to clients
netmask4 255.255.255.0;  # netmask for the client addresses
pool_size 100;           # maximum number of clients
pfs_group 2;
}
# /etc/racoon/psk.txt
# One entry per line: identifier, whitespace, secret.
YOUR.GROUP.NAME YOUR.GROUP.SECRET
# The first field is the Group Name (the IPSec ID configured in vpnc).
# The second field is the Secret (the IPSec secret in vpnc).
# Use a long random secret: with aggressive mode enabled in racoon.conf this
# value is what an offline guess against captured phase-1 traffic targets.
# Keep the file readable by root only (chmod 600); racoon rejects a key file
# that group/others can read — confirm on the installed version.
4 | # /etc/racoon/motd
Fuck GFW!
# 欢迎信息,貌似一定要填写?
添加用户名和密码
# useradd -MN -b /tmp -s /sbin/nologin YOUR.USERNAME   # no home (-M), no private group (-N), no login shell: XAuth-only account
# passwd YOUR.USERNAME                                  # sets the XAuth password (auth_source system in racoon.conf)
设置 iptables 的规则和 IPv4 forward
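# iptables -A INPUT -p udp --dport 500 -j ACCEPT     # IKE
# iptables -A INPUT -p udp --dport 4500 -j ACCEPT    # IKE and ESP over NAT-T
# iptables -A INPUT -p esp -j ACCEPT                 # plain ESP from clients not behind NAT (matters only when the INPUT policy is DROP)
# iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE   # eth0 = the VPS's uplink interface; adjust to match
# iptables -A FORWARD -s 10.1.1.0/24 -j ACCEPT       # client -> Internet
# iptables -A FORWARD -d 10.1.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies back to clients (matters only when the FORWARD policy is DROP)
# iptables-save                                      # only prints the ruleset; redirect it or use the distro's save mechanism to persist it across reboots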
# /etc/sysctl.conf
net.ipv4.ip_forward = 1   # let the VPS route client traffic (required by the MASQUERADE/FORWARD rules above)
sysctl -p                 # shell command, not file content: apply the setting now without a reboot
最后启动 ><
# service racoon start   # start the IKE daemon now
# chkconfig racoon on    # SysV/RHEL-style autostart; the apt-get at the top suggests a Debian-family system, where update-rc.d or systemctl enable is the equivalent — confirm