June 20, 2012

1) Install IPSec-tools/racoon

wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm
yum localinstall --nogpgcheck ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm ipsec-tools-0.8.0-1.el5.pp.i386.rpm

2) Configure IPSec-tools/racoon

After installing with yum, the default configuration directory is /etc/racoon. Three files need attention: racoon.conf, psk.txt and motd. Start by editing racoon.conf:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
    isakmp 50.116.xx.xx [500];
    isakmp_natt 50.116.xx.xx [4500];
}

remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 10.12.0.100;
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}

Then edit psk.txt:

# Group Name Group Secret
YOUR.GROUP.NAME YOUR.GROUP.SECRET

Finally, motd:

ANY.WORD # write anything you like here
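Added here as an editor's example, not code from the original post or from the ipsec-tools project: a small Python audit that parses a racoon.conf in the form shown above, flags the legacy algorithms and the aggressive-mode/PSK combination that configuration enables, and checks that psk.txt is not group- or world-readable. SAMPLE_CONF is a constructed copy of the relevant directives, and parse_settings, psk_file_mode and audit_conf are names chosen for this example.

```python
import os
import re
import stat

# Constructed sample mirroring the racoon.conf shown in the post above (not a file from any real host).
SAMPLE_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
    exchange_mode aggressive, main, base;
    proposal { encryption_algorithm 3des; hash_algorithm md5;
               authentication_method xauth_psk_server; dh_group 2; }
}
sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
}
"""
WEAK_ENC = {"des", "3des", "blowfish", "cast128"}  # 64-bit-block / legacy ciphers
WEAK_HASH = {"md5", "hmac_md5"}

def parse_settings(text):
    """Collect every 'directive v1, v2;' statement into {directive: [values]}, merged across all blocks."""
    settings = {}
    for m in re.finditer(r"(\w+)\s+([^{};]+);", re.sub(r"#.*", "", text)):
        vals = [v.strip().strip('"') for v in m.group(2).split(",")]
        settings.setdefault(m.group(1), []).extend(vals)
    return settings

def psk_file_mode(text):
    """st_mode of the file named by 'path pre_shared_key', or None if the directive or file is absent."""
    m = re.search(r'path\s+pre_shared_key\s+"([^"]+)"', text)
    return os.stat(m.group(1)).st_mode if m and os.path.exists(m.group(1)) else None

def audit_conf(text, psk_mode=None):
    """Return sorted, de-duplicated findings for a racoon.conf; psk_mode is psk.txt's st_mode if known."""
    s = parse_settings(text)
    findings = set()
    uses_psk = any("psk" in a for a in s.get("authentication_method", []))
    if uses_psk and "aggressive" in s.get("exchange_mode", []):
        findings.add("aggressive mode with PSK: IKEv1 sends the PSK-derived hash in the clear, so the group secret can be guessed offline")
    for alg in s.get("encryption_algorithm", []):
        if alg in WEAK_ENC:
            findings.add("weak encryption_algorithm: " + alg)
    for alg in s.get("hash_algorithm", []) + s.get("authentication_algorithm", []):
        if alg in WEAK_HASH:
            findings.add("weak hash/authentication algorithm: " + alg)
    if psk_mode is not None and psk_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.add("psk.txt is readable by group/others; it should be mode 0600")
    return sorted(findings)
```

On a live host, call audit_conf(open("/etc/racoon/racoon.conf").read(), psk_file_mode(text)) and review each finding against the remote peers you actually need to support.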

3) Add a username and password

useradd -MN -b /tmp -s /bin/false USER
passwd USER    # passwd takes the username; it then prompts for the password to set

Then open /etc/passwd in vi and set the shell of the user racoon uses to /sbin/nologin so VPN users cannot get a shell, and point their home directory at /tmp or similar.

4) Set up iptables

iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT

5) Enable IPv4 forwarding

Change the ipv4 forward entry in /etc/sysctl.conf:

net.ipv4.ip_forward=1

After the change, apply it with the following command:

sysctl -p /etc/sysctl.conf

That completes the server-side setup!

1 comment on "Linode+Centos6.2+racoon+IPSec Setup"

  1. […] The configuration files were based on this article and this article, […]
