Linode + CentOS 6.2 + racoon + IPSec setup

1) Install IPSec-tools/racoon

wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm
yum localinstall --nogpgcheck ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm ipsec-tools-0.8.0-1.el5.pp.i386.rpm

2) Configure IPSec-tools/racoon

After installing with yum, the default configuration directory is /etc/racoon. Three files need attention: racoon.conf, psk.txt and motd. Edit racoon.conf first:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
    isakmp 50.116.xx.xx [500];
    isakmp_natt 50.116.xx.xx [4500];
}

remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 10.12.0.100;
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}

Then edit psk.txt:

# Group Name      Group Secret
YOUR.GROUP.NAME   YOUR.GROUP.SECRET

Finally, the motd (the banner shown to connecting clients):

ANY.WORD    # any text will do

3) Add a username and password

useradd -MN -b /tmp -s /bin/false USER
passwd USER    # prompts for the new password

Then open /etc/passwd in vi and set the shell of the users racoon authenticates to /sbin/nologin, so VPN users cannot get a shell, and point their home directory at /tmp or similar.

4) Set up iptables

iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT

5) Enable IPv4 forwarding

Change the ip_forward setting in /etc/sysctl.conf:

net.ipv4.ip_forward=1

After editing, apply it with the following command:

sysctl -p /etc/sysctl.conf

The server-side setup is now complete!
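As an added check script that is not part of the original post, the POSIX shell functions below verify the state this procedure leaves behind: the permissions of psk.txt (racoon refuses a key file that group or others can read), leftover placeholder values from step 2, the ip_forward setting from step 5 in both /etc/sysctl.conf and the running kernel, and the two IKE ports opened in step 4. The /etc/racoon/psk.txt and /etc/sysctl.conf paths are the post's own; the script name, function names and the `run` subcommand are this example's.

```shell
#!/bin/sh
# racoon-check.sh: post-install checks for the racoon/IPSec setup described above.
# Added example, not from the original post. File-based checks take an alternative path
# as their first argument; otherwise the paths from the post are used.

# racoon refuses to load a pre-shared-key file that is readable by group or others.
check_psk_perms() {
    psk="${1:-/etc/racoon/psk.txt}"
    [ -f "$psk" ] || { echo "missing: $psk"; return 1; }
    mode=$(stat -c '%a' "$psk")   # GNU/BusyBox stat, as on CentOS
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$psk has mode $mode, expected 600"; return 1 ;;
    esac
}

# The placeholder identifier and secret from the post must have been replaced.
check_psk_placeholders() {
    psk="${1:-/etc/racoon/psk.txt}"
    if grep -Eq 'YOUR\.GROUP\.(NAME|SECRET)' "$psk" 2>/dev/null; then
        echo "$psk still contains placeholder values"; return 1
    fi
}
# Step 5: forwarding enabled persistently in sysctl.conf ...
check_ip_forward_conf() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "${1:-/etc/sysctl.conf}" 2>/dev/null
}
# ... and in the running kernel (after sysctl -p).
check_ip_forward_runtime() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Step 4: ISAKMP (500/udp) and NAT-T (4500/udp) accepted in INPUT; needs root to query.
check_ike_ports() {
    rules=$(iptables -S INPUT 2>/dev/null) || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 500 ' &&
        printf '%s\n' "$rules" | grep -q -- '--dport 4500 '
}

run_all_checks() {
    rc=0
    for c in check_psk_perms check_psk_placeholders check_ip_forward_conf \
             check_ip_forward_runtime check_ike_ports; do
        if "$c"; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Run everything with `sh racoon-check.sh run`; sourcing the file only defines the functions.
case "${1:-}" in run) run_all_checks ;; esac
```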