Pure IPsec VPN with IPsec-Tools/Racoon on CentOS

I had previously set up OpenVPN on my VPS for a router running Tomato firmware, and StrongSwan as an IPsec VPN for iPhone/iPad. Since IPsec should be more efficient than OpenVPN, I wanted to replace the OpenVPN on Tomato with an IPsec VPN as well.

How to do that? The only IPsec client Tomato can install through Optware is vpnc, and vpnc only supports IKE phase 1 aggressive mode, while the StrongSwan server only supports main mode, so the two clearly do not get along. That leaves two options:

1) Replace Tomato with OpenWRT and use StrongSwan/OpenSwan/racoon as the client connecting to the StrongSwan server

2) Replace the StrongSwan server with OpenSwan or racoon, which support aggressive mode, and keep vpnc as the client

 

I tried option one, but unfortunately it did not work.

The approach was to buy a very cheap wireless modem, a DB120 running OpenWRT, on which I installed OpenSwan and StrongSwan and tried connecting to the server. The StrongSwan packages were fairly complete, while OpenSwan lacked prebuilt packages for some modules. Unfortunately, although the configuration seemed correct and user authentication passed, routing and forwarding were always broken: either packets could not be forwarded to the VPN server, or they could but the local connection dropped. Quite a hassle!

On top of that, I even switched the server side to OpenSwan in aggressive mode, but when iPhone and OS X dialed in, the split DNS support in modecfg did not seem to match, so DNS could not be pushed to the clients. OS X was fine since you can specify the DNS server yourself, but the iPhone was stuck, and vpnc on Tomato could not even get past IKE phase 1, so I had to give up.

 

So on to option two, which is the one that works.

Replace StrongSwan with IPsec-Tools/racoon, and then iOS, OS X, Windows, Tomato and the rest can all dial in. Skipping the painful trial and error, the steps are roughly as follows:

1) Install IPsec-tools/racoon

My VPS runs CentOS; you can compile it yourself or install it via yum, and yum is the easier of the two.

wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm
yum localinstall --nogpgcheck ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm ipsec-tools-0.8.0-1.el5.pp.i386.rpm

 

If you want to compile it instead, use the following options:

./configure --sysconfdir=/etc/racoon --enable-natt --enable-broken-natt --enable-hybrid --enable-dpd

If it complains that kernel headers are needed, see this article:

http://blog.csdn.net/zhangyang0402/article/details/5732815

 

2) Configure IPsec-tools/racoon

After installing with yum the default configuration directory is /etc/racoon. Three files matter: racoon.conf, psk.txt and motd. One at a time:

racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
    isakmp YOUR.IP.ADDRESS [500];        # replace YOUR.IP.ADDRESS with the VPS's public address
    isakmp_natt YOUR.IP.ADDRESS [4500];  # replace YOUR.IP.ADDRESS with the VPS's public address
}

remote anonymous {
    exchange_mode aggressive, main, base;  # support IKE aggressive and main mode at the same time
    mode_cfg on;                           # let clients fetch DNS settings via modecfg
    proposal_check obey;     # strange: most example configs use proposal_check claim (take the shorter lifetime in the negotiation and notify the initiator), but claim does not work in 0.8; only obey works, i.e. follow the lifetime sent by the initiator
    nat_traversal on;        # enable NAT-T, mandatory
    generate_policy unique;  # seems to be needed so that multiple clients NATed to the same address can connect
    ike_frag on;
    passive on;
    dpd_delay 30;            # dead peer detection interval

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;  # pre-shared key + username/password authentication
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;         # authenticate against the system's user/password database; could not be bothered with other methods
    dns4 8.8.8.8;
    banner "/etc/racoon/motd";  # banner; vpnc apparently will not work without a banner, really?
    save_passwd on;
    network4 10.12.0.100;       # first address handed out to clients
    netmask4 255.255.255.0;     # netmask for the client addresses
    pool_size 100;              # maximum number of clients
    pfs_group 2;
}

 

psk.txt

# Group Name      Group Secret
# The first field is the Group Name (the IPSec ID in the vpnc config), the second is the secret (the IPSec secret in vpnc)
YOUR.GROUP.NAME YOUR.GROUP.SECRET

motd (the banner file; its contents can be anything)

ANY.WORD

3) Add a username and password

useradd YOUR.USERNAME

passwd YOUR.USERNAME   # passwd takes the user name and then prompts for the new password

Then edit /etc/passwd with vi and set the shell of the user racoon uses to /sbin/nologin, so that VPN users cannot get a shell, and point the home directory at /tmp or similar.
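As an added example (not part of the original post), a small script that creates the Xauth account the way step 3 describes, without a login shell and with its home under /tmp, plus an audit function that flags VPN accounts still carrying an interactive shell. The passwd file path and account names are parameters, so the audit can run against a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes shadow-utils useradd (CentOS)
# and a passwd(5)-format file; the account names are whatever you created in step 3.

# add_vpn_user USERNAME: create the Xauth account with no home directory created,
# home pointed at /tmp and no interactive shell, then set its password
add_vpn_user() {
    useradd -M -d /tmp -s /sbin/nologin "$1" && passwd "$1"
}

# audit_vpn_users PASSWD_FILE USER...: print every listed account that is missing
# or whose login shell is interactive (anything but /sbin/nologin or /bin/false);
# returns 0 when all accounts are locked down, 1 otherwise
audit_vpn_users() {
    pw=$1
    shift
    bad=0
    for u in "$@"; do
        entry=$(awk -F: -v u="$u" '$1 == u { print; exit }' "$pw")
        if [ -z "$entry" ]; then
            echo "$u: no such account in $pw"
            bad=1
            continue
        fi
        shell=${entry##*:}   # seventh field: the login shell (empty means /bin/sh)
        case "$shell" in
            /sbin/nologin|/bin/false) ;;
            *) echo "$u: interactive shell '${shell:-/bin/sh (default)}'"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage on the VPS (needs root):
#   add_vpn_user vpnuser1
#   audit_vpn_users /etc/passwd vpnuser1 vpnuser2
```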

 

 

4) Install vpnc on the Tomato firmware router

To install software on Tomato with Optware it is best to have a USB stick, though jffs works too. For the Optware installation guide see the TomatoUSB HOWTO:

http://tomatousb.org/doc:optware

http://tomatousb.org/tut:optware-installation

ipkg update
ipkg install vpnc

 

5) Configure vpnc

vpnc's default configuration directory is /opt/etc/vpnc; if you only have one server you can simply edit default.conf (comments go on their own lines, since vpnc takes the rest of a directive line as the value):

# VPN server address or host name
IPSec gateway YOUR.VPN.GW
# matches the Group Name set in psk.txt above
IPSec ID YOUR.GROUP.ID
# matches the secret set in psk.txt above
IPSec secret YOUR.SECRET
# user name
Xauth username YOUR.USERNAME
# password
Xauth password YOUR.PASSWORD

6) A few small tuning tricks

See @paveo's articles:

vpncwatch and MTU problems under OpenWRT

Using the Cisco IPsec VPN client on a router

CHNroutes

@paveo's class-A routing table is a bit brutal; even my beloved mobile01 became unreachable, so here is a small tweak:

Since adding 3000 routes with ip -batch turns out to take only 2-3 seconds, we might as well write out the full chnroutes table:

#!/bin/sh

OLDGW=$(nvram get lan_gateway)  # I have two routers at home and the one connecting to the VPN is not the one doing PPPoE; with a single router use wan_gateway instead of lan_gateway

# feed the route list to ip in batch mode from a here-document ("-" means read from stdin)
ip -batch - <<EOF
# chnroutes
route add 1.0.1.0/24 via $OLDGW metric 5
route add 1.0.2.0/23 via $OLDGW metric 5
route add 1.0.8.0/21 via $OLDGW metric 5
route add 1.0.32.0/19 via $OLDGW metric 5
route add 1.1.0.0/24 via $OLDGW metric 5
route add 1.1.2.0/23 via $OLDGW metric 5
# ...... (the rest of the chnroutes list)
route add 223.255.236.0/22 via $OLDGW metric 5
route add 223.255.252.0/23 via $OLDGW metric 5
EOF
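The same batch approach, generalized as an added example that is not from the original post: instead of pasting thousands of route add lines into the init script, keep the prefixes in a file and generate the ip -batch input from it, validating each line so that one stray entry cannot abort the batch (ip -batch stops at the first failure). The file path /opt/etc/chnroutes.txt and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the chnroutes prefixes live in
# /opt/etc/chnroutes.txt, one CIDR per line, and that OLDGW is obtained as in the post.

# only lines shaped like a.b.c.d/nn with a prefix length of 0-32 are accepted
CIDR_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$'

# gen_batch PREFIX_FILE GATEWAY METRIC: print one "route add" line per valid prefix;
# blank lines, comments and malformed entries are dropped before they reach ip
gen_batch() {
    grep -E "$CIDR_RE" "$1" |
    while read -r net; do
        printf 'route add %s via %s metric %s\n' "$net" "$2" "$3"
    done
}

# count_valid PREFIX_FILE: number of entries gen_batch would emit (handy for logging)
count_valid() {
    grep -cE "$CIDR_RE" "$1"
}

# apply_routes PREFIX_FILE GATEWAY: hand the generated list to ip in batch mode
# ("-" reads from stdin), so those prefixes bypass the VPN via the old gateway
apply_routes() {
    gen_batch "$1" "$2" 5 | ip -batch -
}

# On the router (uncomment to use):
# OLDGW=$(nvram get lan_gateway)
# echo "adding $(count_valid /opt/etc/chnroutes.txt) chnroutes entries via $OLDGW"
# apply_routes /opt/etc/chnroutes.txt "$OLDGW"
```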

 

Also, start vpnc through vpncwatch so that it reconnects automatically after a disconnect:

cd /opt/sbin/
wget http://p5.gfw.io/vpncwatch

Then the start command can be pasted straight into administration -> Scripts -> Init in the Tomato web GUI:

/opt/sbin/vpncwatch -c twitter.com -p 80 -i 30 vpnc /opt/etc/vpnc/default.conf

Done. But tinkering never ends; what will I tinker with next?

31 comments

    1. 22M might be cutting it close. This is the Optware directory on my E3000; even without the config backup it is over 30M:

      root@Linksys_E3000:/tmp/mnt/Key/Optware# du -d 1 -h
      44.0K ./etc
      17.3M ./lib
      537.0K ./sbin
      2.0K ./usr
      1.9M ./bin
      12.0M ./share
      1.9M ./cfg_backup
      2.7M ./include
      731.0K ./man
      9.0K ./var
      961.0K ./libexec
      91.0K ./openvpn
      164.0K ./chnroutes
      38.3M .

  1. Thanks. Is there a way to make software like Xunlei and BT not go through the VPN line?
    The clumsy method I have found so far is to point the Xunlei server IPs at the ISP line:
    route add -net <Xunlei server IP> gw $OLDGW
    It seems possible to use firewall rules to restrict certain ports to the VPN line; I wonder if there is a better way.

  2. I installed it following your method, but after starting it the iPhone cannot use it; the response is that the server did not respond (vpn server did not respond). What could be the problem? I restarted racoon, but the second line says failed, and I do not know whether that matters. Also there is no motd file under etc/racoon.
    /etc/init.d/racoon restart
    Flushing the IPsec SA/SP database: [ OK ]
    Shutting down the IKE key management daemon (racoon): [FAILED]
    Configuring the IPsec SA/SP database: [ OK ]
    Starting the IKE key management daemon (racoon): [ OK ]

  3. No idea why, but the racoon configuration never succeeds. I wrote it exactly like your config file, yet racoon will not start. Commenting out the lines one by one and restarting, I found it is the remote anonymous setting that fails: even with nothing inside the {} of remote anonymous, as long as that option exists racoon cannot start, and if remote anonymous is commented out racoon starts normally. No idea what is going on.

  4. strongswan 5.0.1 now supports aggressive mode, but when connecting from openwrt with vpnc I get the error vpnc: response was invalid [1]: (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7). Does the OP have time to look into connecting vpnc to the new strongswan?

  5. 2013-01-02 14:57:42: INFO: Using port 0
    2013-01-02 14:57:42: INFO: Released port 0
    2013-01-02 14:57:42: INFO: login failed for user “root”
    2013-01-02 14:57:42: ERROR: Attempt to release an unallocated address (port 0)
    2013-01-02 14:57:42: ERROR: mode config 6 from 113.116.xxx.77[4500], but we have no ISAKMP-SA.
    2013-01-02 14:57:42: ERROR: unknown Informational exchange received.

    Any advice would be appreciated.
