Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

Notes
Testing with a VPS under Parallels Desktop 10 for Mac was not successful.
Testing with DO and Linode VPSes was successful.
The configuration details are taken from information found online.
Update the package sources
yum install wget vim -y
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
yum makecache
Download the packages
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/x86_64/ipsec-tools-libs-0.8.0-1.el5.pp.x86_64.rpm

wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/aevseev/CentOS_CentOS-6/x86_64/ipsec-tools-0.8.0-25.3.x86_64.rpm
Install the dependencies
yum install openssl098e-0.9.8e-18.el6_5.2.x86_64 -y
yum install compat-openldap-2.3.43-2.el6.x86_64 -y
Install
rpm -ivh ipsec-tools-libs-0.8.0-1.el5.pp.x86_64.rpm
rpm -ivh ipsec-tools-0.8.0-25.3.x86_64.rpm 
Configuration
  • Set the welcome banner that racoon shows clients after login

    vim /etc/racoon/motd
    
    Welcome to Test IPSec VPN
    
  • Set the VPN group name and pre-shared key (psk.txt holds one "identifier key" pair per line; here vpn is the group name clients enter and 123123 is a demo key that should be replaced by a long random value on any real server)

    vim /etc/racoon/psk.txt
    
    vpn 123123
    
  • Set the racoon configuration file

    vim /etc/racoon/racoon.conf
    
    path include "/etc/racoon";
    #include "remote.conf";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/cert";
    #log debug;
    
    listen
    {
        # replace 10.211.55.64 with the address of the interface clients connect to
        isakmp 10.211.55.64 [500];
        isakmp_natt 10.211.55.64 [4500];
    }
    
    remote anonymous
    {
        exchange_mode main, aggressive, base;
        mode_cfg on;
        proposal_check obey;    # obey, strict, or claim
        nat_traversal on;
        generate_policy unique;
        ike_frag on;
        passive on;
        dpd_delay 30;
    
        proposal {
            lifetime time 28800 sec;
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method xauth_psk_server;
            dh_group 2;
        }
    }
    
    sainfo anonymous
    {
        encryption_algorithm 3des, aes, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }
    
    mode_cfg
    {
        auth_source system;
        dns4 8.8.8.8, 114.114.114.114;
        banner "/etc/racoon/motd";
        save_passwd on;
        network4 192.168.0.100;
        netmask4 255.255.255.0;
        pool_size 100;
        pfs_group 2;
    }
    
    This proposal uses the weakest widely supported IKE settings (3DES, MD5, DH group 2) and also offers aggressive mode, in which a hash derived from the group pre-shared key is sent before encryption is established, so anyone capturing the exchange can brute-force that key offline. If the clients you need to support accept it, prefer aes and sha1 with main mode only, and in any case keep the group key long and random.
Add a system user and password (auth_source system above makes racoon check XAuth logins against local system accounts; the account gets no home directory and no shell)
useradd -MN -b /tmp -s /sbin/nologin testvpn
passwd testvpn
Enable IP forwarding
sed -i 's/^\(net.ipv4.ip_forward =\).*/\1 1/' /etc/sysctl.conf; sysctl -p 
Set the firewall rules (UDP 500 is IKE and UDP 4500 is NAT-T; eth0 must be the interface holding the public address. Clients that are not behind NAT send ESP directly as IP protocol 50 rather than inside UDP 4500, which these rules do not accept. On a stock CentOS 6 firewall the FORWARD chain ends with a REJECT rule, so a rule appended with -A lands after it and never matches; insert it with -I in that case.)
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
Save
service iptables save
Start (-f selects the configuration file, -l the log file and -d raises the debug level; drop -d once the tunnel works, and add -F to keep racoon in the foreground while testing)
racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -d 
Related errors
  • ERROR: /etc/racoon/psk.txt has weak file permission

    chmod 700 /etc/racoon/psk.txt
    
    racoon refuses a key file that group or other can access; 600 is sufficient, the execute bit is not needed.
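To make the two points above checkable (the demo key in psk.txt and the weak IKE proposal in racoon.conf), here is a small shell helper added to this page; it is not part of the original post or of ipsec-tools. It generates a random pre-shared key in place of the demo value, writes psk.txt with the permissions racoon's check requires, and greps a racoon.conf for the weak settings the sample configuration enables. The function names, the constructed sample_conf contents and the scratch directory are this example's own assumptions; run it with the argument demo to exercise everything against a temporary directory rather than /etc/racoon.

```shell
#!/bin/sh
# Added example, not from the original post: helper checks for the racoon
# setup above. gen_psk/write_psk replace the demo "vpn 123123" with a random
# key, psk_perms_ok reproduces racoon's "weak file permission" check, and
# audit_racoon_conf flags the weak IKE settings in the sample racoon.conf
# (3DES, Blowfish, MD5, DH group 2, aggressive mode, save_passwd).
# All paths are arguments so nothing here touches /etc/racoon unless asked.

# 32 hex characters (128 bits) read from /dev/urandom.
gen_psk() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write "<identifier> <key>" to the psk file, owner read/write only.
# psk.txt is one "identifier key" pair per line; the identifier is the
# group name the client sends (the "vpn" in the post).
write_psk() {
    old_umask=$(umask)
    umask 077
    printf '%s %s\n' "$2" "$3" > "$1"
    chmod 600 "$1"
    umask "$old_umask"
}

# True when group and other have no permission bits at all: columns 5-10
# of ls -l output are the group and other permission characters.
psk_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# One line per weak setting found. Comments are stripped first so a
# commented-out "#hash_algorithm md5" is not reported.
audit_racoon_conf() {
    sed 's/#.*//' "$1" | awk '
        /exchange_mode/ && /aggressive/          { print "aggressive mode offered: PSK-derived hash sent unencrypted, crackable offline" }
        /encryption_algorithm/ && /3des/         { print "weak cipher: 3des (64-bit block)" }
        /encryption_algorithm/ && /blowfish/     { print "weak cipher: blowfish (64-bit block)" }
        /hash_algorithm/ && /md5/                { print "weak hash: md5" }
        /authentication_algorithm/ && /hmac_md5/ { print "weak integrity: hmac_md5" }
        /(dh|pfs)_group[ \t]+2[ \t]*;/           { print "weak DH group: 2 (1024-bit MODP)" }
        /save_passwd[ \t]+on/                    { print "save_passwd on: client may cache the XAuth password" }
    '
}

# Number of findings, for scripting a pass/fail gate.
audit_count() {
    audit_racoon_conf "$1" | awk 'END { print NR }'
}

# Constructed sample (this example's own): the phase-1/phase-2 settings
# from the post's racoon.conf, plus one commented-out line as a control.
sample_conf() {
    cat > "$1" <<'EOF'
remote anonymous {
    exchange_mode main, aggressive, base;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}
sainfo anonymous {
    encryption_algorithm 3des, aes, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
}
mode_cfg {
    save_passwd on;
    pfs_group 2;
    #hash_algorithm md5;
}
EOF
}

# Stand-alone demo against a scratch directory, never the live /etc/racoon.
demo() {
    d=$(mktemp -d)
    write_psk "$d/psk.txt" vpn "$(gen_psk)"
    psk_perms_ok "$d/psk.txt" && echo "psk.txt permissions OK: $(cat "$d/psk.txt")"
    sample_conf "$d/racoon.conf"
    audit_racoon_conf "$d/racoon.conf"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Pointing write_psk at /etc/racoon/psk.txt gives a key file that passes racoon's permission check without the chmod step; audit_count returning a non-zero value on your real racoon.conf is the signal that the proposal still carries one of the settings discussed above.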