编译配置racoon+radius+IKEv1
上篇用strongswan配置ikev1里面提到了使用racoon配置radius+ikev1+xauth-psk,说下具体步骤。
编译步骤摘自https://megapiranha.wordpress.com/2013/04/12/debian-squeeze-racoon-plus-radius-support-feat-cisco-vpn-client/,平台为Debian 6.0.7 i386
首先准备必要软件包:
apt-get install build-essential fakeroot dpkg-dev
apt-get source racoon
apt-get build-dep racoon
然后下载并编译libmd与libradius(修改过带tacacs的版本)
wget http://portal-to-web.de/tacacs/libmd.tar.gz && tar xzf libmd.tar.gz && cd libmd && mkdir -p /usr/local/man/man3
sed -i 's/O2/O2 -fPIC/g' Makefile
make install
cd ..
wget http://portal-to-web.de/tacacs/libradius-linux-20040827.tar.gz && tar xzf libradius-linux-20040827.tar.gz && cd libradius-linux
sed -i 's/O2/O2 -fPIC/g' Makefile
make install
其中添加-fPIC是在多个可执行文件调用该库时可以共用,而非复制多份。 然后编译racoon:
dpkg-source -x ipsec-tools_0.7.3-12.dsc
cd ipsec-tools-0.7.3
sed -i 's/context/context --with-libradius/g' debian/rules
sed -i 's/buggygetaddrinfo=yes/buggygetaddrinfo=no/g' configure
patch -p1 \< ../racoon-0.7.3.patch
ln -s /usr/local/lib/libradius.so /usr/lib/
fakeroot debian/rules binary
racoon有两个补丁,一个是允许在psk中使用通配符(*)来定义源IP,还有一个是去掉对于Windows的IPSec客户端IP格式的检查,我把这两个补丁整合到一起在这里下载:racoon-0.7.3
编译后会生成两个deb,分别用dpkg -i安装。
接下来是racoon的配置。
首先修改/etc/racoon/psk.txt:
your.group.name your.pre.shared.secret
group name是vpnc客户端里面的group name或者IPSec ID。PSK是IPSec Secret。
最后是/etc/racoon.conf:
#
# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and alsoread setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
path pre_shared_key "/etc/racoon/psk.txt";
listen {
adminsock disabled;
}
remote anonymous {
exchange_mode aggressive, main;
mode_cfg on;
proposal_check obey;
nat_traversal on;
generate_policy unique;
ike_frag on;
passive on;
dpd_delay 60;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method xauth_psk_server;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
encryption_algorithm aes 256, aes, 3des;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
mode_cfg {
auth_source radius;
accounting radius;
dns4 8.8.8.8;
banner "/etc/racoon/motd";
network4 vpn.client.ip.start;
netmask4 255.255.255.0;
save_passwd on;
pool_size 50;
}
network4推送的是vpn客户端ip的初始值,比如192.168.1.2。同时为了使用radius认证,还需要添加/etc/radius.conf(注意不是/etc/racoon/radius.conf,否则racoon启动时会提示could not initialize libradius)
auth localhost yourradiussecret
acct localhost yourradiussecret
搞定收工。 racoon提供L2TP的话必须有/etc/ipsec-tools.conf包含如下内容: 05/04更新:L2TP可以和IKEv1同时启用,修改后的ipsec-tools.conf:
flush;
spdflush;
spdadd vpn.server.ip.address[l2tp] 0.0.0.0/0 udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 vpn.server.ip.address[l2tp] udp -P in ipsec esp/transport//require;
racoon.conf里添加L2TP的proposal:
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
并且在启动racoon之前要先启动setkey,否则xl2tpd无法建立连接并会提示类似以下错误:
xl2tpd[4353]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[4353]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[4353]: Maximum retries exceeded for tunnel 38723. Closing.
xl2tpd[4353]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[4353]: Connection 12 closed to vpn.client.ip.address, port 39283 (Timeout)
xl2tpd[4353]: control_finish: Peer requested tunnel 23 twice, ignoring second one.
xl2tpd[4353]: Unable to deliver closing message for tunnel 38723. Destroying anyway.
ps:用ios上不太稳定,用其他平台的vpnc无此问题,不知何故。 ps2:测试了Wheezy上面的racoon 0.8.0,可以正常使用。仍然需要那个补丁。
参考:
http://www.netbsd.org/docs/network/ipsec/rasvpn.html
http://lxzheng.blogspot.com/2012/09/centos-62-l2tpipsec.html