Found an ocserv auto-configuration script

2014-10-13 23:35:07 +08:00
 bigtan
https://www.stunnel.info/tag/ocserv

Link first.
This thing is quite painful to configure; having an auto-configuration script makes it much more pleasant.
11236 clicks
Node    Share & Discover
32 replies
yywudi
2014-11-28 17:05:18 +08:00
@dynfeisu First confirm that password authentication works and that the RADIUS server is OK.
Then, taking the config file you replied with in the other thread, try adding one more line:

/etc/pam.d/ocserv

```
# PAM Configuration for OpenConnect Server
# Created by tony, 11/13/13
# This is designed to work with RADIUS PAM Module
# (module path varies by distro: /lib64/security or /lib/x86_64-linux-gnu/security on 64-bit systems)
auth required /lib/security/pam_radius_auth.so
account required /lib/security/pam_radius_auth.so
```

Of course, this file needs the RADIUS server details added to:
/etc/pam_radius_auth.conf
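A way to do the first step yywudi names, confirming that the RADIUS server itself accepts the credentials, without involving PAM or ocserv at all. The following Python is an added example, not code from the thread, ocserv or pam_radius_auth; it sends one RFC 2865 Access-Request using only the standard library. Assumptions: the server listens on UDP 1812 and the host/secret pair is the same one you put in /etc/pam_radius_auth.conf (whose lines are `server[:port] shared_secret timeout`); the User-Password attribute is PAP-style; the NAS-Identifier value `radius-probe` and the function names are my own.

```python
"""Send one RADIUS Access-Request (RFC 2865, PAP) with the standard library only.

Added example, not from the thread and not part of ocserv or pam_radius_auth.
Assumptions: server on UDP 1812, same host/secret as /etc/pam_radius_auth.conf,
NAS-Identifier "radius-probe".
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    encryption, which is why RADIUS over UDP belongs on a trusted network."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return bytes(out)


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does: inverse of encode_user_password, padding stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value; values are capped at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         authenticator: bytes, nas_id: bytes = b"radius-probe") -> bytes:
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_response(data: bytes, ident: int, request_auth: bytes, secret: bytes) -> int:
    """Return the reply code after checking identifier, length and the Response
    Authenticator; a spoofed reply or a wrong shared secret raises ValueError."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", data[:4])
    if rid != ident or length < 20 or length > len(data):
        raise ValueError("identifier/length mismatch")
    expected = response_authenticator(code, ident, data[20:length], request_auth, secret)
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code


def radius_check(host: str, secret: bytes, user: str, password: str,
                 port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request and return 'accept', 'reject' or 'challenge'."""
    # Fresh identifier and authenticator per request: the reply is bound to both.
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data = sock.recv(4096)
    code = parse_response(data, ident, authenticator, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, f"code {code}")


if __name__ == "__main__":
    import sys
    host, secret, user, password = sys.argv[1:5]
    print(radius_check(host, secret.encode(), user, password))
```

Run it as `python3 radius_probe.py RADIUS_HOST SHARED_SECRET vpn PASSWORD`. Three outcomes tell you where to look next: `reject` means the server answered and refused the credentials (fix the user on the RADIUS side), a `ValueError` on the Response Authenticator means the shared secret does not match what the server has (or something other than your server answered), and a socket timeout means the packet never reached a RADIUS server (firewall, wrong host or port). Only once this prints `accept` is it worth debugging the PAM stack in /etc/pam.d/ocserv.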
ghovik
2015-03-26 00:18:20 +08:00
@chinni Could you share a tutorial for configuring racoon? I'm fairly new at this, spent ages configuring it and still can't connect.. Many thanks~
chinni
2015-03-26 14:31:08 +08:00
@ghovik The zip package above has the scripts in it, plus the config files. Tested and working.
ghovik
2015-03-26 16:58:41 +08:00
@chinni Thanks! Unfortunately the link is dead; could you share it some other way? ghovik#gmail
chinni
2015-03-26 17:12:32 +08:00
ghovik
2015-03-26 18:30:10 +08:00
@chinni Thanks!
Could you help me look at the log? I'm really getting anxious, I can't get it working:
```
Foreground mode.
2015-03-26 18:19:48: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2015-03-26 18:19:48: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
2015-03-26 18:19:48: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2015-03-26 18:19:48: INFO: Resize address pool from 0 to 100
2015-03-26 18:19:48: INFO: [VPS IP][4500] used for NAT-T
2015-03-26 18:19:48: INFO: [VPS IP][4500] used as isakmp port (fd=7)
2015-03-26 18:19:48: INFO: [VPS IP][500] used for NAT-T
2015-03-26 18:19:48: INFO: [VPS IP][500] used as isakmp port (fd=8)
2015-03-26 18:19:58: INFO: respond new phase 1 negotiation: [VPS IP][500]<=>[home IP][9950]
2015-03-26 18:19:58: INFO: begin Aggressive mode.
2015-03-26 18:19:58: INFO: received broken Microsoft ID: FRAGMENTATION
2015-03-26 18:19:58: INFO: received Vendor ID: RFC 3947
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2015-03-26 18:19:58: INFO: received Vendor ID: CISCO-UNITY
2015-03-26 18:19:58: INFO: received Vendor ID: DPD
2015-03-26 18:19:58: [[home IP]] INFO: Selected NAT-T version: RFC 3947
2015-03-26 18:19:58: INFO: Adding remote and local NAT-D payloads.
2015-03-26 18:19:58: [[home IP]] INFO: Hashing [home IP][9950] with algo #2 (NAT-T forced)
2015-03-26 18:19:58: [[VPS IP]] INFO: Hashing [VPS IP][500] with algo #2 (NAT-T forced)
2015-03-26 18:19:58: INFO: Adding xauth VID payload.
2015-03-26 18:19:58: INFO: NAT-T: ports changed to: [home IP][31334]<->[VPS IP][4500]
2015-03-26 18:19:58: INFO: NAT-D payload #0 doesn't match
2015-03-26 18:19:58: INFO: NAT-D payload #1 doesn't match
2015-03-26 18:19:58: [[home IP]] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2015-03-26 18:19:58: INFO: NAT detected: ME PEER
2015-03-26 18:19:58: INFO: Sending Xauth request
2015-03-26 18:19:58: INFO: ISAKMP-SA established [VPS IP][4500]-[home IP][31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:19:58: INFO: Using port 0
2015-03-26 18:19:58: INFO: login succeeded for user "vpn"
```

After less than half a minute, the iPhone shows: negotiation with the VPN server failed

Then, after a short while, the following appears:

```
2015-03-26 18:20:53: [[home IP]] INFO: DPD: remote (ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e) seems to be dead.
2015-03-26 18:20:53: INFO: purging ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
2015-03-26 18:20:53: INFO: purged ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
2015-03-26 18:20:53: INFO: ISAKMP-SA deleted [VPS IP][4500]-[home IP][31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:20:53: INFO: Released port 0
```
Here is my config.
/etc/racoon/racoon.conf
```
log info;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
    isakmp <server IP address> [500];
    isakmp_natt <server IP address> [4500];
}

remote anonymous {
    exchange_mode main,aggressive;
    mode_cfg on;
    proposal_check claim;   # override the client's settings, e.g. lifetime
    nat_traversal force;
    generate_policy unique;
    ike_frag on;
    passive off;
    dpd_delay 30;

    proposal {
        lifetime time 12 hour;   ## set a fairly long lifetime so OS X does not drop every hour
        encryption_algorithm 3des;   # 3DES with modp1024 is weak by current standards
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group modp1024;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    pfs_group 2;
    lifetime time 100 hour;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.4.4,8.8.8.8;
    save_passwd on;
    banner "/etc/racoon/motd";
    network4 10.100.0.10;
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}
```
/etc/racoon/psk.txt:
```
group group_password
```

Thanks a lot!
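The shape of the log above is worth recognising on sight: phase 1 completes, XAuth reports `login succeeded`, and then nothing happens until DPD declares the peer dead and purges the SA. There is no `respond new phase 2 negotiation` and no `IPsec-SA established` line in between, so the client never got as far as an IPsec SA. The following Python is an added example, not code from the thread or from ipsec-tools, that turns that observation into a check you can run over a racoon log: it builds one record per ISAKMP-SA and labels sessions that authenticated but never reached phase 2 before DPD tore them down. The phase 1, XAuth and DPD patterns follow the messages in the posted log; the phase 2 patterns are racoon's usual wording and are an assumption here. The sample log is constructed from the posted one, with the documentation addresses 203.0.113.10 (VPS) and 198.51.100.7 (home) standing in for the real IPs, plus a second, healthy session for contrast.

```python
"""Spot racoon (ipsec-tools) sessions that pass XAuth but never reach phase 2.

Added example, not part of the original thread. Phase 2 message wording
("respond new phase 2 negotiation", "IPsec-SA established") is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
SPI = r"[0-9a-f]+:[0-9a-f]+"
RE_PHASE1_OK = re.compile(TS + r"INFO: ISAKMP-SA established (?P<local>\S+)-(?P<peer>\S+) spi:(?P<spi>" + SPI + ")")
RE_XAUTH_OK = re.compile(TS + r'INFO: login succeeded for user "(?P<user>[^"]+)"')
RE_XAUTH_FAIL = re.compile(TS + r'ERROR: login failed for user "(?P<user>[^"]+)"')
RE_PHASE2 = re.compile(TS + r"INFO: (respond new phase 2 negotiation|IPsec-SA established)")
RE_DPD_DEAD = re.compile(TS + r".*DPD: remote \(ISAKMP-SA spi=(?P<spi>" + SPI + r")\) seems to be dead")
RE_DELETED = re.compile(TS + r"INFO: ISAKMP-SA deleted \S+-\S+ spi:(?P<spi>" + SPI + ")")


def host_of(endpoint: str) -> str:
    """'198.51.100.7[31334]' -> '198.51.100.7'; the port changes when NAT-T floats to 4500."""
    return endpoint.split("[", 1)[0]


@dataclass
class Session:
    spi: str
    peer: str
    started: str
    user: Optional[str] = None
    xauth_failed: bool = False
    phase2: bool = False
    dpd_dead_at: Optional[str] = None
    deleted_at: Optional[str] = None

    def verdict(self) -> str:
        if self.xauth_failed:
            return "xauth-failed"
        if self.user is None:
            return "no-xauth"
        if not self.phase2:
            # The posted log's shape: phase 1 and XAuth succeed, the client never
            # starts phase 2, and DPD tears the ISAKMP-SA down ~55 s later.
            return "authenticated-but-no-phase2" if self.dpd_dead_at else "authenticated-no-phase2-yet"
        return "ok"


def analyze(lines) -> List[Session]:
    """Build one Session per ISAKMP-SA from racoon log lines (any iterable of str)."""
    sessions: Dict[str, Session] = {}
    last_spi: Optional[str] = None   # XAuth lines carry no SPI: attach them to the newest SA
    for line in lines:
        line = line.rstrip("\n")
        m = RE_PHASE1_OK.match(line)
        if m:
            s = Session(spi=m["spi"], peer=host_of(m["peer"]), started=m["ts"])
            sessions[s.spi] = s
            last_spi = s.spi
            continue
        m = RE_XAUTH_OK.match(line) or RE_XAUTH_FAIL.match(line)
        if m and last_spi:
            sessions[last_spi].user = m["user"]
            sessions[last_spi].xauth_failed = "login failed" in line
            continue
        if RE_PHASE2.match(line):
            for s in sessions.values():   # phase 2 lines name the peer address, not the SPI
                if s.deleted_at is None and re.search(r"(?<![\d.])" + re.escape(s.peer) + r"(?![\d.])", line):
                    s.phase2 = True
            continue
        m = RE_DPD_DEAD.match(line)
        if m and m["spi"] in sessions:
            sessions[m["spi"]].dpd_dead_at = m["ts"]
            continue
        m = RE_DELETED.match(line)
        if m and m["spi"] in sessions:
            sessions[m["spi"]].deleted_at = m["ts"]
    return list(sessions.values())


def report(lines) -> List[str]:
    return [f"{s.started} peer={s.peer} user={s.user} spi={s.spi}: {s.verdict()}" for s in analyze(lines)]


# Constructed sample: the posted session (203.0.113.10 = VPS, 198.51.100.7 = home),
# then a healthy session from 198.51.100.8 that does reach phase 2.
SAMPLE_LOG = """\
2015-03-26 18:19:58: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.7[9950]
2015-03-26 18:19:58: INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.7[31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:19:58: INFO: login succeeded for user "vpn"
2015-03-26 18:20:53: [198.51.100.7] INFO: DPD: remote (ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e) seems to be dead.
2015-03-26 18:20:53: INFO: purged ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
2015-03-26 18:20:53: INFO: ISAKMP-SA deleted 203.0.113.10[4500]-198.51.100.7[31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:25:00: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.8[500]
2015-03-26 18:25:01: INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.8[4500] spi:0123456789abcdef:fedcba9876543210
2015-03-26 18:25:01: INFO: login succeeded for user "alice"
2015-03-26 18:25:02: INFO: respond new phase 2 negotiation: 203.0.113.10[4500]<=>198.51.100.8[4500]
2015-03-26 18:25:02: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.8[4500]->203.0.113.10[4500] spi=123456789(0x75bcd15)
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("\n".join(report(src)))
```

Run it on a real log with `python3 racoon_sessions.py /var/log/racoon.log` (or whatever file your syslog puts racoon's output in). A verdict of `authenticated-but-no-phase2` tells you the credentials and the ISAKMP/XAuth side are fine and the problem lies in what happens after login, i.e. the mode_cfg reply and the phase 2 proposal (`sainfo`), not in the PSK, the user database or the IKE ports. One limitation to keep in mind: racoon's XAuth lines carry no SPI, so with several clients logging in within the same second the user could be attached to the wrong SA.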
chinni
2015-03-26 22:00:36 +08:00
@ghovik No idea about that one... the log says user vpn logged in successfully. = =
ghovik
2015-03-26 22:40:55 +08:00
@chinni Thanks for the reply!
Yes, the log shows user 'vpn' logged in successfully, but the phone keeps showing "connecting", and after a while says the negotiation failed.. Is there something wrong with my setup?

iptables rules and port forwarding:
```
# MASQUERADE is added twice: unrestricted here, and again below limited to eth0
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.100.0.0/24 -j ACCEPT
iptables --table nat --append POSTROUTING -o eth0 --jump MASQUERADE
```

```
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```
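Rules like the ones above are easiest to judge from the machine's own `iptables-save` output rather than from the shell history that produced them, because the dump also shows the chain policies, which decide whether a missing rule matters. The following Python is an added example, not code from the thread; it parses an iptables-save dump and reports what a racoon gateway needs: IKE and NAT-T ports open in INPUT, ESP accepted (only optional while `nat_traversal force` keeps all traffic on UDP 4500), a forward path for the client pool in both directions, a single MASQUERADE restricted to the pool and the WAN interface, and `net.ipv4.ip_forward = 1` when sysctl output is supplied. `POSTED_DUMP` is constructed from the rules posted above as iptables-save would print them with the default ACCEPT policies; `HARDENED_DUMP` is one corrected ruleset. The pool 10.100.0.0/24 and the interface name eth0 are taken from the posted config and are assumptions.

```python
"""Lint an iptables-save dump (plus optional sysctl output) for a racoon gateway.

Added example, not from the thread. Assumes the client pool 10.100.0.0/24 and
WAN interface eth0 from the posted configuration.
"""
import re
import shlex
from typing import Dict, List, Tuple

POOL = "10.100.0.0/24"
FLAGS = {"-p": "proto", "--protocol": "proto", "-s": "src", "--source": "src",
         "-d": "dst", "--destination": "dst", "-i": "in", "--in-interface": "in",
         "-o": "out", "--out-interface": "out", "--dport": "dport",
         "--ctstate": "state", "--state": "state", "-j": "target", "--jump": "target"}


def parse_dump(text: str) -> Tuple[Dict[Tuple[str, str], str], List[Dict[str, str]]]:
    """policies[(table, chain)] -> policy; rules -> dicts of the matches checked below."""
    policies, rules, table = {}, [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            r: Dict[str, str] = {"table": table, "chain": toks[1]}
            i, neg = 2, False
            while i < len(toks):
                if toks[i] == "!":
                    neg, i = True, i + 1
                elif toks[i] in FLAGS and i + 1 < len(toks):
                    r[("!" if neg else "") + FLAGS[toks[i]]] = toks[i + 1]   # "!src" etc. never satisfy a check
                    neg, i = False, i + 2
                else:
                    i += 1   # -m udp, -m conntrack, --comment ...: nothing tested here
            rules.append(r)
    return policies, rules


def accepts(rules, table: str, chain: str, **want) -> bool:
    """True if some ACCEPT rule in table/chain carries every match in want."""
    return any(r["table"] == table and r["chain"] == chain and r.get("target") == "ACCEPT"
               and all(r.get(k) == v for k, v in want.items()) for r in rules)


def lint(text: str, pool: str = POOL, sysctl: str = "") -> List[str]:
    policies, rules = parse_dump(text)
    out: List[str] = []
    if policies.get(("filter", "INPUT")) != "ACCEPT":
        for port in ("500", "4500"):
            if not accepts(rules, "filter", "INPUT", proto="udp", dport=port):
                out.append(f"ERROR: INPUT does not accept udp/{port} (IKE / NAT-T)")
        if not (accepts(rules, "filter", "INPUT", proto="esp") or accepts(rules, "filter", "INPUT", proto="50")):
            out.append("WARN: INPUT does not accept ESP; fine only while nat_traversal force keeps everything on udp/4500")
    if policies.get(("filter", "FORWARD")) != "ACCEPT":
        if not accepts(rules, "filter", "FORWARD", src=pool):
            out.append(f"ERROR: FORWARD does not accept traffic from the client pool {pool}")
        returns = accepts(rules, "filter", "FORWARD", dst=pool) or any(
            r["table"] == "filter" and r["chain"] == "FORWARD" and r.get("target") == "ACCEPT"
            and "ESTABLISHED" in r.get("state", "") for r in rules)
        if not returns:
            out.append(f"ERROR: FORWARD has no return path to {pool}; add a conntrack ESTABLISHED,RELATED rule")
    masq = [r for r in rules if r["table"] == "nat" and r["chain"] == "POSTROUTING" and r.get("target") == "MASQUERADE"]
    if not masq:
        out.append("ERROR: no MASQUERADE in nat/POSTROUTING; client traffic would leave with pool source addresses")
    if len(masq) > 1:
        out.append(f"WARN: {len(masq)} MASQUERADE rules in nat/POSTROUTING; keep one")
    for r in masq:
        if "out" not in r or r.get("src") != pool:
            out.append(f"WARN: MASQUERADE should be restricted to -s {pool} -o <wan>; "
                       f"got -s {r.get('src', 'any')} -o {r.get('out', 'any')}")
    if sysctl and not re.search(r"net\.ipv4\.ip_forward\s*=\s*1\b", sysctl):
        out.append("ERROR: net.ipv4.ip_forward is not 1; nothing is forwarded for clients")
    return out


# Constructed from the rules posted above, as iptables-save prints them (default ACCEPT policies).
POSTED_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.100.0.0/24 -j ACCEPT
COMMIT
"""

# One corrected ruleset with DROP policies: same ports, ESP, conntrack return path, one scoped MASQUERADE.
HARDENED_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.100.0.0/24 -o eth0 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else POSTED_DUMP
    print("\n".join(lint(text)) or "no findings")
```

On a live box run `iptables-save | python3 iptables_lint.py`; pass `sysctl net.ipv4.ip_forward` output through the `sysctl=` argument to cover the forwarding switch too. Against the posted rules the linter only warns (duplicate and unscoped MASQUERADE) because the policies default to ACCEPT; flip the FORWARD policy to DROP, as a hardened host would, and the same rules produce an error for the missing return path. None of this explains a client that fails before phase 2, which is what the log above shows, but it does rule the packet filter in or out quickly.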
chinni
2015-03-27 22:50:30 +08:00
@ghovik The system settings are fine; I don't know what the specific problem is either.
That's all.
ghovik
2015-03-29 21:59:11 +08:00
@chinni Thanks.. sorry to bother you again, I really want to get this working.
Could you send me a copy of your config files so I can study them? racoon.conf, psk.txt, and the matching iptables rules?
My email: ghovik#gmail.com
Thanks a lot!
chinni
2015-03-30 09:32:36 +08:00
@ghovik The config files are all in what I sent you earlier.
ghovik
2015-03-30 11:36:43 +08:00
@chinni Thanks.. that's exactly what I followed.. I think the problem is in the iptables rules; I'm a beginner and don't really understand them, I just copied them.

https://www.v2ex.com/t/138741

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX