IPsec Xauth RSA – Debian 7 and Android 4.4 VPN (always-on) and Mac OS X 10.9.2 VPN (on-demand)

I successfully set up IPsec Xauth RSA following these instructions: http://jsharkey.org/blog/2012/09/22/deploying-a-pure-ipsec-pki-vpn-server-for-android-devices/

In short:

    apt-get install ipsec-tools racoon
    chmod 700 /etc/racoon/certs
    cd /etc/racoon/certs
    openssl req -new -x509 -extensions v3_ca -out myca.crt -keyout myca.key -days 3650
    openssl req -new -keyout myserver.key -out myserver.csr -days 3650
    openssl x509 -req -in myserver.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myserver.crt
    chmod 600 myserver.key
    openssl rsa -in myserver.key -out myserver.key
    openssl req -new -keyout myphone.key -out myphone.csr -days 3650
    openssl x509 -req -in myphone.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myphone.crt
    openssl pkcs12 -export -in myphone.crt -inkey myphone.key -certfile myca.crt -name myphone -out myphone.p12

Then in racoon.conf:

    path certificate "/etc/racoon/certs";

    timer {
        # NOTE: varies between carriers
        natt_keepalive 45 sec;
    }

    listen {
        isakmp 106.187.34.245[500];
        isakmp_natt 106.187.34.245[4500];
    }

    remote anonymous {
        exchange_mode aggressive,main;
        my_identifier asn1dn;
        certificate_type x509 "myserver.crt" "myserver.key";
        ca_type x509 "myca.crt";
        peers_certfile x509 "myphone.crt";
        passive on;
        proposal_check strict;
        generate_policy on;
        nat_traversal force;

        proposal {
            encryption_algorithm aes256;
            hash_algorithm sha1;
            authentication_method xauth_rsa_server;
            dh_group modp1024;
        }
    }

    sainfo anonymous {
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    log info;

    mode_cfg {
        auth_source system;
        conf_source local;
        accounting system;
        network4 10.44.0.0;
        netmask4 255.255.255.255;
    }

Android connects to the VPN with the following settings:

    Type: IPSec Xauth RSA
    IPSec user certificate: myphone
    IPSec CA certificate: myphone
    IPSec server certificate: (received from server)

It connects successfully. I can browse websites (some of them don't load, some of them are slow, but it works for now) and use other apps that need the connection, so it works.

Unfortunately, I don't know how to connect my MacBook to this VPN.

I imported the certificates into the System keychain, created a Cisco IPSec VPN, selected the myphone certificate as the machine certificate, and set the user/password. After clicking Connect it shows "Cannot validate server certificate".

In the syslog on the server:

    Apr 19 19:12:50 playground racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 19 19:12:51 playground racoon: INFO: NAT-T: ports changed to: 2.30.143.181[4501]<->109.74.205.143[4500]
    Apr 19 19:12:51 playground racoon: INFO: KA found: 109.74.205.143[4500]->2.30.143.181[4501] (in_use=7)
    Apr 19 19:12:51 playground racoon: INFO: Sending Xauth request
    Apr 19 19:12:51 playground racoon: [2.30.143.181] INFO: received INITIAL-CONTACT
    Apr 19 19:12:51 playground racoon: INFO: ISAKMP-SA established 109.74.205.143[4500]-2.30.143.181[4501] spi:72cc05a48011e3e6:9b2eef1f1823779b
    Apr 19 19:12:51 playground racoon: ERROR: ignore information because the message is too short - 76 byte(s).

If I change the IPSec server certificate on the Android device, it shows a similar error message (too short), so I guess I need to include the server certificate in the Android settings, or set something similar in the Mac OS VPN settings (a configuration profile?).

Also, if you could let me know about a working solution for setting up a Debian VPN server that supports Android Always-On VPN connections and Mac OS X / iPhone On-demand VPN,
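The certificate-generation step from the post, reworked as an added example that is not part of the original post or of the linked blog. The commands in the post issue the server certificate with no X.509 extensions at all; this script issues the same three certificates (myca, myserver, myphone) but gives the server certificate a subjectAltName and extendedKeyUsage, and then runs the two checks a strict IPsec client applies before it trusts a gateway: the certificate chains to the CA, and it names the address the client dials. The address 106.187.34.245 is assumed from the racoon listen block; the CA subject, the export password and the output directory are arbitrary; openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the racoon PKI with a
# subjectAltName on the server certificate and verifies it offline.
set -eu

# Assumed: the address racoon listens on in the post's config.
SERVER_IP="${SERVER_IP:-106.187.34.245}"

# make_pki DIR IP : create myca, myserver (SAN=IP) and myphone under DIR.
make_pki() {
    dir="$1"; ip="$2"
    mkdir -p "$dir" && chmod 700 "$dir"

    # CA: self-signed, ten years, unencrypted key (arbitrary subject).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=My VPN CA" \
        -keyout "$dir/myca.key" -out "$dir/myca.crt" 2>/dev/null

    # Server: CN and SAN carry the address the clients will dial.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$dir/myserver.key" -out "$dir/myserver.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" \
        > "$dir/server.ext"
    openssl x509 -req -days 3650 -in "$dir/myserver.csr" \
        -CA "$dir/myca.crt" -CAkey "$dir/myca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/myserver.crt" 2>/dev/null
    chmod 600 "$dir/myserver.key"

    # Client: marked for client authentication, exported as PKCS#12 with
    # the CA certificate attached, as in the post.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myphone" \
        -keyout "$dir/myphone.key" -out "$dir/myphone.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 3650 -in "$dir/myphone.csr" \
        -CA "$dir/myca.crt" -CAkey "$dir/myca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/myphone.crt" 2>/dev/null
    # Export password is arbitrary; Android and OS X prompt for it on import.
    openssl pkcs12 -export -in "$dir/myphone.crt" -inkey "$dir/myphone.key" \
        -certfile "$dir/myca.crt" -name myphone -passout pass:changeit \
        -out "$dir/myphone.p12" 2>/dev/null
}

# verify_cert DIR NAME : succeed only if DIR/NAME.crt chains to DIR/myca.crt.
verify_cert() {
    openssl verify -CAfile "$1/myca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# server_san_matches DIR IP : succeed only if the server cert's SAN names IP.
server_san_matches() {
    openssl x509 -in "$1/myserver.crt" -noout -text | grep -q "IP Address:$2"
}

# Stand-alone run: build into a temporary directory and report the result.
workdir="$(mktemp -d)"
make_pki "$workdir" "$SERVER_IP"
verify_cert "$workdir" myserver && verify_cert "$workdir" myphone \
    && server_san_matches "$workdir" "$SERVER_IP" \
    && echo "PKI in $workdir: chain OK, server SAN = $SERVER_IP"
```

To use the output with the post's racoon.conf, copy myca.crt, myserver.crt and myserver.key into /etc/racoon/certs and import myphone.p12 on the client; the two check functions can also be pointed at an existing /etc/racoon/certs to see whether the certificates issued by the original commands pass the same tests.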