IPsec Xauth RSA - Debian 7 and Android 4.4 VPN (always-on) and Mac OS X 10.9.2 VPN (on demand)

I successfully installed IPsec Xauth RSA using these instructions: http://jsharkey.org/blog/2012/09/22/deploying-a-pure-ipsec-pki-vpn-server-for-android-devices/

In short:

apt-get install ipsec-tools racoon
chmod 700 /etc/racoon/certs
cd /etc/racoon/certs
openssl req -new -x509 -extensions v3_ca -out myca.crt -keyout myca.key -days 3650
openssl req -new -keyout myserver.key -out myserver.csr -days 3650
openssl x509 -req -in myserver.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myserver.crt
chmod 600 myserver.key
openssl rsa -in myserver.key -out myserver.key
openssl req -new -keyout myphone.key -out myphone.csr -days 3650
openssl x509 -req -in myphone.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myphone.crt
openssl pkcs12 -export -in myphone.crt -inkey myphone.key -certfile myca.crt -name myphone -out myphone.p12

Then in racoon.conf:

path certificate "/etc/racoon/certs";

timer {
    # NOTE: varies between carriers
    natt_keepalive 45 sec;
}

listen {
    isakmp 106.187.34.245[500];
    isakmp_natt 106.187.34.245[4500];
}

remote anonymous {
    exchange_mode aggressive,main;
    my_identifier asn1dn;

    certificate_type x509 "myserver.crt" "myserver.key";
    ca_type x509 "myca.crt";
    peers_certfile x509 "myphone.crt";

    passive on;
    proposal_check strict;
    generate_policy on;
    nat_traversal force;

    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha1;
        authentication_method xauth_rsa_server;
        dh_group modp1024;
    }
}

sainfo anonymous {
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

log info;

mode_cfg {
    auth_source system;
    conf_source local;
    accounting system;
    network4 10.44.0.0;
    netmask4 255.255.255.255;
}

Android connects to the VPN with the following settings:

Type: IPSec Xauth RSA
IPSec user certificate: myphone
IPSec CA certificate: myphone
IPSec server certificate: (received from server)

The connection succeeds. I can browse websites (some sites won't load and some have latency, but it is fine for now) and use other apps that need a connection, so it works.

Unfortunately, I don't know how to connect my MacBook to this VPN.

I imported the certificates into the System keychain, created a Cisco IPSec VPN, selected the myphone certificate as the machine certificate, and set the user/password. After clicking "Connect", it says "Unable to verify server certificate".

In syslog on the server:

Apr 19 19:12:50 playground racoon: INFO: Adding remote and local NAT-D payloads.
Apr 19 19:12:51 playground racoon: INFO: NAT-T: ports changed to: 2.30.143.181[4501]<->109.74.205.143[4500]
Apr 19 19:12:51 playground racoon: INFO: KA found: 109.74.205.143[4500]->2.30.143.181[4501] (in_use=7)
Apr 19 19:12:51 playground racoon: INFO: Sending Xauth request
Apr 19 19:12:51 playground racoon: [2.30.143.181] INFO: received INITIAL-CONTACT
Apr 19 19:12:51 playground racoon: INFO: ISAKMP-SA established 109.74.205.143[4500]-2.30.143.181[4501] spi:72cc05a48011e3e6:9b2eef1f1823779b
Apr 19 19:12:51 playground racoon: ERROR: ignore information because the message is too short - 76 byte(s).

If I change the IPSec server certificate on the Android device, it shows a similar error message (too short), so I guess I need to include the server certificate as in the Android settings, or set a similar option in the Mac OS VPN settings (perhaps in a configuration profile?).

Also, I would be glad if you could point me to some working solution for setting up a Debian VPN server that supports Android Always-On VPN connections and Mac OS X / iPhone on-demand VPN.
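As an added example (not part of the original post, and not racoon's own tooling), a small POSIX shell script that checks the PKI built by the commands above before pointing a client at it: that myserver.crt chains to myca.crt, that myserver.key matches the certificate and has had its passphrase removed, that the certificate has not expired, and it prints the CN/subjectAltName so it can be compared with the address the client connects to. The file names are the ones used above; the /etc/racoon/certs default is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the racoon PKI
# built above. Assumes the file names used there: myca.crt, myserver.crt and
# myserver.key under /etc/racoon/certs (or a directory passed as $1).

check_chain() {            # $1 = CA cert, $2 = leaf cert: does the leaf chain to the CA?
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_key_matches() {      # $1 = cert, $2 = private key: same RSA modulus?
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

check_key_unencrypted() {  # $1 = private key: racoon loads it without a passphrase
    openssl rsa -noout -passin pass: -in "$1" >/dev/null 2>&1
}

check_not_expired() {      # $1 = cert: still within its validity period right now?
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

show_identity() {          # $1 = cert: print CN and SAN to compare with the VPN server address
    openssl x509 -noout -subject -in "$1"
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' || echo "no subjectAltName"
}

run_checks() {             # $1 = cert dir; returns 0 only if every check passes
    dir=${1:-/etc/racoon/certs}; rc=0
    check_chain "$dir/myca.crt" "$dir/myserver.crt" \
        && echo "ok   myserver.crt chains to myca.crt" \
        || { echo "FAIL myserver.crt is not signed by myca.crt"; rc=1; }
    check_key_matches "$dir/myserver.crt" "$dir/myserver.key" \
        && echo "ok   myserver.key matches myserver.crt" \
        || { echo "FAIL myserver.key does not match myserver.crt"; rc=1; }
    check_key_unencrypted "$dir/myserver.key" \
        && echo "ok   myserver.key has no passphrase" \
        || { echo "FAIL myserver.key is still passphrase-protected"; rc=1; }
    check_not_expired "$dir/myserver.crt" \
        && echo "ok   myserver.crt is within its validity period" \
        || { echo "FAIL myserver.crt has expired"; rc=1; }
    echo "server identity (compare with the address the client connects to):"
    show_identity "$dir/myserver.crt"
    return $rc
}

if [ $# -gt 0 ]; then run_checks "$1"; fi
```

Run it as `sh check_vpn_certs.sh /etc/racoon/certs` on the server; a non-zero exit means one of the checks failed.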
