I successfully set up IPSec Xauth RSA using these instructions: http://jsharkey.org/blog/2012/09/22/deploying-a-pure-ipsec-pki-vpn-server-for-android-devices/
In short:
apt-get install ipsec-tools racoon
chmod 700 /etc/racoon/certs
cd /etc/racoon/certs
openssl req -new -x509 -extensions v3_ca -out myca.crt -keyout myca.key -days 3650
openssl req -new -keyout myserver.key -out myserver.csr -days 3650
openssl x509 -req -in myserver.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myserver.crt
chmod 600 myserver.key
openssl rsa -in myserver.key -out myserver.key
openssl req -new -keyout myphone.key -out myphone.csr -days 3650
openssl x509 -req -in myphone.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out myphone.crt
openssl pkcs12 -export -in myphone.crt -inkey myphone.key -certfile myca.crt -name myphone -out myphone.p12
Then in racoon.conf:
path certificate "/etc/racoon/certs";

timer {
    # NOTE: varies between carriers
    natt_keepalive 45 sec;
}

listen {
    isakmp 106.187.34.245[500];
    isakmp_natt 106.187.34.245[4500];
}

remote anonymous {
    exchange_mode aggressive,main;
    my_identifier asn1dn;
    certificate_type x509 "myserver.crt" "myserver.key";
    ca_type x509 "myca.crt";
    peers_certfile x509 "myphone.crt";
    passive on;
    proposal_check strict;
    generate_policy on;
    nat_traversal force;

    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha1;
        authentication_method xauth_rsa_server;
        dh_group modp1024;
    }
}

sainfo anonymous {
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

log info;

mode_cfg {
    auth_source system;
    conf_source local;
    accounting system;
    network4 10.44.0.0;
    netmask4 255.255.255.255;
}
Android connects to the VPN with the following settings:
Type: IPSec Xauth RSA
IPSec user certificate: myphone
IPSec CA certificate: myphone
IPSec server certificate: (received from server)
The connection succeeds. I can browse websites (some sites don't load and some are slow, but it's fine for now) and use other apps that need connectivity, so it works.
Unfortunately, I don't know how to connect my MacBook to this VPN.
I imported the certificates into the System keychain, created a Cisco IPSec VPN, selected the certificate myphone as the machine certificate, and set the user/password. After clicking "Connect", it shows "Unable to verify server certificate".
In the system log on the server:
Apr 19 19:12:50 playground racoon: INFO: Adding remote and local NAT-D payloads.
Apr 19 19:12:51 playground racoon: INFO: NAT-T: ports changed to: 2.30.143.181[4501]<->109.74.205.143[4500]
Apr 19 19:12:51 playground racoon: INFO: KA found: 109.74.205.143[4500]->2.30.143.181[4501] (in_use=7)
Apr 19 19:12:51 playground racoon: INFO: Sending Xauth request
Apr 19 19:12:51 playground racoon: [2.30.143.181] INFO: received INITIAL-CONTACT
Apr 19 19:12:51 playground racoon: INFO: ISAKMP-SA established 109.74.205.143[4500]-2.30.143.181[4501] spi:72cc05a48011e3e6:9b2eef1f1823779b
Apr 19 19:12:51 playground racoon: ERROR: ignore information because the message is too short - 76 byte(s).
If I change the IPSec server certificate on the Android device, it shows a similar error message (too short), so I guess I need to include the server certificate in the Android settings, or set a similar option in the Mac OS VPN settings (perhaps in a configuration file?).
Also, I'd be glad if you could point me to a working solution for setting up a Debian VPN server that supports Android Always-On VPN connections and Mac OS X / iPhone VPN on demand.
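The post's symptom is a client that refuses the server certificate. Before touching racoon, it is worth confirming on the server that the certificate material itself is consistent: the server certificate chains to the CA the client is told to trust, the private key belongs to that certificate, and the certificate carries an identity (subject CN or SAN) that can be compared with the address the client dials. The script below is an added example, not code from the post or the linked blog. It rebuilds a throwaway CA / server PKI with the same kind of openssl commands the post uses (non-interactively, in a temp dir), then runs those three checks; a second, unrelated CA shows what the failure case looks like. The CA names and the 192.0.2.1 address (TEST-NET-1) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a throwaway PKI like the
# post's openssl commands do, then run the checks used to diagnose a client-side
# "unable to verify server certificate". Names and 192.0.2.1 are placeholders.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a CA plus a CA-signed server certificate in $1.
# $2 = CA common name, $3 = server address used as CN and as an IP SAN.
build_pki() {
    dir="$1"; ca_cn="$2"; srv_ip="$3"
    mkdir -p "$dir"
    # CA: equivalent of the post's "openssl req -new -x509 -extensions v3_ca ..."
    # (-nodes skips the passphrase the post later strips with "openssl rsa").
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=$ca_cn" \
        -keyout "$dir/myca.key" -out "$dir/myca.crt" 2>/dev/null
    # Server CSR, then sign it with the CA; the SAN is added via -extfile so the
    # certificate states explicitly which address it belongs to.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$srv_ip" \
        -keyout "$dir/myserver.key" -out "$dir/myserver.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\n' "$srv_ip" > "$dir/san.cnf"
    openssl x509 -req -days 3650 -in "$dir/myserver.csr" \
        -CA "$dir/myca.crt" -CAkey "$dir/myca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/myserver.crt" 2>/dev/null
}

# Check 1: does certificate $2 chain to CA file $1? Prints "ok" or "fail".
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 2: does private key $2 belong to certificate $1? Compares the public keys
# extracted from each side; any mismatch means the wrong key is configured.
check_key_match() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    if [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo fail; fi
}

# Check 3: does certificate $1 carry IP address $2 as a SAN? Prints "ok" or "fail".
cert_has_ip() {
    if openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; then
        echo ok
    else
        echo fail
    fi
}

# Print the identity the server presents, for comparison with the address the
# client connects to (subject plus any DNS/IP SAN entries).
cert_identity() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -E 'DNS:|IP Address:' | sed 's/^ *//' || true
}

build_pki "$WORK/good"  "Example VPN CA" "192.0.2.1"
build_pki "$WORK/other" "Unrelated CA"   "192.0.2.1"

echo "server cert vs its own CA:        $(check_chain "$WORK/good/myca.crt"  "$WORK/good/myserver.crt")"
echo "server cert vs an unrelated CA:   $(check_chain "$WORK/other/myca.crt" "$WORK/good/myserver.crt")"
echo "server key matches server cert:   $(check_key_match "$WORK/good/myserver.crt"  "$WORK/good/myserver.key")"
echo "server key vs other server cert:  $(check_key_match "$WORK/other/myserver.crt" "$WORK/good/myserver.key")"
echo "server cert lists 192.0.2.1:      $(cert_has_ip "$WORK/good/myserver.crt" 192.0.2.1)"
echo "server identity:"
cert_identity "$WORK/good/myserver.crt"
```

To apply the checks to a real installation, point `check_chain` at the CA file and server certificate under `/etc/racoon/certs`, `check_key_match` at `myserver.crt` / `myserver.key`, and compare the output of `cert_identity` with the server address entered on the client. The second CA only exists to show that a certificate signed by one CA does not verify against another, which is exactly what a client sees when it has been given the wrong CA certificate.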