1
soli 2014-10-14 09:45:52 +08:00
Nice!
During my setup, ocserv crashes if I use certificate authentication.
2
lhbc 2014-10-14 13:16:35 +08:00
I'm the author, just popping in...
6
yywudi 2014-10-14 18:19:35 +08:00
@chinni Why not? I'm running Debian 7 + ocserv + PAM + remote RADIUS authentication on a 128M OVZ box and it works fine.
7
fanzc 2014-10-14 20:43:44 +08:00
Password authentication is a bit of a hassle; is there a configuration script for certificate authentication?
10
chinni 2014-10-15 10:48:15 +08:00
@yywudi I always assumed ocserv needed kernel-level support, something like IPsec does... So it doesn't? I'll test it on OVZ in a bit...
11
anyfc 2014-10-15 11:05:08 +08:00
Looking for an automatic install and configuration script for Debian 7.0.
12
chinni 2014-10-15 11:15:18 +08:00
@yywudi I tested on OVZ the 0.8.0 version that had previously worked under KVM, using passwd-file authentication; when dialing in it keeps reporting a 401 authentication error. On the KVM machine it works fine... I'm confused..
13
chinni 2014-10-15 11:19:01 +08:00
You can take a look at the 0.8.0 server package I put together. It has scripts for Debian and Ubuntu; they may need some changes.
Tested OK under KVM. Download: https://www.dropbox.com/s/qeyftm9ixxgky8y/ocserv_full.zip?dl=0
14
yywudi 2014-10-15 11:36:27 +08:00
@chinni I just followed this article: http://ttz.im/blog/2014/02/1131 Using 0.8.4, the passwd-file test was OK, and switching to PAM + RADIUS remote authentication also worked fine.
What's the situation with the 401 authentication error? Is there any hint in the ocserv log?
15
chinni 2014-10-15 12:37:02 +08:00
21
yywudi 2014-11-28 17:05:18 +08:00 via Android
@dynfeisu First confirm that password authentication is OK and that the RADIUS server is OK.
Then, in the config file you posted in the other thread, try adding one more line. /etc/pam.d/ocserv:

```
# PAM Configuration for OpenConnect Server
# Created by tony, 11/13/13
# This is designed to work with RADIUS PAM Module
auth required /lib/security/pam_radius_auth.so
account required /lib/security/pam_radius_auth.so
```

Of course, the RADIUS server details still have to be added to /etc/pam_radius_auth.conf.
25
chinni 2015-03-26 17:12:32 +08:00
26
ghovik 2015-03-26 18:30:10 +08:00
@chinni Thanks!
Could you help me look at the log? I'm getting a bit desperate and can't sort it out:

```
Foreground mode.
2015-03-26 18:19:48: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2015-03-26 18:19:48: INFO: @(#)This product linked OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
2015-03-26 18:19:48: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2015-03-26 18:19:48: INFO: Resize address pool from 0 to 100
2015-03-26 18:19:48: INFO: [VPS IP][4500] used for NAT-T
2015-03-26 18:19:48: INFO: [VPS IP][4500] used as isakmp port (fd=7)
2015-03-26 18:19:48: INFO: [VPS IP][500] used for NAT-T
2015-03-26 18:19:48: INFO: [VPS IP][500] used as isakmp port (fd=8)
2015-03-26 18:19:58: INFO: respond new phase 1 negotiation: [VPS IP][500]<=>[home IP][9950]
2015-03-26 18:19:58: INFO: begin Aggressive mode.
2015-03-26 18:19:58: INFO: received broken Microsoft ID: FRAGMENTATION
2015-03-26 18:19:58: INFO: received Vendor ID: RFC 3947
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2015-03-26 18:19:58: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2015-03-26 18:19:58: INFO: received Vendor ID: CISCO-UNITY
2015-03-26 18:19:58: INFO: received Vendor ID: DPD
2015-03-26 18:19:58: [[home IP]] INFO: Selected NAT-T version: RFC 3947
2015-03-26 18:19:58: INFO: Adding remote and local NAT-D payloads.
2015-03-26 18:19:58: [[home IP]] INFO: Hashing [home IP][9950] with algo #2 (NAT-T forced)
2015-03-26 18:19:58: [[VPS IP]] INFO: Hashing [VPS IP][500] with algo #2 (NAT-T forced)
2015-03-26 18:19:58: INFO: Adding xauth VID payload.
2015-03-26 18:19:58: INFO: NAT-T: ports changed to: [home IP][31334]<->[VPS IP][4500]
2015-03-26 18:19:58: INFO: NAT-D payload #0 doesn't match
2015-03-26 18:19:58: INFO: NAT-D payload #1 doesn't match
2015-03-26 18:19:58: [[home IP]] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2015-03-26 18:19:58: INFO: NAT detected: ME PEER
2015-03-26 18:19:58: INFO: Sending Xauth request
2015-03-26 18:19:58: INFO: ISAKMP-SA established [VPS IP][4500]-[home IP][31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:19:58: INFO: Using port 0
2015-03-26 18:19:58: INFO: login succeeded for user "vpn"
```

After less than half a minute the iPhone shows "negotiation with the VPN server failed", and a short while later the following appears:

```
2015-03-26 18:20:53: [[home IP]] INFO: DPD: remote (ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e) seems to be dead.
2015-03-26 18:20:53: INFO: purging ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
2015-03-26 18:20:53: INFO: purged ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
2015-03-26 18:20:53: INFO: ISAKMP-SA deleted [VPS IP][4500]-[home IP][31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:20:53: INFO: Released port 0
```

Here is my configuration.

/etc/racoon/racoon.conf:

```
log info;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
    isakmp <server IP address> [500];
    isakmp_natt <server IP address> [4500];
}

remote anonymous {
    exchange_mode main,aggressive;
    mode_cfg on;
    proposal_check claim;   # override client-side settings such as lifetime
    nat_traversal force;
    generate_policy unique;
    ike_frag on;
    passive off;
    dpd_delay 30;
    proposal {
        lifetime time 12 hour;   ## set a fairly long time so OS X doesn't drop once an hour
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group modp1024;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    pfs_group 2;
    lifetime time 100 hour;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.4.4,8.8.8.8;
    save_passwd on;
    banner "/etc/racoon/motd";
    network4 10.100.0.10;
    netmask4 255.255.255.0;
    pool_size 100;
    pfs_group 2;
}
```

/etc/racoon/psk.txt:

```
group group_password
```

Many thanks!
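As an added example (not from anyone in this thread), a small Python triage script for racoon logs like the one quoted above: it records which IKEv1 milestones the log reached and reports where the tunnel setup stalled. The sample lines are constructed from the post; the phase-2 message patterns ("respond new phase 2 negotiation", "IPsec-SA established") are assumed from racoon's usual wording and do not appear in the post.

```python
import re

# Constructed sample lines modelled on the racoon log quoted in the post above
# (the poster's IP redactions kept as placeholders; not a real capture).
SAMPLE_LOG = """\
2015-03-26 18:19:58: INFO: respond new phase 1 negotiation: [VPS IP][500]<=>[home IP][9950]
2015-03-26 18:19:58: INFO: NAT detected: ME PEER
2015-03-26 18:19:58: INFO: Sending Xauth request
2015-03-26 18:19:58: INFO: ISAKMP-SA established [VPS IP][4500]-[home IP][31334] spi:2214689180cd369e:af93ce0f86f5d50e
2015-03-26 18:19:58: INFO: login succeeded for user "vpn"
2015-03-26 18:20:53: [[home IP]] INFO: DPD: remote (ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e) seems to be dead.
2015-03-26 18:20:53: INFO: purging ISAKMP-SA spi=2214689180cd369e:af93ce0f86f5d50e.
"""

# Milestones of one IKEv1 XAuth/mode-cfg connection, in the order racoon reports them.
# The phase-2 patterns are assumed from racoon's usual wording; they do not occur in the post.
MILESTONES = {
    "phase1_established": re.compile(r"ISAKMP-SA established"),
    "xauth_ok":           re.compile(r'login succeeded for user "([^"]+)"'),
    "nat_detected":       re.compile(r"NAT detected: (ME|PEER|ME PEER)"),
    "phase2_started":     re.compile(r"respond new phase 2 negotiation"),
    "phase2_established": re.compile(r"IPsec-SA established"),
    "dpd_dead":           re.compile(r"DPD: remote .* seems to be dead"),
}


def analyze(log_text):
    """Return which milestones appear in the log, keyed by the MILESTONES names."""
    seen = {name: False for name in MILESTONES}
    for line in log_text.splitlines():
        for name, pat in MILESTONES.items():
            if pat.search(line):
                seen[name] = True
    return seen


def diagnose(seen):
    """Map the milestone set to a short verdict on where the tunnel setup stalled."""
    if not seen["phase1_established"]:
        return "phase1-failed"           # IKE SA never came up: PSK, proposal or port problem
    if not seen["xauth_ok"]:
        return "xauth-failed"            # IKE SA up, but user authentication was rejected
    if seen["phase2_established"]:
        return "ok"                      # ESP SA negotiated; the data plane should work
    if seen["dpd_dead"]:
        # Exactly the pattern in the post: phase 1 and XAuth fine, no phase 2 at all,
        # the client gives up and DPD reaps the ISAKMP SA about a minute later.
        return "stalled-before-phase2"
    return "incomplete"
```

A "stalled-before-phase2" verdict points at everything after authentication (quick-mode proposals, ESP/NAT-T reachability, kernel IPsec support on the host) rather than at the PSK or the user credentials.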
28
ghovik 2015-03-26 22:40:55 +08:00
@chinni Thanks for the reply!
Yes, the log shows that user 'vpn' logged in successfully, but the phone keeps showing "connecting" and after a while says the negotiation failed.. Is there something wrong with my settings?

iptables settings and port forwarding:

```
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.100.0.0/24 -j ACCEPT
iptables --table nat --append POSTROUTING -o eth0 --jump MASQUERADE
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```
30
ghovik 2015-03-29 21:59:11 +08:00