forked from kimiazhu/vpns
-
Notifications
You must be signed in to change notification settings - Fork 1
/
cisco_ipsec.sh
336 lines (309 loc) · 14.8 KB
/
cisco_ipsec.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
#!/bin/bash
clear
echo "======================================================";
echo " 欢迎您使用Casio IPSec VPN一键安装脚本"
echo "[提示] 经测试支持如下系统:CentOS/Ubuntu/Debian/Fedora"
echo " 并支持x86/64位版本,以及全部常用版本"
echo " Written by Lokyshin"
echo " http://lokyshin.com"
echo " Ver 2.0"
echo "======================================================";
echo ""
function ConfirmSys()
{
echo "[提示] 请确认您的系统: (1~4)"
select selectedSys in 'CentOS' 'Ubuntu' 'Debian' 'Fedora'; do break; done
if [ "$selectedSys" == 'CentOS' -o "$selectedSys" == 'Ubuntu' -o "$selectedSys" == 'Debian' -o "$selectedSys" == 'Fedora' ]; then
echo "您选择的系统为:${selectedSys}"
else
echo "您输入了错误选项"
exit
fi
}
function ConfirmCore()
{
echo "[提示] 请确认您的内核: (1~2)"
select selectedCore in 'Xen/KVM' 'OpenVZ'; do break; done
if [ "$selectedCore" == 'Xen/KVM' -o "$selectedCore" == 'OpenVZ' ]; then
echo "您确认的内核为:${selectedCore}"
else
echo "您输入了错误选项"
exit
fi
}
function ConfirmAgain()
{
echo "[提示] 请再次确认上面的选择是否正确: (1~2)"
select selectedAgain in '正确' '错误'; do break; done
if [ "$selectedAgain" == '错误' ]; then
echo "您输入了错误选项,即将退出。"
exit
fi
}
#开始编译安装Strongswan
ConfirmSys;
ConfirmCore;
ConfirmAgain;
echo "#开始编译安装Strongswan"
if [ "$selectedSys" == 'Ubuntu' -o "$selectedSys" == 'Debian' ]; then
apt-get update -y
apt-get install libpam0g-dev libssl-dev make gcc
else
yum update -y
yum install pam-devel openssl-devel make gcc
fi
wget http://download.strongswan.org/strongswan.tar.gz --no-check-certificate
tar xzf strongswan.tar.gz
cd strongswan-*
if [ "$selectedCore" == 'OpenVZ' ]; then
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec
else
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp
fi
make; make install
clear
ipsec version
echo ""
echo "如您看到了Ipsec的版本信息,代表Ipsec工作正常。"
#开始配置证书
echo "#开始配置证书"
echo "签名CA证书"
echo -n "请输入现在服务器ip地址或域名(请务必准确):"
read CNsan
echo -n "请输入您生成pkcs12证书名(任意):"
read pkcsname
echo "[提示] 接下来设置两次证书密码,请注意字符不显示。"
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=VPN CA" --ca --outform pem >ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=CNsan" --san=\"$CNsan\" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=myvpn, CN=VPN Client" --outform pem > client.cert.pem
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "VPN CA" -out client.cert.p12
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem /usr/local/etc/ipsec.d/private/
echo "完成。"
#开始配置Strongswan
echo "配置Strongswan..."
chmod -R 777 /usr/local/etc/ipsec.conf
echo "config setup" > /usr/local/etc/ipsec.conf
echo " uniqueids=never" >> /usr/local/etc/ipsec.conf
echo " " >> /usr/local/etc/ipsec.conf
echo "conn iOS_cert" >> /usr/local/etc/ipsec.conf
echo " keyexchange=ikev1" >> /usr/local/etc/ipsec.conf
echo " # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1" >> /usr/local/etc/ipsec.conf
echo " fragmentation=yes" >> /usr/local/etc/ipsec.conf
echo " left=%defaultroute" >> /usr/local/etc/ipsec.conf
echo " leftauth=pubkey" >> /usr/local/etc/ipsec.conf
echo " leftsubnet=0.0.0.0/0" >> /usr/local/etc/ipsec.conf
echo " leftcert=server.cert.pem" >> /usr/local/etc/ipsec.conf
echo " right=%any" >> /usr/local/etc/ipsec.conf
echo " rightauth=pubkey" >> /usr/local/etc/ipsec.conf
echo " rightauth2=xauth" >> /usr/local/etc/ipsec.conf
echo " rightsourceip=10.31.2.0/24" >> /usr/local/etc/ipsec.conf
echo " rightcert=client.cert.pem" >> /usr/local/etc/ipsec.conf
echo " auto=add" >> /usr/local/etc/ipsec.conf
echo " " >> /usr/local/etc/ipsec.conf
echo "conn android_xauth_psk" >> /usr/local/etc/ipsec.conf
echo " keyexchange=ikev1" >> /usr/local/etc/ipsec.conf
echo " left=%defaultroute" >> /usr/local/etc/ipsec.conf
echo " leftauth=psk" >> /usr/local/etc/ipsec.conf
echo " leftsubnet=0.0.0.0/0" >> /usr/local/etc/ipsec.conf
echo " right=%any" >> /usr/local/etc/ipsec.conf
echo " rightauth=psk" >> /usr/local/etc/ipsec.conf
echo " rightauth2=xauth" >> /usr/local/etc/ipsec.conf
echo " rightsourceip=10.31.2.0/24" >> /usr/local/etc/ipsec.conf
echo " auto=add" >> /usr/local/etc/ipsec.conf
echo " " >> /usr/local/etc/ipsec.conf
echo "conn networkmanager-strongswan" >> /usr/local/etc/ipsec.conf
echo " keyexchange=ikev2" >> /usr/local/etc/ipsec.conf
echo " left=%defaultroute" >> /usr/local/etc/ipsec.conf
echo " leftauth=pubkey" >> /usr/local/etc/ipsec.conf
echo " leftsubnet=0.0.0.0/0" >> /usr/local/etc/ipsec.conf
echo " leftcert=server.cert.pem" >> /usr/local/etc/ipsec.conf
echo " right=%any" >> /usr/local/etc/ipsec.conf
echo " rightauth=pubkey" >> /usr/local/etc/ipsec.conf
echo " rightsourceip=10.31.2.0/24" >> /usr/local/etc/ipsec.conf
echo " rightcert=client.cert.pem" >> /usr/local/etc/ipsec.conf
echo " auto=add" >> /usr/local/etc/ipsec.conf
echo " " >> /usr/local/etc/ipsec.conf
echo "conn windows7" >> /usr/local/etc/ipsec.conf
echo " keyexchange=ikev2" >> /usr/local/etc/ipsec.conf
echo " ike=aes256-sha1-modp1024!" >> /usr/local/etc/ipsec.conf
echo " rekey=no" >> /usr/local/etc/ipsec.conf
echo " left=%defaultroute" >> /usr/local/etc/ipsec.conf
echo " leftauth=pubkey" >> /usr/local/etc/ipsec.conf
echo " leftsubnet=0.0.0.0/0" >> /usr/local/etc/ipsec.conf
echo " leftcert=server.cert.pem" >> /usr/local/etc/ipsec.conf
echo " right=%any" >> /usr/local/etc/ipsec.conf
echo " rightauth=eap-mschapv2" >> /usr/local/etc/ipsec.conf
echo " rightsourceip=10.31.2.0/24" >> /usr/local/etc/ipsec.conf
echo " rightsendcert=never" >> /usr/local/etc/ipsec.conf
echo " eap_identity=%any" >> /usr/local/etc/ipsec.conf
echo " auto=add" >> /usr/local/etc/ipsec.conf
echo "完成。"
chmod -R 644 /usr/local/etc/ipsec.conf
echo "配置Strongswan的配置文件..."
chmod -R 777 /usr/local/etc/strongswan.conf
echo "charon {" > /usr/local/etc/strongswan.conf
echo " load_modular = yes" >> /usr/local/etc/strongswan.conf
echo " duplicheck.enable = no" >> /usr/local/etc/strongswan.conf
echo " compress = yes" >> /usr/local/etc/strongswan.conf
echo " plugins {" >> /usr/local/etc/strongswan.conf
echo " include strongswan.d/charon/*.conf" >> /usr/local/etc/strongswan.conf
echo " }" >> /usr/local/etc/strongswan.conf
echo " dns1 = 8.8.8.8" >> /usr/local/etc/strongswan.conf
echo " dns2 = 8.8.4.4" >> /usr/local/etc/strongswan.conf
echo " nbns1 = 8.8.8.8" >> /usr/local/etc/strongswan.conf
echo " nbns2 = 8.8.4.4" >> /usr/local/etc/strongswan.conf
echo "}" >> /usr/local/etc/strongswan.conf
echo "include strongswan.d/*.conf" >> /usr/local/etc/strongswan.conf
echo "完成。"
chmod -R 600 /usr/local/etc/strongswan.conf
#开始配置PSK和XAUTH,以及用户名和密码
echo "#开始配置PSK和XAUTH,以及用户名和密码"
rm /usr/local/etc/ipsec.secrets -f
touch /usr/local/etc/ipsec.secrets
chmod -R 777 /usr/local/etc/ipsec.secrets
echo -n "输入您想配置的PSK(秘钥):"
read mypsk
echo -n "输入您想配置的XAUTH(授权方式):"
read myxauth
echo ": RSA server.pem" >> /usr/local/etc/ipsec.secrets
echo ": PSK \"$mypsk\"" >> /usr/local/etc/ipsec.secrets
echo ": XAUTH \"$myxauth\"" >> /usr/local/etc/ipsec.secrets
for ((i=1;i<1000;i++))
do
echo -n "输入您想配置的用户名:"
read name[$i]
echo -n "输入该用户的对应密码:"
read psw[$i]
echo "${name[$i]} %any : EAP \"${psw[$i]}\"" >> /usr/local/etc/ipsec.secrets
echo -n "需要追加用户请直接回车,如不需要请输入n并回车。"
read addconfirm
if [ "$addconfirm" == 'n' ]; then
n=$i
i=2000
fi
done
echo "完成。"
chmod -R 644 /usr/local/etc/ipsec.secrets
#开始配置防火墙
echo "#开始配置防火墙"
chmod -R 777 /etc/sysctl.conf
sed -i '/Controls IP packet forwarding/d' /etc/sysctl.conf
sed -i '/net.ipv4.ip_forward/d' /etc/sysctl.conf
echo "# Controls IP packet forwarding" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
chmod -R 644 /etc/sysctl.conf
sysctl -p
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT
if [ "$selectedCore" == 'OpenVZ' ]; then
iptables -A INPUT -i venet0 -p esp -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE
else
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE
fi
if [ "$selectedSys" == 'Ubuntu' -o "$selectedSys" == 'Debian' ]; then
rm /etc/iptables.rules -f
touch /etc/iptables.rules
chmod -R 777 /etc/iptables.rules
rm /etc/network/if-up.d/iptables -f
touch /etc/network/if-up.d/iptables
chmod -R 777 /etc/network/ip-up.d/iptables
iptables-save >> /etc/iptables.rules
cat > /etc/network/if-up.d/iptables<<EOF
#!/bin/sh
iptables-restore << /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
else
service iptables save
fi
chmod -R 644 /etc/iptables.rules
echo "完成。"
#在登陆目录生成开机手动启动文件
echo "#在登陆目录生成开机手动启动文件"
cd ~
echo "#!/bin/bash" > startvpn.sh
echo "echo \"Starting Cisco Ipsec VPN ...\"" >> startvpn.sh
if [ "$selectedSys" == 'Ubuntu' -o "$selectedSys" == 'Debian' ]; then
echo "ipsec restart" >> startvpn.sh
else
echo "ipsec restart" >> startvpn.sh
fi
echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> startvpn.sh
echo "iptables -A FORWARD -s 10.31.0.0/24 -j ACCEPT" >> startvpn.sh
echo "iptables -A FORWARD -s 10.31.1.0/24 -j ACCEPT" >> startvpn.sh
echo "iptables -A FORWARD -s 10.31.2.0/24 -j ACCEPT" >> startvpn.sh
if [ "$selectedCore" == 'OpenVZ' ]; then
echo "iptables -A INPUT -i venet0 -p esp -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT" >> startvpn.sh
echo "iptables -A FORWARD -j REJECT" >> startvpn.sh
echo "iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE" >> startvpn.sh
echo "iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE" >> startvpn.sh
echo "iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE" >> startvpn.sh
else
echo "iptables -A INPUT -i eth0 -p esp -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT" >> startvpn.sh
echo "iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT" >> startvpn.sh
echo "iptables -A FORWARD -j REJECT" >> startvpn.sh
echo "iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE" >> startvpn.sh
echo "iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE" >> startvpn.sh
echo "iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE" >> startvpn.sh
fi
echo "echo \"Cisco Ipsec VPN has been launched on your server now.\"" >> startvpn.sh
chmod -R 775 startvpn.sh
./startvpn.sh
clear
echo "======================================================";
echo " 恭喜您 已成功安装Casio IPSec VPN"
echo "[提示] 经测试支持如下系统:CentOS/Ubuntu/Debian/Fedora"
echo " 并支持x86/64位版本,以及全部常用版本"
echo " Written by Lokyshin"
echo " http://lokyshin.com"
echo " Ver 2.0"
echo "------------------------------------------------------"
echo " 您的配置如下"
echo "------------------------------------------------------"
echo " | PSK | XAUTH | 用户名 | 密 码 | "
for ((i=1;i<n+1;i++))
do
echo " | $mypsk | $myxauth| ${name[$i]} | ${psw[$i]} | "
done
echo "------------------------------------------------------"
echo "如您使用CentOS/Fedora,建议您重启系统以便优化内存占用。"
echo "每次重启服务器后,不要忘了手动运行bash startvpn.sh"
echo "您的用户配置文件位置在/usr/local/etc/ipsec.secrets"
echo "======================================================";
echo ""