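#!/usr/bin/env bash
# Stand up a racoon (ipsec-tools) IKEv1 XAUTH+PSK "road-warrior" VPN gateway on a
# dnf-based host: install the package, open the firewall and enable forwarding,
# write racoon.conf, provision the pre-shared key and one XAUTH user, start the
# daemon.
#
# Inputs (environment, all optional):
#   RACOON_GROUP_ID   identifier clients send to select the PSK (default: racoon)
#   RACOON_PSK        group pre-shared key; a random one is generated if unset
#   RACOON_XAUTH_USER XAUTH login (default: racoon)
#   RACOON_XAUTH_PASS XAUTH password; a random one is generated if unset
#
# Security notes:
#   * The original version hardcoded PSK "racoon" and password "racoon"; anyone who
#     could read the script could join the VPN. Secrets are now supplied or
#     generated, written only to root-owned 0600 files, and printed once to stderr
#     when generated so the operator can hand them to clients.
#   * ipsec-tools/racoon is unmaintained upstream. Prefer strongSwan or libreswan
#     (IKEv2) for new deployments; racoon is kept here only because this setup
#     targets it.
#   * Aggressive-mode IKEv1 with PSK exposes a hash of the PSK to anyone who can
#     talk to udp/500, so a long random PSK is the only real defence.
set -euo pipefail

readonly racoon_dir=/etc/racoon
readonly conf="${racoon_dir}/racoon.conf"
readonly psk_file="${racoon_dir}/psk.txt"

group_id=${RACOON_GROUP_ID:-racoon}
xauth_user=${RACOON_XAUTH_USER:-racoon}
generated=()
if [[ -z "${RACOON_PSK:-}" ]]; then
  RACOON_PSK=$(head -c 32 /dev/urandom | base64 -w0)
  generated+=("PSK (group id ${group_id}): ${RACOON_PSK}")
fi
if [[ -z "${RACOON_XAUTH_PASS:-}" ]]; then
  RACOON_XAUTH_PASS=$(head -c 24 /dev/urandom | base64 -w0)
  generated+=("XAUTH password (user ${xauth_user}): ${RACOON_XAUTH_PASS}")
fi

dnf install -y ipsec-tools

# Open IKE (udp/500) and NAT-T (udp/4500) and masquerade client traffic out of the
# default zone; --reload copies the permanent config into the running one.
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

# Masquerading does nothing unless the kernel forwards packets. firewalld usually
# flips this on for a masquerading zone, but make it explicit and persistent.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ipsec-forward.conf
sysctl -q -w net.ipv4.ip_forward=1

# Keep any previous configuration; the original silently overwrote a .001 backup.
if [[ -e "$conf" ]]; then
  cp -a -- "$conf" "${conf}.$(date +%Y%m%d%H%M%S).bak"
fi

# Quoted delimiter: nothing in the config is meant to be expanded by the shell.
cat > "$conf" <<'EOF'
log info;
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

# One catch-all phase-1 profile for roaming clients at unknown addresses.
remote anonymous {
        # Aggressive mode is what most legacy mobile IKEv1 clients use with a
        # group id + PSK; it leaks a PSK hash to any peer, so the PSK must be
        # long and random. Drop "aggressive" (and "base") if every client can do
        # main mode.
        exchange_mode base,main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        # NOTE(review): no peers_identifier is configured; confirm this still
        # negotiates with anonymous peers, or pin it to the group id.
        verify_identifier on;
        # Tolerates clients that do not fully validate phase 1; needed for some
        # broken clients, otherwise leave off.
        weak_phase1_check on;
        ike_frag on;
        #esp_frag 552;
        initial_contact on;
        # Responder only: this host never initiates to clients.
        passive on;
        proposal_check obey;
        # support_proxy + generate_policy let each client's tunnel policy be
        # created on the fly instead of being listed in setkey.
        support_proxy on;
        generate_policy unique;
        nat_traversal on;
        # DPD: 30 s delay/retry with 800 failures means a dead peer is only
        # declared after many hours; lower dpd_maxfail if stale SAs are a problem.
        dpd_delay = 30;
        dpd_retry = 30;
        dpd_maxfail = 800;
        rekey off;
        nonce_size 21;
        mode_cfg = on;

        # Proposals are tried in order; the first is what current clients should
        # use. The second keeps the original 3DES/SHA-1/group-2 set so existing
        # clients keep working -- remove it once they are reconfigured.
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method xauth_psk_server;
                dh_group 14;
                lifetime time 24 hour;
        }
        proposal {
                # legacy: 3des + sha1 + modp1024 are all considered weak today
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
                lifetime time 24 hour;
        }
}

timer {
        counter 5;
        interval 10 sec;
        persend 1;
        phase1 15 sec;
        phase2 10 sec;
        natt_keepalive 20 sec;
}

listen {
        # Bind to explicit addresses to avoid answering IKE on every interface.
        # isakmp 192.168.1.73 [500];
        # isakmp_natt 192.168.1.73 [4500];
        # strict_address;
}

# Phase-2 (ESP) parameters for every client.
sainfo anonymous {
        lifetime time 24 hour ;
        # Strongest first; 3des/blowfish kept for the original client set.
        encryption_algorithm aes,3des,blowfish;
        authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
        remoteid 0;
        # Must match the group clients actually use for PFS. The original had
        # modp8192 here but pushed group 2 to clients in mode_cfg, which makes
        # phase 2 fail on a PFS mismatch. Raise both this and mode_cfg pfs_group
        # to 14 together once clients support it.
        pfs_group 2;
        compression_algorithm deflate;
}

padding {
        randomize on;
        randomize_length on;
        maximum_length 26;
        exclusive_tail on;
        # The original listed "strict_check on;" immediately followed by
        # "strict_check off;"; only the latter was intended.
        strict_check off;
}

# Settings pushed to clients after XAUTH succeeds.
mode_cfg {
        banner "/etc/racoon/motd";
        #auth_source pam;
        # XAUTH users are local system accounts (see useradd below).
        auth_source system;
        accounting system;
        conf_source local;
        pfs_group 2;
        default_domain "localhost";
        network4 192.168.100.1;
        netmask4 255.255.255.0;
        dns4 8.8.8.8,8.8.4.4;
        # wins4 was set to the Google DNS resolvers, which are not WINS servers;
        # set it only if a real WINS server exists.
        #wins4 192.0.2.1;
        pool_size 254;
        # Lets clients cache the XAUTH password; turn off if that violates policy.
        save_passwd on;
}
EOF

install -d -m 0700 -- "${racoon_dir}/scripts"
printf 'success\n' > "${racoon_dir}/motd"

# racoon refuses (or should refuse) a PSK file readable by others, and the key is
# the only thing standing between the internet and this VPN: root-only, 0600.
if [[ ! -e "$psk_file" ]]; then
  install -m 0600 -o root -g root /dev/null "$psk_file"
fi
chmod 0600 -- "$psk_file"
chown root:root -- "$psk_file"
# Same append semantics as before so pre-existing entries survive; re-running
# with the same group id will add a second line, which racoon resolves first-match.
printf '%s %s\n' "$group_id" "$RACOON_PSK" >> "$psk_file"

# XAUTH account: no shell, never able to log in locally; only racoon's
# auth_source system consults its password.
if ! id -u -- "$xauth_user" >/dev/null 2>&1; then
  useradd -m -s /sbin/nologin -- "$xauth_user"
fi
# chpasswd reads from stdin so the password never appears in argv.
printf '%s:%s\n' "$xauth_user" "$RACOON_XAUTH_PASS" | chpasswd

systemctl enable --now racoon

if (( ${#generated[@]} > 0 )); then
  printf 'Generated credentials (shown once, not stored elsewhere):\n' >&2
  printf '  %s\n' "${generated[@]}" >&2
fi

# Debugging -- these block, so run them by hand instead of at the end of the script:
#   journalctl -fu racoon          (or: tail -f /var/log/messages)
#   tcpdump -ni any 'udp port 500 or udp port 4500 or esp'
# If clients connect but have no internet, check in this order: net.ipv4.ip_forward
# is 1; masquerade is on the zone holding the uplink interface; the client got an
# address from 192.168.100.0/24 and a usable dns4; phase 2 completed (look for
# "pfs group mismatched" / "no proposal chosen" in the log).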
After completing this configuration, VPN clients could not reach the internet; the cause was not identified. (Points worth checking: that the kernel forwards packets (net.ipv4.ip_forward=1) and masquerade is applied on the uplink zone; that /etc/racoon/psk.txt is root-owned mode 0600, which racoon requires; and that phase 2 actually completes — the sainfo pfs_group (modp8192) and the mode_cfg pfs_group (2) above disagree, which can cause a PFS-group mismatch.)