https://computingforgeeks.com/build-ipsec-vpn-server-with-ipsec-l2tp-and-cisco-ipsec-linux/
https://github.com/hwdsl2/setup-ipsec-vpn

Setup IPsec VPN server on Ubuntu 18.04 / Ubuntu 16.04 / Debian

You should have updated your system packages before running the deployment script. This is a fully automated IPsec VPN server setup, no user input needed.

########Start

wget https://git.io/vpnsetup -O vpnsetup.sh
sudo sh vpnsetup.sh

###Next step###Next step###Next step#####

Your VPN login details will be randomly generated and displayed on the screen when finished. If you would like to define your own VPN credentials, edit vpnsetup.sh before execution.

sudo vim vpnsetup.sh

Set your values inside single quotes:

YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''

Then run vpnsetup.sh:

sudo sh vpnsetup.sh

Sample output:

************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
## Creating VPN configuration..
## Updating sysctl settings..
## Updating IPTables rules...
## Enabling services on boot...
## Starting services...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 159.88.127.33
IPsec PSK: EvA6M5wDZw4kbgL8
Username: vpnuser
Password: TNotmZ7EmGyRa2CY
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
================================================

###Next step###Next step###Next step#####

Enable ipsec service to start on boot

sudo systemctl enable ipsec

This deployment includes sysctl.conf optimizations for improved performance.
# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912

All VPN traffic is encapsulated in UDP, so the ESP protocol is not needed.

###Next step###Next step###Next step#####

Manage VPN Users

By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read IPSec VPN User management.

The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets. All VPN users share the same IPsec PSK. You can set a new one by changing the line:

%any %any : PSK "your_new_ipsec_pre_shared_key"

For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:

"your_vpn_username_1" l2tpd "your_vpn_password_1" *
"your_vpn_username_2" l2tpd "your_vpn_password_2" *

For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. The format of this file is:

your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
... ...

Passwords in this file are salted and hashed. This step can be done using e.g. the openssl utility:

# The output will be your_vpn_password_1_hashed
####Important########Important########Important####
# Encrypt (hash) the Cisco IPsec password
openssl passwd -1 'your_vpn_password_1'
####Important########Important########Important####

Finally, restart services if you changed to a new PSK.
sudo service ipsec restart || sudo systemctl restart ipsec
sudo service xl2tpd restart || sudo systemctl restart xl2tpd

To add, edit or remove VPN users, a restart is normally not required.

###Next step###Next step###Next step#####

Connecting your Computer to the VPN

The final step is to connect your computer or device to use the VPN. Refer to the following guides for this.

Configure IPsec/L2TP VPN Clients
Configure IPsec/XAuth (“Cisco IPsec”) VPN Clients
How-To: IKEv2 VPN for Windows 7 and above

If you get an error when trying to connect, see Troubleshooting.

You have installed your very own IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian. Enjoy using it.

###Next step###Next step###Next step#####

================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 1.160.17.66
IPsec PSK: kbtvpn57
Username: hckao
Password: kbt236
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
================================================

Installation process

hckao@h96:~$ sudo sh vpnsetup.sh
[sudo] password for hckao:
## VPN setup in progress... Please be patient.
## Populating apt-get cache...
Hit:2 http://ports.ubuntu.com bionic InRelease
Get:3 http://ports.ubuntu.com bionic-security InRelease [88.7 kB]
Hit:4 http://ports.ubuntu.com bionic-updates InRelease
Hit:5 http://ports.ubuntu.com bionic-backports InRelease
Hit:1 https://apt.armbian.com bionic InRelease
Get:6 http://ports.ubuntu.com bionic-security/main armhf Packages [291 kB]
Get:7 http://ports.ubuntu.com bionic-security/main arm64 Packages [312 kB]
Get:8 http://ports.ubuntu.com bionic-security/universe armhf Packages [459 kB]
Get:9 http://ports.ubuntu.com bionic-security/universe arm64 Packages [507 kB]
Fetched 1658 kB in 4s (415 kB/s)
Reading package lists...
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.arm/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
../../OBJ.linux.arm/testing/ipcheck/ipcheck -> /usr/local/libexec/ipsec/ipcheck
../../OBJ.linux.arm/testing/fmtcheck/fmtcheck -> /usr/local/libexec/ipsec/fmtcheck
../../OBJ.linux.arm/testing/timecheck/timecheck -> /usr/local/libexec/ipsec/timecheck
## Creating VPN configuration...
## Updating sysctl settings...
## Updating IPTables rules...
## Enabling services on boot...
## Starting services...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 36.230.17.62
IPsec PSK: kbtvpn57
Username: hckao
Password: kbt236
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes
Setup VPN clients: https://git.io/vpnclients
================================================
hckao@h96:~$

Key operations

########################################

Enable ipsec service to start on boot

sudo systemctl enable ipsec

This deployment includes sysctl.conf optimizations for improved performance.

#####################################

The IPsec PSK (pre-shared key) is stored in /etc/ipsec.secrets. All VPN users share the same IPsec PSK. You can set a new one by changing the line:

%any %any : PSK "your_new_ipsec_pre_shared_key"

########################################

For IPsec/L2TP, VPN users are specified in /etc/ppp/chap-secrets. The format of this file is:

"your_vpn_username_1" l2tpd "your_vpn_password_1" *
"your_vpn_username_2" l2tpd "your_vpn_password_2" *

###########################

For IPsec/XAuth ("Cisco IPsec"), VPN users are specified in /etc/ipsec.d/passwd. The format of this file is:

your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk
your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk
... ...

Passwords in this file are salted and hashed. This step can be done using e.g. the openssl utility:

# The output will be your_vpn_password_1_hashed
openssl passwd -1 'your_vpn_password_1'

######################################

Finally, restart services if you changed to a new PSK. To add, edit or remove VPN users, a restart is normally not required.

sudo service ipsec restart || sudo systemctl restart ipsec
sudo service xl2tpd restart || sudo systemctl restart xl2tpd

##########################
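
The following Python audit of the three credential files described above is an added example, not code from the setup script or its project. It flags a short shared PSK, short L2TP passwords, XAuth entries that are not salted hashes, and accounts that exist in only one of the two user files (removing a user from one file does not remove the other mode's login). The 16-character minimum, the function names and all sample file contents are assumptions constructed for illustration.

```python
import re

# Assumption: 16 characters, the length of the randomly generated PSK and
# password in the first sample output on this page, is used as the minimum.
MIN_LEN = 16

PSK_RE = re.compile(r'^\s*%any\s+%any\s*:\s*PSK\s+"([^"]*)"')
CHAP_RE = re.compile(r'^\s*"([^"]+)"\s+l2tpd\s+"([^"]*)"\s+\*\s*$')
# crypt(3)-style field: $id$salt$hash, the shape `openssl passwd -1` prints.
CRYPT_RE = re.compile(r'^\$[0-9a-z]{1,2}\$\S+\$\S+$')


def parse_psk(text):
    """Return the PSK from ipsec.secrets content, or None if there is no PSK line."""
    for line in text.splitlines():
        match = PSK_RE.match(line)
        if match:
            return match.group(1)
    return None


def parse_chap(text):
    """Return {username: password} for the l2tpd entries of chap-secrets content."""
    users = {}
    for line in text.splitlines():
        match = CHAP_RE.match(line)
        if match:
            users[match.group(1)] = match.group(2)
    return users


def parse_xauth(text):
    """Return {username: password_field} for xauth-psk entries of ipsec.d/passwd."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[2] == "xauth-psk":
            users[parts[0]] = parts[1]
    return users


def audit(secrets_text, chap_text, passwd_text, min_len=MIN_LEN):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    psk = parse_psk(secrets_text)
    if psk is None:
        findings.append("ipsec.secrets: no PSK line found")
    elif len(psk) < min_len:
        findings.append(
            f"ipsec.secrets: PSK is {len(psk)} chars (< {min_len}); all users share it")
    chap, xauth = parse_chap(chap_text), parse_xauth(passwd_text)
    for user, password in chap.items():
        if len(password) < min_len:
            findings.append(
                f"chap-secrets: password for {user} is {len(password)} chars (< {min_len})")
    for user, field in xauth.items():
        if not CRYPT_RE.match(field):
            findings.append(f"ipsec.d/passwd: entry for {user} is not a salted hash")
    # A user revoked in one file can still log in through the other mode.
    for user in sorted(set(chap) ^ set(xauth)):
        where = "chap-secrets" if user in chap else "ipsec.d/passwd"
        findings.append(f"{user}: present only in {where}")
    return findings


# Constructed sample file contents; the hash is a placeholder, not a real digest.
SAMPLE_SECRETS = '%any  %any  : PSK "shortpsk"\n'
SAMPLE_CHAP = (
    '"alice" l2tpd "Xk3vR9qLm2TzPw7c" *\n'
    '"bob" l2tpd "bob123" *\n'
)
SAMPLE_PASSWD = (
    "alice:$1$saltsalt$abcdefghijklmnopqrstuv:xauth-psk\n"
    "carol:plaintextpw:xauth-psk\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SECRETS, SAMPLE_CHAP, SAMPLE_PASSWD):
        print(finding)
```

To audit a server, read /etc/ipsec.secrets, /etc/ppp/chap-secrets and /etc/ipsec.d/passwd as root and pass their contents to audit().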