#!/bin/bash
# Interactive one-click installer for a strongSwan based "Cisco IPsec" style
# VPN. It asks for the distribution, the virtualisation type, certificate
# details, a PSK and user credentials, then builds strongSwan from source,
# writes /usr/local/etc/ipsec.conf, strongswan.conf and ipsec.secrets, opens
# the firewall and generates ~/startvpn.sh.
clear
# Welcome banner (quoted delimiter: nothing inside is expanded).
cat <<'BANNER'
======================================================
 欢迎您使用Casio IPSec VPN一键安装脚本
[提示] 经测试支持如下系统:CentOS/Ubuntu/Debian/Fedora
 并支持x86/64位版本,以及全部常用版本
 Written by Lokyshin
 http://lokyshin.com
 Ver 2.0
======================================================

BANNER
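# Ask which distribution this is and record it in the global selectedSys
# (one of CentOS/Ubuntu/Debian/Fedora). The choice is read from stdin via
# select; an out-of-range or empty answer leaves selectedSys empty, which
# now aborts with exit status 1 (the original exited with status 0, so a
# caller could not tell failure from success).
ConfirmSys() {
  echo "[提示] 请确认您的系统: (1~4)"
  select selectedSys in 'CentOS' 'Ubuntu' 'Debian' 'Fedora'; do break; done
  case "$selectedSys" in
    CentOS|Ubuntu|Debian|Fedora)
      echo "您选择的系统为:${selectedSys}"
      ;;
    *)
      echo "您输入了错误选项" >&2
      exit 1
      ;;
  esac
}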
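# Ask which virtualisation type the host runs under and record it in the
# global selectedCore ('Xen/KVM' or 'OpenVZ'); later sections use it to pick
# the configure flags and the public interface name. An invalid or empty
# choice aborts with exit status 1 instead of continuing with an empty value.
ConfirmCore() {
  echo "[提示] 请确认您的内核: (1~2)"
  select selectedCore in 'Xen/KVM' 'OpenVZ'; do break; done
  case "$selectedCore" in
    'Xen/KVM'|OpenVZ)
      echo "您确认的内核为:${selectedCore}"
      ;;
    *)
      echo "您输入了错误选项" >&2
      exit 1
      ;;
  esac
}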
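# Final confirmation of the two previous answers. Only an explicit '正确'
# lets the script go on; '错误' or any invalid/empty choice aborts with exit
# status 1. (The original only aborted on '错误', so mistyping the number
# silently continued into the installation.)
ConfirmAgain() {
  echo "[提示] 请再次确认上面的选择是否正确: (1~2)"
  select selectedAgain in '正确' '错误'; do break; done
  if [[ "$selectedAgain" != '正确' ]]; then
    echo "您输入了错误选项,即将退出。" >&2
    exit 1
  fi
}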
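#开始编译安装Strongswan
ConfirmSys
ConfirmCore
ConfirmAgain

echo "#开始编译安装Strongswan"
# Build dependencies: apt-get on Debian/Ubuntu, yum on CentOS/Fedora.
if [[ "$selectedSys" == 'Ubuntu' || "$selectedSys" == 'Debian' ]]; then
  sudo apt-get update
  sudo apt-get install libpam0g-dev libssl-dev make gcc
else
  yum update
  yum install pam-devel openssl-devel make gcc
fi

# Fetch the strongSwan source. The original pulled it over plain HTTP and
# then built and installed it as root, so an on-path attacker could hand us
# a trojaned tarball; use TLS at least. Stronger: also fetch the matching
# strongswan.tar.gz.sig and verify it with the strongSwan release signing
# key (gpg --verify) before unpacking.
strongswan_url='https://download.strongswan.org/strongswan.tar.gz'
wget -O strongswan.tar.gz "$strongswan_url" || { echo "下载 strongSwan 失败" >&2; exit 1; }
tar xzf strongswan.tar.gz || { echo "解压 strongSwan 失败" >&2; exit 1; }
# Without this guard a failed cd would run ./configure and make install in
# whatever directory we happen to be in.
cd strongswan-*/ || { echo "未找到 strongSwan 源码目录" >&2; exit 1; }

# configure flags shared by both virtualisation types (the original listed
# them twice, with --enable-openssl repeated).
configure_opts=(
  --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2
  --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc
  --enable-eap-dynamic --enable-eap-radius
  --enable-xauth-eap --enable-xauth-pam
  --enable-dhcp --enable-openssl --enable-addrblock --enable-unity
  --enable-certexpire --enable-radattr --enable-tools --disable-gmp
)
# On OpenVZ the original additionally enables the userland IPsec backend
# (container kernels typically do not offer kernel IPsec).
if [[ "$selectedCore" == 'OpenVZ' ]]; then
  configure_opts+=(--enable-kernel-libipsec)
fi
./configure "${configure_opts[@]}" || { echo "configure 失败" >&2; exit 1; }
# Compile as the invoking user; only the install step needs root.
make || { echo "make 失败" >&2; exit 1; }
sudo make install || { echo "make install 失败" >&2; exit 1; }
clear
ipsec version
echo ""
echo "如您看到了Ipsec的版本信息,代表Ipsec工作正常。"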
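#开始配置证书
echo "#开始配置证书"
echo "签名CA证书"
echo -n "请输入现在服务器ip地址或域名(请务必准确):"
read -r CNsan
echo -n "请输入您生成pkcs12证书名(任意):"
read -r pkcsname
# The server certificate is issued for this name; an empty value would
# produce a certificate no client can match.
if [[ -z "$CNsan" ]]; then
  echo "服务器地址或域名不能为空" >&2
  exit 1
fi
echo "[提示] 接下来设置两次证书密码,请注意字符不显示。"

# Keys are written through shell redirection and therefore get the process
# umask; make them owner-only for this section. (The original left the CA,
# server and client private keys world-readable in the build directory.)
old_umask=$(umask)
umask 077

# CA key and self-signed CA certificate.
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=VPN CA" --ca --outform pem > ca.cert.pem

# Server key and certificate. CN and SAN must be the address clients dial:
# the original wrote the literal string "CNsan" as the CN and wrapped the
# SAN in literal double quotes, so neither matched the real host name.
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com, O=myvpn, CN=${CNsan}" --san "$CNsan" \
      --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

# Client key and certificate, bundled into a PKCS#12 for import on the
# device. The friendly name comes from the prompt above (the original read
# pkcsname but never used it); the file name stays client.cert.p12.
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com, O=myvpn, CN=VPN Client" --outform pem > client.cert.pem
openssl pkcs12 -export -inkey client.pem -in client.cert.pem \
  -name "${pkcsname:-client}" -certfile ca.cert.pem -caname "VPN CA" \
  -out client.cert.p12

# Install with explicit modes: certificates are public, the server key is
# root-only. The client's private key only needs to travel inside
# client.cert.p12 and is deliberately not copied onto the server.
sudo install -m 644 ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
sudo install -m 644 server.cert.pem /usr/local/etc/ipsec.d/certs/
sudo install -m 600 server.pem /usr/local/etc/ipsec.d/private/
sudo install -m 644 client.cert.pem /usr/local/etc/ipsec.d/certs/
umask "$old_umask"
echo "[提示] ca.pem 是CA私钥,请妥善离线保存;client.cert.p12 用于客户端导入。"
echo "完成。"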
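#开始配置Strongswan
echo "配置Strongswan..."
# Write /usr/local/etc/ipsec.conf in one go: compose it in a temp file and
# install(1) it with its final mode. The original did chmod 777 on the
# daemon's config, appended to it as the unprivileged user, then chmod 644,
# leaving the file world-writable while the script ran.
#
# Connections defined: iOS_cert (IKEv1, certificate + XAuth),
# android_xauth_psk (IKEv1, group PSK + XAuth), networkmanager-strongswan
# (IKEv2, certificates) and windows7 (IKEv2, EAP-MSCHAPv2). All of them hand
# out addresses from 10.31.2.0/24 and route everything through the VPN.
ipsec_conf_tmp=$(mktemp) || exit 1
cat > "$ipsec_conf_tmp" <<'EOF'
config setup
    # Do not tear down an existing session when the same identity connects
    # again (several devices may share one certificate or user).
    uniqueids=never

conn iOS_cert
    keyexchange=ikev1
    # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

# One PSK is shared by every client of this connection (it is written to
# ipsec.secrets without an identity selector). Anyone holding it can pose as
# the server; prefer the certificate based connections where the client
# platform allows it.
conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.31.2.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.31.2.0/24
    rightcert=client.cert.pem
    auto=add

conn windows7
    keyexchange=ikev2
    # Pinned (trailing '!') to the proposal the Windows 7 built-in client
    # offers by default. SHA-1 and modp1024 (DH group 2) are weak by current
    # standards; raise to e.g. aes256-sha256-modp2048 once clients are
    # configured for a stronger proposal.
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add
EOF
sudo install -m 644 "$ipsec_conf_tmp" /usr/local/etc/ipsec.conf
rm -f "$ipsec_conf_tmp"
echo "完成。"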
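echo "配置Strongswan的配置文件..."
# Same pattern as ipsec.conf: compose in a temp file, install with the
# final (root-only, as in the original chmod 600) mode, never chmod 777.
# dns1/dns2 and nbns1/nbns2 are the resolver/WINS addresses pushed to
# clients (Google public DNS here; change if you run your own resolver).
sw_conf_tmp=$(mktemp) || exit 1
cat > "$sw_conf_tmp" <<'EOF'
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
sudo install -m 600 "$sw_conf_tmp" /usr/local/etc/strongswan.conf
rm -f "$sw_conf_tmp"
echo "完成。"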
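#开始配置PSK和XAUTH,以及用户名和密码
echo "#开始配置PSK和XAUTH,以及用户名和密码"
echo -n "输入您想配置的PSK(秘钥):"
read -r mypsk
echo -n "输入您想配置的XAUTH(授权方式):"
read -r myxauth

# ipsec.secrets holds the group PSK, the XAuth secret and every user's
# password in clear text. Build it in a private temp file and install it
# root-only: the original finished with chmod 644, which let any local
# account read all VPN credentials.
secrets_tmp=$(mktemp) || exit 1
{
  echo ": RSA server.pem"
  # No identity selector: this PSK applies to every peer.
  echo ": PSK \"$mypsk\""
  echo ": XAUTH \"$myxauth\""
} > "$secrets_tmp"

# Collect users. name[i], psw[i] and n are read again by the summary at the
# end of the script, so they stay global; n always ends up as the number of
# users entered (the original only set it when the user typed 'n').
# Values are written unescaped, as in the original, so a password containing
# a double quote or backslash will not round-trip through ipsec.secrets.
n=0
while :; do
  i=$((n + 1))
  echo -n "输入您想配置的用户名:"
  read -r "name[$i]"
  echo -n "输入该用户的对应密码:"
  read -r "psw[$i]"
  echo "${name[$i]} %any : EAP \"${psw[$i]}\"" >> "$secrets_tmp"
  n=$i
  echo -n "需要追加用户请直接回车,如不需要请输入n并回车。"
  read -r addconfirm
  if [[ "$addconfirm" == 'n' ]]; then
    break
  fi
done
echo "完成。"
sudo install -m 600 "$secrets_tmp" /usr/local/etc/ipsec.secrets
rm -f "$secrets_tmp"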
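#开始配置防火墙
echo "#开始配置防火墙"
# Enable IPv4 forwarding persistently. Edit /etc/sysctl.conf through sudo
# rather than making it world-writable (the original did chmod 777, appended
# as the user, then chmod 644).
sudo sed -i '/Controls IP packet forwarding/d' /etc/sysctl.conf
sudo sed -i '/net.ipv4.ip_forward/d' /etc/sysctl.conf
printf '%s\n' '# Controls IP packet forwarding' 'net.ipv4.ip_forward = 1' \
  | sudo tee -a /etc/sysctl.conf > /dev/null
sudo sysctl -p

# Public interface: OpenVZ containers expose venet0; everything else is
# assumed to be eth0, as in the original. Adjust if the NIC is named
# differently.
if [[ "$selectedCore" == 'OpenVZ' ]]; then
  wan_if='venet0'
else
  wan_if='eth0'
fi
# Address pool handed to clients (rightsourceip in ipsec.conf). The original
# also forwarded/masqueraded 10.31.0.0/24 and 10.31.1.0/24, which nothing in
# the configuration uses.
vpn_pool='10.31.2.0/24'

# add_rule [-t TABLE] CHAIN RULE...: append the rule only if an identical one
# is not already present, so re-running this script (and startvpn.sh, which
# repeats these rules) does not pile up duplicates. On an iptables too old
# for -C the check fails and the rule is simply appended, as before.
add_rule() {
  local table=()
  if [[ "$1" == '-t' ]]; then
    table=(-t "$2")
    shift 2
  fi
  sudo iptables "${table[@]}" -C "$@" 2>/dev/null || sudo iptables "${table[@]}" -A "$@"
}

add_rule FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
add_rule FORWARD -s "$vpn_pool" -j ACCEPT
# Only what IKE/IPsec needs: ESP, IKE (UDP 500) and NAT-T (UDP 4500). The
# original also opened TCP 500, UDP 1701 (L2TP) and TCP 1723 (PPTP); nothing
# this script installs listens there.
add_rule INPUT -i "$wan_if" -p esp -j ACCEPT
add_rule INPUT -i "$wan_if" -p udp --dport 500 -j ACCEPT
add_rule INPUT -i "$wan_if" -p udp --dport 4500 -j ACCEPT
add_rule FORWARD -j REJECT
add_rule -t nat POSTROUTING -s "$vpn_pool" -o "$wan_if" -j MASQUERADE

if [[ "$selectedSys" == 'Ubuntu' || "$selectedSys" == 'Debian' ]]; then
  # Persist the rules and restore them when an interface comes up. The
  # original hook ran `iptables-restore << /etc/iptables.rules` — a
  # here-document with an empty body, not a file redirection — so nothing
  # was ever restored at boot. It also chmod'ed a mistyped path
  # (ip-up.d instead of if-up.d).
  sudo iptables-save | sudo tee /etc/iptables.rules > /dev/null
  sudo chmod 644 /etc/iptables.rules
  printf '%s\n' '#!/bin/sh' 'iptables-restore < /etc/iptables.rules' \
    | sudo tee /etc/network/if-up.d/iptables > /dev/null
  sudo chmod 755 /etc/network/if-up.d/iptables
else
  # CentOS/Fedora: no /etc/iptables.rules here, so the chmod the original
  # ran unconditionally is confined to the Debian branch.
  service iptables save
fi
echo "完成。"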
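#在登陆目录生成开机手动启动文件
echo "#在登陆目录生成开机手动启动文件"
cd ~ || exit 1
# Debian/Ubuntu need sudo for ipsec restart; the CentOS/Fedora path in this
# script runs as root already.
if [[ "$selectedSys" == 'Ubuntu' || "$selectedSys" == 'Debian' ]]; then
  ipsec_restart='sudo ipsec restart'
else
  ipsec_restart='ipsec restart'
fi
if [[ "$selectedCore" == 'OpenVZ' ]]; then
  wan_if='venet0'
else
  wan_if='eth0'
fi

# ~/startvpn.sh re-applies the firewall rules and restarts strongSwan; the
# summary tells the user to run it after every reboot. Rules are added via
# a -C check so running it repeatedly (it is also run once right below, on
# top of the rules the install step already added) does not accumulate
# duplicates. Only ESP, UDP 500 and UDP 4500 are opened — the L2TP/PPTP
# ports the original opened are not used by strongSwan. The address pool
# 10.31.2.0/24 is the rightsourceip from ipsec.conf.
{
  printf '%s\n' '#!/bin/bash' 'echo "Starting Cisco Ipsec VPN ..."' "$ipsec_restart"
  cat <<'EOF'
add_rule() {
  local table=()
  if [[ "$1" == '-t' ]]; then
    table=(-t "$2")
    shift 2
  fi
  sudo iptables "${table[@]}" -C "$@" 2>/dev/null || sudo iptables "${table[@]}" -A "$@"
}
EOF
  cat <<EOF
add_rule FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
add_rule FORWARD -s 10.31.2.0/24 -j ACCEPT
add_rule INPUT -i ${wan_if} -p esp -j ACCEPT
add_rule INPUT -i ${wan_if} -p udp --dport 500 -j ACCEPT
add_rule INPUT -i ${wan_if} -p udp --dport 4500 -j ACCEPT
add_rule FORWARD -j REJECT
add_rule -t nat POSTROUTING -s 10.31.2.0/24 -o ${wan_if} -j MASQUERADE
echo "Cisco Ipsec VPN has been launched on your server now."
EOF
} > startvpn.sh
# Executable for the owner, readable for others; not group-writable as the
# original 775 made it.
chmod 755 startvpn.sh
./startvpn.sh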
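clear
cat <<'EOF'
======================================================
 恭喜您 已成功安装Casio IPSec VPN
[提示] 经测试支持如下系统:CentOS/Ubuntu/Debian/Fedora
 并支持x86/64位版本,以及全部常用版本
 Written by Lokyshin
 http://lokyshin.com
 Ver 2.0
------------------------------------------------------
 您的配置如下
------------------------------------------------------
EOF
# List only the user names. The original echoed the PSK, the XAuth secret
# and every password to the terminal, where they end up in scrollback and
# session logs; the values are already on disk in ipsec.secrets.
# name[] and n come from the user-entry loop earlier in the script; n is
# unset if that loop never finished, so default to 0 users.
echo " | 用户名 | "
for ((i = 1; i <= ${n:-0}; i++)); do
  echo " | ${name[$i]} | "
done
cat <<'EOF'
------------------------------------------------------
PSK、XAUTH 及各用户密码不在屏幕上显示,请在下述配置文件中查看。
如您使用CentOS/Fedora,建议您重启系统以便优化内存占用。
每次重启服务器后,不要忘了手动运行bash startvpn.sh
您的用户配置文件位置在/usr/local/etc/ipsec.secrets
======================================================

EOF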