标签 windows 下的文章

windows使用ikev2遇到的坑,及批处理batch脚本和powershell脚本

给公司测试ikev2 vpn,mac和ios一切正常,但是发现windows手动添加vpn有不少坑,总结一下,并附上批处理脚本(实际调用powershell)
以下在windows10下测试,ikev2服务器使用ubuntu下strongswan,代理所有路由,ikev2服务器安装脚本见之前文章https://www.willnet.net/index.php/archives/100/

坑1:
windows默认不支持DH2048_AES256协商协议
现象:提示策略匹配错误
解决办法:添加注册表项,不需要重启生效

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters里新建类型为DWORD的NegotiateDH2048_AES256 键,值设置为1

0 禁用AES-256-CBC和MODP-2048
1 启用AES-256-CBC和MODP-2048
2 强制使用AES-256-CBC和MODP-2048

坑2:
windows默认不支持Symmetric NAT类型路由器后的ikev2服务器
现象:提示809错误,或者提示路由器不支持nat
解决办法:添加注册表项,并需要重启生效

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent里新建类型为DWORD的AssumeUDPEncapsulationContextOnSendRule 键,值设置为2

0
A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
1
A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
2
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.

坑3:
windows手动添加的vpn默认没有开启默认路由
现象:连接成功,但是对外ip没有改变
解决办法:手动添加修改或者使用powershell新建vpn连接,手动路径:控制面板网络和 Internet网络连接,vpn网卡,属性,网络,ipv4,属性,高级,勾选在远程网络上使用默认网关

坑4:
windows10默认开启了smart multi-homed name resolution功能
现象:有线网络下连接vpn后不使用vpn的dns
解决办法:修改vpn网卡的跃点数,小于有线网卡即可。脚本自动解决待更新

批处理脚本如下,实际是使用批处理调用powershell命令,由于需要修改注册表,需要管理员权限运行

install.cmd

@echo off&PUSHD %~DP0 &TITLE ikev2 VPN安装/卸载程序
mode con cols=160 lines=50
set TempFile_Name=%SystemRoot%\System32\BatTestUACin_SysRt%Random%.batemp
( echo "BAT Test UAC in Temp" >%TempFile_Name% ) 1>nul 2>nul
if exist %TempFile_Name% (
del %TempFile_Name% 1>nul 2>nul&&goto :address
) else (
echo;请以管理员身份运行,按任意键退出 &&goto :end
)

:address
cls
echo;请输入办公地点:
echo;1:北京
echo;2:成都
echo;3:重庆
set/p choose1=请输入选项并按回车:
echo %choose1%|findstr /i "[123]">nul&&goto :install
goto :address

:install
cls
echo;请选择安装或者卸载VPN(ikev2):
echo;i:安装
echo;u:卸载
echo;q:退出
set/p choose2=请输入选项并按回车:
echo %choose2%|findstr /i "[iuq]">nul&&goto :%choose1%%choose2%
goto :install

:1i
cls
echo;安装北京VPN
echo;===========================
echo;***步骤1:删除同名VPN***
(powershell -Command "& {Remove-VpnConnection -Name "北京办公室" -Force -PassThru;}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤2:安装新的VPN***
powershell -Command "& {Add-VpnConnection -Name "北京办公室" -ServerAddress "beijing.example.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType "Ikev2" -PassThru;}"
echo;成功
echo;
echo;***步骤3:清理注册表***
(powershell -Command "& {Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256"; Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule ";}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤4:添加注册表***
(powershell -Command "& {New-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1 -propertyType dword; New-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule " -value 2 -propertyType dword;}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤5:设置注册表***
powershell -Command "& {Set-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1; Set-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule " -value 2;}"
echo;成功
echo;
echo;***步骤6:重启电脑***
echo;按任意键重启电脑,或按右上角 X 退出后手动重启电脑
pause>nul
shutdown -r -t 0
goto :end

:1u
cls
echo;卸载北京VPN
echo;===========================
(powershell -Command "& {Remove-VpnConnection -Name "北京办公室" -Force -PassThru;}") 1>nul 2>nul
echo;成功,按任意键退出...
goto :end

:2i
cls
echo;安装成都VPN
echo;===========================
echo;***步骤1:删除同名VPN***
(powershell -Command "& {Remove-VpnConnection -Name "成都办公室" -Force -PassThru;}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤2:安装新的VPN***
powershell -Command "& {Add-VpnConnection -Name "成都办公室" -ServerAddress "chengdu.example.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType "Ikev2" -PassThru;}"
echo;成功
echo;
echo;***步骤3:清理注册表***
(powershell -Command "& {Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256"; Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule ";}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤4:添加注册表***
(powershell -Command "& {New-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1 -propertyType dword; New-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule " -value 2 -propertyType dword;}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤5:设置注册表***
powershell -Command "& {Set-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1; Set-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule " -value 2;}"
echo;成功
echo;
echo;***步骤6:重启电脑***
echo;按任意键重启电脑,或按右上角 X 退出后手动重启电脑
pause>nul
shutdown -r -t 0
goto :end

:2u
cls
echo;卸载成都VPN
echo;===========================
(powershell -Command "& {Remove-VpnConnection -Name "成都办公室" -Force -PassThru;}") 1>nul 2>nul
echo;成功,按任意键退出...
goto :end

:3i
cls
echo;安装重庆VPN
echo;===========================
echo;***步骤1:删除同名VPN***
(powershell -Command "& {Remove-VpnConnection -Name "重庆办公室" -Force -PassThru;}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤2:安装新的VPN***
powershell -Command "& {Add-VpnConnection -Name "重庆办公室" -ServerAddress "chongqing.example.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType "Ikev2" -PassThru;}"
echo;成功
echo;
echo;***步骤3:清理注册表***
(powershell -Command "& {Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256"; Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule ";}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤4:添加注册表***
(powershell -Command "& {New-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1 -propertyType dword; New-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule " -value 2 -propertyType dword;}") 1>nul 2>nul
echo;成功
echo;
echo;***步骤5:设置注册表***
powershell -Command "& {Set-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1; Set-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule " -value 2;}"
echo;成功
echo;
echo;***步骤6:重启电脑***
echo;按任意键重启电脑,或按右上角 X 退出后手动重启电脑
pause>nul
shutdown -r -t 0
goto :end

:3u
cls
echo;卸载重庆VPN
echo;===========================
(powershell -Command "& {Remove-VpnConnection -Name "重庆办公室" -Force -PassThru;}") 1>nul 2>nul
echo;成功,按任意键退出...
goto :end

:end
pause>nul

powershell脚本,需要以管理员身份运行powershell然后执行install.ps1
install.ps1

Remove-VpnConnection -Name "成都办公室" -Force

Add-VpnConnection -Name "成都办公室" -ServerAddress "chengdu.example.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType "Ikev2"

Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256"

Remove-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule"

New-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1 -propertyType dword

New-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule" -value 2 -propertyType dword

Set-ItemProperty HKLM:\System\CurrentControlSet\Services\Rasman\Parameters -name "NegotiateDH2048_AES256" -value 1

Set-ItemProperty HKLM:\System\CurrentControlSet\Services\PolicyAgent -name "AssumeUDPEncapsulationContextOnSendRule " -value 2

windows批处理一键安装网络打印机脚本

晚上撸了一个新轮子。
此脚本主要有两部分, 1 ,创建 tcp/ip 端口, 2 ,创建打印机。网上关于创建端口部分 90%都是使用注册表注入的方式,此方式需要重启电脑或重启打印服务,我的方法使用系统自带的 prnport.vbs 脚本,不需要重启。

欢迎指点。

m126nw.bat

@echo off
rem "rem"是注释,"@echo off"是不显示命令提示符"C:\Users\admin>"
echo;***欢迎使用打印机安装程序***
echo;按任意键开始安装,或按右上角 X 退出安装
pause>nul
rem ">nul"使命令输出不显示
echo;创建打印机 TCP/IP 端口: IP_172.16.10.251
cscript %~dp0\m126drivers\prnport.vbs -a -r IP_172.16.10.251 -h 172.16.10.251  -o raw
rem "%~dp0"是脚本所在目录,这里有个坑,官方例子里没有 -o raw 这个参数,但是没有这个参数会报参数无效
rem "prnport.vbs"实际目录是 C:\Windows\System32\Printing_Admin_Scripts\zh-CN ,此处复制到驱动目录
echo;删除同名打印机
rundll32 printui.dll,PrintUIEntry /dl /n "HP LaserJet Pro MFP M126nw" /q
rem 此处删除同名打印机,否则会出现打印机副本
echo;创建打印机: HP LaserJet Pro MFP M126nw
rundll32 printui.dll,PrintUIEntry /if /b "HP LaserJet Pro MFP M126nw" /f %~dp0\m126drivers\hpcm125126.inf /r "IP_172.16.10.251" /m "HP LaserJet Pro MFP M125-M126 PCLmS" /z
rem 此处注意 /m 后面的参数为 inf 文件里面的设备名称,/b 后面的为自定义打印机名称,此处也可以使用 vbs 脚本安装,脚本目录同上
echo;打印机安装完成
echo;按任意键退出...
pause>nul