关于pe的 rras功能。(当路由器使用)
本帖最后由 liker 于 2023-11-16 23:53 编辑系统服务器的名称: routing and remote access
路由与远程访问 服务。
system中文件:ias*.dll
服务器和文件均启动 但在 ipconfig /all 中查看路由功能还是关闭状态。
服务依赖数个,其中没有显示的 eventlog。这个好像也是必须的。
有没有大佬研究的呢?
默认出来的 system 注册表中均没有此服务。
原装系统估计是在 安装系统中创建成功。
==============
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. If not already there, create a new REG_DWORD value named IPEnableRouter. Set IPEnableRouter to 1 and reboot. Packet forwarding should now be enabled.
不是有专用的软路由固件么,何必难为PE呢??? 本帖最后由 liker 于 2023-11-16 23:32 编辑
--thewindowsclub.com/routing-and-remote-access-service-rras-not-starting
The most important registry settings for RRAS in Windows Server 2003 reside in the registry under the following keys:
[*]HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess — Routing and Remote Access service and router interface configuration information
[*]HKEY_LOCAL_MACHINE\Software\Microsoft\Router — Router component configuration information
[*]HKEY_LOCAL_MACHINE\Software\Microsoft\RouterPhonebook — Router phone book settings
=========================================================================
Registry entries that Routing and Remote Access adds in Windows Server 2008
IntroductionThis article lists the registry entries that Routing and Remote Access adds in Windows Server 2008.
Registry entries for Secure Socket Tunneling Protocol
Note Secure Socket Tunneling Protocol (SSTP) is a new VPN tunneling protocol that is introduced in Windows Server 2008.ListenerPortRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: ListenerPort
Data type: REG_DWORD
Default value: 0
You can use the ListenerPort registry entry to change the server-side TCP port on which the SSTP server listens. You can set this value to any valid 16-bit port number. If the value is set to 0, the SSTP server listens on the default port number, depending on the value of the UseHTTPS registry entry. For example, if the UseHTTP-S registry entry is set to 1, the default listener port number is 443. If the UseHTTPS registry entry is set to 0, the default listener port number is 80. The ListenerPort registry entry is typically useful in configurations where the VPN server is behind a Network Address Translation (NAT) router or behind a reverse proxy. Notice that SSTP clients always connect to the TCP 443 port. This behavior cannot be configured from the clients.UseHTTPSRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: UseHTTPS
Data type: REG_DWORD
Default value: 1
You can use the UseHTTPS registry entry to specify whether the SSTP server should listen on the HTTPS port or on the HTTP port. The SSTP server listens on the HTTP port if the value is set to 0. If the value is set to 1, the SSTP server listens on the HTTPS port. This registry entry is typically helpful in load-balancing scenarios. For example, a reverse Web proxy or an SSL load balancer may be configured to receive an HTTPS connection and open an HTTP connection to a remote access server.NoCertRevocationCheckRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: NoCertRevocationCheck
Data type: REG_DWORD
You can use this registry entry to enable or to disable the SSL certificate revocation check that the VPN client performs during the SSL negotiation phase. Certificate revocation check will be performed if the value is set to 0. If the value is set to 1, certificate revocation check will be skipped. Notice that you should set this value to 1 only for debugging. Do not set this value to 1 in your production environment. By default, certificate revocation check is performed.Sha256EnabledRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha256Enabled
Data type: REG_DWORD
You can use the Sha256Enabled registry entry to enable SHA256 support for SSTP crypto binding. If this value is set to 1, SHA256 is enabled. In this case, the Sha256CertificateHash registry entry should contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may want to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is enabled.Sha256CertificateHashRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha256CertificateHash
Data type: REG_BINARY
The Sha256CertificateHash registry entry contains a certificate hash that is computed by SHA256. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate from the certificate store, and then Routing and Remote Access writes the hash to the Sha256CertificateHash registry entry.Sha1EnabledRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha1Enabled
Data type: REG_DWORD
You can use the Sha1Enabled registry entry to enable SHA1 support for SSTP crypto binding. If this value is set to 1, SHA1 is enabled. In this case, the Sha1CertificateHash registry entry will contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may have to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is disabled.Sha1CertificateHashRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: Sha1CertificateHash
Data type: REG_BINARY
The Sha1CertificateHash registry entry contains a certificate hash that SHA1 computes. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate from the certificate store, and then Routing and Remote Access writes the hash to the Sha1CertificateHash registry entry. However, if the UseHTTPS registry entry is set to 0, you must manually deploy the certificate hashes to make sure that the VPN server and the SSL load balancer trust one another.ServerUriRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: ServerUri
Data type: REG_SZ
The ServerUri registry entry is set to a value that contains the following value:sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
You must not change this registry entry because it is read-only. This registry entry is typically useful in load-balancing scenarios. The load balancer receives an HTTPS connection that is specific to this URI, and then the load balancer redirects the connection to a remote access server. For example, if the server name is server.contoso.com, the exact HTTPS URI is as follows:----server.contoso.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
Registry entries for IPv6 supportNote IPv6 refers to Internet Protocol version 6.EnableInRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6
Registry entry: EnableIn
Data type: REG_DWORD
Default value: 1
IPv6-based remote access and demand-dial routing are enabled if the EnableIn registry value is set to 1. If this value is set to 0, IPv6-based remote access and demand-dial routing are disabled.AllowNetworkAccessRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6
Registry entry: AllowNetworkAccess
Data type: REG_DWORD
IPv6 forwarding is enabled if the AllowNetworkAccess registry entry value is set to 1. If this value is set to 0, IPv6 forwarding is disabled.FromRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0
Registry entry: From
Data type: REG_DWORD
The From registry entry specifies the starting prefix of the static IPv6 prefix pool.ToRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0
Registry entry: To
Data type: REG_DWORD
The To registry entry specifies the ending prefix of the static IPv6 prefix pool.Registry entries for VPN tunnel encryption levelsAllowPPTPWeakCryptoRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Registry entry: AllowPPTPWeakCrypto
Data type: REG_DWORD
Default value: 0
You can use the AllowPPTPWeakCrypto registry entry to enable the 40-bit encryption level and the 56-bit encryption level for PPTP tunnels. By default, these weak encryption levels are disabled.AllowL2TPWeakCryptoRegistry subkey:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Registry entry: AllowL2TPWeakCrypto
Data type: REG_DWORD
Default value: 0
You can use the AllowL2TPWeakCrypto registry entry to enable the Message Digest 5 (MD5) encryption level and the Data Encryption Standard (DES) encryption level for Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) tunnels. By default, these weak encryption levels are disabled.
========================================================================= 本帖最后由 liker 于 2023-11-16 23:05 编辑
learn.microsoft.com/en-us/windows/win32/rras/routing-and-remote-access-registry-layout
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan
\PPP
\ControlProtocols
\Builtin
Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasppp.dll
\Chap
Path: REG_EXPAND_SZ: %SystemRoot%\System32\raschap.dll
\EAP
\<typeID>
ConfigCLSID: REG_SZ: <guid>
ConfigUiPath: REG_EXPAND_SZ: %SystemRoot%\System32\rastls.dll
FriendlyName: REG_SZ: Public Key Based Authentication (EAP-TLS)
IdentityUIPath: REG_EXPAND_SZ: %SystemRoot%\System32\rastls.dll
InvokePasswordDialog: REG_DWORD: 0
InvokeUsernameDialog: REG_DWORD: 0
Path: REG_EXPAND_SZ: %SystemRoot%\System32\rastls.dll
\<typeID>
FriendlyName: REG_SZ: MD5 CHAP
InvokePasswordDialog: REG_DWORD: 0x1
InvokeUsernameDialog: REG_DWORD: 0x1
Path: REG_EXPAND_SZ: %SystemRoot%\System32\raschap.dll
StandaloneSupported: REG_DWORD: 0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess
\Accounting
\Providers
ActiveProvider: REG_SZ: . . . \<guid>
ConfigCLSID: REG_SZ: <guid>
DisplayName: REG_SZ: Radius Accounting
Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasrad.dll
Vendor: REG_SZ: Microsoft
. . .
\Authentication
\Providers
ActiveProvider: REG_SZ: . . . \<guid>
ConfigCLSID: REG_SZ: <guid>
DisplayName: REG_SZ: Radius Authentication
Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasrad.dll
Vendor: REG_SZ: Microsoft
\<guid>
ConfigCLSID: REG_SZ: <guid>
DisplayName: REG_SZ: NT Authentication
Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasauth.dll
Vendor: REG_SZ: Microsoft
. . .
\DemandDialManager
DLLPath: REG_EXPAND_SZ: . . .
< RAS parameters and DDM parameters >
\Interfaces
\0
Enabled: REG_DWORD: (0/1)
InterfaceName: REG_SZ: CorpHQ
Type: REG_DWORD: (Internal/Dedicated/Loopback)
\IP
InterfaceInfo: REG_BINARY: . . .
ProtocolID: REG_DWORD: 0x0021
\IPX
InterfaceInfo: REG_BINARY: . . .
ProtocolID: REG_DWORD: 0x002B
. . .
\N
InterfaceName: REG_SZ: IntelEtherExpressPro2
. . .
\Parameters
LANOnlyMode: REG_DWORD: (0/1)
ServerFlags: REG_DWORD: . . .
ServiceDLL: REG_EXPAND_SZ: %SystemRoot%\System32\mprdim.dll
\RouterManagers
\IP
DLLPath: REG_SZ: . . .
GlobalInFilter: REG_BSZ: < filter set name > . . .
GlobalInfo: REG_BINARY: . . .
GlobalInterfaceInfo: REG_BINARY: . . .
ProtocolID: REG_DWORD: 0x0021
. . .
\IPX
DLLPath: REG_SZ: . . .
GlobalInFilter: REG_BSZ: < filter set name > . . .
GlobalInfo: REG_BINARY: . . .
GlobalInterfaceInfo: REG_BINARY: . . .
ProtocolID: REG_DWORD: 0x002B
. . .
. . .
HKEY_LOCAL_MACHINE\Software\Microsoft
\Router
\CurrentVersion
\RouterManagers
\IP
\OSPF
ConfigDll: REG_SZ: ipadmin.dll
DllName: REG_SZ: ospf.dll
ProtocolID: REG_DWORD: 0xD
Title: REG_SZ: Open Shortest Path First
\IPBOOTP
. . .
\IPRIP
. . .
\IPX
\IpxRip
ConfigDll: REG_SZ: ipxadmin.dll
DllName: REG_SZ: IPXRIP.DLL
ProtocolID: REG_DWORD: 0x20000
Title: REG_SZ: RIP for Ipx
\IpxSap
. . .
. . .
\UIConfigDlls
<guid1>: REG_SZ: ifadmin.dll
<guid2>: REG_SZ: ipadmin.dll
<guid3>: REG_SZ: ipxadmin.dll
<guid4>: REG_SZ: ddmadmin.dll 本帖最后由 liker 于 2023-11-16 23:31 编辑
Registry Hive HKEY_CURRENT_USER
Registry Path Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}
Value Name Restrict_Run
Value Type REG_DWORD
Enabled Value 0
Disabled Value 1
以上为:MMC中显示 rrasmgmt.msc
blog.csdn.net/NOWSHUT/article/details/127115870
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
SvcHostSplitDisable=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
SvcHostSplitDisable=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
DisabledComponents=0xFFFFFFFF
Title: RRAS NetBIOS gateway is enabledDescription:The RRAS NetBIOS gateway is enabled. This lets remote users access network resources. To disable the gateway, set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip\AllowNetworkAccess to 0.
This days implementing VPN solution is almost a daily task … I encountered a bug that has been around for some time now. If you deploy RRAS on Windows Server 2019 that is not DHCP server it does not request / reserve IP addresses from DHCP (that runs on some other server).
Everything works perfectly if you assign static range of IP addresses but I just want to manage VPN client IP addresses by using DHCP server.
In System log in Event viewer you will receive Event ID 20167 with information:
RoutingDomainID- {: No IP address is available to hand out to the dial-in client.
After a quick search I found the article on MS forums that states:
Add this registry entries to your VPN server and reboot it.
reg add “HKLM\SYSTEM\CurrentControlSet\Services\Dhcp” /v RequiredPrivileges /d “SeChangeNotifyPrivilege”\0″SeCreateGlobalPrivilege”\0″SeImpersonatePrivilege”\0 /t REG_MULTI_SZ /f 谢谢分享 很久没用过这个功能了,早年2003系统时,机房服务器我就是5个网卡搞得软路由。再之后没搞过了,都是用的路由器。 谢谢分享 谢谢分享 谢谢分享
页:
[1]