Wuyou Boot Forum (无忧启动论坛)


[Discussion] About the RRAS feature in PE (using it as a router)

1#
Posted 2023-11-16 21:42:12
Last edited by liker on 2023-11-16 23:53

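Name of the system service: routing and remote access

The Routing and Remote Access service.
Files in system: ias*.dll
The service and the files are both in place and started, but ipconfig /all still shows the routing function as disabled.
The service has several dependencies, including eventlog, which is not displayed. That one seems to be required as well.

Has anyone here looked into this?
The default system registry hive does not contain this service at all.
On a stock system it is presumably created during OS installation.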

==============
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. If not already there, create a new REG_DWORD value named IPEnableRouter. Set IPEnableRouter to 1 and reboot. Packet forwarding should now be enabled.
2#
Posted 2023-11-16 21:49:57
Isn't there dedicated soft-router firmware for this? Why make things hard for PE???

3#
OP | Posted 2023-11-16 22:24:50
Last edited by liker on 2023-11-16 23:32

--thewindowsclub.com/routing-and-remote-access-service-rras-not-starting


The most important registry settings for RRAS in Windows Server 2003 reside in the registry under the following keys:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess — Routing and Remote Access service and router interface configuration information
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Router — Router component configuration information
  • HKEY_LOCAL_MACHINE\Software\Microsoft\RouterPhonebook — Router phone book settings
=========================================================================
Registry entries that Routing and Remote Access adds in Windows Server 2008
Introduction
This article lists the registry entries that Routing and Remote Access adds in Windows Server 2008.


Registry entries for Secure Socket Tunneling Protocol
Note: Secure Socket Tunneling Protocol (SSTP) is a new VPN tunneling protocol that is introduced in Windows Server 2008.

ListenerPort
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: ListenerPort
Data type: REG_DWORD
Default value: 0

You can use the ListenerPort registry entry to change the server-side TCP port on which the SSTP server listens. You can set this value to any valid 16-bit port number. If the value is set to 0, the SSTP server listens on the default port number, depending on the value of the UseHTTPS registry entry. For example, if the UseHTTPS registry entry is set to 1, the default listener port number is 443. If the UseHTTPS registry entry is set to 0, the default listener port number is 80. The ListenerPort registry entry is typically useful in configurations where the VPN server is behind a Network Address Translation (NAT) router or behind a reverse proxy. Notice that SSTP clients always connect to the TCP 443 port. This behavior cannot be configured from the clients.

UseHTTPS
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: UseHTTPS
Data type: REG_DWORD
Default value: 1

You can use the UseHTTPS registry entry to specify whether the SSTP server should listen on the HTTPS port or on the HTTP port. The SSTP server listens on the HTTP port if the value is set to 0. If the value is set to 1, the SSTP server listens on the HTTPS port. This registry entry is typically helpful in load-balancing scenarios. For example, a reverse Web proxy or an SSL load balancer may be configured to receive an HTTPS connection and open an HTTP connection to a remote access server.

NoCertRevocationCheck
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: NoCertRevocationCheck
Data type: REG_DWORD

You can use this registry entry to enable or to disable the SSL certificate revocation check that the VPN client performs during the SSL negotiation phase. Certificate revocation check will be performed if the value is set to 0. If the value is set to 1, certificate revocation check will be skipped. Notice that you should set this value to 1 only for debugging. Do not set this value to 1 in your production environment. By default, certificate revocation check is performed.

Sha256Enabled
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha256Enabled
Data type: REG_DWORD

You can use the Sha256Enabled registry entry to enable SHA256 support for SSTP crypto binding. If this value is set to 1, SHA256 is enabled. In this case, the Sha256CertificateHash registry entry should contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may want to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is enabled.

Sha256CertificateHash
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha256CertificateHash
Data type: REG_BINARY

The Sha256CertificateHash registry entry contains a certificate hash that is computed by SHA256. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate from the certificate store, and then Routing and Remote Access writes the hash to the Sha256CertificateHash registry entry.

Sha1Enabled
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha1Enabled
Data type: REG_DWORD

You can use the Sha1Enabled registry entry to enable SHA1 support for SSTP crypto binding. If this value is set to 1, SHA1 is enabled. In this case, the Sha1CertificateHash registry entry will contain an appropriate certificate hash. By default, Windows Vista clients support only SHA256. You may have to enable SHA1 on the server side if SSTP is supported on clients that do not support SHA256. If both SHA1 and SHA256 are enabled, SSTP will use the stronger crypto algorithm. By default, this registry setting is disabled.

Sha1CertificateHash
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: Sha1CertificateHash
Data type: REG_BINARY

The Sha1CertificateHash registry entry contains a certificate hash that SHA1 computes. If the UseHTTPS registry entry is set to 1, Routing and Remote Access automatically populates the certificate hash the first time that Routing and Remote Access starts. To do this, Routing and Remote Access finds a computer certificate from the certificate store, and then Routing and Remote Access writes the hash to the Sha1CertificateHash registry entry. However, if the UseHTTPS registry entry is set to 0, you must manually deploy the certificate hashes to make sure that the VPN server and the SSL load balancer trust one another.

ServerUri
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters

Registry entry: ServerUri
Data type: REG_SZ

The ServerUri registry entry is set to a value that contains the following value: sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
You must not change this registry entry because it is read-only. This registry entry is typically useful in load-balancing scenarios. The load balancer receives an HTTPS connection that is specific to this URI, and then the load balancer redirects the connection to a remote access server. For example, if the server name is server.contoso.com, the exact HTTPS URI is as follows: ----server.contoso.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/

Registry entries for IPv6 support
Note: IPv6 refers to Internet Protocol version 6.

EnableIn
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6

Registry entry: EnableIn
Data type: REG_DWORD
Default value: 1

IPv6-based remote access and demand-dial routing are enabled if the EnableIn registry value is set to 1. If this value is set to 0, IPv6-based remote access and demand-dial routing are disabled.

AllowNetworkAccess
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6

Registry entry: AllowNetworkAccess
Data type: REG_DWORD

IPv6 forwarding is enabled if the AllowNetworkAccess registry entry value is set to 1. If this value is set to 0, IPv6 forwarding is disabled.

From
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0

Registry entry: From
Data type: REG_DWORD

The From registry entry specifies the starting prefix of the static IPv6 prefix pool.

To
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IPv6\StaticPrefixPool\0

Registry entry: To
Data type: REG_DWORD

The To registry entry specifies the ending prefix of the static IPv6 prefix pool.

Registry entries for VPN tunnel encryption levels

AllowPPTPWeakCrypto
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Registry entry: AllowPPTPWeakCrypto
Data type: REG_DWORD
Default value: 0

You can use the AllowPPTPWeakCrypto registry entry to enable the 40-bit encryption level and the 56-bit encryption level for PPTP tunnels. By default, these weak encryption levels are disabled.

AllowL2TPWeakCrypto
Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Registry entry: AllowL2TPWeakCrypto
Data type: REG_DWORD
Default value: 0

You can use the AllowL2TPWeakCrypto registry entry to enable the Message Digest 5 (MD5) encryption level and the Data Encryption Standard (DES) encryption level for Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) tunnels. By default, these weak encryption levels are disabled.








=========================================================================
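The SSTP and weak-crypto entries quoted in post 3, together with IPEnableRouter from post 1, can be checked offline against a `reg export` of the image's SYSTEM hive. The Python below is an added example, not part of the thread or of the Microsoft article; the sample export, the function names and the choice of which values to flag are assumptions made for illustration.

```python
import re
# Constructed sample in `reg export` text format (not taken from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sstpsvc\Parameters]
"UseHTTPS"=dword:00000000
"NoCertRevocationCheck"=dword:00000001
"Sha1Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasman\Parameters]
"AllowPPTPWeakCrypto"=dword:00000001
"AllowL2TPWeakCrypto"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"IPEnableRouter"=dword:00000001
"""

RISKY_WHEN_SET = {  # (service, value name) -> finding when the DWORD is non-zero
    ("sstpsvc", "nocertrevocationcheck"): "SSTP certificate revocation check skipped",
    ("sstpsvc", "sha1enabled"): "SHA1 allowed for SSTP crypto binding",
    ("rasman", "allowpptpweakcrypto"): "40/56-bit PPTP encryption allowed",
    ("rasman", "allowl2tpweakcrypto"): "MD5/DES allowed for L2TP/IPsec",
    ("tcpip", "ipenablerouter"): "IPv4 packet forwarding enabled",
}

def parse_dwords(text):
    """Map (service, value name), both lowercased, to each DWORD under ...\\Services\\<svc>\\Parameters."""
    values, service = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):  # new key: track it only if it is a Parameters key
            m = re.fullmatch(r"\[.*\\Services\\([^\\]+)\\Parameters\]", line, re.I)
            service = m.group(1).lower() if m else None
        elif service and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-f]{8})', line, re.I)):
            values[(service, m.group(1).lower())] = int(m.group(2), 16)
    return values

def sstp_port(values):
    """Effective SSTP listener port: ListenerPort, or 443/80 chosen by UseHTTPS when it is 0."""
    https = values.get(("sstpsvc", "usehttps"), 1)  # default 1 per the quoted article
    return values.get(("sstpsvc", "listenerport"), 0) or (443 if https else 80)

def audit(text):
    values = parse_dwords(text)
    findings = [msg for key, msg in RISKY_WHEN_SET.items() if values.get(key, 0)]
    if not values.get(("sstpsvc", "usehttps"), 1):
        findings.append(f"SSTP listens on plain HTTP, port {sstp_port(values)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG)))
```

Values missing from the export are treated as 0 here (UseHTTPS as 1, its documented default), so an absent entry is never reported as a finding.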

4#
OP | Posted 2023-11-16 22:32:52
Last edited by liker on 2023-11-16 23:05

learn.microsoft.com/en-us/windows/win32/rras/routing-and-remote-access-registry-layout


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan
    \PPP
        \ControlProtocols
            \Builtin
                Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasppp.dll
            \Chap
                Path: REG_EXPAND_SZ: %SystemRoot%\System32\raschap.dll
        \EAP
            \<typeID>
                ConfigCLSID: REG_SZ: <guid>
                ConfigUiPath: REG_EXPAND_SZ: %SystemRoot%\System32\rastls.dll
                FriendlyName: REG_SZ: Public Key Based Authentication (EAP-TLS)
                IdentityUIPath: REG_EXPAND_SZ: %SystemRoot%\System32\rastls.dll
                InvokePasswordDialog: REG_DWORD: 0
                InvokeUsernameDialog: REG_DWORD: 0
                Path: REG_EXPAND_SZ: %SystemRoot%\System32\rastls.dll
            \<typeID>
                FriendlyName: REG_SZ: MD5 CHAP
                InvokePasswordDialog: REG_DWORD: 0x1
                InvokeUsernameDialog: REG_DWORD: 0x1
                Path: REG_EXPAND_SZ: %SystemRoot%\System32\raschap.dll
                StandaloneSupported: REG_DWORD: 0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess
    \Accounting
        \Providers
            ActiveProvider: REG_SZ: . . .
            \<guid>
                ConfigCLSID: REG_SZ: <guid>
                DisplayName: REG_SZ: Radius Accounting
                Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasrad.dll
                Vendor: REG_SZ: Microsoft
             . . .
    \Authentication
        \Providers
            ActiveProvider: REG_SZ: . . .
            \<guid>
                ConfigCLSID: REG_SZ: <guid>
                DisplayName: REG_SZ: Radius Authentication
                Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasrad.dll
                Vendor: REG_SZ: Microsoft
            \<guid>
                ConfigCLSID: REG_SZ: <guid>
                DisplayName: REG_SZ: NT Authentication
                Path: REG_EXPAND_SZ: %SystemRoot%\System32\rasauth.dll
                Vendor: REG_SZ: Microsoft
             . . .
    \DemandDialManager
        DLLPath: REG_EXPAND_SZ: . . .
        < RAS parameters and DDM parameters >
    \Interfaces
        \0
            Enabled: REG_DWORD: (0/1)
            InterfaceName: REG_SZ: CorpHQ
            Type: REG_DWORD: (Internal/Dedicated/Loopback)
                \IP
                    InterfaceInfo: REG_BINARY: . . .
                    ProtocolID: REG_DWORD: 0x0021
                \IPX
                    InterfaceInfo: REG_BINARY: . . .
                    ProtocolID: REG_DWORD: 0x002B
                . . .
        \N
            InterfaceName: REG_SZ: IntelEtherExpressPro2
            . . .
    \Parameters
        LANOnlyMode: REG_DWORD: (0/1)
        ServerFlags: REG_DWORD: . . .
        ServiceDLL: REG_EXPAND_SZ: %SystemRoot%\System32\mprdim.dll
    \RouterManagers
        \IP
            DLLPath: REG_SZ: . . .
            GlobalInFilter: REG_BSZ: < filter set name > . . .
            GlobalInfo: REG_BINARY: . . .
            GlobalInterfaceInfo: REG_BINARY: . . .
            ProtocolID: REG_DWORD: 0x0021
            . . .
        \IPX
            DLLPath: REG_SZ: . . .
            GlobalInFilter: REG_BSZ: < filter set name > . . .
            GlobalInfo: REG_BINARY: . . .
            GlobalInterfaceInfo: REG_BINARY: . . .
            ProtocolID: REG_DWORD: 0x002B
            . . .
        . . .

HKEY_LOCAL_MACHINE\Software\Microsoft
    \Router
        \CurrentVersion
            \RouterManagers
                \IP
                    \OSPF
                        ConfigDll: REG_SZ: ipadmin.dll
                        DllName: REG_SZ: ospf.dll
                        ProtocolID: REG_DWORD: 0xD
                        Title: REG_SZ: Open Shortest Path First
                    \IPBOOTP
                        . . .
                    \IPRIP
                        . . .
                \IPX
                    \IpxRip
                        ConfigDll: REG_SZ: ipxadmin.dll
                        DllName: REG_SZ: IPXRIP.DLL
                        ProtocolID: REG_DWORD: 0x20000
                        Title: REG_SZ: RIP for Ipx
                    \IpxSap
                        . . .
                    . . .
            \UIConfigDlls
                <guid1>: REG_SZ: ifadmin.dll
                <guid2>: REG_SZ: ipadmin.dll
                <guid3>: REG_SZ: ipxadmin.dll
                <guid4>: REG_SZ: ddmadmin.dll

5#
OP | Posted 2023-11-16 22:45:38
Last edited by liker on 2023-11-16 23:31

Registry Hive        HKEY_CURRENT_USER
Registry Path        Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}
Value Name        Restrict_Run
Value Type        REG_DWORD
Enabled Value        0
Disabled Value        1


The above is for: showing rrasmgmt.msc in MMC

blog.csdn.net/NOWSHUT/article/details/127115870



Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
SvcHostSplitDisable=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
SvcHostSplitDisable=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
DisabledComponents=0xFFFFFFFF
Title: RRAS NetBIOS gateway is enabled
Description: The RRAS NetBIOS gateway is enabled. This lets remote users access network resources. To disable the gateway, set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip\AllowNetworkAccess to 0.






6#
OP | Posted 2023-11-16 22:49:58
These days implementing a VPN solution is almost a daily task … I encountered a bug that has been around for some time now. If you deploy RRAS on a Windows Server 2019 machine that is not a DHCP server, it does not request / reserve IP addresses from DHCP (which runs on some other server).
Everything works perfectly if you assign a static range of IP addresses, but I just want to manage VPN client IP addresses by using a DHCP server.

In the System log in Event Viewer you will receive Event ID 20167 with the information:
RoutingDomainID- {: No IP address is available to hand out to the dial-in client.

After a quick search I found the article on MS forums that states:

Add these registry entries to your VPN server and reboot it.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v RequiredPrivileges /d "SeChangeNotifyPrivilege"\0"SeCreateGlobalPrivilege"\0"SeImpersonatePrivilege"\0 /t REG_MULTI_SZ /f

7#
Posted 2023-11-16 22:52:05
Thanks for sharing

8#
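Posted 2023-11-17 09:13:49
I haven't used this feature in a long time. Back in the early days on the 2003 system, I built a soft router out of a machine-room server with 5 network cards. I haven't done it since then; I've just used routers.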

9#
Posted 2023-11-17 10:19:16
Thanks for sharing

10#
Posted 2023-11-17 12:52:11
Thanks for sharing

11#
Posted 2024-2-10 13:41:29
Thanks for sharing