Category: BSD

2018-08-09 15:54:35

Reference: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)



There are two ways to build this service:

I. Based on mpd5 and ipsec-tools
II. Based on mpd5 and strongswan

Setting up an L2TP server on FreeBSD is less hassle-free than on OpenBSD: first, the FreeBSD kernel has to be rebuilt with IPsec support; second, iOS and Android use different L2TP/IPsec cipher settings, so the two cannot be served at the same time. This article covers the L2TP server setup for iOS; it is not yet compatible with Android.



1. Building the kernel
First, build a kernel with IPsec support. Download src.txz from ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.3-RELEASE (this article uses the amd64 platform).

Put the downloaded archive under / and unpack it; then go to the kernel config directory: cd /usr/src/sys/amd64/conf
Copy GENERIC to GENERIC_IPSec
Edit that file to enable IPsec.

The IPsec kernel options differ between FreeBSD releases. On FreeBSD 10.3-RELEASE, add the following:
# IPSEC
options         IPSEC
options         IPSEC_NAT_T
device          crypto



On FreeBSD 11.1-RELEASE, however, the lines are:
options         IPSEC                   # IP (v4/v6) security
device          crypto                  # Required by IPSEC


Finally, run the kernel build; after a long wait, reboot:

cd /usr/src
make buildkernel KERNCONF=GENERIC_IPSec
make installkernel KERNCONF=GENERIC_IPSec

After the reboot, run uname -a and check that the output contains something like root@bsd:/usr/obj/usr/src/sys/GENERIC_IPSec  amd64
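Before starting the long buildkernel run it is worth checking that the config file actually carries the lines for your release, since the 10.x and 11.x requirements above differ. The following POSIX shell script is an added example, not part of the original post: check_kernconf reads a kernel config file and reports what is missing for a given FreeBSD major version (10 needs IPSEC, IPSEC_NAT_T and crypto; 11 needs IPSEC and crypto, as described above), and running_kernconf_is tests the uname -a string after the reboot for the KERNCONF name. The function names and the sample configs used in comments are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Validates a FreeBSD kernel
# config file for the IPsec lines this setup needs before you spend time on
# "make buildkernel". Assumption (from the post): FreeBSD 10.x needs
# "options IPSEC", "options IPSEC_NAT_T" and "device crypto"; FreeBSD 11.x
# needs only "options IPSEC" and "device crypto".
#
# check_kernconf <config-file> <freebsd-major-version>
# Prints each missing line to stderr; returns 1 if anything is missing,
# 0 when the file is complete for that release.
check_kernconf() {
    conf=$1
    major=$2
    missing=0
    for opt in IPSEC IPSEC_NAT_T; do
        # IPSEC_NAT_T is no longer a separate option from 11.x on
        if [ "$opt" = IPSEC_NAT_T ] && [ "$major" -ge 11 ]; then
            continue
        fi
        # tolerate leading whitespace and trailing "# comment" text
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|$)" "$conf"; then
            echo "missing: options $opt" >&2
            missing=1
        fi
    done
    if ! grep -Eq "^[[:space:]]*device[[:space:]]+crypto([[:space:]]|$)" "$conf"; then
        echo "missing: device crypto" >&2
        missing=1
    fi
    return $missing
}

# After the reboot: does the "uname -a" output name the KERNCONF we built?
# running_kernconf_is "$(uname -a)" GENERIC_IPSec
running_kernconf_is() {
    case "$1" in
        *"/sys/$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage as a script: sh check-kernconf.sh /usr/src/sys/amd64/conf/GENERIC_IPSec 10
if [ $# -ge 2 ]; then
    check_kernconf "$1" "$2"
fi
```

Run it against the GENERIC_IPSec file with the major version you are building for; an empty stderr and exit status 0 mean the three (or two) lines are present.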


2. Installing the software
Two packages are needed: mpd5 and ipsec-tools.

ipsec-tools has to be built from source with a modification.

Installing mpd5 is simple: pkg install mpd5


ipsec-tools requires a change to /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon/localconf.c (note: the path depends on the system and the software version).


Go to the port directory:

cd /usr/ports/security/ipsec-tools

Fetch the distfile:

make fetch


Unpack it:

make extract

The port's files directory, /usr/ports/security/ipsec-tools/files, already contains a diff for this change:
root@bsd:/usr/ports/security/ipsec-tools/files # more wildcard-psk.diff
--- src/racoon/localconf.c      9 Sep 2006 16:22:09 -0000       1.4
+++ src/racoon/localconf.c      11 Jul 2008 20:58:55 -0000
@@ -211,7 +211,8 @@ getpsk(str, len)
                if (*p == '\0')
                        continue;       /* no 2nd parameter */
                p--;
-               if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+               if (strcmp(buf, "*") == 0
+                || (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
                        p++;
                        keylen = 0;
                        for (q = p; *q != '\0' && *q != '\n'; q++)
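Review bot: the new `strcmp(buf, "*") == 0` test is evaluated in file order inside the same loop as the exact match, so a `*` line placed above a host-specific entry matches first and that entry's key is never returned; either document that the wildcard line must be the last line of psk.txt, or remember the wildcard key and keep scanning so an exact match still wins. A smaller point: an identifier that is literally `*` is now indistinguishable from the wildcard, which is harmless in practice but deserves a comment next to the condition.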


To edit the source by hand, open /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon/localconf.c
and find this line:
if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {

Replace it with:

               if (strcmp(buf, "*") == 0
                || (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
                        p++;
                        keylen = 0;
                        for (q = p; *q != '\0' && *q != '\n'; q++)
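To see what the patched comparison does at runtime, here is an added example (my own shell/awk, not racoon code) that emulates the patched getpsk() lookup over a constructed psk.txt: the first line whose identifier equals the peer identifier, or is "*", supplies the key, and lines beginning with '#' or lacking a second field are skipped. The second sample file shows why the wildcard line belongs last: placed first, it matches every lookup and the host-specific keys below it are never used. File contents and identifiers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not racoon's own code): emulates what the patched getpsk()
# in localconf.c does when racoon looks up a pre-shared key. It walks
# psk.txt line by line and returns the key of the FIRST line whose
# identifier is the peer's identifier or the wildcard "*". Lines starting
# with '#' and lines without a second field are skipped, as in the original.
#
# lookup_psk <psk-file> <peer-identifier>
lookup_psk() {
    awk -v id="$2" '
        /^#/ || NF < 2 { next }             # comment or no 2nd parameter
        $1 == "*" || $1 == id {             # wildcard or exact identifier match
            key = $0
            sub(/^[^ \t]+[ \t]+/, "", key)  # the key is the rest of the line
            print key
            exit
        }
    ' "$1"
}

# Constructed sample file: specific entries first, wildcard last.
write_good_psk() {
    cat > "$1" <<'EOF'
# identifier        pre-shared key
10.0.0.5            key-for-that-host
user@example.test   key-for-that-user
*                   fallback-psk
EOF
}

# Constructed sample file with the wildcard first: it matches every
# lookup, so the host-specific line below it is dead.
write_shadowed_psk() {
    cat > "$1" <<'EOF'
*                   fallback-psk
10.0.0.5            key-for-that-host
EOF
}

demo() {
    tmp=$(mktemp)
    write_good_psk "$tmp"
    lookup_psk "$tmp" 10.0.0.5        # key-for-that-host
    lookup_psk "$tmp" 203.0.113.9     # fallback-psk
    write_shadowed_psk "$tmp"
    lookup_psk "$tmp" 10.0.0.5        # fallback-psk (specific key shadowed)
    rm -f "$tmp"
}

demo
```

The practical consequence for the psk.txt shown later in this post, which contains only a "*" line, is that every peer gets the same key; if you later add per-client identifiers, keep the wildcard as the last line.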

Alternatively, copy the file
/usr/local/ports/security/ipsec-tools/files/wildcard-psk.diff
into
/usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/

and then apply it:
cd /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/
patch < wildcard-psk.diff


After patching, build and install ipsec-tools:

cd /usr/ports/security/ipsec-tools
make install




3. Configuration
mpd5: the configuration file is /usr/local/etc/mpd5/mpd.conf
and the user/password file is /usr/local/etc/mpd5/mpd.secret
In the configuration files below, replace 你的公网IP (your public IP) with your own address, and choose address ranges that do not clash with your LAN.

/usr/local/etc/mpd5/mpd.conf
contents:
startup:
        # configure mpd users
        set user super pSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server
        load pptp_server


l2tp_server:
# Define dynamic IP address pool - these are the IP addresses which will be
# allocated to our remote clients when they join the LAN
# REPLACE w.x.y.from - w.x.y.to with the IP addresses mpd5 will allocate IP address range.
# e.g.  set ippool add pool_l2tp w.x.y.150 w.x.y.199
        set ippool add pool_l2tp 192.168.10.20 192.168.10.150

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        # This is the internal IP and netmask of the box
        # REPLACE w.x.y.z with the IP address for your VPN server
        set ipcp ranges 192.168.10.1/32 ippool pool_l2tp
        # an accessible DNS server for clients to use
        # REPLACE w.x.y.dns with the IP address for your DNS server
        # e.g. set ipcp dns w.x.y.50
        set ipcp dns 8.8.4.4
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap
        set link keep-alive 10 60
# We reduce the link MTU to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        # REPLACE with the IP address racoon will listen on (if behind NAT, this is the INSIDE IP)
        # Unfortunately, you can not specify multiple IPs here, so just comment the next line if you need that
        set l2tp self 你的公网IP
        #set l2tp enable length
# Allow to accept calls
        set link enable incoming

pptp_server:

# Define dynamic IP address pool.
        set ippool add pool1 192.168.11.151 192.168.11.180

# Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.1.1/32 ippool pool1
        set ipcp dns 8.8.4.4
        #set ipcp nbns 192.168.1.4
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L
        create link template L pptp
# Set bundle template to use
        set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap
# We can use RADIUS authentication/accounting by including
# another config section with label 'radius'.
#       load radius
        set link keep-alive 10 60
# We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1460
# Configure PPTP
        set pptp self 你的公网IP
# Allow to accept calls
        set link enable incoming
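The startup section above binds the mpd5 console to 127.0.0.1:5005 but the web interface to 0.0.0.0:5006, with the admin user super/pSuper defined in the same file. The PF rules later in this post block that port on the WAN, but the `pass quick on {ng0 ng1}` rule lets connected VPN clients reach it. The following shell script is an added example, not from the post or from mpd5: mpd_exposed_listeners scans an mpd.conf for `set console self` / `set web self` lines bound to a non-loopback address, and the two constructed startup fragments show the post's setting beside a loopback-only variant with the default password replaced.

```shell
#!/bin/sh
# Added example (not from the original post). In mpd.conf the lines
#     set console self <addr> <port>
#     set web self <addr> <port>
# choose where the admin console and web UI listen. Anything other than a
# loopback address is reachable by whoever can route to it, including VPN
# clients once the ng* interfaces are passed by PF.
#
# mpd_exposed_listeners <mpd.conf>
# Prints one line per non-loopback listener; returns 1 if any, 0 if none.
mpd_exposed_listeners() {
    awk '
        { sub(/#.*/, "") }                 # drop comments, fields recompute
        $1 == "set" && ($2 == "console" || $2 == "web") && $3 == "self" {
            addr = $4
            if (addr != "127.0.0.1" && addr != "::1" && addr != "localhost") {
                print $2 " listener bound to " addr " port " $5
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Constructed fragment mirroring the startup section shown in the post.
write_open_startup() {
    cat > "$1" <<'EOF'
startup:
        # configure mpd users
        set user super pSuper admin
        set console self 127.0.0.1 5005
        set console open
        set web self 0.0.0.0 5006
        set web open
EOF
}

# Constructed hardened variant: web UI on loopback only (or delete the two
# "web" lines if you do not use it) and a non-default admin password.
write_local_startup() {
    cat > "$1" <<'EOF'
startup:
        set user super CHANGE-ME-to-a-long-random-password admin
        set console self 127.0.0.1 5005
        set console open
        set web self 127.0.0.1 5006
        set web open
EOF
}

# Usage as a script: sh mpd-listeners.sh /usr/local/etc/mpd5/mpd.conf
if [ $# -ge 1 ]; then
    mpd_exposed_listeners "$1"
fi
```

On the post's configuration the script reports the web listener on 0.0.0.0:5006 and exits 1; on the loopback-only variant it prints nothing and exits 0.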



User/password file: /usr/local/etc/mpd5/mpd.secret

One "username password" pair per line, for example:
admin1  admin123
admin2  admin234
admin3  admin345


ipsec-tools configuration
The configuration directory is /usr/local/etc/racoon
It contains three files: psk.txt, racoon.conf and setkey.conf

psk.txt holds the pre-shared key, in this format:

* yoursharepsk


racoon.conf is the main configuration file; again, replace 你的公网IP with your actual public IP. Contents:

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
    # REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
        isakmp           你的公网IP [500];
        isakmp_natt      你的公网IP [4500];
}

remote anonymous
{
        exchange_mode    main, aggressive;
#       doi ipsec_doi;
        situation identity_only;
        passive          on;
#       initial_contact off;
        proposal_check   obey;
#        support_proxy    on;
        nat_traversal    on;
        generate_policy  on;
        verify_identifier off;
        ike_frag         on;
        dpd_delay        20;
        send_cr off;
        send_cert off;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
        proposal {
                # WinXP parameters.
                encryption_algorithm 3des;

                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        proposal {
                # Android parameters.
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

}

sainfo anonymous
{
        lifetime time 24 hour;
        #encryption_algorithm     aes,3des;
        #authentication_algorithm hmac_sha1;
        encryption_algorithm aes, 3des, cast128, blowfish 448, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5, hmac_sha256 ;

        compression_algorithm    deflate;
        pfs_group                modp1024;
}


setkey.conf contents:

flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;



Finally, PF and boot-time startup: add the following to /etc/rc.conf:
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
mpd_enable="YES"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"

PF configuration:

The PF rules below depend on your own situation; a simple set:

WAN="em0"  # this is your Internet-facing interface
set limit {states 1000000, frags 50000 }
set block-policy drop
scrub in
set skip on lo0

nat on $WAN inet from any to any -> $WAN

block in on $WAN all
pass out quick inet all


pass in quick on $WAN inet proto {tcp udp} from any to $WAN port {1701 1723 500 4500}
pass in quick on $WAN inet proto { icmp udp gre ipencap esp ah } from any to ($WAN)
pass quick on {ng0 ng1}

-----------------------

II. Based on mpd5 and strongswan
The mpd5 configuration is the same as above.

strongswan configuration:
Configuration files: /usr/local/etc/ipsec.conf and /usr/local/etc/ipsec.secrets

/usr/local/etc/ipsec.conf contents:

conn L2TP/IPsec-PSK
    keyexchange = ikev1
    type = transport
    leftauth = psk
    rightauth = psk
    left = %defaultroute
    right = %any
    auto = add

/usr/local/etc/ipsec.secrets holds the PSK, in this format:
: PSK "mypsk"


Note: both methods above currently support only iOS; Android has not been solved yet. The OpenBSD setup supports both iOS and Android; see http://blog.chinaunix.net/uid-7573623-id-5787870.html


