参考
Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)
建立该服务,有两种方法
一,基于mpd5和ipsec_tools
二,基于mpd5和strongswan
在FreeBSD下建立L2TP服务器,没有OpenBSD下省心,一是得编译FreeBSD内核支持IPSec ,二是iOS和android下的L2TP加密协议不同,两者不能同时可用。本文针对了iOS下的L2TP Server设置,尚未能同时兼容Android。
1.编译内核
首先,编译内核支持从IPSec, 在ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.3-RELEASE (本文使用的是amd64平台下的)上下载src.txz
平台下的下载放到 / 下,然后解压, 解压完后,进入目录 :cd /usr/src/sys/amd64/conf
复制 GENERIC 为 GENERIC_IPSec , 修改该文件,支持IPSec
由于各FreeBSD下对IPSec支持的参数各不相同,在FreeBSD 10.3-RELEASE ,增加如下
# IPSEC
options IPSEC
options IPSEC_NAT_T
device crypto
但在FreeBSD 11.1-RELEASE 下 , 则如下:
options IPSEC # IP (v4/v6) security
device crypto # Required by IPSEC
最后执行编译内核命令, 漫长等待后,重启就好:
cd /usr/src
make buildkernel KERNCONF=GENERIC_IPSec
make installkernel KERNCONF=GENERIC_IPSec
重启后,uname -a 看看是否如 root@bsd:/usr/obj/usr/src/sys/GENERIC_IPSec amd64
2.软件安装
需要用到的两个package为:mpd5 , ipsec-tools
其中ipsec-tools 需要修改源代码安装。
mpd5的安装比较简单,执行命令就可: pkg install mpd5
而 ipsec-tools则需要改下 /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon/localconf.c (注意:各系统,软件版本不同)
进入ports目录:
cd /usr/ports/security/ipsec-tools/files
下载包:
make fetch
解压:
make extract
由于下载的时候,顺带下载了一个diff文件,在目录 /usr/ports/security/ipsec-tools/files
root@bsd:/usr/ports/security/ipsec-tools/files # more wildcard-psk.diff
--- src/racoon/localconf.c 9 Sep 2006 16:22:09 -0000 1.4
+++ src/racoon/localconf.c 11 Jul 2008 20:58:55 -0000
@@ -211,7 +211,8 @@ getpsk(str, len)
if (*p == '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+ if (strcmp(buf, "*") == 0
+ || (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
修改源代码,可以直接找到文件 /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon/localconf.c
查找到如下这句:
if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
把这句替换为:
if (strcmp(buf, "*") == 0
|| (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
或者直接复制以下文件
/usr/ports/security/ipsec-tools/files/wildcard-psk.diff
到 /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/
复制完后,执行如下:
cd /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/
patch < wildcard-psk.diff
打完补丁后,安装 ipsec-tools
cd /usr/ports/security/ipsec-tools
make install
3.配置
打完补丁后
mpd5配置,配置文件为: /usr/local/etc/mpd5/mpd.conf
用户和密码文件:/usr/local/etc/mpd5/mpd.secret
注意以下配置文件里,就是 你的公网IP 改成各自的 , 还有网段别和自己的内网冲突。
/usr/local/etc/mpd5/mpd.conf内容如下:
startup:
# configure mpd users
set user super pSuper admin
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open
default:
load l2tp_server
load pptp_server
l2tp_server:
# Define dynamic IP address pool - these are the IP addresses which will be
# allocated to our remote clients when they join the LAN
# REPLACE w.x.y.from - w.x.y.to with the IP addresses mpd5 will allocate IP address range.
# e.g. set ippool add pool_l2tp w.x.y.150 w.x.y.199
set ippool add pool_l2tp 192.168.10.20 192.168.10.150
# Create clonable bundle template named B_l2tp
create bundle template B_l2tp
set iface enable proxy-arp
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
# This is the internal IP and netmask of the box
# REPLACE w.x.y.z with the IP address for your VPN server
set ipcp ranges 192.168.10.1/32 ippool pool_l2tp
# an accessible DNS server for clients to use
# REPLACE w.x.y.dns with the IP address for your DNS server
# e.g. set ipcp dns w.x.y.50
set ipcp dns 8.8.4.4
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L_l2tp
create link template L_l2tp l2tp
# Set bundle template to use
set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap eap
set link enable chap
set link keep-alive 10 60
# We reducing link mtu to avoid ESP packet fragmentation.
set link mtu 1280
# Configure L2TP
# REPLACE with the IP address racoon will listen on (if behind NAT, this is the INSIDE IP)
# Unfortunately, you can not specify multiple IPs here, so just comment the next line if you need that
set l2tp self 你的公网IP
#set l2tp enable length
# Allow to accept calls
set link enable incoming
pptp_server:
# Define dynamic IP address pool.
set ippool add pool1 192.168.11.151 192.168.11.180
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
set ipcp ranges 192.168.1.1/32 ippool pool1
set ipcp dns 8.8.4.4
#set ipcp nbns 192.168.1.4
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap eap
set link enable chap
# We can use use RADIUS authentication/accounting by including
# another config section with label 'radius'.
# load radius
set link keep-alive 10 60
# We reducing link mtu to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
set pptp self 你的公网IP
# Allow to accept calls
set link enable incoming
用户和密码文件:/usr/local/etc/mpd5/mpd.secret
内容格式如下:
admin1 admin123
admin2 admin234
admin3 admin345
ipsec_tools配置
其配置目录为:/usr/local/etc/racoon
目录下有三个文件:psk.txt racoon.conf setkey.conf
psk.txt为预共享密匙,格式如下:
* yoursharepsk
racoon.conf为主要配置文件,注意配置文件里,你的公网IP 填入自己的实际情况IP,内容为:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen
{
# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
isakmp 你的公网IP [500];
isakmp_natt 你的公网IP [4500];
}
remote anonymous
{
exchange_mode main, aggressive;
# doi ipsec_doi;
situation identity_only;
passive on;
# initial_contact off;
proposal_check obey;
# support_proxy on;
nat_traversal on;
generate_policy on;
verify_identifier off;
ike_frag on;
dpd_delay 20;
send_cr off;
send_cert off;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal {
# WinXP pararmeters.
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal {
# android pararmeters.
encryption_algorithm aes;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo anonymous
{
lifetime time 24 hour;
#encryption_algorithm aes,3des;
#authentication_algorithm hmac_sha1;
encryption_algorithm aes, 3des, cast128, blowfish 448, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5, hmac_sha256 ;
compression_algorithm deflate;
pfs_group modp1024;
}
setkey.conf文件内容为:
flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
最后,PF的设置和开机启动,在/etc/rc.conf 写入如下:
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
mpd_enable="YES"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
PF配置:
以下PF规则视个人实际情况设定,简单如下:
WAN="em0" #该网卡口是你的外网网口
set limit {states 1000000, frags 50000 }
set block-policy drop
scrub in
set skip on lo0
nat on $WAN inet from any to any -> $WAN
block in on $WAN all
pass out quick inet all
pass in quick on $WAN inet proto {tcp udp} from any to $WAN port {1701 1723 500 4500}
pass in quick on $WAN inet proto { icmp udp gre ipencap esp ah } from any to ($WAN)
pass quick on {ng0 ng1}
-----------------------
二,基于mpd5和strongswan的设置
mpd5和上面一样,
下面是strongswan的设置:
设置文件 /usr/local/etc/ipsec.conf ,/usr/local/etc/ipsec.secrets
其中的/usr/local/etc/ipsec.conf内容如下:
conn L2TP/IPsec-PSK
keyexchange = ikev1
type = transport
leftauth = psk
rightauth = psk
left = %defaultroute
right = %any
auto = add
而/usr/local/etc/ipsec.secrets 为PSK密码,格式如下
: PSK "mypsk"
注意:上面两种方法,目前只支持iOS, Android下尚未解决,待解决。OpenBSD平台下的都支持iOS和Android,请转到该文 http://blog.chinaunix.net/uid-7573623-id-5787870.html
阅读(4061) | 评论(0) | 转发(0) |
