L2TP Server on FreeBSD

Category: Servers · Published: 6 years ago


Setting up an L2TP server on FreeBSD is less convenient than on OpenBSD: first, the FreeBSD kernel has to be rebuilt with IPsec support, and second, iOS and Android use different L2TP encryption parameters, so the two cannot be served at the same time. This article covers the L2TP server setup for iOS clients; it does not yet support Android alongside them.

1. Building the kernel

First, build a kernel with IPsec support. Download src.txz from ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.3-RELEASE (this article uses the amd64 platform), place it under / and extract it. When extraction finishes, enter the configuration directory:

cd /usr/src/sys/amd64/conf

Copy GENERIC to GENERIC_IPSec and edit that file to enable IPsec.

Because the IPsec kernel options differ between FreeBSD releases, on FreeBSD 10.3-RELEASE add the following:

# IPSEC
options         IPSEC
options         IPSEC_NAT_T
device          crypto

On FreeBSD 11.1-RELEASE, however, use:

options         IPSEC                   # IP (v4/v6) security
device          crypto                  # Required by IPSEC

Finally run the kernel build commands; after a long wait, reboot:

cd /usr/src
make buildkernel KERNCONF=GENERIC_IPSec
make installkernel KERNCONF=GENERIC_IPSec

After rebooting, run uname -a and check that the output contains something like root@bsd:/usr/obj/usr/src/sys/GENERIC_IPsec  amd64
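As an added example (not from the original article), the following sh script automates the steps above: it derives GENERIC_IPSec from GENERIC by appending the 10.3-RELEASE option lines only if they are missing, checks a configuration file for the IPSEC and crypto entries (ignoring commented-out lines), and checks a uname -a line for the expected kernel configuration name. The option lines and paths are the ones from this section; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: build a GENERIC_IPSec kernel
# configuration from GENERIC and verify it. The option lines are the FreeBSD
# 10.3-RELEASE set from the text; paths and function names are assumptions.
set -eu

# make_ipsec_kernconf SRC DST: copy SRC to DST and append each IPsec option
# that DST does not already contain (so re-running it is harmless).
make_ipsec_kernconf() {
    src="$1"; dst="$2"
    cp "$src" "$dst"
    for opt in "options         IPSEC" \
               "options         IPSEC_NAT_T" \
               "device          crypto"; do
        # Compare only keyword and value, ignoring the column alignment.
        key=$(printf '%s\n' "$opt" | awk '{ print $1, $2 }')
        if ! awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }' "$dst"; then
            printf '%s\n' "$opt" >> "$dst"
        fi
    done
}

# kernconf_has_ipsec FILE: succeed when FILE enables both IPSEC and crypto.
# Commented-out lines such as "#options IPSEC" do not count.
kernconf_has_ipsec() {
    awk '$1 == "options" && $2 == "IPSEC"  { o = 1 }
         $1 == "device"  && $2 == "crypto" { c = 1 }
         END { exit !(o && c) }' "$1"
}

# uname_shows_kernconf UNAME_OUTPUT NAME: succeed when the "uname -a" line
# names the expected kernel configuration, e.g. ".../sys/GENERIC_IPSec  amd64".
uname_shows_kernconf() {
    case "$1" in
        *"/sys/$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the build host:
#   make_ipsec_kernconf /usr/src/sys/amd64/conf/GENERIC /usr/src/sys/amd64/conf/GENERIC_IPSec
#   kernconf_has_ipsec /usr/src/sys/amd64/conf/GENERIC_IPSec && echo "IPsec options present"
#   uname_shows_kernconf "$(uname -a)" GENERIC_IPSec && echo "running the IPsec kernel"
```

The check functions are what you want in a post-reboot sanity script: a kernel built from a config that still has the options commented out boots fine but silently lacks IPsec, and racoon will then fail at runtime rather than at build time.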

2. Installing the software

Two packages are needed: mpd5 and ipsec-tools.

Of these, ipsec-tools must be built from modified source.

Installing mpd5 is straightforward; just run: pkg install mpd5

ipsec-tools, on the other hand, needs a change to /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon/localconf.c (note: the exact path depends on your system and software version).


Enter the ports directory:

cd /usr/ports/security/ipsec-tools/files

Fetch the sources:

make fetch

Extract them:

make extract

The fetch also downloads a diff file into the directory /usr/ports/security/ipsec-tools/files:

root@bsd:/usr/ports/security/ipsec-tools/files # more wildcard-psk.diff

--- src/racoon/localconf.c      9 Sep 2006 16:22:09 -0000       1.4

+++ src/racoon/localconf.c      11 Jul 2008 20:58:55 -0000

@@ -211,7 +211,8 @@ getpsk(str, len)

if (*p == '\0')

continue;       /* no 2nd parameter */

p--;

-               if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {

+               if (strcmp(buf, "*") == 0

+                || (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {

p++;

keylen = 0;

for (q = p; *q != '\0' && *q != '\n'; q++)
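Review bot: the wildcard test 'strcmp(buf, "*") == 0' is evaluated before the exact identifier comparison, and the enclosing per-line loop (visible from the 'continue' above) accepts the first line that matches, so a '*' entry placed earlier in psk.txt than a per-peer entry silently overrides the per-peer key, and after this change one shared secret in psk.txt authenticates any peer identifier. Suggest either documenting (in the commit message and in psk.txt) that '*' must be the last line, or restructuring the lookup so the exact identifier is tried across the whole file first and '*' is used only as a fallback.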

To modify the source by hand, open the file /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon/localconf.c directly

and find this statement:

if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {

Replace it with:

if (strcmp(buf, "*") == 0
 || (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
        p++;
        keylen = 0;
        for (q = p; *q != '\0' && *q != '\n'; q++)

Alternatively, simply copy the file /usr/ports/security/ipsec-tools/files/wildcard-psk.diff into /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/ and then run:

cd /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/
patch < wildcard-psk.diff

Once the patch is applied, install ipsec-tools:

cd /usr/ports/security/ipsec-tools
make install

3. Configuration

After patching, configure mpd5. Its configuration file is /usr/local/etc/mpd5/mpd.conf, and the user and password file is /usr/local/etc/mpd5/mpd.secret.

In the configuration file below, replace 你的公网IP (your public IP) with your own address, and make sure the address ranges do not collide with your own LAN.


The contents are as follows:

startup:

# configure mpd users

set user super pSuper admin

# configure the console

set console self 127.0.0.1 5005

set console open

# configure the web server

set web self 0.0.0.0 5006

set web open

default:

load l2tp_server

load pptp_server

l2tp_server:

# Define dynamic IP address pool - these are the IP addresses which will be

# allocated to our remote clients when they join the LAN

# REPLACE w.x.y.from - w.x.y.to with the IP addresses mpd5 will allocate IP address range.

# e.g.  set ippool add pool_l2tp w.x.y.150 w.x.y.199

set ippool add pool_l2tp 192.168.10.20 192.168.10.150

# Create clonable bundle template named B_l2tp

create bundle template B_l2tp

set iface enable proxy-arp

set iface enable tcpmssfix

set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.

# This is the internal IP and netmask of the box

# REPLACE w.x.y.z with the IP address for your VPN server

set ipcp ranges 192.168.10.1/32 ippool pool_l2tp

# an accessible DNS server for clients to use

# REPLACE w.x.y.dns with the IP address for your DNS server

# e.g. set ipcp dns w.x.y.50

set ipcp dns 8.8.4.4

# The five lines below enable Microsoft Point-to-Point encryption

# (MPPE) using the ng_mppc(8) netgraph node type.

set bundle enable compression

set ccp yes mppc

set mppc yes e40

set mppc yes e128

set mppc yes stateless

# Create clonable link template named L_l2tp

create link template L_l2tp l2tp

# Set bundle template to use

set link action bundle B_l2tp

# Multilink adds some overhead, but gives full 1500 MTU.

set link enable multilink

set link yes acfcomp protocomp

set link no pap chap eap

set link enable chap

set link keep-alive 10 60

# We reduce the link MTU to avoid ESP packet fragmentation.

set link mtu 1280

# Configure L2TP

# REPLACE with the IP address racoon will listen on (if behind NAT, this is the INSIDE IP)

# Unfortunately, you can not specify multiple IPs here, so just comment the next line if you need that

set l2tp self 你的公网IP

#set l2tp enable length

# Allow to accept calls

set link enable incoming

pptp_server:

# Define dynamic IP address pool.

set ippool add pool1 192.168.11.151 192.168.11.180

# Create clonable bundle template named B

create bundle template B

set iface enable proxy-arp

set iface idle 1800

set iface enable tcpmssfix

set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.

set ipcp ranges 192.168.1.1/32 ippool pool1

set ipcp dns 8.8.4.4

#set ipcp nbns 192.168.1.4

# The five lines below enable Microsoft Point-to-Point encryption

# (MPPE) using the ng_mppc(8) netgraph node type.

set bundle enable compression

set ccp yes mppc

set mppc yes e40

set mppc yes e128

set mppc yes stateless

# Create clonable link template named L

create link template L pptp

# Set bundle template to use

set link action bundle B

# Multilink adds some overhead, but gives full 1500 MTU.

set link enable multilink

set link yes acfcomp protocomp

set link no pap chap eap

set link enable chap

# We can use use RADIUS authentication/accounting by including

# another config section with label 'radius'.

#       load radius

set link keep-alive 10 60

# We reduce the link MTU to avoid GRE packet fragmentation.

set link mtu 1460

# Configure PPTP

set pptp self 你的公网IP

# Allow to accept calls

set link enable incoming

User and password file: /usr/local/etc/mpd5/mpd.secret, with the following format:

admin1  admin123
admin2  admin234
admin3  admin345
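As an added example (not from the article and not part of mpd5), the following sh functions manage an mpd.secret file in the two-column "user password" format shown above: adding a user with a randomly generated password while keeping the file readable only by root, and auditing the file for short passwords such as the sample ones. The function names, the 24-character length and the minimum length used in the audit are my own choices.

```shell
#!/bin/sh
# Added example, not part of the article or of mpd5: manage mpd.secret with
# generated passwords and a root-only file mode. Entries are "user password"
# per line, as in the text; function names and lengths are assumptions.
set -eu

# gen_password: 24 characters drawn from /dev/urandom, restricted to an
# alphabet that needs no quoting in mpd.secret.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c 24
}

# mpd_add_user FILE USER: refuse duplicates, append "USER PASSWORD" with the
# file created 0600, and print the generated password once for the operator.
mpd_add_user() {
    file="$1"; user="$2"
    if [ -f "$file" ] && awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file"; then
        echo "mpd_add_user: $user already exists in $file" >&2
        return 1
    fi
    pw=$(gen_password)
    ( umask 077; printf '%s %s\n' "$user" "$pw" >> "$file" )
    chmod 600 "$file"        # also tightens a pre-existing world-readable file
    printf '%s\n' "$pw"
}

# mpd_secret_audit FILE MINLEN: print every user whose password is shorter
# than MINLEN; succeed only when no such entry exists.
mpd_secret_audit() {
    awk -v min="$2" '
        /^[ \t]*#/ || NF < 2 { next }            # comment or incomplete line
        length($2) < min { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage on the server:
#   mpd_add_user /usr/local/etc/mpd5/mpd.secret alice
#   mpd_secret_audit /usr/local/etc/mpd5/mpd.secret 16 || echo "weak passwords found"
```

mpd.secret is the only thing standing between the internet and your LAN once the IPsec pre-shared key is known to all clients, so the password column deserves the same care as the PSK: generated, long, and stored in a file nobody but root can read.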

ipsec-tools configuration

Its configuration directory is /usr/local/etc/racoon

The directory holds three files: psk.txt, racoon.conf and setkey.conf

psk.txt holds the pre-shared key, in this format:

* yoursharepsk
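The "*" line only works because of the localconf.c patch from section 2, and that patch takes the first matching line of psk.txt. As an added example (not racoon's code), the sh functions below model that selection rule so you can see which key a given peer identifier would receive, and detect the ordering problem where a "*" line placed above per-peer entries makes those entries unreachable. The sample file and function names are my own.

```shell
#!/bin/sh
# Added example, not racoon's code: model the key selection of the patched
# getpsk() in localconf.c. A psk.txt line is "identifier<blank>key"; the first
# line whose identifier equals the peer's identifier, or is "*", supplies the
# key. Function names and the sample file are assumptions.
set -eu

# psk_lookup FILE IDENTIFIER: print the key racoon would select; fail if none.
# The key is the remainder of the line after the identifier, as in getpsk().
psk_lookup() {
    awk -v id="$2" '
        /^[ \t]*#/ || NF < 2 { next }                  # comment or no key field
        $1 == "*" || $1 == id {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)       # drop the identifier
            print line; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# psk_wildcard_shadows FILE: succeed when a "*" line precedes a specific
# identifier; racoon takes the first match, so those later keys are never used.
psk_wildcard_shadows() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == "*" { star = 1 }
        $1 != "*" && star { shadow = 1 }
        END { exit (shadow ? 0 : 1) }
    ' "$1"
}

# Usage on the server (203.0.113.7 is a constructed client address):
#   psk_lookup /usr/local/etc/racoon/psk.txt 203.0.113.7
#   psk_wildcard_shadows /usr/local/etc/racoon/psk.txt && echo "'*' hides per-peer keys"
```

If you ever add per-client keys to psk.txt (for example for a fixed-address site-to-site peer), keep the "*" line last; otherwise every client, including that peer, is authenticated with the shared wildcard secret.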

racoon.conf is the main configuration file; in it, replace 你的公网IP (your public IP) with your actual address. Its contents are:

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen

{

# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)

isakmp           你的公网IP [500];

isakmp_natt      你的公网IP [4500];

}

remote anonymous

{

exchange_mode    main, aggressive;

#       doi ipsec_doi;

situation identity_only;

passive          on;

#       initial_contact off;

proposal_check   obey;

#        support_proxy    on;

nat_traversal    on;

generate_policy  on;

verify_identifier off;

ike_frag         on;

dpd_delay        20;

send_cr off;

send_cert off;

proposal

{

encryption_algorithm  aes;

hash_algorithm        sha1;

authentication_method pre_shared_key;

dh_group              modp1024;

}

proposal

{

encryption_algorithm  3des;

hash_algorithm        sha1;

authentication_method pre_shared_key;

dh_group              modp1024;

}

proposal {

# WinXP parameters.

encryption_algorithm 3des;

hash_algorithm md5;

authentication_method pre_shared_key;

dh_group modp1024;

}

proposal {

# android parameters.

encryption_algorithm aes;

hash_algorithm sha256;

authentication_method pre_shared_key;

dh_group modp1024;

}

}

sainfo anonymous

{

lifetime time 24 hour;

#encryption_algorithm     aes,3des;

#authentication_algorithm hmac_sha1;

encryption_algorithm aes, 3des, cast128, blowfish 448, des, rijndael ;

authentication_algorithm hmac_sha1, hmac_md5, hmac_sha256 ;

compression_algorithm    deflate;

pfs_group                modp1024;

}

The setkey.conf file contains:

flush;

spdflush;

spdadd 0.0.0.0/0 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;

spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

Finally, for the PF settings and starting everything at boot, write the following into /etc/rc.conf:

pf_enable="YES"

pf_flags=""

pf_rules="/etc/pf.conf"

mpd_enable="YES"

racoon_enable="YES"

racoon_flags="-l /var/log/racoon.log"

ipsec_enable="YES"

ipsec_program="/usr/local/sbin/setkey"

ipsec_file="/usr/local/etc/racoon/setkey.conf"

PF configuration:

The PF rules below should be adapted to your own situation; a simple version is:

WAN="em0"  # this interface is your external (WAN) network interface

set limit {states 1000000, frags 50000 }

set block-policy drop

scrub in

set skip on lo0

nat on $WAN inet from any to any -> $WAN

block in on $WAN all

pass out quick inet all

pass in quick on $WAN inet proto {tcp udp} from any to $WAN port {1701 1723 500 4500}

pass in quick on $WAN inet proto { icmp udp gre ipencap esp ah } from any to ($WAN)

pass quick on {ng0 ng1}


That is all for this article; I hope it helps with your study or work, and please continue to support 码农网.
