FreeBSD下的L2TP Server

在FreeBSD下建立L2TP服务器，没有OpenBSD下省心，一是得编译FreeBSD内核支持IPSec ，二是iOS和android下的L2TP加密协议不同，两者不能同时可用。本文针对了iOS下的L2TP Server设置，尚未能同时兼容Android。

1. 编译内核

由于各FreeBSD下对IPSec支持的参数各不相同，在 FreeBSD 10.3-RELEASE ， 增加如下

# IPSEC

options         IPSEC

options         IPSEC_NAT_T

options         IPSEC                   # IP (v4/v6) security

device          crypto                  # Required by IPSEC

最后执行编译内核命令, 漫长等待后，重启就好：

cd /usr/src

make buildkernel KERNCONF=GENERIC_IPSec

make installkernel KERNCONF=GENERIC_IPSec

重启后， uname -a 看看是否如 root@bsd:/usr/obj/usr/src/sys/GENERIC_IPsec  amd64

2.软件安装

需要用到的两个package为： mpd5 , ipsec-tools

其中ipsec-tools 需要修改源代码安装。

mpd5的安装比较简单,执行命令就可： pkg install mpd5

--- src/racoon/localconf.c      9 Sep 2006 16:22:09 -0000       1.4

+++ src/racoon/localconf.c      11 Jul 2008 20:58:55 -0000

@@ -211,7 +211,8 @@ getpsk(str, len)

if (*p == '\0')

continue;       /* no 2nd parameter */

p--;

-               if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {

+               if (strcmp(buf, "*") == 0

+                || (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {

p++;

keylen = 0;

for (q = p; *q != '\0' && *q != '\n'; q++)

修改源代码，可以直接找到文件 /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon/localconf.c

查找到如下这句：

if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {

把这句替换为：

if (strcmp(buf, "*") == 0

|| (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {

p++;

keylen = 0;

for (q = p; *q != '\0' && *q != '\n'; q++)

或者直接复制以下文件

/usr/ports/security/ipsec-tools/files/wildcard-psk.diff

到 /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/

复制完后，执行如下：

cd /usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.2/

mpd5配置，配置文件为： /usr/local/etc/mpd5/mpd.conf

用户和密码文件： /usr/local/etc/mpd5/mpd.secret

注意以下配置文件里，就是 你的公网IP 改成各自的 ， 还有网段别和自己的内网冲突。

内容如下：

startup:

# configure mpd users

set user super pSuper admin

# configure the console

set console self 127.0.0.1 5005

set console open

# configure the web server

set web self 0.0.0.0 5006

set web open

default:

load l2tp_server

load pptp_server

l2tp_server:

# Define dynamic IP address pool - these are the IP addresses which will be

# allocated to our remote clients when they join the LAN

# REPLACE w.x.y.from - w.x.y.to with the IP addresses mpd5 will allocate IP address range.

# e.g.  set ippool add pool_l2tp w.x.y.150 w.x.y.199

set ippool add pool_l2tp 192.168.10.20 192.168.10.150

# Create clonable bundle template named B_l2tp

create bundle template B_l2tp

set iface enable proxy-arp

set iface enable tcpmssfix

set ipcp yes vjcomp

# Specify IP address pool for dynamic assigment.

# This is the internal IP and netmask of the box

# REPLACE w.x.y.z with the IP address for your VPN server

set ipcp ranges 192.168.10.1/32 ippool pool_l2tp

# an accessible DNS server for clients to use

# REPLACE w.x.y.dns with the IP address for your DNS server

# e.g. set ipcp dns w.x.y.50

set ipcp dns 8.8.4.4

# The five lines below enable Microsoft Point-to-Point encryption

# (MPPE) using the ng_mppc(8) netgraph node type.

set bundle enable compression

set ccp yes mppc

set mppc yes e40

set mppc yes e128

set mppc yes stateless

# Create clonable link template named L_l2tp

create link template L_l2tp l2tp

# Set bundle template to use

set link action bundle B_l2tp

# Multilink adds some overhead, but gives full 1500 MTU.

set link enable multilink

set link yes acfcomp protocomp

set link no pap chap eap

set link enable chap

set link keep-alive 10 60

# We reducing link mtu to avoid ESP packet fragmentation.

set link mtu 1280

# Configure L2TP

# REPLACE with the IP address racoon will listen on (if behind NAT, this is the INSIDE IP)

# Unfortunately, you can not specify multiple IPs here, so just comment the next line if you need that

set l2tp self 你的公网IP

#set l2tp enable length

# Allow to accept calls

set link enable incoming

pptp_server:

# Define dynamic IP address pool.

set ippool add pool1 192.168.11.151 192.168.11.180

# Create clonable bundle template named B

create bundle template B

set iface enable proxy-arp

set iface idle 1800

set iface enable tcpmssfix

set ipcp yes vjcomp

# Specify IP address pool for dynamic assigment.

set ipcp ranges 192.168.1.1/32 ippool pool1

set ipcp dns 8.8.4.4

#set ipcp nbns 192.168.1.4

# The five lines below enable Microsoft Point-to-Point encryption

# (MPPE) using the ng_mppc(8) netgraph node type.

set bundle enable compression

set ccp yes mppc

set mppc yes e40

set mppc yes e128

set mppc yes stateless

# Create clonable link template named L

create link template L pptp

# Set bundle template to use

set link action bundle B

# Multilink adds some overhead, but gives full 1500 MTU.

set link enable multilink

set link yes acfcomp protocomp

set link no pap chap eap

set link enable chap

# We can use use RADIUS authentication/accounting by including

# another config section with label 'radius'.

#       load radius

set link keep-alive 10 60

# We reducing link mtu to avoid GRE packet fragmentation.

set link mtu 1460

# Configure PPTP

set pptp self 你的公网IP

# Allow to accept calls

set link enable incoming

用户和密码文件： /usr/local/etc/mpd5/mpd.secret

内容格式如下：

admin1  admin123

admin2  admin234

admin3  admin345

ipsec_tools配置

其配置目录为： /usr/local/etc/racoon

目录下有三个文件： psk.txt      racoon.conf    setkey.conf

psk.txt为预共享密匙，格式如下：

* yoursharepsk

racoon.conf 为主要配置文件，注意配置文件里，你的公网IP  填入自己的实际情况IP，内容为：

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen

{

# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)

isakmp           你的公网IP [500];

isakmp_natt      你的公网IP [4500];

}

remote anonymous

{

exchange_mode    main, aggressive;

#       doi ipsec_doi;

situation identity_only;

passive          on;

#       initial_contact off;

proposal_check   obey;

#        support_proxy    on;

nat_traversal    on;

generate_policy  on;

verify_identifier off;

ike_frag         on;

dpd_delay        20;

send_cr off;

send_cert off;

proposal

{

encryption_algorithm  aes;

hash_algorithm        sha1;

authentication_method pre_shared_key;

dh_group              modp1024;

}

proposal

{

encryption_algorithm  3des;

hash_algorithm        sha1;

authentication_method pre_shared_key;

dh_group              modp1024;

}

proposal {

# WinXP pararmeters.

encryption_algorithm 3des;

hash_algorithm md5;

authentication_method pre_shared_key;

dh_group modp1024;

}

proposal {

# android pararmeters.

encryption_algorithm aes;

hash_algorithm sha256;

authentication_method pre_shared_key;

dh_group modp1024;

}

}

sainfo anonymous

{

lifetime time 24 hour;

#encryption_algorithm     aes,3des;

#authentication_algorithm hmac_sha1;

encryption_algorithm aes, 3des, cast128, blowfish 448, des, rijndael ;

authentication_algorithm hmac_sha1, hmac_md5, hmac_sha256 ;

compression_algorithm    deflate;

pfs_group                modp1024;

}

setkey.conf 文件内容为：

flush;

spdflush;

spdadd 0.0.0.0/0 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;

spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

最后，PF的设置和开机启动，在 /etc/rc.conf 写入如下：

pf_enable="YES"

pf_flags=""

pf_rules="/etc/pf.conf"

mpd_enable="YES"

racoon_enable="YES"

racoon_flags="-l /var/log/racoon.log"

ipsec_enable="YES"

ipsec_program="/usr/local/sbin/setkey"

ipsec_file="/usr/local/etc/racoon/setkey.conf"