L2TP -updating

本文详细介绍了如何在客户端和服务端配置L2TP over IPSec VPN连接。涉及的步骤包括安装所需软件包、配置IPSec及xl2tpd设置等。通过具体配置文件示例,读者可以了解到整个配置过程。

http://help.aliyun.com/knowledge_detail.htm?knowledgeId=5974459

https://sites.google.com/site/ticlapinou/formation-linux/l2tp-ipsec

http://www.jacco2.dds.nl/networking/linux-l2tp.html


l2tp+ipsec
Mise en place d'un tunnel (x)L2TP over IPSec

Qu'est-ce qu'IPSec ?

IPsec (Internet Protocol Security), défini par l'IETF comme un cadre de standards ouverts pour assurer des communications privées et protégées sur des réseaux IP, par l'utilisation des services de sécurité cryptographiques[1], est un ensemble de protocoles utilisant des algorithmes permettant le transport de données sécurisées sur un réseau IP. IPsec se différencie des standards de sécurité antérieurs en n'étant pas limité à une seule méthode d'authentification ou d'algorithme et c'est la raison pour laquelle il est considéré comme un cadre de standards ouverts[1]. De plus IPsec opère à la couche réseau (couche 3 du modèle OSI) contrairement aux standards antérieurs qui opéraient à la couche application (couche 7 du modèle OSI), ce qui le rend indépendant des applications, et veut dire que les utilisateurs n'ont pas besoin de configurer chaque application aux standards IPsec[1].

Source: wikipedia ( http://fr.wikipedia.org/wiki/IPsec )


Prérequis : xl2tpd et openswan (IPsec). pptpd n'intervient pas dans un tunnel L2TP/IPsec : c'est un serveur PPTP qui ouvre le port TCP/1723 (PPTP/MS-CHAPv2-MPPE est un protocole considéré comme cassé). Les commandes ci-dessous le conservent comme dans l'original, mais il peut être omis sans rien changer au tunnel L2TP/IPsec.

root@client # apt-get install -y xl2tpd pptpd openswan
root@server # apt-get install -y xl2tpd pptpd openswan


____________________________________________________________________________________________________________________________________________________________


Partie client


ipsec

user@client $ cat /etc/ipsec.conf

## Openswan /etc/ipsec.conf -- client ("left") side of the L2TP-over-IPsec tunnel.
## Only the IPsec layer is configured here: transport-mode ESP around UDP/1701.
## User authentication happens later, inside PPP over L2TP.

version 2.0

config setup
  dumpdir="/var/run/pluto/"
  # NAT traversal is off. A client behind NAT cannot use this as is (ESP needs
  # UDP encapsulation to cross NAT); switch to nat_traversal=yes on both ends
  # if that is the case.
  nat_traversal=no
  # Address ranges a NATed peer may present as its "virtual" address.
  # NOTE(review): 25.0.0.0/8 is not an RFC 1918 range; keep it only if that
  # network is really in use locally.
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
  # No opportunistic encryption -- nothing here relies on DNS-published keys.
  oe=off
  protostack=netkey
  plutostderrlog=/var/log/pluto.log

# Connection towards the server. auto=add only loads it; it is brought up by
# hand with `ipsec auto --up L2TP-PSK-CLIENT` (see the end of this page).
conn L2TP-PSK-CLIENT
  # Pre-shared key from /etc/ipsec.secrets; no certificates or RSA keys involved.
  authby=secret
  # No Perfect Forward Secrecy on the phase-2 (IPsec SA) rekey. Commonly set
  # for interoperability with built-in OS L2TP clients; prefer pfs=yes when
  # the peer supports it.
  pfs=no
  # This end never initiates a rekey; the server also has rekey=no, so the SA
  # simply expires at the end of its lifetime -- confirm that is intended.
  rekey=no
  keyingtries=3
  # L2TP/IPsec uses transport mode: only the UDP/1701 payload is protected.
  type=transport
  # NOTE(review): no ike= / phase2alg= line, so the cipher suite is whatever
  # this Openswan build defaults to. Pin it explicitly and check the result
  # with `ipsec auto --status`.

  # left = this host (public address; placeholder)
  left=195.XXX.186.XX
  leftprotoport=17/1701

  # right = the server (public address; placeholder)
  right=195.xxx.186.xx
  rightprotoport=17/1701

  auto=add


user@client $ cat /etc/ipsec.secrets

# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
# include /var/lib/openswan/ipsec.secrets.inc  -> empty file in this setup, so the
# include is left commented out; the debconf RSA host key is unused because the
# conn uses authby=secret (PSK only).

# PSK for conn L2TP-PSK-CLIENT. Format: <local addr> <remote addr>: PSK "<key>".
# NOTE(review): both addresses use the same placeholder here; local is this
# host ("left"), remote is the server ("right" in ipsec.conf).
# "TehSuperKey" is a placeholder: use a long random value (e.g. from
# `openssl rand -base64 32`), keep this file root-owned, mode 0600, and do not
# reuse it as a PPP password (the pap-secrets example on this page does).
#local        remote        type    key
195.XXX.186.XX    195.XXX.186.XX: PSK    "TehSuperKey"


xl2tpd

user@client $ cat /etc/xl2tpd/xl2tpd.conf

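[global]
  ; xl2tpd client (LAC) side. L2TP itself is neither authenticated nor
  ; encrypted; it relies on the IPsec transport-mode SA from ipsec.conf
  ; wrapping UDP/1701.
  port = 1701
  ; Tunnel-authentication secrets. The file shown on this page lives under
  ; /etc/xl2tpd/ (the package default); the original pointed at
  ; /etc/l2tpd/l2tp-secrets, which does not match.
  auth file = /etc/xl2tpd/l2tp-secrets
  ; Only meaningful for incoming (LNS) tunnels; harmless on a pure client.
  access control = yes
  rand source = dev


[lac L2TPClient]
  ; Public address of the server; must equal "right" in ipsec.conf.
  lns = 195.XXX.186.XX
  ; NOTE(review): these are handed to pppd as require-chap / refuse-pap, while
  ; options.l2tpd.client also sets "noauth"; check the pppd log for the
  ; effective authentication settings. The server refuses plain CHAP and
  ; requires MS-CHAPv2.
  require authentication = yes
  require chap = yes
  refuse pap = yes

  ; PPP user name sent to the server. It must match the first column of
  ; /etc/ppp/chap-secrets, which on this page is "technofuturtic", not
  ; "username" -- one of the two has to change.
  name = username

  ; Verbose pppd logging -- turn off once the tunnel works.
  ppp debug = yes
  pppoptfile = /etc/ppp/options.l2tpd.client
  length bit = yes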


user@client $ cat /etc/ppp/options.l2tpd.client

# pppd options used by the xl2tpd client (pppoptfile in xl2tpd.conf).
# Let the server assign both ends of the PPP link.
ipcp-accept-local
ipcp-accept-remote
refuse-eap
# No Compression Control Protocol, hence no MPPE: confidentiality comes from
# the outer IPsec SA, not from PPP.
noccp
# Do not require the server to authenticate itself to us.
# NOTE(review): xl2tpd.conf also sets "require chap = yes"; check the pppd log
# for which setting wins.
noauth
# Serial-line flow control; irrelevant over L2TP but harmless.
crtscts
# Hang up after 30 minutes without traffic.
idle 1800
# Leave room for the L2TP + UDP + ESP headers added on top of PPP.
mtu 1200
mru 1200
# The tunnel does not become the default route; routes via the ppp interface
# have to be added separately (not shown on this page).
nodefaultroute
# Verbose logging -- disable once the tunnel works. Unlike the server side,
# there is no hide-password here, so PAP packet logs would include the password.
debug
lock
# Wait up to 5 s for the first LCP packet from the peer.
connect-delay 5000


user@client $ cat /etc/ppp/pap-secrets

# /etc/ppp/pap-secrets on the client: <user> <server> <password> [<addresses>].
# NOTE(review): the client refuses PAP (refuse pap = yes in xl2tpd.conf), so this
# entry is never used, and its "password" is the IPsec PSK from ipsec.secrets.
# Never reuse the tunnel PSK as a user password; keep this file mode 0600.
"username"        195.xxx.186.xx  "TehSuperKey"

user@client $ cat /etc/xl2tpd/l2tp-secrets

# /etc/xl2tpd/l2tp-secrets on the client: L2TP tunnel-authentication secrets,
# <local host> <remote host> <secret>; "*" matches any remote host.
# NOTE(review): host name and secret are identical here -- use a distinct,
# random secret and keep the file mode 0600. This only authenticates the L2TP
# control connection; user authentication is done by PPP (chap-secrets).
"technofuturtic"        *       "technofuturtic"



user@client $ cat /etc/ppp/chap-secrets

# Secrets for authentication using CHAP (pppd also uses this file for the
# MS-CHAPv2 exchange the server requires).
# Columns: <client> <server> <secret> <IP addresses>. "*" = any server / any address.
# The client name must equal "name =" in xl2tpd.conf -- that file currently
# says "username", so one of the two has to change.
# NOTE(review): "test1234=" is a placeholder; MS-CHAPv2 is only as strong as
# the password, so use a long random one. Keep this file root-owned, mode 0600.
# client    server    secret            IP addresses

technofuturtic    *    "test1234="    *


Redémarrer les services (le redémarrage de pptpd est superflu pour L2TP/IPsec, voir les prérequis) :

root@client # service ipsec restart; service pptpd restart; service xl2tpd restart

____________________________________________________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________________________________________________


Configuration du serveur


user@server $ cat /etc/ipsec.conf

## Openswan /etc/ipsec.conf -- server ("left") side of the L2TP-over-IPsec tunnel.
## Accepts transport-mode ESP around UDP/1701 from any client that knows the PSK.

version 2.0
config setup
  dumpdir=/var/run/pluto/
  # NAT traversal is off: clients behind NAT (the usual road-warrior case)
  # cannot connect until this is nat_traversal=yes here and on the client.
  nat_traversal=no
  # Address ranges a NATed client may present as its "virtual" address.
  # NOTE(review): 25.0.0.0/8 is not an RFC 1918 range; drop it unless needed.
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
  oe=off
  protostack=netkey
  plutostderrlog=/var/log/pluto.log


# Road-warrior connection. With right=%any every client shares the single PSK
# from /etc/ipsec.secrets, so any client holding it can impersonate the server
# towards the others. Acceptable for a small trusted group; otherwise move to
# certificate (RSA) authentication.
conn L2TP-PSK
  authby=secret
  # No PFS on the IPsec SA rekey (interoperability with built-in OS clients);
  # prefer pfs=yes if all clients support it.
  pfs=no
  # The server never rekeys; with keylife=1h the SA expires after an hour and
  # the client has to reconnect unless it rekeys itself.
  rekey=no
  keyingtries=3
  ikelifetime=8h
  keylife=1h
  # L2TP/IPsec uses transport mode: only the UDP/1701 payload is protected.
  type=transport
  # NOTE(review): no ike= / phase2alg= line -- the cipher suite is the build
  # default. Pin it explicitly and verify with `ipsec auto --status`.

  # left = this server, taken from the interface of the default route.
  left=%defaultroute
  leftprotoport=17/1701

  # right = any client; the %any source port is needed for NATed clients.
  right=%any
  rightprotoport=17/%any
  auto=add


user@server $ cat /etc/ipsec.secrets

# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
#; include /var/lib/openswan/ipsec.secrets.inc  -> empty file in this setup, so the
# include stays commented out (the conn uses authby=secret, PSK only).
# Group PSK for conn L2TP-PSK: "%any" means every client authenticates with this
# one value, so it must be treated as shared among all users. "TehSuperKey" is a
# placeholder -- use a long random value (e.g. `openssl rand -base64 32`), keep
# this file root-owned, mode 0600, and never reuse it as a PPP password.
#local        remote    type    key
195.XXX.186.XX    %any:    PSK    "TehSuperKey"

user@server $ cat /etc/xl2tpd/xl2tpd.conf

[global]
  ; xl2tpd server (LNS). L2TP carries no encryption of its own; it relies on
  ; the IPsec transport-mode SA from ipsec.conf. Nothing on this page
  ; restricts UDP/1701 to IPsec-protected packets, so add a firewall rule that
  ; accepts 1701 only for packets that matched an IPsec policy (e.g. iptables
  ; "-m policy --dir in --pol ipsec") -- otherwise L2TP/PPP is reachable in
  ; the clear, bypassing the PSK.
  listen-addr = 195.xxx.186.xx
  port = 1701
  ; No per-host access list: any LAC may connect.
  access control = no
  rand source = dev
  ; Tunnel-authentication secret file. NOTE(review): this points at the PPP
  ; chap-secrets file, while a separate /etc/xl2tpd/l2tp-secrets is shown
  ; further down; tunnel secrets and user secrets should not share one file.
  auth file = /etc/ppp/chap-secrets
  ; Very verbose logging -- switch all of these off in production.
  debug tunnel = yes
  debug avp = yes
  debug packet = yes
  debug network = yes
  debug state = yes


[lns default]
  exclusive = yes ; one tunnel per remote host
  ; Address pool handed to clients, and the server end of the PPP link.
  ; NOTE(review): no ip_forward / NAT setup is shown on this page; without it
  ; clients reach 10.10.10.1 and nothing beyond.
  ip range = 10.10.10.2-10.10.10.254
  local ip = 10.10.10.1
  ; Plain CHAP and PAP are refused; options.l2tpd requires MS-CHAPv2 instead.
  refuse chap = yes
  refuse pap = yes
  require authentication = yes
  ppp debug = yes ; handy while debugging, noisy in production
  pppoptfile = /etc/ppp/options.l2tpd ; file holding the pppd options
  length bit = yes

user@server $ cat /etc/ppp/options.l2tpd

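# pppd options for the xl2tpd server (pppoptfile in xl2tpd.conf).
# pppd option files only document "#" as the comment character; the original
# used ";" on the "name" line, which pppd would read as an option word.

# Clients must authenticate with MS-CHAPv2 (plain CHAP/PAP are refused in
# xl2tpd.conf). NOTE(review): MS-CHAPv2 is a weak protocol whose handshake can
# be cracked offline; it is tolerable here only because the exchange runs
# inside the IPsec SA -- and that SA uses one PSK shared by all clients. Use
# long, unique passwords per user.
require-mschap-v2
# DNS servers pushed to clients. NOTE(review): these are Google's public
# resolvers, so client DNS queries leave the VPN operator's control; point at
# your own resolver if that matters.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
# Require the peer to authenticate before any network traffic is allowed.
auth
# Serial-line flow control; irrelevant over L2TP but harmless.
crtscts
lock
# Keep the password out of PAP packet logs even with "debug" on.
hide-password
modem
# Verbose logging -- disable once the tunnel works.
debug
# Our name when looking up chap-secrets; the example there uses "*" in the
# server column, so any name matches.
name technofuturtic
# Answer ARP on the local LAN for client addresses so they are reachable there.
proxyarp
# Drop the link after 4 unanswered LCP echoes sent 30 s apart.
lcp-echo-interval 30
lcp-echo-failure 4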


user@server $ cat /etc/ppp/pap-secrets

# /etc/ppp/pap-secrets on the server: <client> <remote> <secret> [<addresses>].
# NOTE(review): PAP is refused (refuse pap = yes in xl2tpd.conf), so pppd never
# consults this entry; it also merely repeats the tunnel secret from
# l2tp-secrets. Remove it or give it a real, distinct secret; keep the file
# root-owned, mode 0600.
# id                    remote ip        user
"technofuturtic"        195.XXX.186.XX  "technofuturtic"



user@server $ cat /etc/xl2tpd/l2tp-secrets

# /etc/xl2tpd/l2tp-secrets on the server: L2TP tunnel-authentication secrets,
# <local host> <remote host> <secret>; "*" accepts any remote host name.
# NOTE(review): host name and secret are identical, and xl2tpd.conf's
# "auth file" does not even point here (it names /etc/ppp/chap-secrets).
# Use a distinct random secret, reference this file from xl2tpd.conf, and keep
# it mode 0600. This only authenticates the L2TP control connection; users are
# authenticated by PPP (chap-secrets).
"technofuturtic"        *       "technofuturtic"

user@server $ cat /etc/ppp/chap-secrets 
# Secrets for authentication using CHAP (pppd also uses this file for the
# MS-CHAPv2 exchange required by options.l2tpd).
# Columns: <client> <server> <secret> <IP address>. "*" in the server column
# matches the "name technofuturtic" set in options.l2tpd; "*" in the address
# column lets the client take any address from the xl2tpd "ip range" pool.
# NOTE(review): "test1234=" is a placeholder -- MS-CHAPv2 is only as strong as
# the password, so use a long random one per user. The client column must
# equal the "name =" of the connecting xl2tpd (this page's client config says
# "username", which would not match). Keep this file root-owned, mode 0600.
# client        server  secret                  IP address

technofuturtic  *       test1234=       *


---
Redémarrer les services (le redémarrage de pptpd est superflu pour L2TP/IPsec, voir les prérequis) :

root@server # service ipsec restart; service xl2tpd restart; service pptpd restart


Lancer la connexion VPN — IPsec d'abord, puis le tunnel L2TP, dans cet ordre : si xl2tpd se connecte avant que la SA IPsec soit montée, le trafic L2TP/PPP part en clair.
# ipsec
root@client # ipsec auto --up L2TP-PSK-CLIENT
#xl2tpd (c = connect)
root@client # echo "c L2TPClient" > /var/run/xl2tpd/l2tp-control


Couper la connexion VPN (de préférence L2TP d'abord, puis IPsec, pour que la fermeture du tunnel L2TP passe encore dans la SA ; l'ordre ci-dessous est celui de l'original) :

# ipsec
root@client # ipsec auto --down L2TP-PSK-CLIENT

# xl2tpd (d = disconnect)
root@client # echo "d L2TPClient" > /var/run/xl2tpd/l2tp-control


 

本文转自 zhangfang526 51CTO博客,原文链接:http://blog.51cto.com/zhangfang526/1709729

