http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD
需要用到 mpd5(提供 L2TP)和 ipsec-tools(提供 IPsec)。
首先需要重新编译内核,在内核配置文件中加入如下选项:
# Kernel options for L2TP over IPsec (add to the kernel config and rebuild)
options IPSEC              #IP security
options IPSEC_FILTERTUNNEL # let the packet filter see the decapsulated (inner) packets as well
options IPSEC_NAT_T        # NAT traversal (UDP/4500) for clients behind NAT
device crypto              # crypto framework that ESP relies on
device enc                 # enc(4) pseudo-interface for filtering/monitoring IPsec traffic
给 ipsec-tools 打补丁。ipsec-tools 做 PSK 认证时只能按对端 IP 查找密钥,所以要让它识别 `*`,即对所有 IP 使用同一个密钥进行认证。
补丁如下:
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c 2008-12-23 12:04:42.000000000 -0200
+++ src/racoon/localconf.c 2011-04-25 15:44:24.000000000 -0300
@@ -207,7 +207,8 @@ getpsk(str, len)
if (*p == '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+ if (strcmp(buf, "*") == 0 ||
+ (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
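Review bot: The added wildcard test fires wherever a `*` line happens to sit in psk.txt, so a `*` entry placed before a host-specific entry shadows that host's key, because the loop presumably takes the first line whose identifier matches; the wildcard should be tried only after every exact identifier has failed, e.g. by remembering the `*` key when it is seen and falling back to it once the file is exhausted. A comment on the new `strcmp(buf, "*")` line would also help, `/* "*" matches any peer identifier: one shared key for every client */`, since it widens what the file format means. With a single key for everyone, each client holds the secret that also authenticates the server, so the key's strength and the file's mode carry the whole trust; that is worth stating next to the change. The rest of getpsk (the loop header and the return) lies outside the hunk.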
第二个补丁处理 racoon 日志中 "unrecognized route message with rtm_type: RTM_GET" 的问题。
diff -rup srca/racoon/grabmyaddr.c srcb/racoon/grabmyaddr.c
--- src/racoon/grabmyaddr.c 2011-03-14 14:18:12.000000000 -0300
+++ src/racoon/grabmyaddr.c 2011-04-25 15:56:41.000000000 -0300
@@ -753,6 +753,7 @@ kernel_handle_message(msg)
case RTM_ADD:
case RTM_DELETE:
case RTM_CHANGE:
+ case RTM_GET:
case RTM_MISS:
case RTM_IFINFO:
#ifdef RTM_OIFINFO
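Review bot: The added `case RTM_GET:` has no comment saying why this type belongs with RTM_ADD/RTM_DELETE/RTM_CHANGE instead of reaching the `default:` warning; judging from the second hunk the motive is to stop the warning for RTM_GET replies, which the routing socket appears to deliver to every listener whenever another process performs a route lookup. A one-line comment keeps that reasoning with the code, `case RTM_GET:	/* route lookup reply, delivered to every routing socket */`. Whether the shared case body is appropriate for RTM_GET depends on what it does, which is outside the hunk, as is the rest of the switch in kernel_handle_message().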
@@ -768,7 +769,7 @@ kernel_handle_message(msg)
break;
default:
plog(LLV_WARNING, LOCATION, NULL,
- "unrecognized route message with rtm_type: %d",
+ "unrecognized route message with rtm_type: %d\n",
rtm->rtm_type);
break;
}
/usr/local/etc/racoon/racoon.conf
# racoon(8) configuration for an L2TP/IPsec responder (transport-mode ESP around UDP/1701).
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # key file must be mode 600

listen
{
    isakmp 211.153.x.x [500];          # IKE; 211.153.x.x stands for the server's public address
    isakmp_natt 211.153.x.x [4500];    # IKE over UDP/4500 for NAT-T
    strict_address;                    # refuse to start if one of the addresses above is not bound
}

# Any peer may negotiate; authentication rests entirely on the PSK lookup.
remote anonymous
{
    exchange_mode main;        # main mode identifies the peer by IP, hence the "*" entry in psk.txt
    passive on;                # responder only, never initiate
    proposal_check obey;       # accept the initiator's lifetime/PFS values
    support_proxy on;          # presumably needed so NAT'd clients may send an ID that differs from their address
    nat_traversal on;
    ike_frag on;               # fragment large IKE messages
    dpd_delay 20;              # dead-peer detection probe interval in seconds
    # Proposals are tried in the order listed.
    # NOTE(review): modp1024, 3DES and SHA-1 are kept for compatibility with
    # older L2TP clients; prefer stronger groups/ciphers where the clients allow.
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

# Phase 2 parameters offered to every peer; algorithms are tried in the order listed.
sainfo anonymous
{
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}
/usr/local/etc/racoon/setkey.conf
# setkey(8) policy: L2TP (UDP/1701) must travel inside transport-mode ESP in both directions.
# "require" means unprotected L2TP packets are dropped rather than passed.
flush;
spdflush;
# inbound: any source port -> local UDP/1701
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
# outbound: local UDP/1701 -> any destination port
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
/usr/local/etc/racoon/psk.txt
# "identifier key" per line; "*" matches any peer and relies on the localconf.c patch above.
# Replace "password" with a long random secret and keep this file mode 600.
* password
psk.txt 的权限应设为 600。
/usr/local/etc/mpd/mpd.conf
# mpd5 configuration: L2TP server terminating the tunnels that racoon protects.
startup:

default:
	load l2tp_server

l2tp_server:
	# Addresses handed out to clients (211.153.y.1-211.153.y.4 stand for a real range)
	set ippool add pool_l2tp 211.153.y.1 211.153.y.4

	create bundle template B_l2tp
	# Answer ARP for client addresses on the LAN; needs net.link.ether.inet.proxyall=1
	set iface enable proxy-arp
	# Clamp TCP MSS so tunneled segments fit the link MTU set below
	set iface enable tcpmssfix
	# Van Jacobson TCP header compression
	set ipcp yes vjcomp
	# Server-side address / pool for the client side
	set ipcp ranges 211.153.x.x/32 ippool pool_l2tp
	set ipcp dns 8.8.8.8

	create link template L_l2tp l2tp
	set link action bundle B_l2tp
	set link enable multilink
	# Disable every authentication method, then allow CHAP only
	set link no pap chap eap
	set link enable chap
	# No LCP echo; peer liveness is left to the IPsec DPD configured in racoon.conf
	set link keep-alive 0 0
	set link mtu 1280
	# Address to accept L2TP on (211.153.x.x stands for the server's public address)
	set l2tp self 211.153.x.x
	# Include the L2TP length field in data packets
	set l2tp enable length
	# Accept incoming L2TP connections
	set link enable incoming
/usr/local/etc/mpd/mpd.secret
# One "username password" pair per line (CHAP credentials); keep this file mode 600.
username password
/etc/sysctl.conf
# Forward packets between VPN clients and the LAN
net.inet.ip.forwarding=1
# Answer ARP requests for addresses the host routes, so mpd's proxy-arp can publish client addresses
net.link.ether.inet.proxyall=1
/etc/rc.conf中加入
ipsec_enable="YES"                              # load the security policy with setkey at boot
ipsec_program="/usr/local/sbin/setkey"          # setkey from the ipsec-tools port rather than the base one
ipsec_file="/usr/local/etc/racoon/setkey.conf"  # policy file shown above
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"           # log IKE activity to a file
mpd_enable="YES"