l2tp on ipsec (with xl2tpd, racoon)

open ipsec vpn server

http://www.openswan.org http://www.strongswan.org http://www.freeswan.org

설치

rpm -ivH http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest yum -y install http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm yum -y install ipsec-tools yum -y install xl2tpd

vim /etc/racoon/init.sh

#!/bin/sh # set security policies echo -e "flush;\n\         spdflush;\n\         spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;\n\         spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;\n"\         | setkey -c

chmod 750 /etc/racoon/init.sh

vim /etc/rc.d/rc.local 라인 추가

/etc/racoon/init.sh

vim /etc/racoon/racoon.conf

path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; path script "/etc/racoon/scripts"; remote anonymous {         exchange_mode    aggressive,main;         passive          on;         proposal_check   obey;         support_proxy    on;         nat_traversal    on;         ike_frag         on;         dpd_delay        20;         proposal         {                 encryption_algorithm  aes;                 hash_algorithm        sha1;                 authentication_method pre_shared_key;                 dh_group              modp1024;         }         proposal         {                 encryption_algorithm  3des;                 hash_algorithm        sha1;                 authentication_method pre_shared_key;                 dh_group              modp1024;         } } sainfo anonymous {         encryption_algorithm     aes,3des;         authentication_algorithm hmac_sha1;         compression_algorithm    deflate;         pfs_group                modp1024; }

xl2tp (ipsec psk) 와 ipsec xauth 한방에 되는 설정파일

path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; path script "/etc/racoon/scripts"; log warning; remote anonymous {         exchange_mode    aggressive,main;         xauth_login "smileman";         passive          on;         proposal_check   obey;         support_proxy    on;         nat_traversal    on;         ike_frag         on;         dpd_delay        20;         initial_contact on;         verify_identifier on;         mode_cfg on;         generate_policy unique;         proposal         {                 encryption_algorithm aes 256; #3des;                 hash_algorithm sha1; #md5;                 authentication_method xauth_psk_server;                 dh_group 2; #modp1024;         }         proposal         {                 encryption_algorithm  aes;                 hash_algorithm        sha1;                 authentication_method pre_shared_key;                 dh_group              modp1024;         }         proposal         {                 encryption_algorithm  3des;                 hash_algorithm        sha1;                 authentication_method pre_shared_key;                 dh_group              modp1024;         } } sainfo anonymous { #       lifetime time 10 min;         encryption_algorithm     aes, aes 256, 3des, blowfish;         authentication_algorithm hmac_sha1, hmac_md5;         compression_algorithm    deflate, lzs;         pfs_group                modp1024; } padding {     randomize_length on;     strict_check off;     exclusive_tail on; } mode_cfg {     auth_source system;     conf_source local;     default_domain "local";     pool_size 10;     network4 10.0.0.1;     netmask4 255.255.255.0;     dns4 8.8.8.8;     banner "/etc/racoon/motd";     auth_throttle 3;

chmod 600 /etc/racoon/racoon.conf

사전 공유키 설정

vim /etc/racoon/psk.txt

# file for pre-shared keys used for IKE authentication # format is:  'identifier' 'key' # For example: # #  10.1.1.1             flibbertigibbet #  www.example.com      12345 #  foo@www.example.com  micropachycephalosaurus #default pskey * 1234 # client IP + PSK 192.168.1.1 1234 # iden + PSK smileman 1234

chmod 600 /etc/racoon/psk.txt

첫번재 필드는 IPSec Identifier (ipsec 식별자)

IOS와 윈도우에 내장된 VPN 클라이언트 프로그램은 첫번째 필드 (식별자) 설정이 없다  그래서 * 로 설정하면 디폴트 PSKEY로 인식한다  해당 VPN 클라이언트 아이피 와 PSKEY 조합으로 지정하게 되면 보안상 더 나아지지만 아이피가 바뀔 가능성이 있는 스마트장비는 접속이 불편할수 있다. ex) 192.168.0.1 1234 192.168.0.1 이라는 PC의 PSKEY는 1234로 인식하며 다른 아이피들은 PSKEY값이 할당되지 않았기 때문에 연결할수 없다

두번째 필드는 IPSec preshared key (ipsec 사전공유키)

안드로이드는 IPsec 식별자라고 해서 입력란이 있다. 여기서는 식별자를 smileman으로 설정하였다.

vim /etc/xl2tpd/xl2tpd.conf

; ; This is a minimal sample xl2tpd configuration file for use ; with L2TP over IPsec. ; ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec ; clients connect. In this example, the internal (protected) network ; is 192.168.1.0/24.  A special IP range within this network is reserved ; for the remote clients: 192.168.1.128/25 ; (i.e. 192.168.1.128 ... 192.168.1.254) ; ; The listen-addr parameter can be used if you want to bind the L2TP daemon ; to a specific IP address instead of to all interfaces. For instance, ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98 ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99) ; will be used by xl2tpd as its address on pppX interfaces. [global] ; listen-addr = 192.168.1.98 ; ; requires openswan-2.5.18 or higher - Also does not yet work in combination ; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or ;  when using any of the SAref kernel patches for kernels up to 2.6.35. ; saref refinfo = 30 ; ; force userspace = yes ; ; debug tunnel = yes ;[lns default] ;ip range = 192.168.1.128-192.168.1.254 ;local ip = 192.168.1.99 ;require chap = yes ;refuse pap = yes ;require authentication = yes ;name = LinuxVPNserver ;ppp debug = yes ;pppoptfile = /etc/ppp/options.xl2tpd ;length bit = yes [global] ipsec saref = yes force userspace = yes [lns default] local ip = VPN 서버아이피 ip range = 10.0.0.1-10.0.0.255 refuse pap = yes require authentication = yes ppp debug = yes length bit = yes pppoptfile = /etc/ppp/options.xl2tpd

vim /etc/ppp/options.xl2tpd

ms-dns 168.126.63.1 ms-dns 8.8.8.8 require-mschap-v2 asyncmap 0 crtscts hide-password modem name l2tpd proxyarp lcp-echo-interval 10 lcp-echo-failure 100

서비스시작

service racoon start service xl2tpd start

chmod 600 /etc/ppp/chap-secrets

PPTP 와 동일한 /etc/ppp/chap-secrets 계정파일 사용 (pptp 와 l2tp 를 같이 셋팅해서 2가지 모두 서버에 셋팅해서 운용 가능함)

방화벽 설정을 위한 사용포트

UDP 500   : L2TP IKE UDP 4500 : L2TP NAT UDP 1701 : L2TP 패킷

ntsyv

l2tp client

안드로이드 계열

아이폰

참고사이트

http://wiki.nikoforge.org/L2TP/IPSec_VPN_Setup_on_Centos_6_(64-bit)_for_use_with_Android_ICS_and_iOS_5_Clients#VPN_Connect_2