
VPN

l2tp on ipsec (with xl2tpd, racoon)

초보의 CHOMAN 2015.06.12 14:48

open ipsec vpn server

http://www.openswan.org

http://www.strongswan.org

http://www.freeswan.org 


설치

# Package installation on EL6: add the two extra repositories, then install
# the IPsec userland (racoon/setkey from ipsec-tools) and the L2TP daemon.
NIKOFORGE_RELEASE_URL="http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest"
EPEL_RELEASE_URL="http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm"

# NOTE(review): both repository release packages are fetched over plain http,
# so the transport gives no integrity guarantee; check the package signature
# (rpm -K / rpm --checksig) or a known-good checksum before installing, since
# a release package also installs the repo's GPG key and .repo file.
rpm -ivH "$NIKOFORGE_RELEASE_URL"
yum -y install "$EPEL_RELEASE_URL"

# racoon + setkey (IKE daemon and SPD/SAD tool) and the L2TP server
yum -y install ipsec-tools
yum -y install xl2tpd


vim /etc/racoon/init.sh

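#!/bin/sh
# /etc/racoon/init.sh — install the IPsec security policies (SPD entries) that
# force L2TP traffic (UDP 1701) to travel inside ESP transport mode.
#
# Started from rc.local (see below) before racoon/xl2tpd take clients.
# "flush" empties the SAD and "spdflush" empties the SPD, so any policy set by
# other tooling on this host is removed too — keep this the only place where
# SPD entries are written.
#
# In setkey's address syntax "[0]" means any port.  The two spdadd lines say:
# UDP arriving at local port 1701 (in) and UDP leaving local port 1701 (out)
# require an ESP transport-mode SA; a packet without one is discarded by the
# kernel, so unprotected L2TP is never accepted.  IKE (UDP 500) and NAT-T
# (UDP 4500) are not covered and stay in the clear, as racoon needs them.
#
# A here-document replaces the original `echo -e "..." | setkey -c` pipeline:
# it does not depend on echo honouring -e (not guaranteed under #!/bin/sh)
# and keeps the policy text readable.
setkey -c <<'EOF'
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
EOF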


chmod 750 /etc/racoon/init.sh


vim /etc/rc.d/rc.local 에 아래 라인 추가

/etc/racoon/init.sh


vim /etc/racoon/racoon.conf

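# /etc/racoon/racoon.conf — IKEv1 responder for L2TP/IPsec clients that
# authenticate with a pre-shared key (PSK).  Kept at mode 0600 (chmod below).

path include        "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";   # identifier/PSK pairs, created below, mode 0600
path certificate    "/etc/racoon/certs";
path script         "/etc/racoon/scripts";

# Phase 1 (ISAKMP SA) settings shared by every peer.  No peer address or
# identity is pinned: any client that knows a PSK from psk.txt may connect.
remote anonymous
{
        # Both phase-1 exchange modes are accepted.  NOTE(review): with PSK
        # authentication, aggressive mode lets anyone who can observe the
        # exchange attempt to guess the PSK offline, so the PSK must be long
        # and random; list only "main" if every client you support allows it.
        exchange_mode    aggressive,main;
        passive          on;        # responder only, racoon never initiates
        proposal_check   obey;      # accept the lifetime/PFS values the client proposes
        support_proxy    on;
        nat_traversal    on;        # clients behind NAT: UDP 4500 encapsulation
        ike_frag         on;        # accept/send fragmented IKE messages
        dpd_delay        20;        # dead-peer-detection probe interval (seconds)

        # Two acceptable proposals: AES and 3DES, both with SHA-1, PSK and
        # modp1024 (DH group 2).  NOTE(review): modp1024 and 3des are weak by
        # current standards and are kept only for the built-in OS clients this
        # guide targets; drop the 3des proposal when the clients allow it.
        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

# Phase 2 (IPsec SA) algorithms offered to every peer; PFS uses group 2 again.
sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;    # IPComp, if the client asks for it
        pfs_group                modp1024;
}   # closing brace was missing from the original listing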


xl2tpd (ipsec psk) 와 ipsec xauth 가 한 번에 되는 설정파일

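# /etc/racoon/racoon.conf — combined responder: L2TP/IPsec clients with a plain
# PSK and direct IPsec clients using XAuth (user/password) + PSK with
# mode-config address assignment.  Kept at mode 0600 (chmod below).

path include        "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";   # identifier/PSK pairs, created below, mode 0600
path certificate    "/etc/racoon/certs";
path script         "/etc/racoon/scripts";

log warning;

remote anonymous
{
        # Both phase-1 exchange modes are accepted.  NOTE(review): with PSK
        # authentication, aggressive mode lets anyone who can observe the
        # exchange attempt to guess the PSK offline, so the PSK must be long
        # and random; list only "main" if every client you support allows it.
        exchange_mode    aggressive,main;
        # NOTE(review): racoon documents xauth_login as the login used by a
        # *client* doing hybrid auth; in this responder-only config it appears
        # to have no effect — confirm, and remove if unused.
        xauth_login "smileman";
        passive          on;        # responder only, racoon never initiates
        proposal_check   obey;      # accept the lifetime/PFS values the client proposes
        support_proxy    on;
        nat_traversal    on;        # clients behind NAT: UDP 4500 encapsulation
        ike_frag         on;        # accept/send fragmented IKE messages
        dpd_delay        20;        # dead-peer-detection probe interval (seconds)
        initial_contact on;         # tell the peer to drop SAs left over from an earlier session
        # The ID payload the client sends is checked (racoon compares it with
        # peers_identifier, which is not set here) — presumably harmless for the
        # clients the guide lists; confirm if a client is rejected at phase 1.
        verify_identifier on;
        mode_cfg on;                # enable ISAKMP mode-config (mode_cfg section below)
        generate_policy unique;     # install a separate SPD entry per connecting client

        # First proposal: XAuth on top of the PSK (AES-256/SHA-1/group 2).
        # The trailing "#..." comments are the values the author tried before.
        proposal
        {
                encryption_algorithm aes 256; #3des;
                hash_algorithm sha1; #md5;
                authentication_method xauth_psk_server;
                dh_group 2; #modp1024;
        }
        # Remaining proposals: plain PSK for L2TP/IPsec clients.  NOTE(review):
        # modp1024 and 3des are weak by current standards and are kept only for
        # the built-in OS clients this guide targets.
        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

# Phase 2 (IPsec SA) algorithms offered to every peer.
sainfo anonymous
{
#       lifetime time 10 min;
        # NOTE(review): blowfish, 3des and hmac_md5 are legacy choices; with
        # proposal_check obey, whichever of these the client proposes is used —
        # trim the list once the set of clients is known.
        encryption_algorithm     aes, aes 256, 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm    deflate, lzs;   # IPComp, if the client asks for it
        pfs_group                modp1024;
}

# IKE payload padding behaviour; strict_check off tolerates non-conforming
# padding from clients.
padding {
    randomize_length on;
    strict_check off;
    exclusive_tail on;
}

# Mode-config: what XAuth clients are authenticated against and what they are
# handed after phase 1.
mode_cfg {
    # XAuth user/password is checked against this host's own accounts.
    # NOTE(review): presumably every local account with a password can then
    # log in to the VPN — confirm, and restrict the accounts that may do so.
    auth_source system;
    conf_source local;            # addresses come from the local pool below
    default_domain "local";
    # Pool of 10 addresses starting at 10.0.0.1.  NOTE(review): the xl2tpd
    # "ip range" later in this guide also starts at 10.0.0.1, so an XAuth
    # client and an L2TP client could be given the same address at the same
    # time — use disjoint ranges.
    pool_size 10;
    network4 10.0.0.1;
    netmask4 255.255.255.0;
    dns4 8.8.8.8;                 # DNS server pushed to the client
    banner "/etc/racoon/motd";    # banner file shown to the client after login
    auth_throttle 3;              # delay (seconds) imposed after a failed XAuth attempt
}   # closing brace was missing from the original listing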




chmod 600 /etc/racoon/racoon.conf


사전 공유키 설정

vim /etc/racoon/psk.txt

# file for pre-shared keys used for IKE authentication
# format is:  'identifier' 'key'
# For example:
#
#  10.1.1.1             flibbertigibbet
#  www.example.com      12345
#  foo@www.example.com  micropachycephalosaurus
#
# How a line is chosen (as described in this guide): the first field is
# matched against what the client presents — its IP address for the built-in
# Windows/iOS clients, which have no identifier setting, or the "IPsec
# identifier" string typed on Android; "*" is the default used when nothing
# more specific matches.  An IP-keyed entry is stricter but breaks for mobile
# clients whose address changes.
#
# NOTE(review): "1234" is the tutorial's placeholder.  The PSK is the only
# thing authenticating a peer in the pre_shared_key proposals of racoon.conf,
# and the "*" entry can be hit by any client, so each entry needs a long,
# random secret.  This file is read by racoon and must stay mode 0600
# (chmod below).

#default pskey
* 1234

# client IP + PSK
192.168.1.1 1234

# iden + PSK
smileman 1234


chmod 600 /etc/racoon/psk.txt


첫번째 필드는 IPSec Identifier (ipsec 식별자)


iOS와 윈도우에 내장된 VPN 클라이언트 프로그램에는 첫번째 필드 (식별자) 설정란이 없다.

그래서 식별자를 * 로 설정하면 디폴트 PSKEY로 인식한다.


해당 VPN 클라이언트 아이피와 PSKEY 조합으로 지정하면 보안상 더 나아지지만, 아이피가 바뀔 가능성이 있는 스마트 장비는 접속이 불편할 수 있다.

ex) 192.168.0.1 1234


192.168.0.1 이라는 PC의 PSKEY는 1234로 인식하며, 다른 아이피들은 PSKEY 값이 할당되지 않았기 때문에 연결할 수 없다.


두번째 필드는 IPSec preshared key (ipsec 사전공유키)

안드로이드는 IPsec 식별자라고 해서 입력란이 있다. 여기서는 식별자를 smileman으로 설정하였다.


vim /etc/xl2tpd/xl2tpd.conf

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

;[lns default]
;ip range = 192.168.1.128-192.168.1.254
;local ip = 192.168.1.99
;require chap = yes
;refuse pap = yes
;require authentication = yes
;name = LinuxVPNserver
;ppp debug = yes
;pppoptfile = /etc/ppp/options.xl2tpd
;length bit = yes

; --- active configuration; the shipped sample above is left commented out ---
[global]
; NOTE(review): both keys are taken from the openswan-oriented sample above;
; with racoon (as used in this guide) SAref tracking is probably not
; available — confirm they have an effect, or drop them.
ipsec saref = yes
force userspace = yes

[lns default]
; "VPN 서버아이피" is the guide's placeholder (Korean for "VPN server IP"):
; the address xl2tpd uses as its own end of the ppp links goes here.
local ip = VPN 서버아이피
; addresses handed to L2TP clients.  NOTE(review): this range overlaps the
; racoon mode_cfg pool (network4 10.0.0.1, pool_size 10) configured earlier,
; and 10.0.0.255 is the broadcast address of 10.0.0.0/24 — confirm both are
; intended.
ip range = 10.0.0.1-10.0.0.255
; plaintext PAP is rejected and authentication is mandatory; the actual
; method (MS-CHAPv2) is enforced by pppd through the options file below.
; "require chap = yes" from the sample is not carried over.
refuse pap = yes
require authentication = yes
; verbose pppd negotiation logging — helpful while setting up, noisy afterwards
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/options.xl2tpd 


vim /etc/ppp/options.xl2tpd

# /etc/ppp/options.xl2tpd — pppd options for the L2TP links
# (referenced by pppoptfile in xl2tpd.conf)

# DNS servers pushed to clients that ask for them (MS-DNS)
ms-dns 168.126.63.1
ms-dns 8.8.8.8
# Only MS-CHAPv2 is accepted; accounts come from /etc/ppp/chap-secrets
# (kept at mode 0600, see the chmod below).  NOTE(review): MS-CHAPv2 on its
# own is considered broken; here it is only acceptable because the exchange
# runs inside the ESP tunnel that /etc/racoon/init.sh makes mandatory for
# UDP 1701 — keep that policy in place.
require-mschap-v2
asyncmap 0        # no control-character escaping on the link
crtscts
hide-password     # keep passwords out of pppd's packet logging
modem
name l2tpd        # local name used as the "server" field when matching chap-secrets
proxyarp          # publish an ARP entry for the client on the LAN interface
# LCP keepalive: probe every 10 s, link declared dead after 100 unanswered
# probes (~17 minutes).  NOTE(review): 100 is generous; a dead client keeps
# its address from the pool for that long — consider lowering it.
lcp-echo-interval 10
lcp-echo-failure 100


서비스시작

service racoon start

service xl2tpd start


chmod 600 /etc/ppp/chap-secrets


PPTP 와 동일한 /etc/ppp/chap-secrets 계정파일을 사용한다 (pptp 와 l2tp 를 함께 설정하면 한 서버에서 두 가지 모두 운용 가능함)


방화벽 설정을 위한 사용포트


UDP 500   : IKE (IPsec 키 교환)

UDP 4500 : IPsec NAT-T (NAT 통과)

UDP 1701 : L2TP 패킷


ntsysv






l2tp client


안드로이드 계열




아이폰




참고사이트

http://wiki.nikoforge.org/L2TP/IPSec_VPN_Setup_on_Centos_6_(64-bit)_for_use_with_Android_ICS_and_iOS_5_Clients#VPN_Connect_2
