RouterOS Openswan l2tp ipsec

CentOS
Configuration file locations
vi /etc/ipsec.conf
vi  /etc/ipsec.secrets
vi /etc/xl2tpd/xl2tpd.conf
vi /etc/ppp/options.xl2tpd
vi /etc/ppp/chap-secrets

Installation
1. Update with yum
yum upgrade
1.2 Install wget and the bind-utils package
yum install wget bind-utils
1.3 Add the EPEL repository
wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh ./epel-release-6-8.noarch.rpm

2. Install openswan, xl2tpd, ppp and lsof
Note: if iPhone/iPad support is needed, check the openswan version before installing. If the version in the default repository is too old, do not install it; download and install a newer version from the official site instead.
yum install openswan xl2tpd ppp lsof

2.1 Check the openswan version
yum list | grep openswan
Only version 2.6.37 or later supports iOS clients (iPhone/iPad) dialing L2TP+IPsec.
If the repository version is too old, install a newer openswan from the official package:
yum install https://download.openswan.org/openswan/binaries/rhel/6/openswan-2.6.38dr2-9.el6.x86_64.rpm


Configuration
3. Network and firewall configuration (firewall and sysctl)
iptables --table nat --append POSTROUTING --jump MASQUERADE
service iptables save
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p
You can also open /etc/sysctl.conf with vi and edit it directly.
Apply the firewall configuration with:
service iptables restart
Note:
The default iptables firewall rejects all INPUT and FORWARD traffic:
[root@ ~]# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

表格:nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Delete rule 5 of Chain INPUT and rule 1 of Chain FORWARD in the filter table:
iptables -t filter -D INPUT 5
iptables -t filter -D FORWARD 1
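Deleting the two REJECT rules removes the host's default filtering altogether. The script below is an added example (it is not part of the original post and not an Openswan or xl2tpd tool): it opens only what L2TP/IPsec needs, restricts UDP 1701 to packets that arrived inside an IPsec SA so xl2tpd is never reachable over plain UDP, and masquerades only the PPP address pool instead of all traffic. The variables VPN_NET, WAN_IF and DRY_RUN and the function names are my own assumptions; VPN_NET defaults to the pool used in the xl2tpd.conf later in this post. With DRY_RUN=1 (the default) it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not from the original post: minimal firewall rules for an
# L2TP/IPsec server instead of deleting the default REJECT rules.
# Assumptions: VPN_NET is the xl2tpd "ip range" subnet, WAN_IF the public
# interface, DRY_RUN=1 prints the rules and DRY_RUN=0 applies them.
VPN_NET="${VPN_NET:-172.16.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# run: echo the command in dry-run mode, otherwise execute iptables
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# vpn_firewall_rules: insert (-I) the rules above the existing REJECT rules.
# Because -I puts each rule at the top, rules are issued in reverse of the
# order they must finally appear in.
vpn_firewall_rules() {
    # L2TP: first the DROP for plain UDP 1701, then the ACCEPT limited to
    # packets that were protected by an IPsec policy, so ACCEPT ends up above DROP
    run -I INPUT -i "$WAN_IF" -p udp --dport 1701 -j DROP
    run -I INPUT -i "$WAN_IF" -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    # ESP (used when the peer is not behind NAT and NAT-T is not in play)
    run -I INPUT -i "$WAN_IF" -p esp -j ACCEPT
    # IKE and NAT-T
    run -I INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    run -I INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    # forward only the PPP address pool, not everything
    run -I FORWARD -d "$VPN_NET" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -I FORWARD -s "$VPN_NET" -j ACCEPT
    # masquerade only the pool leaving the WAN interface (the post masquerades all traffic)
    run -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# count_rules_for_port PORT: how many generated rules mention "--dport PORT" (dry-run helper)
count_rules_for_port() {
    vpn_firewall_rules | grep -c -- "--dport $1"
}

if [ "$DRY_RUN" = "1" ]; then
    vpn_firewall_rules
fi
```

Run it once with DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 followed by `service iptables save`. The `-m policy --pol ipsec` match needs the xt_policy module, which CentOS 6 kernels ship.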

4. Configure Openswan (IPsec)
vi /etc/ipsec.conf

version 2 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes    # NAT traversal (not supported by ROS, see the RouterOS peer settings below)
    virtual_private=%v4:172.16.0.0/12  # private subnets allowed behind NAT; more can be listed, e.g. %v4:10.0.0.0/8, comma-separated
    protostack=netkey    # which IPsec kernel stack to use
    force_keepalive=yes
    keep_alive=60        # keepalive interval in seconds

conn L2TP-PSK-noNAT      # connection definition
    authby=secret        # pre-shared key; use rsasig for certificates
    pfs=no               # Disable PFS (Perfect Forward Secrecy)
    auto=add             # load the conn when the ipsec daemon starts and wait for the client to initiate (auto=start would initiate it)
    keyingtries=3        # Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    phase2alg=aes256-sha1,3des-sha1   # the esp= keyword is deprecated; its new name is phase2alg
    ike=aes256-sha1;modp1024,3des-sha1;modp1024
    keyexchange=ike
    type=transport       # transport mode for road-warrior clients; tunnel mode is also possible
    left=11.11.11.11     # server IP address, usually the public IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40          # Dead Peer Detection (RFC 3706) keepalive delay
    dpdtimeout=130       # seconds we idle without hearing either an R_U_THERE poll from our peer or an R_U_THERE_ACK reply
    dpdaction=clear      # when a DPD-enabled peer is declared dead, clear means the eroute and SA will both be cleared

5. Configure the pre-shared key (replace %SERVERIP% with the server's public IP, 11.11.11.11 in this post)
vi /etc/ipsec.secrets
%SERVERIP%  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"
6. Start the ipsec service and verify
service ipsec start
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Testing against enforced SElinux mode                           [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
If any check reports a failure, re-check the configuration (or search for the message online).
7. Configure xl2tpd
vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
force userspace = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
8. Configure PPP
vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
name l2tpd : the name of the PPP server; it is the "server" field that entries in chap-secrets are matched against.
refuse-pap : refuse PAP authentication.
refuse-chap : refuse CHAP authentication.
refuse-mschap : refuse MS-CHAP authentication.
require-mschap-v2 : require the peer to authenticate with Microsoft MS-CHAPv2 during the connection handshake.
require-mppe-128 : the MPPE module uses 128-bit encryption.
ms-dns 8.8.8.8 / ms-dns 8.8.4.4 : DNS server addresses that pppd hands to Windows clients; the first ms-dns is the primary (DNS Master), the second the secondary (DNS Slave).
proxyarp : add a proxy ARP entry for the client.
debug : enable debug mode; the messages are also logged to /var/log/messages.
lock : lock the client's PTY device file.
nobsdcomp : disable BSD compression.
novj / novjccomp : disable Van Jacobson compression.
9. Add users
vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# username       server  password                  IP addresses
alice          l2tpd   0F92E5FC2414101EA            *
bob            l2tpd   DF98F09F74C06A2F             *
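Passwords in chap-secrets are stored in the clear and are what a road-warrior client presents over MS-CHAPv2, so they should be long, random and unique, and the file should stay readable by root only. The helper below is an added example (not from the original post, not part of pppd or xl2tpd): it appends a user line with a random 32-hex-character password, refuses duplicate usernames, and tightens the file mode. The variables CHAP_SECRETS (defaulting to a temporary file so the example can be run without touching /etc/ppp) and L2TP_SERVER, and the function names, are my own assumptions; L2TP_SERVER must equal the `name l2tpd` value in options.xl2tpd.

```shell
#!/bin/sh
# Added example, not from the original post: add a PPP user to chap-secrets
# with a random password. Assumptions: CHAP_SECRETS points at the secrets
# file (a temp file by default, set CHAP_SECRETS=/etc/ppp/chap-secrets for
# real use); L2TP_SERVER is the "name" configured in options.xl2tpd.
CHAP_SECRETS="${CHAP_SECRETS:-$(mktemp)}"
L2TP_SERVER="${L2TP_SERVER:-l2tpd}"

# gen_password: 16 random bytes as 32 hex characters (openssl, /dev/urandom fallback)
gen_password() {
    openssl rand -hex 16 2>/dev/null || od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# user_exists FILE USER: succeeds if a line in FILE starts with USER
user_exists() {
    grep -q "^$2[[:space:]]" "$1"
}

# add_l2tp_user USER [PASSWORD]: append "USER SERVER PASSWORD *" to the secrets
# file, refusing duplicate or malformed usernames, then make the file root-only.
# The password is printed once so it can be handed to the client.
add_l2tp_user() {
    user="$1"
    pass="${2:-$(gen_password)}"
    case "$user" in
        ""|*[!A-Za-z0-9._-]*)
            echo "invalid username: '$user'" >&2
            return 2 ;;
    esac
    if user_exists "$CHAP_SECRETS" "$user"; then
        echo "user $user already present in $CHAP_SECRETS" >&2
        return 1
    fi
    printf '%s\t%s\t%s\t*\n' "$user" "$L2TP_SERVER" "$pass" >> "$CHAP_SECRETS"
    chmod 600 "$CHAP_SECRETS"
    echo "$pass"
}
```

Usage: `CHAP_SECRETS=/etc/ppp/chap-secrets ./add_user.sh` after sourcing, or call `add_l2tp_user carol` from an interactive root shell; pppd re-reads chap-secrets on each authentication, so no restart is needed.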

10. Start the services
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

RouterOS
Configuration
1. L2TP client configuration (user and password must match the entry in /etc/ppp/chap-secrets on the server)
/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 \
connect-to=11.11.11.11 dial-on-demand=no disabled=no max-mru=1460 \
max-mtu=1460 mrru=disabled name=l2tp-hk user=alice password=0F92E5FC2414101EA profile=default
2. IPsec configuration

/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer add address=11.11.11.11/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifetime=1d \
nat-traversal=no proposal-check=obey secret=69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44 send-initial-contact=yes

Debugging
tail -f /var/log/secure      // CentOS: IPsec (pluto) and PPP authentication messages
tail -f /var/log/auth.log    // Debian/Ubuntu: shows the IPsec negotiation
tail -f /var/log/syslog      // Debian/Ubuntu: shows the L2TP and PPP negotiation

A log line like the following means the encryption settings do not match and the IPsec negotiation failed:
Jun 14 09:52:53 ubuntu pluto[2062]: packet from 27.154.56.18:500: initial Main Mode message received on 58.23.17.102:500 but no connection has been authorized with policy=PSK
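The mismatch above is easy to introduce because the same phase-1 proposal is spelled twice: once in the Openswan `ike=` line and once as `enc-algorithm`, `hash-algorithm` and `dh-group` on the RouterOS peer. The script below is an added example (it is not from the original post and not an Openswan or RouterOS feature): it extracts the proposals offered by the server's ipsec.conf, rebuilds the peer's proposal in the same notation, and reports whether they agree. The sample ipsec.conf fragment and the two RouterOS peer lines are constructed from this post's configuration (the second peer line is deliberately altered to show a mismatch); the function names and the aes-128 → aes128 name mapping are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check that a RouterOS peer's
# phase-1 settings are among the proposals in the Openswan "ike=" line.

# ike_proposals FILE: print each phase-1 proposal from the ike= line, one per
# line, in Openswan form "enc-hash;group" (comments and whitespace removed)
ike_proposals() {
    sed -n 's/^[[:space:]]*ike=\([^#]*\).*/\1/p' "$1" | tr -d ' \t' | tr ',' '\n'
}

# ros_proposal "ROS peer line": build the same "enc-hash;group" string from the
# RouterOS keywords; RouterOS writes aes-128/aes-256 where Openswan writes
# aes128/aes256 (assumed mapping), 3des is spelled the same on both sides
ros_proposal() {
    line="$1"
    enc=$(printf '%s\n' "$line" | sed -n 's/.*enc-algorithm=\([^ ]*\).*/\1/p' | sed 's/^aes-/aes/')
    hsh=$(printf '%s\n' "$line" | sed -n 's/.*hash-algorithm=\([^ ]*\).*/\1/p')
    dh=$(printf '%s\n' "$line" | sed -n 's/.*dh-group=\([^ ]*\).*/\1/p')
    printf '%s-%s;%s\n' "$enc" "$hsh" "$dh"
}

# check_phase1 FILE "ROS peer line": returns 0 when the peer's proposal is
# offered by the server, 1 otherwise (with the server's list on stderr)
check_phase1() {
    want=$(ros_proposal "$2")
    if ike_proposals "$1" | grep -qx "$want"; then
        echo "phase 1 OK: server offers $want"
        return 0
    fi
    echo "phase 1 MISMATCH: peer wants $want, server offers: $(ike_proposals "$1" | tr '\n' ' ')" >&2
    return 1
}

# constructed sample: the conn section from this post's ipsec.conf
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
conn L2TP-PSK-noNAT
    phase2alg=aes256-sha1,3des-sha1
    ike=aes256-sha1;modp1024,3des-sha1;modp1024
    keyexchange=ike
EOF

# constructed samples: the peer line from this post, and an altered one that
# proposes aes-128 with modp2048, which the server does not offer
ROS_PEER_OK='/ip ipsec peer add address=11.11.11.11/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=3des hash-algorithm=sha1'
ROS_PEER_BAD='/ip ipsec peer add address=11.11.11.11/32 auth-method=pre-shared-key dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha1'

check_phase1 "$SAMPLE_CONF" "$ROS_PEER_OK"
check_phase1 "$SAMPLE_CONF" "$ROS_PEER_BAD" || true
```

Point it at the real /etc/ipsec.conf and paste the `/ip ipsec peer print` line from the router to compare a live pair; the same idea applies to `phase2alg=` against the RouterOS proposal's `enc-algorithms`/`auth-algorithms`.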


posted @ 2015-06-25 16:41 by 妹夫