RouterOS Openswan l2tp ipsec


CentOS
Configuration file locations
vi /etc/ipsec.conf
vi /etc/ipsec.secrets
vi /etc/xl2tpd/xl2tpd.conf
vi /etc/ppp/options.xl2tpd
vi /etc/ppp/chap-secrets

Installation
1. Update with yum
yum upgrade
1.1 Install wget and the bind-utils package
yum install wget bind-utils
1.2 Add the EPEL repository
wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh ./epel-release-6-8.noarch.rpm

2. Install openswan, xl2tpd, ppp and lsof
Note: if iPhone/iPad clients must be supported, check the openswan version before installing. If the version in the default repository is too old, do not install it; download and install a newer version from the official site instead.
yum install openswan xl2tpd ppp lsof

2.1 Check the openswan version
yum list | grep openswan
Only openswan 2.6.37 or later supports iOS (iPhone, iPad) L2TP/IPsec clients.
If the version is too old, install a newer openswan from the official package:
yum install https://download.openswan.org/openswan/binaries/rhel/6/openswan-2.6.38dr2-9.el6.x86_64.rpm


Configuration
3. Network and firewall configuration (firewall and sysctl)
iptables --table nat --append POSTROUTING --jump MASQUERADE
service iptables save
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p
You can also open /etc/sysctl.conf in vi and edit it by hand.
Apply the firewall configuration with the following command:
service iptables restart
Note:
The default iptables firewall rejects all INPUT and FORWARD traffic:
[root@ ~]# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

表格:nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Delete rule 5 of the INPUT chain and rule 1 of the FORWARD chain in the filter table:
iptables -t filter -D INPUT 5
iptables -t filter -D FORWARD 1
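The rule numbers 5 and 1 are only correct for the stock CentOS 6 ruleset, and deleting the two REJECT rules leaves the host and its forwarding path open to everything, not just to VPN traffic. The helper below is an added example and not part of the original guide: it finds the REJECT rules by content in an `iptables -L -n --line-numbers` listing and prints scoped accept rules for only the VPN protocols, so the catch-all rules can stay. The sample listing is constructed from the output above; the server address 11.11.11.11 and the PPP pool 172.16.1.0/24 are taken from the guide's own values as assumptions, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: locate catch-all REJECT rules
# by content instead of by the hard-coded positions "INPUT 5" / "FORWARD 1",
# and emit scoped accept rules for L2TP/IPsec instead of opening the chains.
# Assumptions: server address 11.11.11.11 and PPP pool 172.16.1.0/24 (from the
# guide); adjust them for your host.

# Constructed sample listing, shaped like the guide's `service iptables status`
# output for INPUT (the live input is `iptables -t filter -L INPUT -n --line-numbers`).
SAMPLE_INPUT='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# reject_rule_numbers: read a chain listing on stdin and print the numbers of
# all REJECT rules, highest first, so deleting them in that order never shifts
# the number of a rule that is still to be deleted.
reject_rule_numbers() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "REJECT" { print $1 }' | sort -rn
}

# delete_commands CHAIN: turn the listing on stdin into `iptables -D` commands
# (printed, not executed, so they can be reviewed first).
delete_commands() {
    chain=$1
    reject_rule_numbers | while read -r n; do
        echo "iptables -t filter -D $chain $n"
    done
}

# vpn_accept_rules SERVER_IP VPN_NET: print the commands that admit only what
# the VPN needs. IKE (udp/500), NAT-T (udp/4500) and ESP may reach the server
# address; L2TP (udp/1701) is accepted only when it arrived inside an IPsec SA
# (xt_policy match), which keeps plaintext L2TP off the host. Forwarding and
# masquerading are limited to the PPP pool instead of the guide's
# unconditional MASQUERADE of everything leaving the box.
vpn_accept_rules() {
    server_ip=$1
    vpn_net=$2
    cat <<EOF
iptables -t filter -I INPUT -d $server_ip -p udp --dport 500 -j ACCEPT
iptables -t filter -I INPUT -d $server_ip -p udp --dport 4500 -j ACCEPT
iptables -t filter -I INPUT -d $server_ip -p esp -j ACCEPT
iptables -t filter -I INPUT -d $server_ip -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -t filter -I FORWARD -s $vpn_net -j ACCEPT
iptables -t filter -I FORWARD -d $vpn_net -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_net ! -d $vpn_net -j MASQUERADE
EOF
}

# Dry run on the constructed sample: review the output, then pipe it to sh as root.
if [ "${1:-}" = "--show" ]; then
    printf '%s\n' "$SAMPLE_INPUT" | delete_commands INPUT
    vpn_accept_rules 11.11.11.11 172.16.1.0/24
fi
```

With the accept rules inserted, the REJECT rules can be left in place: `iptables -t filter -L INPUT -n --line-numbers | delete_commands INPUT` shows what the guide's step would remove, and `vpn_accept_rules 11.11.11.11 172.16.1.0/24 | sh` applies the scoped alternative. Run `service iptables save` afterwards as the guide does.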

4. Configure Openswan (IPsec)
vi /etc/ipsec.conf

version 2 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes                   # NAT traversal (not supported by RouterOS)
    virtual_private=%v4:172.16.0.0/12   # virtual subnets; more can be added, e.g. %v4:10.0.0.0/8, separated by commas
    protostack=netkey                   # which IPsec protocol stack to use
    force_keepalive=yes
    keep_alive=60                       # interval between keepalive packets (seconds)

conn L2TP-PSK-noNAT                     # connection definition
    authby=secret                       # pre-shared key; use rsasig for certificates
    pfs=no                              # disable PFS (Perfect Forward Secrecy)
    auto=add                            # load the conn when the ipsec daemon starts and wait for clients to initiate
    keyingtries=3                       # only negotiate a conn 3 times
    ikelifetime=8h
    keylife=1h
    phase2alg=aes256-sha1,3des-sha1     # the esp= option is deprecated; the new name is phase2alg
    ike=aes256-sha1;modp1024,3des-sha1;modp1024
    keyexchange=ike

    type=transport                      # transport mode for L2TP clients; tunnel mode is also possible
    left=11.11.11.11                    # server IP address, usually the public IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40                         # Dead Peer Detection (RFC 3706) keepalive delay
    dpdtimeout=130                      # seconds we idle without hearing an R_U_THERE poll or R_U_THERE_ACK reply before the peer is declared dead
    dpdaction=clear                     # action when a DPD-enabled peer is declared dead; clear removes both the eroute and the SA

5. Configure the pre-shared key
vi /etc/ipsec.secrets
%SERVERIP%  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"
6. Start the ipsec service and verify it
service ipsec start
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Testing against enforced SElinux mode                           [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
If any check reports a failure, check the configuration, or search the web for the message.
7. Configure xl2tpd
vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
force userspace = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
8. Configure PPP
vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
name l2tpd : the name of the PPP (pptpd/xl2tpd) server.
refuse-pap : refuse PAP authentication.
refuse-chap : refuse CHAP authentication.
refuse-mschap : refuse MS-CHAP authentication.
require-mschap-v2 : require the peer to authenticate with Microsoft MS-CHAP-v2 during the connection handshake.
require-mppe-128 : require the MPPE module to use 128-bit encryption.
ms-dns 8.8.8.8
ms-dns 8.8.4.4 : DNS server addresses that ppp hands to Windows clients; the first ms-dns is the primary DNS server, the second the secondary.
proxyarp : add a proxy ARP entry for the client.
debug : enable debug mode; the messages are also written to /var/log/messages.
lock : lock the client's PTY device file.
nobsdcomp : disable BSD compression.
novj
novjccomp : disable Van Jacobson compression.
9. Add users
vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# username       server  password                  IP addresses
alice          l2tpd   0F92E5FC2414101EA            *
bob            l2tpd   DF98F09F74C06A2F             *

10. Start the services
/etc/init.d/ipsec restart;  
/etc/init.d/xl2tpd restart

RouterOS
Configuration
1. L2TP client (PPP) configuration
/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 \
connect-to=11.11.11.11 dial-on-demand=no disabled=no max-mru=1460 \
max-mtu=1460 mrru=disabled name=l2tp-hk user=alice password=0F92E5FC2414102EA profile=default 
2. IPsec configuration

/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer add address=11.11.11.11/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifetime=1d \
nat-traversal=no proposal-check=obey secret=69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44 send-initial-contact=yes

Debugging
tail -f /var/log/secure
tail -f /var/log/auth.log   # watch the IPsec negotiation with this command
tail -f /var/log/syslog     # watch the L2TP and PPP negotiation with this command

The following log line means the encryption settings do not match and the IPsec negotiation failed:
Jun 14 09:52:53 ubuntu pluto[2062]: packet from 27.154.56.18:500: initial Main Mode message received on 58.23.17.102:500 but no connection has been authorized with policy=PSK
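Rather than reading `tail -f` for the message above, the following added example (not part of the original guide) counts IKE attempts that pluto rejected with "no connection has been authorized" per source address, so a single misconfigured client stands out from a steady stream of attempts from one address that never matches. The guide's own log line is reused as sample input; the other sample lines and the 203.0.113.0/24 addresses are constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise IKE attempts that
# matched no conn, per source address, from pluto's log lines.

# Constructed sample log: the guide's line plus three constructed lines
# (203.0.113.0/24 is a documentation range, not a real client).
SAMPLE_LOG='Jun 14 09:52:53 ubuntu pluto[2062]: packet from 27.154.56.18:500: initial Main Mode message received on 58.23.17.102:500 but no connection has been authorized with policy=PSK
Jun 14 09:53:01 ubuntu pluto[2062]: packet from 203.0.113.5:500: initial Main Mode message received on 58.23.17.102:500 but no connection has been authorized with policy=PSK
Jun 14 09:53:02 ubuntu xl2tpd[2100]: Connection established to 203.0.113.9, 1701.
Jun 14 09:53:04 ubuntu pluto[2062]: packet from 203.0.113.5:500: initial Main Mode message received on 58.23.17.102:500 but no connection has been authorized with policy=PSK'

# unauthorized_ike_by_source: read log lines on stdin and print
# "<count> <source ip>" for every address whose Main Mode proposal matched no
# authorized conn, most frequent first. The source appears after the word
# "from" as ip:port, so the port is split off before counting.
unauthorized_ike_by_source() {
    awk '/no connection has been authorized/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { split($(i + 1), a, ":"); count[a[1]]++ }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Demonstration on the constructed sample.
if [ "${1:-}" = "--show" ]; then
    printf '%s\n' "$SAMPLE_LOG" | unauthorized_ike_by_source
fi
```

pluto logs through syslog's authpriv facility, so on CentOS the live input is `unauthorized_ike_by_source < /var/log/secure`, matching the first `tail -f` target above; on Ubuntu it is /var/log/auth.log. An address with one or two entries is usually a client whose proposal or PSK does not match the server; a large count from one address that never completes a negotiation is worth correlating with the firewall logs.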

