http://help.aliyun.com/knowledge_detail.htm?knowledgeId=5974459
https://sites.google.com/site/ticlapinou/formation-linux/l2tp-ipsec
http://www.jacco2.dds.nl/networking/linux-l2tp.html
l2tp+ipsec
Mise en place d'un tunnel (x)L2TP over IPSec
Qu'est-ce qu'IPSec ?
IPsec (Internet Protocol Security), défini par l'IETF comme un cadre de standards ouverts pour assurer des communications privées et protégées sur des réseaux IP par l'utilisation de services de sécurité cryptographiques[1], est un ensemble de protocoles utilisant des algorithmes permettant le transport sécurisé de données sur un réseau IP. IPsec se différencie des standards de sécurité antérieurs en n'étant limité ni à une seule méthode d'authentification ni à un seul algorithme, et c'est la raison pour laquelle il est considéré comme un cadre de standards ouverts[1]. De plus, IPsec opère à la couche réseau (couche 3 du modèle OSI), contrairement aux standards antérieurs qui opéraient à la couche application (couche 7 du modèle OSI), ce qui le rend indépendant des applications : les utilisateurs n'ont pas besoin de configurer chaque application pour IPsec[1].
Source: wikipedia ( http://fr.wikipedia.org/wiki/IPsec )
Prérequis : xl2tpd et openswan (IPsec) ; pppd est tiré en dépendance du paquet xl2tpd (sous Debian). Le paquet pptpd (orthographié « ppptpd » dans la version d'origine) n'est pas nécessaire : rien dans la configuration L2TP/IPsec qui suit ne l'utilise, et PPTP (MS-CHAPv2 + MPPE) est considéré comme cassé — l'installer ne ferait qu'ajouter un démon en écoute inutile.
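# pptpd is a PPTP daemon: nothing in the L2TP/IPsec configuration below uses it,
# and PPTP (MS-CHAPv2 + MPPE) is broken, so installing it only adds a listening
# service.  xl2tpd pulls in pppd as a package dependency.
root@client # apt-get install -y xl2tpd openswan
root@server # apt-get install -y xl2tpd openswan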
____________________________________________________________________________________________________________________________________________________________
Partie client
ipsec
user@client $ cat /etc/ipsec.conf
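## config ipsec ---
## --- cote client
# Client side: one transport-mode IPsec SA protecting the L2TP control and data
# traffic (UDP/1701) between the two hosts.  Section parameters MUST be indented,
# otherwise ipsec.conf parsing treats them as new sections.
version 2.0
config setup
        dumpdir="/var/run/pluto/"
        # Both hosts are assumed to hold public addresses (see left/right);
        # behind a NAT this must become nat_traversal=yes on BOTH ends.
        nat_traversal=no
        # Only consulted for NAT-traversed peers.  25.0.0.0/8 was dropped:
        # it is publicly routable, not an RFC 1918 range.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        plutostderrlog=/var/log/pluto.log
conn L2TP-PSK-CLIENT
        # Pre-shared key from /etc/ipsec.secrets.  Everything inside the tunnel
        # (including the MS-CHAPv2 exchange) rests on the strength of that key.
        authby=secret
        # PFS disabled and no explicit ike=/phase2alg=, so Openswan negotiates
        # its own defaults.  For a Linux-to-Linux link prefer pfs=yes plus
        # explicit AES/SHA/modp2048 proposals on both ends.
        pfs=no
        # rekey is left at its default (yes) on purpose: the server side sets
        # rekey=no, and with "no" on BOTH ends nobody renegotiates, so the
        # tunnel silently dies when the SA lifetime (server keylife=1h) expires.
        keyingtries=3
        type=transport
        # left = "local"
        left=195.XXX.186.XX
        leftprotoport=17/1701
        # right = "distant"
        right=195.xxx.186.xx
        rightprotoport=17/1701
        # Loaded but not started: bring it up with `ipsec auto --up
        # L2TP-PSK-CLIENT` BEFORE asking xl2tpd to connect.
        auto=add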
user@client $ cat /etc/ipsec.secrets
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically created RSA keys
# include /var/lib/openswan/ipsec.secrets.inc  (empty file, not needed here)
# Format: <local> <remote>: PSK "<secret>".  First address is this host,
# second is the server; the server's matching entry uses %any instead.
# This file must be root-owned, mode 0600: the PSK is the only thing
# authenticating the tunnel (and, indirectly, the PPP login inside it).
# "TehSuperKey" is a placeholder -- use a long random value (e.g. from
# `openssl rand -base64 32`) and never reuse it as a PPP/PAP password.
#local remote type key
195.XXX.186.XX 195.XXX.186.XX: PSK "TehSuperKey"
xl2tpd
user@client $ cat /etc/xl2tpd/xl2tpd.conf
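[global]
port = 1701
; Fix: xl2tpd reads its secrets from /etc/xl2tpd/ (its default location) and
; that is where l2tp-secrets is maintained below; /etc/l2tpd/ is the legacy
; l2tpd path and was a stale reference.
auth file = /etc/xl2tpd/l2tp-secrets
access control = yes
rand source = dev

[lac L2TPClient]
; Server (LNS) address -- the same host as `right` in ipsec.conf.
lns = 195.XXX.186.XX
; L2TP tunnel-level authentication, using the auth file above.  The hostname
; and secret must agree with the server's own auth file.
require authentication = yes
; PPP level: CHAP family only, PAP never.
require chap = yes
refuse pap = yes
; Hostname this LAC announces inside the L2TP tunnel.
name = username
; Verbose pppd logging -- turn off once the link works.
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes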
user@client $ cat /etc/ppp/options.l2tpd.client
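# pppd options for the L2TP client (pppoptfile in xl2tpd.conf).
# pppd option files accept only '#' comments.
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
# We do not require the server to authenticate itself to us.
noauth
# Added: the CHAP username pppd presents is its "name", which defaults to the
# local hostname when unset.  Pin it to the entry in /etc/ppp/chap-secrets so
# authentication does not silently depend on what the box is called.
name technofuturtic
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
# Logs the negotiated packets, CHAP challenge/response included, to syslog;
# MS-CHAPv2 material is offline-crackable, so disable once the link works.
debug
lock
connect-delay 5000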
user@client $ cat /etc/ppp/pap-secrets
# PAP secrets -- NOT used by this setup: the client xl2tpd.conf says
# "refuse pap = yes" and the server requires MS-CHAPv2.  As written the entry
# reuses the IPsec PSK ("TehSuperKey") as a PPP password: never share one
# secret across two authentication layers -- delete this entry or give it
# its own value.  Root-owned, mode 0600.
"username" 195.xxx.186.xx "TehSuperKey"
user@client $ cat /etc/xl2tpd/l2tp-secrets
# xl2tpd tunnel-authentication secrets: <us> <them> <secret>.
# The secret equals the hostname, which is no secret at all; use a random
# value, and make sure the server's auth file carries the same pair.
# Root-owned, mode 0600.
"technofuturtic" * "technofuturtic"
user@client $ cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
# "technofuturtic" is the name pppd presents (its `name`/`user` option, which
# defaults to the local hostname) and must match the left column here.
# "test1234=" is a placeholder: MS-CHAPv2 hashes are offline-crackable, so the
# password's only real protection is the IPsec layer -- make it long and random
# anyway.  Root-owned, mode 0600.
technofuturtic * "test1234=" *
Redémarrer les services:
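# Secrets files must be root-only before the daemons read them.
root@client # chmod 600 /etc/ipsec.secrets /etc/xl2tpd/l2tp-secrets /etc/ppp/chap-secrets /etc/ppp/pap-secrets
# pptpd is not part of the L2TP/IPsec stack and is therefore not restarted.
root@client # service ipsec restart; service xl2tpd restart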
____________________________________________________________________________________________________________________________________________________________
____________________________________________________________________________________________________________________________________________________________
Configuration du serveur
user@server $ cat /etc/ipsec.conf
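## --- config ipsec
## cote serveur ---
# Server side: accepts a transport-mode IPsec SA for L2TP (UDP/1701) from any
# peer that knows the pre-shared key.  Section parameters MUST be indented.
version 2.0
config setup
        dumpdir=/var/run/pluto/
        # NAT traversal is off, so clients behind a NAT cannot connect even
        # though rightprotoport accepts any source port.  Enable it on both
        # ends if road-warriors are expected.
        nat_traversal=no
        # Ranges treated as "private" for NAT-traversed peers.  25.0.0.0/8
        # was dropped: it is publicly routable, not an RFC 1918 range.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        plutostderrlog=/var/log/pluto.log
conn L2TP-PSK
        # One group PSK (the "%any" entry in /etc/ipsec.secrets) shared by
        # every client: one compromised client reveals the key for all.
        authby=secret
        # No PFS and no explicit ike=/phase2alg=, so Openswan negotiates its
        # own defaults.  For Linux peers prefer pfs=yes and explicit
        # AES/SHA/modp2048 proposals on both sides.
        pfs=no
        # The server never initiates rekeying; the client must do it.  If the
        # client also sets rekey=no, the SA simply expires after keylife.
        rekey=no
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        # Any peer address, any source port.
        right=%any
        rightprotoport=17/%any
        # Responder only: load the policy, let clients initiate.
        auto=add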
user@server $ cat /etc/ipsec.secrets
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically created RSA keys
#; include /var/lib/openswan/ipsec.secrets.inc  (empty file, not needed here)
# "%any": this single PSK is accepted from every peer address (group PSK).
# Keep the file root-owned, mode 0600; use a long random key instead of the
# placeholder, and rotate it whenever a client is lost or decommissioned.
#local remote type key
195.XXX.186.XX %any: PSK "TehSuperKey"
user@server $ cat /etc/xl2tpd/xl2tpd.conf
[global]
; Listen only on the public address covered by the IPsec policy.
listen-addr = 195.xxx.186.xx
port = 1701
; No per-peer access list: any host that completed IPsec may open a tunnel.
access control = no
rand source = dev
; Secrets for L2TP tunnel-level authentication (see require authentication).
; NOTE(review): if a tunnel challenge/response is actually performed, both
; ends must hold the same hostname/secret pair; the client's l2tp-secrets
; ("technofuturtic") and this file ("test1234=") differ -- verify.
auth file = /etc/ppp/chap-secrets
; Very verbose logging: "debug packet" dumps PPP frames, MS-CHAPv2
; challenge/response included, into syslog.  Disable once the link works.
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes
[lns default]
exclusive = yes ; one tunnel per host
ip range = 10.10.10.2-10.10.10.254
local ip = 10.10.10.1
; PPP authentication is delegated to pppd (require-mschap-v2 in
; /etc/ppp/options.l2tpd): plain CHAP and PAP are refused here.
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes ; useful while debugging, noisy and leaky afterwards
pppoptfile = /etc/ppp/options.l2tpd ; pppd options file
length bit = yes
user@server $ cat /etc/ppp/options.l2tpd
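# pppd options for the L2TP server (pppoptfile in xl2tpd.conf).
# pppd option files accept only '#' comments -- the original used ';', which
# pppd rejects as an unrecognized option and refuses to start.
require-mschap-v2
# DNS servers pushed to clients (Google public DNS); point them at an
# internal resolver if client DNS traffic should stay inside your network.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
# The peer must authenticate (MS-CHAPv2 per above).  That exchange is
# offline-crackable; its only real protection is the IPsec layer around it.
auth
crtscts
lock
# Keeps PAP passwords out of the log (moot with MS-CHAPv2, but harmless).
hide-password
modem
# Logs negotiated packets, challenge/response included; disable after testing.
debug
# Name this side presents; must match the "server" column in chap-secrets.
name technofuturtic
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4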
user@server $ cat /etc/ppp/pap-secrets
# PAP secrets -- unused here: PAP is refused in xl2tpd.conf and pppd requires
# MS-CHAPv2.  Format is <client> <server> <secret> [<addresses>]; the secret
# below equals the username, so if PAP were ever enabled it would be
# trivially guessable.  Root-owned, mode 0600.
"technofuturtic" 195.XXX.186.XX "technofuturtic"
user@server $ cat /etc/xl2tpd/l2tp-secrets
# xl2tpd tunnel-authentication secrets: <us> <them> <secret>.
# Note that xl2tpd.conf points "auth file" at /etc/ppp/chap-secrets, not at
# this file.  The secret equals the hostname, which is no secret at all; use
# a random value shared with the client.  Root-owned, mode 0600.
"technofuturtic" * "technofuturtic"
user@server $ cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP address
# <client> is the name the peer presents; "*" in the server column matches
# this host's own name (technofuturtic, per `name` in options.l2tpd); the
# trailing "*" lets pppd hand out any address from xl2tpd's ip range.
# "test1234=" is a placeholder: MS-CHAPv2 hashes are offline-crackable, so use
# a long random password and keep this file root-only (mode 0600).
technofuturtic * test1234= *
---
Redémarrer les services:
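# Secrets files must be root-only before the daemons read them.
root@server # chmod 600 /etc/ipsec.secrets /etc/xl2tpd/l2tp-secrets /etc/ppp/chap-secrets /etc/ppp/pap-secrets
# pptpd is not part of the L2TP/IPsec stack and is therefore not restarted.
root@server # service ipsec restart; service xl2tpd restart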
Lancer la connexion ×××
# ipsec -- bring the IPsec SA up FIRST.  With auto=add no kernel policy exists
# until --up succeeds, so connecting xl2tpd before that point would send the
# L2TP setup (and the PPP authentication inside it) in clear on UDP/1701.
root@client # ipsec auto --up L2TP-PSK-CLIENT
# xl2tpd (c = connect) -- only once `ipsec auto --up` reported the SA established
root@client # echo "c L2TPClient" > /var/run/xl2tpd/l2tp-control
Couper la connexion ×××:
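# Tear down in the reverse order of setup: close the L2TP tunnel while the
# IPsec SA still protects its last control messages, then drop the SA.
# xl2tpd (d = disconnect)
root@client # echo "d L2TPClient" > /var/run/xl2tpd/l2tp-control
# ipsec
root@client # ipsec auto --down L2TP-PSK-CLIENT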