2009/05/17

IPSec/L2TP

Technical material that took me a long time to find.

Source: http://bbs.chinaunix.net/archiver/tid-556457-page-2.html

25 Linux as an L2TP/IPsec client

You may find yourself wanting to use Linux as a client connecting to an L2TP/IPsec VPN server (for example Windows 2000/2003). First make sure you really need L2TP/IPsec: could you use plain IPsec instead? Plain IPsec is much simpler under Linux, which supports it natively; using L2TP from a Linux client only complicates matters. Still, you may not be able to avoid it, for instance because the administrator of the L2TP/IPsec VPN server refuses, for policy reasons, to support plain IPsec.

Using Linux as an L2TP/IPsec VPN client involves two distinct stages: first connect to the IPsec server, then connect to the L2TP server through the IPsec tunnel. Configuring Openswan as a client under Linux differs slightly from the server configuration described earlier.

# Configuration for connecting to an L2TP/IPsec server,
# for example Windows 2003 Server.
#
# Authenticates through certificates. The Linux client can be
# behind NAT or not.

conn L2TP-CERT-CLIENT
    #
    # Configuration for clients that are not behind NAT.
    # ----------------------------------------------------------
    # Use certificates. Disable Perfect Forward Secrecy.
    # Respond to rekeying requests but do not initiate rekeying.
    # Connection type _must_ be Transport Mode.
    #
    authby=rsasig
    pfs=no
    rekey=no
    keyingtries=3
    type=transport
    #
    # ----------------------------------------------------------
    # The local Linux machine that connects as a client.
    #
    # The external network interface is used to connect to the server.
    # If you want to use a different interface or if there is no
    # defaultroute, you can use: left=your.ip.addr.ess
    left=%defaultroute
    #
    # The certificate of this client.
    #
    leftcert=/etc/ipsec.d/certs/YourClientCertHere.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    #
    # ----------------------------------------------------------
    # The remote server.
    #
    # Connect to the server with this IP address.
    right=123.123.123.123
    #
    # The server should present the following certificate.
    rightcert=/etc/ipsec.d/certs/YourServerCertHere.pem
    rightrsasigkey=%cert
    rightca=%same
    rightprotoport=17/1701
    # ----------------------------------------------------------
    #
    # Change 'ignore' to 'add' to enable this configuration.
    #
    auto=ignore

In the example above the server is expected to authenticate with a certificate, and its ID must be exactly the ID contained in that certificate (YourServerCertHere.pem). There is another way to verify the server's certificate: use rightid="CN=vpnserver.example.com" or rightid="@vpnserver.example.com" in place of the rightcert= line. Once you have enabled this configuration, you can start the IPsec connection with the following command:
ipsec auto --up L2TP-CERT-CLIENT
If everything works, you should see lines like the following in the log:
"L2TP-CERT-CLIENT" #1: initiating Main Mode
"L2TP-CERT-CLIENT" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
"L2TP-CERT-CLIENT" #1: ignoring Vendor ID payload [FRAGMENTATION]
"L2TP-CERT-CLIENT" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"L2TP-CERT-CLIENT" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
"L2TP-CERT-CLIENT" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"L2TP-CERT-CLIENT" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"L2TP-CERT-CLIENT" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"L2TP-CERT-CLIENT" #1: I am sending my cert
"L2TP-CERT-CLIENT" #1: I am sending a certificate request
"L2TP-CERT-CLIENT" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"L2TP-CERT-CLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"L2TP-CERT-CLIENT" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=NL, ST=ST, L=L,O=TESTORG, CN=duron'
"L2TP-CERT-CLIENT" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"L2TP-CERT-CLIENT" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"L2TP-CERT-CLIENT" #2: initiating Quick Mode RSASIG+ENCRYPT+DONTREKEY+UP {using isakmp#1}
"L2TP-CERT-CLIENT" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
"L2TP-CERT-CLIENT" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
"L2TP-CERT-CLIENT" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"L2TP-CERT-CLIENT" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x6f7e432c <0x43ccbfd7 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"L2TP-CERT-CLIENT" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
"L2TP-CERT-CLIENT" #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
"L2TP-CERT-CLIENT" #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 192.168.0.200:4500
There are some errors here, but you now have a working IPsec connection nonetheless. The next step is to get the L2TP connection working. First, you need to add a "client" section to l2tpd.conf.
; Connect as a client to a server at 123.123.123.123

[lac L2TPserver]
lns = 123.123.123.123
require chap = yes
refuse pap = yes
require authentication = yes
; Name should be the same as the username in the PPP authentication
name = jacco
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
It appears that "name" is mandatory and must match the username used in the PPP authentication, even though there is no L2TP authentication here. Note: I created separate pppd options files for the server and the client configuration. The contents of /etc/ppp/options.l2tpd.client are roughly as follows:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
The lines refuse-eap and noauth belong only in the client's options file, not in the Linux server's options.l2tpd. By default, Windows 2000/2003 Server first tries EAP for PPP authentication; if you cannot (or do not want to) use EAP, for instance because you want to use CHAP or MS-CHAP instead, you have to refuse EAP, otherwise EAP authentication is started and fails. noauth is required because Windows Server refuses to authenticate itself over PPP: only the client has to authenticate. You can optionally add the parameter usepeerdns so that the addresses of two DNS servers are obtained from the remote PPP server.
Start the L2TP/PPP connection with the following command:
echo "c L2TPserver" > /var/run/l2tp-control
Now l2tpd connects as a client to the remote L2TP server, and the L2TP packets travel through the IPsec tunnel. Verify with a network sniffer (tcpdump, Ethereal, etc.) that the L2TP packets between client and server really are encrypted.
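As an added check (example code, not part of the original guide), the Python script below cross-references the SPIs from Pluto's "IPsec SA established" log line shown earlier with a tcpdump capture taken on the client, so you can confirm that L2TP is seen only inside ESP with the negotiated SPIs and that nothing leaks as plaintext UDP/1701. The log line and the tcpdump lines are constructed samples; the interface name and addresses are assumptions.

```python
import re

# Constructed sample: Pluto's "IPsec SA established" line, as logged after
# "ipsec auto --up L2TP-CERT-CLIENT" (SPIs copied from the log above).
PLUTO_LOG = ('"L2TP-CERT-CLIENT" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
             '{ESP=>0x6f7e432c <0x43ccbfd7 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}')

# Constructed sample of "tcpdump -nn -i eth0" on the client (interface and
# addresses are assumptions). Lines 1-2: L2TP carried inside UDP-encapsulated
# ESP on port 4500 (NAT-T), as it should be. Line 3: a plaintext L2TP control
# packet on UDP/1701, which must never appear once the IPsec SA is up.
TCPDUMP = """\
12:00:01.000001 IP 192.168.0.200.4500 > 123.123.123.123.4500: UDP-encap: ESP(spi=0x6f7e432c,seq=0x1), length 132
12:00:01.000002 IP 123.123.123.123.4500 > 192.168.0.200.4500: UDP-encap: ESP(spi=0x43ccbfd7,seq=0x1), length 164
12:00:02.000003 IP 192.168.0.200.1701 > 123.123.123.123.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ), length 60
"""
SA_RE = re.compile(r"IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")
ESP_RE = re.compile(r"ESP\(spi=(0x[0-9a-f]+)")   # matches raw ESP and UDP-encap ESP
L2TP_RE = re.compile(r"\.1701 > \S+\.1701: ")    # bare L2TP on UDP/1701

def sa_spis(log):
    """Return (outbound_spi, inbound_spi) from the 'IPsec SA established' line."""
    m = SA_RE.search(log)
    if not m:
        raise ValueError("no established IPsec SA found in log")
    return int(m.group(1), 16), int(m.group(2), 16)

def audit_capture(capture, spis):
    """Count tcpdump lines per class: 'esp' (one of our SPIs), 'foreign-esp'
    (ESP with an SPI Pluto did not negotiate), 'plaintext-l2tp', 'other'."""
    counts = {"esp": 0, "foreign-esp": 0, "plaintext-l2tp": 0, "other": 0}
    for line in capture.splitlines():
        m = ESP_RE.search(line)
        if m:
            key = "esp" if int(m.group(1), 16) in spis else "foreign-esp"
        elif L2TP_RE.search(line):
            key = "plaintext-l2tp"
        else:
            key = "other"
        counts[key] += 1
    return counts

def tunnel_ok(capture, log):
    """True only when L2TP is seen exclusively inside ESP with the negotiated SPIs."""
    c = audit_capture(capture, set(sa_spis(log)))
    return c["esp"] > 0 and c["plaintext-l2tp"] == 0 and c["foreign-esp"] == 0

if __name__ == "__main__":
    print(audit_capture(TCPDUMP, set(sa_spis(PLUTO_LOG))), "tunnel_ok:", tunnel_ok(TCPDUMP, PLUTO_LOG))
```

On a correctly working setup the plaintext-l2tp count stays at zero for the whole session; a non-zero count means l2tpd started talking before the IPsec SA was up or the IPsec policy does not cover UDP/1701.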
When you want to tear down the connection, use the following commands:
echo "d L2TPserver" > /var/run/l2tp-control
ipsec auto --down L2TP-CERT-CLIENT
See the README shipped with l2tpd for more details on L2TP connections. By default, l2tpd listens on all interfaces. If you only want to use Linux as an L2TP/IPsec client, running l2tpd as a server at the same time seems superfluous. You can reduce the exposure of the L2TP service to the outside world by using the "listen-addr" parameter to bind only to the internal interface, or simply to localhost (127.0.0.1).
Some L2TP implementations, such as l2tpns, cannot be used as a client.
