
Ubuntu Server | November 24, 2017


VPN L2TP/IPSEC Tra un Mikrotik ed un server Ubuntu

VPN L2TP/IPSEC Tra un Mikrotik ed un server Ubuntu

C’era la necessità di configurare un tunnel VPN tra un router Mikrotik ed un server Ubuntu; in prima battuta si era pensato ad OpenVPN, ma visto che l’attuale implementazione su Mikrotik è solo in TCP, la scelta è ricaduta su L2TP.
Dal momento che L2TP non prevede la crittografia dei dati, ho scelto di accoppiarlo ad IPSEC; ho provato praticamente tutte le guide che ho trovato on-line, ma nessuna ha funzionato…
Dopo aver provato da Windows (4 click) e da Android (3 click), ho deciso che doveva andare anche da Linux… ed alla fine, con un po’ di documentazione
ed un po’ di debug, sono riuscito a farla funzionare 🙂

La configurazione funziona anche dietro NAT, quindi con IP privato, ed ha come server la Mikrotik e come client Ubuntu.

Nodo      Indirizzo Esterno  Indirizzo Interno
Mikrotik  192.168.0.1         10.0.0.1/24
Ubuntu    192.168.1.100     172.16.0.100

Pacchetti necessari:
– racoon => demone IPSEC
– xl2tpd => demone L2TP

Installazione Pacchetti Ubuntu/Debian:

apt-get install ipsec-tools racoon xl2tpd

Configurazione Mikrotik:

# RouterOS side: L2TP server with IPsec enabled; the Ubuntu host is the client.
/interface l2tp-server server
# ipsec-secret must equal the key stored in /etc/racoon/psk.txt on Ubuntu, and
# max-mru/max-mtu are the same 1460 used as mru/mtu in /etc/ppp/options.MikroTik.
# authentication=pap: the PPP password travels in clear inside the tunnel, which is
# only acceptable because use-ipsec=yes protects it on the wire. "benedetta" is an
# example value — use a long random secret in a real deployment.
set authentication=pap default-profile=l2tp enabled=yes ipsec-secret=benedetta max-mru=1460 max-mtu=1460 use-ipsec=yes
 
/ppp profile
# local-address is the Mikrotik end of the PPP link (the P-t-P address seen on ppp0 below);
# pool-l2tp is an address pool whose definition is not shown on this page.
add local-address=192.168.70.1 name=l2tp remote-address=pool-l2tp
 
/ppp secret
# name/password must match "name frank" / "password ubuntu" in options.MikroTik
# and the entry in /etc/ppp/chap-secrets; again, example credentials only.
add name=frank password=ubuntu profile=l2tp service=l2tp

Configurazione Ubuntu:

vim /etc/racoon/psk.txt

# file for pre-shared keys used for IKE authentication
# format is:  'identifier' 'key'
# For example:
#
#  10.1.1.1		flibbertigibbet
#
# identifier = the Mikrotik's external address from the table above; the key
# must equal ipsec-secret on the RouterOS l2tp-server. This file holds a
# shared secret: keep it owned by root with mode 0600, and replace the example
# word with a long random value.
192.168.0.1 benedetta

vim /etc/racoon/racoon.conf

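# racoon (IKEv1) configuration for the L2TP/IPsec tunnel towards the Mikrotik.
# NOTE(review): `racoonctl show-sa esp` prints the live ESP keys (the E:/A:
# lines in the output below) — treat that output as sensitive.
log notify;
# pre-shared keys live in a separate file that must be readable by root only.
path pre_shared_key "/etc/racoon/psk.txt";
 
# Phase 1 (IKE) settings for the Mikrotik peer; 192.168.0.1 is its external
# address from the table above and must match the identifier in psk.txt.
remote 192.168.0.1 {
        exchange_mode main;
        lifetime time 24 hour;
        # needed because the Ubuntu host sits behind NAT (see the intro).
        nat_traversal on;
        # dead-peer detection so a silently lost peer is noticed.
        dpd_delay 120;
        # Legacy proposal (3DES / SHA-1 / 1024-bit DH): it is what the negotiated
        # SA below shows. Prefer aes, sha256 and modp2048 as soon as the RouterOS
        # peer proposal (not shown on this page) accepts them on both phases.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        # lets racoon add SPD entries from what the peer proposes (mainly relevant
        # when responding); the L2TP port-1701 policy is pinned statically in
        # /etc/ipsec-tools.conf anyway.
        generate_policy on;
}
 
# Phase 2 (ESP) settings, applied to every peer.
sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm 3des;
        # hmac_md5 is no longer offered: the SA dump below shows hmac-sha1 is
        # what gets negotiated, so listing MD5 only left room for a downgrade.
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}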

vim /etc/ipsec-tools.conf

# setkey policy: protect the L2TP traffic (port 1701) between this host and
# the Mikrotik with ESP in transport mode; everything else is untouched.
flush;
spdflush;
 
# outbound: 192.168.1.100 is this host, 192.168.0.1 the Mikrotik (table above).
# "require" means matching traffic must use an SA — it is never sent in clear
# (unlike the "use" level, which falls back to cleartext).
# NOTE(review): "any" matches every IP protocol on port 1701; "udp" would narrow
# the policy to what L2TP actually uses — confirm with setkey before changing.
spdadd 192.168.1.100[1701] 192.168.0.1[1701] any -P out ipsec
    esp/transport//require;
 
# inbound mirror of the policy above.
spdadd 192.168.0.1[1701] 192.168.1.100[1701] any -P in ipsec
    esp/transport//require;

vim /etc/xl2tpd/xl2tpd.conf

; xl2tpd configuration: this host is the L2TP client (LAC); the Mikrotik is the LNS.
[global]
; only peers listed in this file are accepted
access control = yes
port = 1701
rand source = dev
 
[lac MikroTik]
; the Mikrotik's external address; must match the policy in /etc/ipsec-tools.conf
lns = 192.168.0.1
redial = yes
redial timeout = 3
; NOTE(review): "require chap = yes" next to "require authentication = no", with the
; RouterOS server set to authentication=pap, looks contradictory — verify which
; mechanism is really negotiated rather than relying on it working by accident.
require chap = yes
require authentication = no
; PPP user name; the password comes from the pppoptfile / chap-secrets
name = frank
; verbose pppd logging — useful for debugging, worth turning off once the link is stable
ppp debug = yes
pppoptfile = /etc/ppp/options.MikroTik
require pap = no
; dial the tunnel as soon as xl2tpd starts
autodial = yes

vim /etc/ppp/options.MikroTik

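# pppd options for the "MikroTik" L2TP link (referenced by pppoptfile in xl2tpd.conf)
unit 0
# "l2tp" is the server name looked up in /etc/ppp/chap-secrets
remotename l2tp
ipparam MikroTik
# no chat script: the transport is already provided by xl2tpd
connect /bin/true
# same 1460 as max-mru/max-mtu on the RouterOS l2tp-server
mru 1460
mtu 1460
nodeflate
nobsdcomp
# keep re-establishing the link forever after a drop
persist
maxfail 0
nopcomp
noaccomp
# noauth: do not require the Mikrotik to authenticate itself to us;
# this host still authenticates to it with name/password below
noauth
# keep the host's default route; only the tunnel's point-to-point route is added.
# (the original file listed this option twice — the duplicate was dropped)
nodefaultroute
# credentials matching the /ppp secret on the Mikrotik. The secret also sits in
# /etc/ppp/chap-secrets, so keep both files root-only (chmod 600); these are
# example values.
name frank
password ubuntu
# drop the link after 1800 s without traffic (persist brings it back on demand)
idle 1800
lock
connect-delay 5000
nologfd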

vim /etc/ppp/chap-secrets

# client   server   secret   (no 4th field = any IP address)
# "l2tp" is the remotename set in options.MikroTik; the secret is the
# password of the Mikrotik /ppp secret. Keep this file root-only (chmod 600).
frank l2tp ubuntu

Riavviamo i servizi:

root@frank:~# service setkey restart
root@frank:~# service racoon restart
root@frank:~# service xl2tpd restart

Se al posto di Racoon usassimo Openswan, il riavvio andrebbe fatto così:

# Openswan variant: restart both daemons, bring up the IPsec connection first,
# then ask xl2tpd through its control FIFO to dial the L2TP connection.
service ipsec restart
service xl2tpd restart
# replace the NOME-... placeholders with the connection names used in
# ipsec.conf and xl2tpd.conf.
# NOTE(review): Openswan documents this as "ipsec auto --up NAME" (double dash);
# confirm the single-dash form is accepted by the installed version.
ipsec auto -up NOME-CONNESSIONE-IPSEC
# give the IPsec SA a moment to come up before L2TP traffic starts
sleep 2;
echo "c NOME-CONNESSIONE-L2TP" > /var/run/xl2tpd/l2tp-control

Se abbiamo fatto tutto correttamente, il risultato sarà il seguente:

[root@frank init.d]# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.70.100  P-t-P:192.168.70.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1460  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:2096 (2.0 KiB)  TX bytes:46 (46.0 b)
 
[root@frank init.d]# 
 
[root@frank init.d]# racoonctl show-sa esp
192.168.1.100 192.168.0.1
        esp mode=transport spi=217192774(0x0cf21946) reqid=0(0x00000000)
        E: 3des-cbc  3680078a 6e1824c1 b717cfb5 efc5426c 077a4b81 0353ea81
        A: hmac-sha1  fbb3c99d 5668842f 6257d962 7880d983 9ae78758
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Apr 20 14:55:13 2016	current: Apr 20 15:37:39 2016
        diff: 2546(s)	hard: 28800(s)	soft: 23040(s)
        last: Apr 20 14:55:14 2016	hard: 0(s)	soft: 0(s)
        current: 4497(bytes)	hard: 0(bytes)	soft: 0(bytes)
        allocated: 177	hard: 0	soft: 0
        sadb_seq=1 pid=996 refcnt=0
192.168.0.1 192.168.1.100
        esp mode=transport spi=122713538(0x075075c2) reqid=0(0x00000000)
        E: 3des-cbc  3b8f090f fea20097 f325fefa 6cad27dc f6e523b3 3e36643c
        A: hmac-sha1  63d04036 7d502d59 0182338d 29c31558 0b87801a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Apr 20 14:55:13 2016	current: Apr 20 15:37:39 2016
        diff: 2546(s)	hard: 28800(s)	soft: 23040(s)
        last: Apr 20 14:55:14 2016	hard: 0(s)	soft: 0(s)
        current: 8180(bytes)	hard: 0(bytes)	soft: 0(bytes)
        allocated: 217	hard: 0	soft: 0
        sadb_seq=0 pid=996 refcnt=0
[root@frank init.d]#

 

 

 
