VPN L2TP/IPSEC Tra un Mikrotik ed un server Ubuntu
C'era la necessità di configurare un tunnel VPN tra un router Mikrotik ed un server Ubuntu; in prima battuta si era pensato ad OpenVPN, ma visto che l'attuale implementazione su Mikrotik è solo in TCP, la scelta è ricaduta su L2TP.
Dal momento che L2TP non prevede la crittografia dei dati ho scelto di accoppiarlo ad IPSEC; ho provato praticamente tutte le guide che ho trovato on-line, ma nessuna ha funzionato…
Dopo aver provato da Windows (4 click) e da Android (3 click), ho deciso che doveva andare anche da Linux… ed alla fine, con un po' di documentazione
ed un po' di debug, sono riuscito a farla funzionare 🙂
La configurazione funziona anche dietro NAT, quindi con IP privato, ed ha come server il Mikrotik e come client Ubuntu.
Nodo IndirizzoEsterno IndirizzoInterno
Mikrotik 192.168.0.1 10.0.0.1/24
Ubuntu 192.168.1.100 172.16.0.100
Pacchetti necessari:
– racoon => demone IPSEC
– xl2tpd => demone L2TP
Installazione Pacchetti Ubuntu/Debian:
apt-get install ipsec-tools racoon xl2tpd
Configurazione Mikrotik:
# Mikrotik side: L2TP server wrapped in IPsec (the Ubuntu host is the client).
/interface l2tp-server server
# ipsec-secret is the IKE pre-shared key; the same value is the key for
# 192.168.0.1 in /etc/racoon/psk.txt on the Ubuntu side and must stay identical.
# NOTE(review): authentication=pap means the PPP password travels in clear inside
# the PPP session and relies on the IPsec layer for confidentiality; the Ubuntu
# xl2tpd.conf below has "require chap = yes" / "require pap = no" — confirm which
# method is actually negotiated (the "ppp debug" log will show it).
# max-mru/max-mtu=1460 match the "mru 1460" / "mtu 1460" in /etc/ppp/options.MikroTik.
set authentication=pap default-profile=l2tp enabled=yes ipsec-secret=benedetta max-mru=1460 max-mtu=1460 use-ipsec=yes
/ppp profile
# Addresses of the PPP link: the client ends up as 192.168.70.100 with peer
# 192.168.70.1 (see the ifconfig ppp0 output at the end of the page).
# NOTE(review): the table at the top lists 10.0.0.1/24 and 172.16.0.100 as the
# internal addresses, which does not match the 192.168.70.x used here.
# "pool-l2tp" is referenced but its /ip pool definition is not shown on this page.
add local-address=192.168.70.1 name=l2tp remote-address=pool-l2tp
/ppp secret
# PPP credentials of the client; "frank"/"ubuntu" must match name/password in
# /etc/ppp/options.MikroTik and the line in /etc/ppp/chap-secrets.
add name=frank password=ubuntu profile=l2tp service=l2tp
Configurazione Ubuntu:
vim /etc/racoon/psk.txt
# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'
# For example:
#
# 10.1.1.1 flibbertigibbet
#
# The identifier is the Mikrotik's address as seen from this host (the same
# address used in the "remote" block of racoon.conf); the key must equal the
# ipsec-secret set on the Mikrotik l2tp-server.
# Keep this file owned by root and readable by nobody else (chmod 600): it
# holds the IKE secret in clear text.
192.168.0.1 benedetta
vim /etc/racoon/racoon.conf
# racoon (IKEv1) configuration for the client side of the L2TP/IPsec tunnel.
log notify;
# Pre-shared keys are looked up by peer address in this file.
path pre_shared_key "/etc/racoon/psk.txt";
# Phase 1 (ISAKMP SA) settings for the Mikrotik peer.
remote 192.168.0.1 {
# Main mode with the pre-shared key stored for 192.168.0.1 in psk.txt.
exchange_mode main;
lifetime time 24 hour;
# NAT traversal is needed because, as stated above, this setup runs behind NAT.
nat_traversal on;
# Dead-peer-detection probe interval, in seconds.
dpd_delay 120;
proposal {
# NOTE(review): 3des / sha1 / modp1024 (DH group 2) are legacy choices; they
# have to match the Mikrotik's IPsec proposal, which is not shown on this page.
# If the router also accepts aes and modp2048 or better, prefer those.
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
# NOTE(review): generate_policy is normally only meaningful on the responder
# side; with the explicit spdadd entries in /etc/ipsec-tools.conf it is
# probably not needed on this client — verify before removing.
generate_policy on;
}
# Phase 2 (IPsec SA) parameters; "anonymous" applies to every peer.
sainfo anonymous {
pfs_group modp1024;
encryption_algorithm 3des;
# NOTE(review): hmac_md5 is also accepted here; the racoonctl show-sa output at
# the end shows hmac-sha1 being negotiated, so hmac_md5 can likely be dropped.
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
vim /etc/ipsec-tools.conf
# setkey(8) policies: only the L2TP traffic (port 1701) exchanged between this
# host and the Mikrotik is required to go through ESP in transport mode; other
# traffic between the two hosts is not covered by these two entries.
# Clear the SAD and SPD first so a restart begins from a clean state.
flush;
spdflush;
# Outbound: this host 192.168.1.100 -> Mikrotik 192.168.0.1, port 1701.
# (One statement: the "esp/transport//require;" line below completes it.)
spdadd 192.168.1.100[1701] 192.168.0.1[1701] any -P out ipsec
esp/transport//require;
# Inbound mirror of the policy above.
spdadd 192.168.0.1[1701] 192.168.1.100[1701] any -P in ipsec
esp/transport//require;
# NOTE(review): 192.168.1.100 is this host's pre-NAT (private) address; with
# nat_traversal on in racoon.conf the Mikrotik sees the NAT gateway's address.
vim /etc/xl2tpd/xl2tpd.conf
; xl2tpd: this host acts as LAC (client) towards the Mikrotik, which is the LNS.
[global]
access control = yes
; Standard L2TP port; it is the same port matched by the setkey policies.
port = 1701
rand source = dev
; The section name must match "ipparam MikroTik" in /etc/ppp/options.MikroTik.
[lac MikroTik]
; L2TP Network Server = the Mikrotik's external address.
lns = 192.168.0.1
redial = yes
redial timeout = 3
; NOTE(review): the Mikrotik l2tp-server above is configured with
; authentication=pap, while this section requires CHAP and refuses PAP (and
; options.MikroTik also sets "noauth"); confirm in the "ppp debug" log which
; authentication method is actually negotiated.
require chap = yes
; This refers to tunnel-level (L2TP) authentication, not to PPP — going by the
; option name; verify against the xl2tpd.conf man page.
require authentication = no
; PPP user name; must match the /ppp secret on the Mikrotik.
name = frank
ppp debug = yes
; Extra pppd options live in this file (shown below).
pppoptfile = /etc/ppp/options.MikroTik
require pap = no
; Dial the tunnel as soon as xl2tpd starts.
autodial = yes
vim /etc/ppp/options.MikroTik
# pppd options for the MikroTik L2TP session (pppoptfile in xl2tpd.conf).
# unit 0 -> the interface is ppp0, as seen in the ifconfig output further down.
unit 0
# Remote system name used for secret lookup: the second column of /etc/ppp/chap-secrets.
remotename l2tp
# Must match the [lac MikroTik] section name in xl2tpd.conf.
ipparam MikroTik
connect /bin/true
# 1460 matches max-mru / max-mtu on the Mikrotik l2tp-server.
mru 1460
mtu 1460
nodeflate
nobsdcomp
# persist + maxfail 0: keep redialling indefinitely after a disconnect.
persist
maxfail 0
nopcomp
noaccomp
# Do not require the peer (the Mikrotik) to authenticate itself to us.
noauth
nodefaultroute
# Credentials sent to the Mikrotik; they duplicate the chap-secrets line.
# NOTE(review): the password is stored in clear here and in chap-secrets —
# keep both files root-only (chmod 600).
name frank
password ubuntu
# Hang up after 30 minutes without traffic.
# NOTE(review): pppd's documentation advises against idle together with
# persist unless demand is also set — after an idle hang-up persist simply
# redials; confirm that is the intended behaviour.
idle 1800
lock
# NOTE(review): duplicate of the nodefaultroute above; harmless, can be removed.
nodefaultroute
connect-delay 5000
nologfd
vim /etc/ppp/chap-secrets
# client    server    secret    [IP addresses]
# "l2tp" is the remotename from options.MikroTik; the secret duplicates its
# "password" line. Keep this file root-only (chmod 600): the secret is in clear.
frank l2tp ubuntu
Riavviamo i servizi:
root@frank:~# service setkey restart
root@frank:~# service racoon restart
root@frank:~# service xl2tpd restart
Se al posto di Racoon avessimo usato Openswan, il riavvio andrebbe fatto così:
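# Openswan variant of the restart sequence (racoon is not involved here).
# Restart the IKE daemon and the L2TP daemon.
service ipsec restart
service xl2tpd restart
# Bring up the named IPsec connection from ipsec.conf.
# "auto" takes long options: it is --up with two dashes (a single "-up" would
# be parsed as "-u -p" and rejected).
ipsec auto --up NOME-CONNESSIONE-IPSEC
# Give the IPsec SA a moment to come up before dialling L2TP over it.
sleep 2
# Ask xl2tpd to connect the named [lac ...] section through its control file.
echo "c NOME-CONNESSIONE-L2TP" > /var/run/xl2tpd/l2tp-control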
Se abbiamo fatto tutto correttamente, il risultato sarà il seguente (attenzione: le righe E: e A: di `racoonctl show-sa esp` contengono le chiavi di sessione ESP correnti, da non pubblicare in chiaro):
[root@frank init.d]# ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.70.100 P-t-P:192.168.70.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1460 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:2096 (2.0 KiB) TX bytes:46 (46.0 b)
[root@frank init.d]#
[root@frank init.d]# racoonctl show-sa esp
192.168.1.100 192.168.0.1
esp mode=transport spi=217192774(0x0cf21946) reqid=0(0x00000000)
E: 3des-cbc 3680078a 6e1824c1 b717cfb5 efc5426c 077a4b81 0353ea81
A: hmac-sha1 fbb3c99d 5668842f 6257d962 7880d983 9ae78758
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Apr 20 14:55:13 2016 current: Apr 20 15:37:39 2016
diff: 2546(s) hard: 28800(s) soft: 23040(s)
last: Apr 20 14:55:14 2016 hard: 0(s) soft: 0(s)
current: 4497(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 177 hard: 0 soft: 0
sadb_seq=1 pid=996 refcnt=0
192.168.0.1 192.168.1.100
esp mode=transport spi=122713538(0x075075c2) reqid=0(0x00000000)
E: 3des-cbc 3b8f090f fea20097 f325fefa 6cad27dc f6e523b3 3e36643c
A: hmac-sha1 63d04036 7d502d59 0182338d 29c31558 0b87801a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Apr 20 14:55:13 2016 current: Apr 20 15:37:39 2016
diff: 2546(s) hard: 28800(s) soft: 23040(s)
last: Apr 20 14:55:14 2016 hard: 0(s) soft: 0(s)
current: 8180(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 217 hard: 0 soft: 0
sadb_seq=0 pid=996 refcnt=0
[root@frank init.d]#