Настроил на FreeBSD 9.0 VPN сервер, используя мануал http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD. Могу подключаться из mac os x, но есть 2 проблемы:
1. Интернет не работает (что-то не так с nat)
2. Получается подключаться с разных ip, но не получается подключить нескольких пользователей с одного ip (за натом)ю
sysctl.conf
Код: Выделить всё
dkorzhevin# cat /etc/sysctl.conf
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about
processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.fw.one_pass=1
net.key.prefered_oldsa=0
net.key.blockacq_count=0
dkorzhevin#
Код: Выделить всё
dkorzhevin# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 allow ip from any to any
dkorzhevin#
Код: Выделить всё
options IPSEC
options IPSEC_NAT_T
device crypto
options IPSEC_FILTERTUNNEL
device enc
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options LIBALIAS
options IPDIVERT
Код: Выделить всё
dkorzhevin# cat /usr/local/etc/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen
{
# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT
translated, this is the INSIDE IP)
isakmp MYIP [500];
isakmp_natt MYIP [4500];
# NOTE, you can specify multiple IPs to listen on
# isakmp p.q.r.s [500];
# isakmp_natt p.q.r.s [4500];
# strict_address;
}
remote anonymous
{
exchange_mode main;
passive on;
proposal_check obey;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
dkorzhevin#
Код: Выделить всё
dkorzhevin# cat setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
dkorzhevin#
Код: Выделить всё
dkorzhevin# cat psk.txt
* PSK
MYIP MYPASS
dkorzhevin#
Код: Выделить всё
dkorzhevin# ls -la
total 20
drwxr-xr-x 2 root wheel 512 Aug 10 15:02 .
drwxr-xr-x 8 root wheel 512 Aug 10 09:16 ..
-rw------- 1 root wheel 30 Aug 10 11:34 psk.txt
-rw-r--r-- 1 root wheel 1308 Aug 10 14:42 racoon.conf
-rw-r--r-- 1 root wheel 171 Aug 10 14:18 setkey.conf
dkorzhevin#
Код: Выделить всё
dkorzhevin# cat /usr/local/etc/mpd5/mpd.conf
startup:
# configure mpd users
set user super pwSuper admin
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open
default:
load l2tp_server
l2tp_server:
# Define dynamic IP address pool.
set ippool add pool_l2tp 192.168.0.150 192.168.0.199
# Create clonable bundle template named B_l2tp
create bundle template B_l2tp
set iface enable proxy-arp
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
set ipcp dns 192.168.0.1
# Create clonable link template named L_l2tp
create link template L_l2tp l2tp
# Set bundle template to use
set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link no pap chap eap
set link enable chap
set link keep-alive 0 0
# We reducing link mtu to avoid ESP packet fragmentation.
set link mtu 1280
# Configure L2TP
set l2tp self MYIP
set l2tp enable length
# Allow to accept calls
set link enable incoming
dkorzhevin#
Код: Выделить всё
dkorzhevin# cat /etc/rc.conf
hostname="dkorzhevin.mirohost.net"
ifconfig_nfe0=" inet MYIP netmask 255.255.254.0"
defaultrouter="GATEWAYIP"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/firewall"
gateway_enable="YES"
natd_enable="YES"
natd_interface="nfe0"
natd_flags=""
dkorzhevin#