Linux下架设L2TP IPSec VPN服务器(X509)

OpenSWan 主要配置文件：
/etc/ipsec.secrets      用来保存private RSA keys 和 preshared secrets (PSKs)
/etc/ipsec.conf           配置文件(settings, options, defaults, connections)

OpenSWan 主要配置目录 ：
/etc/ipsec.d/cacerts       存放X.509 认证证书（根证书－"root certificates"）
/etc/ipsec.d/certs           存放X.509 客户端证书（X.509 client Certificates）
/etc/ipsec.d/private       存放X.509 认证私钥（X.509 Certificate private keys）
/etc/ipsec.d/crls              存放X.509 证书撤消列表（X.509 Certificate Revocation Lists）
/etc/ipsec.d/ocspcerts   存放X.500 OCSP 证书（Online Certificate Status Protocol certificates）
/etc/ipsec.d/passwd       XAUTH 密码文件（XAUTH password file）
/etc/ipsec.d/policies      存放Opportunistic Encryption 策略组（The Opportunistic Encryption policy groups）

[root@mm ~]# cat /etc/ppp/chap-secrets # Secrets for authentication using CHAP #

client    server  secret    IP addresses

test1       *      test1          *

l2tptest1   *      l2tptest1   10.1.1.1

l2tptest2   *      l2tptest2      *

[root@mm ~]# cat /etc/ipsec.secrets

RSA /etc/ipsec.d/private/vpngateway.key "123456"

#192.168.1.251 %any : PSK "123456"

[root@mm ~]# cat /etc/ipsec.conf

#version 2.0

config setup

 interfaces=%defaultroute

 nat_traversal=yes

 virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.1.0/24,%v4:!192.168.1.0/24

conn %default

 compress=yes

 authby=rsasig

 leftrsasigkey=%cert

 rightrsasigkey=%cert

#conn roadwarrior

 #left=172.16.1.100

 #leftcert=vpngateway.cert

 #leftsubnet=172.16.1.0/24

 #right=%any

 #auto=add

conn l2tpx509

 pfs=no auto=add

 left=192.168.1.251

 leftcert=vpngateway.cert

 leftprotoport=17/1701

 right=%any

 rightca=%same

 rightprotoport=17/%any ############################################################################# #configure preshared secret authentication

#conn l2tp

 # authby=secret

 # pfs=no

 # auto=add

 # type=transport

 # left=192.168.1.251

 # leftprotoport=17/1701

 # right=%any

 # rightprotoport=17/%any ############################################################################# #include /etc/ipsec.d/examples/no_oe.conf

[root@mm ~]# cat /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.10.1
ms-dns  192.168.10.3
ms-wins 192.168.10.2
ms-wins 192.168.10.4
#noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/l2tpd.log
proxyarp

[root@mm ~]# cat /etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 192.168.1.251
port = 1701
auth file = /etc/ppp/chap-secrets

debug tunnel = yes

[lns default]
ip range = 172.16.1.10-172.16.1.254
local ip = 192.168.1.251
require chap = yes
refuse pap = yes
require authentication = yes
name = mm's L2TP VPN Server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

复制证书（在机器之间复制证书请确保安全性）：

#cp cacert.pem /etc/ipsec.d/cacerts

#cp vpngateway.cert /etc/ipsec.d/certs

#cp vpngateway.key /etc/ipsec.d/private

#cp crl.pem /etc/ipsec.d/crls/

CA工作目录： /root/CA
# openssl req \x509 \days 3650 \newkey rsa:1024 \keyout cakey.pem \out cacert.pem
# mkdir newcerts
# touch index.txt
# echo "01" > serial
# echo "01" > crlnumber
# mkdir private
# cp cakey.pem ./private/
# openssl ca \gencrl \out crl.pem
# openssl req \newkey rsa:1024 \keyout vpngateway.key \out vpngatewayreq.pem
# openssl ca \in ../vpngatewayreq.pem \days 365 \out ../vpngateway.cert \notext
# openssl pkcs12 \export \in cacert.pem \inkey cakey.pem \out demoCA.p12
下面产生windows的私钥及证书：
# openssl req \newkey rsa:1024 \keyout windows.key \out windowsreq.pem
# openssl ca \in ../windowsreq.pem \days 3650 \out ../windows.cert \notext
# openssl pkcs12 \export \in windows.cert \inkey windows.key \out windows.p12
注意，在导出P12文件时，输入读取CA密钥的密码，然后再指定导出p12文件中的证书需要
的密码，并进行二次确认。