| 知乎专栏 | 多维度架构 |
PAP(PasswordAuthenticationProtocol 密码认证协议)PAP 是 PPP 协议集中的一种链路控制协议,通过2次握手建立认证,对等结点持续重复发送 ID/ 密码(明文)给验证者,直至认证得到响应或连接终止,常见于PPPOE拨号环境中。
首先被认证方向认证方发送认证请求(包含用户名和密码),以明文形式进行传输,认证方接到认证请求,再根据被认证方发送来的用户名去到自己的数据库认证用户名密码是否正确,如果密码正确,PAP认证通过,如果用户名密码错误,PAP认证未通过 PAP 并不是一种强有效的认证方法,其密码以文本格式在电路上进行发送,对于窃听、重放或重复尝试和错误攻击没有任何保护。
CHAP (ChallengeHandshakeAuthenticationProtocol 质询握手认证协议) CHAP通过三次握手验证被认证方的身份(密文),在初始链路建立时完成,为了提高安全性,在链路建立之后周期性进行验证,目前在企业网的远程接入环境中用的比较常见。
CHAP:
https://github.com/hwdsl2/docker-ipsec-vpn-server
docker run \ --name ipsec-vpn-server \ --restart=always \ -e VPN_IPSEC_PSK=secret \ -e VPN_USER=neo \ -e VPN_PASSWORD=chen \ -p 500:500/udp \ -p 4500:4500/udp \ -v /lib/modules:/lib/modules:ro \ -d --privileged \ hwdsl2/ipsec-vpn-server
root@netkiller:~# docker logs -f ipsec-vpn-server Trying to auto discover IP of this server... Starting IPsec service... ================================================ IPsec VPN server is now ready for use! Connect to your new VPN with these details: Server IP: 118.216.150.196 IPsec PSK: secret Username: neo Password: chen Write these down. You'll need them to connect! VPN client setup: https://vpnsetup.net/clients2 ================================================ xl2tpd[1]: Not looking for kernel SAref support. xl2tpd[1]: Using l2tp kernel support. xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 572c9e11099b PID:1 xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc. xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001 xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002 xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016 xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
连接到L2TP会打印如下日志
xl2tpd[1]: Connection established to 221.229.164.130, 61844. Local: 32536, Remote: 32 (ref=0/0). LNS session is 'default' xl2tpd[1]: check_control: Received out of order control packet on tunnel 32 (got 2, expected 3) xl2tpd[1]: handle_control: bad control packet! xl2tpd[1]: Call established with 221.229.164.130, PID: 660, Local: 2572, Remote: 37820, Serial: 1
过程 33.13. install l2tpd
install
# apt-get install l2tpd
/etc/xl2tpd/xl2tpd.conf
# cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.original # vim /etc/xl2tpd/xl2tpd.conf [global] port = 1701 auth file = /etc/xl2tpd/l2tp-secrets [lns default] ip range = 192.168.3.200-192.168.3.250 local ip = 192.168.3.9 require chap = yes refuse pap = yes require authentication = yes name = vpn.example.com pppoptfile = /etc/ppp/options.l2tpd.lns
/etc/ppp/options.l2tpd.lns
vim /etc/ppp/options.l2tpd.lns ipcp-accept-local ipcp-accept-remote ms-dns 208.67.222.222 ms-dns 208.67.220.220 ms-wins 192.168.3.4 noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp connect-delay 5000
/etc/xl2tpd/l2tp-secrets
vim /etc/xl2tpd/l2tp-secrets neo * chen *
start
/etc/init.d/xl2tpd start
过程 33.14. L2TP 服务器端
安装 xl2tpd
[root@stage ~]# dnf search xl2tpd | grep xl2tpd Last metadata expiration check: 2:14:26 ago on Thu 16 Sep 2021 03:24:26 PM CST. ============================= Name Matched: l2tpd ============================== xl2tpd.x86_64 : Layer 2 Tunnelling Protocol Daemon (RFC 2661)
[root@stage ~]# dnf install -y xl2tpd libreswan
由于L2TP安装需要加载内核模块,所以需要重启系统,否则 modprobe 找不到 l2tp_ppp 模块
[root@stage ~]# reboot
配置 /etc/xl2tpd/xl2tpd.conf
[root@stage ~]# cp /etc/xl2tpd/xl2tpd.conf{,.original}
[root@stage ~]# cat /etc/xl2tpd/xl2tpd.conf | grep -v "^;"
[global]
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
配置 /etc/ppp/options.xl2tpd
[root@stage ~]# vim /etc/ppp/options.xl2tpd ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 1.1.1.1 # ms-dns 192.168.1.1 # ms-dns 192.168.1.3 # ms-wins 192.168.1.2 # ms-wins 192.168.1.4 noccp auth #obsolete: crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug #obsolete: lock proxyarp connect-delay 5000 # To allow authentication against a Windows domain EXAMPLE, and require the # user to be in a group "VPN Users". Requires the samba-winbind package # require-mschap-v2 # plugin winbind.so # ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"' # You need to join the domain on the server, for example using samba: # http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
修改为
[root@stage ~]# cat /etc/ppp/options.xl2tpd | grep -v ^# ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 114.114.114.114 auth idle 1800 mtu 1410 mru 1410 nodefaultroute debug connect-delay 5000 require-mschap-v2 logfile /var/log/xl2tpd.log
配置 Ipsec
[root@stage ~]# cp /etc/ipsec.conf{,.original}
[root@stage ~]# cat /etc/ipsec.conf | grep -v "#"
config setup
logfile=/var/log/pluto.log
interfaces="%defaultroute"
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
[root@stage ~]# cat > /etc/ipsec.d/default.secrets <<EOF # 0.0.0.0 %any: PSK "123456" # %any %any : PSK "VPN_IPSEC_PSK" : PSK "12345678" EOF [root@stage ~]# cat /etc/ipsec.d/default.secrets
创建登陆用户和密码
设置登陆密码 /etc/ppp/chap-secrets
[root@stage ~]# cp /etc/ppp/chap-secrets [root@stage ~]# cat /etc/ppp/chap-secrets # Secrets for authentication using CHAP # client server secret IP addresses neo * chen * tom * 112233 * apple * chen * "username" l2tpd "password" *
[root@stage ~]# vim /etc/xl2tpd/l2tp-secrets [root@stage ~]# cat /etc/xl2tpd/l2tp-secrets # Secrets for authenticating l2tp tunnels # us them secret # * marko blah2 # zeus marko blah # * * interop neo * chen *
启动
cat << 'EOF' >> /etc/sysctl.conf # XL2TPD Add by neo net.ipv4.ip_forward=1 net.ipv4.conf.default.send_redirects=0 net.ipv4.conf.default.accept_redirects=0 EOF
[root@stage ~]# modprobe l2tp_ppp [root@stage ~]# lsmod | grep l2tp l2tp_ppp 28672 0 l2tp_netlink 28672 1 l2tp_ppp l2tp_core 32768 2 l2tp_ppp,l2tp_netlink pppox 16384 1 l2tp_ppp ppp_generic 45056 2 pppox,l2tp_ppp ip6_udp_tunnel 16384 1 l2tp_core udp_tunnel 20480 1 l2tp_core
[root@stage ~]# sysctl -w net.ipv4.conf.default.send_redirects=0
[root@stage ~]# sysctl -w net.ipv4.conf.default.accept_redirects=0
[root@stage ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 4.3 (netkey) on 4.18.0-305.12.1.el8_4.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
[root@stage ~]# systemctl enable ipsec Created symlink /etc/systemd/system/multi-user.target.wants/ipsec.service → /usr/lib/systemd/system/ipsec.service. [root@stage ~]# systemctl start ipsec [root@stage ~]# systemctl enable xl2tpd [root@stage ~]# systemctl start xl2tpd
配置IP伪装
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A FORWARD -o ppp0 -j ACCEPT
firewall-cmd --permanent --add-service=ipsec # 放行ipsec服务,安装时会自定生成此服务 firewall-cmd --permanent --add-port=1701/udp # xl2tp 的端口,默认1701. firewall-cmd --permanent --add-port=4500/udp # ipsec 的端口 firewall-cmd --permanent --add-masquerade # 启用NAT转发功能。必须启用此功能 firewall-cmd --reload