{"id":457,"date":"2012-12-24T16:09:32","date_gmt":"2012-12-24T14:09:32","guid":{"rendered":"http:\/\/bos-info.com\/?p=457"},"modified":"2012-12-24T16:22:05","modified_gmt":"2012-12-24T14:22:05","slug":"vpn-%d1%87%d0%b0%d1%81%d1%82%d1%8c-1-ipsecl2tp-%d1%81%d0%b5%d1%80%d1%82%d0%b8%d1%84%d0%b8%d0%ba%d0%b0%d1%82%d1%8b-%d0%bc%d0%b5%d0%b6%d0%b4%d1%83-%d0%b4%d0%b2%d1%83%d0%bc%d1%8f-freebsd-9-0","status":"publish","type":"post","link":"https:\/\/bos-info.com\/?p=457","title":{"rendered":"VPN \u0447\u0430\u0441\u0442\u044c 1: IPSec\/L2TP + \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u044b \u043c\u0435\u0436\u0434\u0443 \u0434\u0432\u0443\u043c\u044f FreeBSD 9.0"},"content":{"rendered":"<p>\u0417\u0430\u0434\u0430\u0447\u0430: 2 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 FreeBSD 9.0 RELEASE, \u043c\u0435\u0436\u0434\u0443 \u043d\u0438\u043c\u0438 \u043d\u0443\u0436\u043d\u043e \u043f\u043e\u0434\u043d\u044f\u0442\u044c \u0442\u0443\u043d\u043d\u0435\u043b\u044c IPSec\/L2TP<br \/>\n\u0418\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u044b: <code>\/usr\/ports\/security\/ipsec-tools (racoon)<br \/>\n\/usr\/ports\/net\/mpd5<\/code><br \/>\n<!--more--><br \/>\n\u0414\u043b\u044f \u043d\u0430\u0447\u0430\u043b\u0430 \u043d\u0443\u0436\u043d\u043e \u0441\u043e\u0431\u0440\u0430\u0442\u044c \u044f\u0434\u0440\u043e \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 IPSEC. 
\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0441\u0431\u043e\u0440\u043a\u0438 \u044f\u0434\u0440\u0430 \u0435\u0441\u0442\u044c \u0432 \u0434\u0440\u0443\u0433\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 \u043d\u0430 \u044d\u0442\u043e\u043c \u0441\u0430\u0439\u0442\u0435, \u043f\u0435\u0440\u0435\u0447\u0438\u0441\u043b\u044e \u0442\u043e\u043b\u044c\u043a\u043e, \u0447\u0442\u043e \u043d\u0443\u0436\u043d\u043e \u0434\u043e\u0431\u0430\u0432\u0438\u0442\u044c:<br \/>\n<code><br \/>\noptions IPSEC #IP security<br \/>\noptions IPSEC_NAT_T<br \/>\ndevice crypto<br \/>\ndevice enc<br \/>\noptions IPSEC_DEBUG #debug for IP security<br \/>\n<\/code><br \/>\n\u0423 \u043c\u0435\u043d\u044f \u0447\u0435\u0440\u0435\u0437 \u043d\u0430\u0442 \u043d\u0435 \u0437\u0430\u0432\u0435\u043b\u043e\u0441\u044c, \u0447\u0435\u043a\u0441\u0443\u043c\u043c\u044b \u0431\u0431\u044e\u0442\u0441\u044f, \u043c\u043e\u0436\u0435\u0442 \u043a\u043e\u0433\u0434\u0430 \u0435\u0449\u0435 \u0431\u0443\u0434\u0443 \u044d\u0442\u043e \u0434\u0435\u043b\u043e \u0438\u0437\u0443\u0447\u0430\u0442\u044c. 
\u0410 \u043c\u043e\u0436\u0435\u0442 \u0438 \u043d\u0435 \u0431\u0443\u0434\u0443 \ud83d\ude42 \u041d\u043e \u0432 \u044f\u0434\u0440\u043e \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u044e \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0443 \u0432\u043a\u043e\u043c\u043f\u0438\u043b\u0438\u0442\u044c, \u043d\u0430 \u0432\u0441\u044f\u043a\u0438\u0439 \u043f\u043e\u0436\u0430\u0440\u043d\u044b\u0439.<br \/>\n\u0414\u0430\u043b\u0435\u0435 \u0441\u043e\u0431\u0438\u0440\u0430\u0435\u043c \u0438\u0437 \u043f\u043e\u0440\u0442\u043e\u0432 \u0440\u0430\u043a\u0443\u043d\u0430 \u0438 \u043c\u043f\u0434.<br \/>\n\u0415\u0441\u043b\u0438 \u0445\u043e\u0447\u0435\u0442\u0441\u044f, \u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0435\u0448\u0430\u0440\u0435\u0434-\u043a\u0435\u0439 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u043c\u043e\u0436\u043d\u043e \u0431\u044b\u043b\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0434\u043b\u044f \u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u0441 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u0438\u043c \u0438\u043f\u043e\u043c, \u043d\u0430\u0445\u043e\u0434\u0438\u043c \u0432 \u0441\u043e\u0440\u0446\u0430\u0445 \u0440\u0430\u043a\u0443\u043d\u0430 \u0444\u0430\u0439\u043b .\/src\/racoon\/localconf.c, \u043e\u043a\u043e\u043b\u043e 210 \u0441\u0442\u0440\u043e\u043a\u0438 \u0438\u0449\u0435\u043c<br \/>\n<code> if (strncmp(buf, str, len) == 0 &amp;&amp; buf[len] == '\\0') {<\/code>,<br \/>\n\u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0438\u0440\u0443\u0435\u043c \u0438 \u0437\u0430\u043c\u0435\u043d\u044f\u0435\u043c \u043d\u0430:<br \/>\n<code> if (strcmp(buf, \"*\") == 0 || (strncmp(buf, str, len) == 0 &amp;&amp; buf[len] == '\\0')) {<\/code><br \/>\n\u041f\u043e\u0441\u043b\u0435 \u0432 \u0444\u0430\u0439\u043b\u0435 psk.txt \u043c\u043e\u0436\u043d\u043e \u0443\u043a\u0430\u0437\u0430\u0442\u044c \u0442\u0430\u043a:<br \/>\n<code>* my_secret_key<\/code><br 
\/>\n\u0414\u0430\u043b\u0435\u0435 \u0443\u0433\u043b\u0443\u0431\u043b\u044f\u0442\u044c\u0441\u044f \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 PSK \u043d\u0435 \u0431\u0443\u0434\u0435\u043c, \u0442.\u043a. \u043e\u0442 \u043b\u0443\u043a\u0430\u0432\u043e\u0433\u043e \u044d\u0442\u043e. \u041d\u0435\u0445\u043e\u0440\u043e\u0448\u043e \u0432\u0441\u0435\u0445 \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432 \u043e\u0434\u043d\u0438\u043c \u043a\u043b\u044e\u0447\u0435\u043c \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u0442\u044c, \u0430 \u0441\u0442\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0435 \u0430\u0434\u0440\u0435\u0441\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432 \u0432 \u043c\u043e\u0438\u0445 \u043a\u0440\u0430\u044f\u0445 \u0440\u0435\u0434\u043a\u043e\u0441\u0442\u044c. (\u043f\u0440\u0438\u043c. \u0411\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u043e \u0441\u0442\u0430\u0442\u0435\u0439 \u0432 \u0433\u0443\u0433\u043b\u0435 \u0440\u0430\u0441\u0441\u043a\u0430\u0437\u044b\u0432\u0430\u044e\u0442 \u0438\u043c\u0438\u043d\u043d\u043e \u043e \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 \u0440\u0430\u043a\u0443\u043d\u0430 \u0441 PSK, \u0438\u0431\u043e \u044d\u0442\u043e \u043f\u0440\u043e\u0449\u0435)<br \/>\n\u0414\u0430\u043b\u0435\u0435 \u0432 \u043c\u043f\u0434 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0442\u0430\u043a\u043e\u0435:<br \/>\n<code>default:<br \/>\n\tload l2tp_server<br \/>\nl2tp_server:<br \/>\n\tset ippool add pool-l2tp 10.10.17.10 10.10.17.20<br \/>\n\tcreate bundle template L2TP-B<br \/>\n\tset iface idle 0<br \/>\n\tset iface enable tcpmssfix<br \/>\n\tset ipcp ranges 10.10.17.254\/24 ippool pool-l2tp<br \/>\n\tcreate link template L2TP-L l2tp<br \/>\n\tset link action bundle L2TP-B<br \/>\n\tset link enable multilink<br \/>\n\tset link yes 
acfcomp protocomp<br \/>\n\tset link no pap chap eap<br \/>\n\tset link enable chap<br \/>\n\tset link keep-alive 10 60<br \/>\n\tload radius<br \/>\n\tset link mtu 1460<br \/>\n\tset l2tp self 0.0.0.0<br \/>\n\tset link enable incoming<br \/>\n<\/code><br \/>\n\u0422\u0443\u0442 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f \u043f\u043e \u0440\u0430\u0434\u0438\u0443\u0441\u0443, \u0435\u0441\u043b\u0438 \u043d\u0435\u0442\u0443, \u0443\u0431\u0438\u0440\u0430\u0435\u043c \u0441\u0442\u0440\u043e\u0447\u043a\u0443.<br \/>\n\u041a\u043b\u0438\u0435\u043d\u0442\u0430 \u043f\u0440\u043e\u0441\u0438\u043c \u043b\u043e\u043c\u0438\u0442\u044c\u0441\u044f \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440, \u043d\u0430 \u043f\u043e\u0440\u0442 1701 (L2TP):<br \/>\n<code>default:<br \/>\n\tload pptp_server<br \/>\n\tload l2tp_client<br \/>\nl2tp_client:<br \/>\n\tcreate bundle static L2TPB<br \/>\n\tcreate link static L2TPL l2tp<br \/>\n\tset link action bundle L2TPB<br \/>\n\tset auth authname user<br \/>\n\tset auth password password<br \/>\n\tset link max-redial 0<br \/>\n\tset link mtu 1460<br \/>\n\tset link keep-alive 20 75<br \/>\n\tset l2tp peer 192.168.55.1 \/\/\u0430\u0434\u0440\u0435\u0441 \u0441\u0435\u0440\u0432\u0435\u0440\u0430<br \/>\n\topen<br \/>\n<\/code><br \/>\n\u041c\u043e\u0436\u043d\u043e \u043d\u0430 \u044d\u0442\u043e\u043c \u044d\u0442\u0430\u043f\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u0438\u0442\u044c, \u0447\u0442\u043e\u0431\u044b MPD \u0434\u0440\u0443\u0433 \u043d\u0430 \u0434\u0440\u0443\u0433\u0430 \u043a\u043e\u043d\u043d\u0435\u043a\u0442\u0438\u043b\u0438\u0441\u044c, \u043f\u043e\u0442\u043e\u043c \u043c\u0435\u043d\u044c\u0448\u0435 \u0431\u0443\u0434\u0435\u0442 \u043d\u0435\u043f\u043e\u043d\u044f\u0442\u043e\u043a.<br \/>\n\u041a\u043e\u0433\u0434\u0430 \u044d\u0442\u043e \u0441\u0434\u0435\u043b\u0430\u043d\u043e, \u043d\u0430\u0447\u0438\u043d\u0430\u0435\u043c 
\u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0442\u044c IPSEC.<br \/>\n\/etc\/rc.conf (\u043d\u0430 \u043e\u0431\u043e\u0438\u0445 \u043c\u0430\u0448\u0438\u043d\u0430\u0445):<br \/>\n<code>mpd_enable=\"YES\"<br \/>\nmpd_flags=\"-b\"<\/p>\n<p>ipsec_enable=\"YES\" # \u0434\u0430, \u044d\u0442\u043e \u043d\u0430\u0434\u043e, \u0441\u043c. \/etc\/rc.d\/ipsec<br \/>\nipsec_program=\"\/usr\/local\/sbin\/setkey\"<br \/>\nipsec_file=\"\/usr\/local\/etc\/racoon\/setkey.conf\" # \u043a\u043e\u043d\u0444\u0438\u0433 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0435\u0442, \u043a\u0430\u043a\u043e\u0439 \u0442\u0440\u0430\u0444\u0438\u043a \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u0442\u044c<br \/>\nracoon_enable=\"yes\" #\u0432\u043a\u043b\u044e\u0447\u0430\u0435\u043c \u0442\u0430\u043a\u0436\u0435 \u0435\u043d\u043e\u0442\u0430<br \/>\n<\/code><br \/>\n\u0414\u0430\u043b\u0435\u0435 \u043a\u043e\u043d\u0444\u0438\u0433\u0438 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0432 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0435 \u0435\u043d\u043e\u0442\u0430 \/usr\/local\/etc\/racoon (\u0441\u043e\u0437\u0434\u0430\u0435\u043c)<br \/>\n\u0414\u0435\u043b\u0430\u0435\u043c \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0438<br \/>\n\/usr\/local\/etc\/racoon\/cert<br \/>\n\/usr\/local\/etc\/racoon\/cert\/ca<br \/>\n\/usr\/local\/etc\/racoon\/cert\/client &lt;- \u0442\u0443\u0442 \u043a\u043b\u044e\u0447\u0438 \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432<br \/>\n\/usr\/local\/etc\/racoon\/cert\/server &lt;- \u0442\u0443\u0442 \u043a\u043b\u044e\u0447\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430<\/p>\n<p>\u0444\u0430\u0439\u043b \/usr\/local\/etc\/racoon\/setkey.conf:<br \/>\n<code>flush;<br \/>\nspdflush;<br \/>\n# L2TP out<br \/>\nspdadd 192.168.55.1\/32[1701] 0.0.0.0\/0 any -P out ipsec esp\/transport\/\/use;<br \/>\n# L2TP in<br \/>\nspdadd 0.0.0.0\/0 192.168.55.1\/32[1701] 
any -P in ipsec esp\/transport\/\/use;<br \/>\n<\/code><br \/>\n\u041d\u0435\u043c\u043d\u043e\u0433\u043e \u043f\u043e\u044f\u0441\u043d\u0435\u043d\u0438\u0439:<br \/>\n1) \u043e\u0447\u0438\u0449\u0430\u0435\u043c \u0432\u0441\u0435, \u0434\u0430\u043b\u0435\u0435 \u0447\u0442\u043e \u0448\u0438\u0444\u0440\u0443\u0435\u043c:<br \/>\n2) \u0441 \u043d\u0430\u0448\u0435\u0433\u043e \u0430\u0434\u0440\u0435\u0441\u0430, \u043f\u043e\u0440\u0442\u0430 1701, \u043d\u0430 \u043b\u044e\u0431\u043e\u0439 \u0430\u0434\u0440\u0435\u0441, \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0435\u0435 (out), \u0440\u0435\u0436\u0438\u043c \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u0430<br \/>\n3) \u0441 \u043b\u044e\u0431\u043e\u0433\u043e \u0430\u0434\u0440\u0435\u0441\u0430 \u043d\u0430 \u043d\u0430\u0448 \u0430\u0434\u0440\u0435\u0441, \u043f\u043e\u0440\u0442 1701, \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0432\u0445\u043e\u0434\u044f\u0449\u0435\u0435 (in), \u0440\u0435\u0436\u0438\u043c \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u0430<br \/>\n4) уровень use означает, что при отсутствии SA трафик L2TP (в том числе входящий на порт 1701) пройдет в открытом виде, т.е. L2TP-сервер остается доступен и без IPsec; если шифрование должно быть обязательным, как в клиентском конфиге ниже, ставим require<br \/>\n\u041f\u0440\u0438\u043c\u0435\u043d\u044f\u0435\u0442\u0441\u044f \u0444\u0430\u0439\u043b \u043f\u0440\u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0435 \u043b\u0438\u0431\u043e, \u0447\u0442\u043e \u0443\u0434\u043e\u0431\u043d\u0435\u0435, \u043a\u043e\u043c\u0430\u043d\u0434\u043e\u0439:<br \/>\n<code>setkey -f \/usr\/local\/etc\/racoon\/setkey.conf<\/code><br \/>\n\u041d\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0435 \u0434\u0435\u043b\u0430\u0435\u043c \u043d\u0430\u043e\u0431\u043e\u0440\u043e\u0442 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u0435 \u0438 \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0438\u0435:<br \/>\n<code><br \/>\nflush;<br \/>\nspdflush;<br \/>\nspdadd 0.0.0.0\/0[0] 192.168.55.1\/32[1701] udp -P out  ipsec esp\/transport\/\/require;<br \/>\nspdadd 
192.168.55.1\/32[1701] 0.0.0.0\/0[0] udp -P in ipsec esp\/transport\/\/require;<br \/>\n<\/code><br \/>\nL2TP\/IPSec \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0447\u0435\u0440\u0435\u0437 \u0440\u0435\u0436\u0438\u043c \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u0430, \u0435\u0441\u043b\u0438 \u0447\u0442\u043e.<br \/>\n\u0412\u0442\u043e\u0440\u043e\u0439 \u0444\u0430\u0439\u043b \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 racoon.conf:<br \/>\n<code><br \/>\n# \"path\" affects \"include\" directives.  \"path\" must be specified before any<br \/>\n# \"include\" directive with relative file path.<br \/>\n# you can overwrite \"path\" directive afterwards, however, doing so may add<br \/>\n# more confusion.<br \/>\npath include \"\/usr\/local\/etc\/racoon\";<\/p>\n<p># the file should contain key ID\/key pairs, for pre-shared key authentication.<br \/>\npath pre_shared_key \"\/usr\/local\/etc\/racoon\/psk.txt\";<\/p>\n<p># racoon will look for certificate file in the directory,<br \/>\n# if the certificate\/certificate request payload is received.<br \/>\n# !!!! \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u043c, \u043e\u0442\u043a\u0443\u0434\u0430 \u0431\u0440\u0430\u0442\u044c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u044b<br \/>\npath certificate \"\/usr\/local\/etc\/racoon\/cert\";<\/p>\n<p># \"log\" specifies logging level.  It is followed by either \"notify\", \"debug\"<br \/>\n# or \"debug2\".<br \/>\n# \u0434\u043b\u044f \u043e\u0442\u043b\u0430\u0434\u043a\u0438, \u043f\u043e\u0442\u043e\u043c \u0436\u0435\u043b\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u0443\u0431\u0440\u0430\u0442\u044c<br \/>\nlog debug2;<\/p>\n<p># \"padding\" defines some padding parameters.  
You should not touch these.<br \/>\npadding<br \/>\n{<br \/>\n\tmaximum_length 20;\t# maximum padding length.<br \/>\n\trandomize off;\t\t# enable randomize length.<br \/>\n\tstrict_check off;\t# enable strict check.<br \/>\n\texclusive_tail off;\t# extract last one octet.<br \/>\n}<\/p>\n<p># if no listen directive is specified, racoon will listen on all<br \/>\n# available interface addresses.<br \/>\nlisten<br \/>\n{<br \/>\n\t#isakmp ::1 [7000];<br \/>\n        # \u0430\u0434\u0440\u0435\u0441, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0441\u043b\u0443\u0448\u0430\u0435\u0442 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b ISAKMP (\u0441\u043e\u0433\u043b\u0430\u0441\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f)<br \/>\n\tisakmp 192.168.55.1 [500];<br \/>\n        # \u044d\u0442\u043e \u043f\u043e\u043d\u0430\u0434\u043e\u0431\u0438\u0442\u0441\u044f \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b NAT-T<br \/>\n\tisakmp_natt 192.168.55.1 [4500];<br \/>\n}<\/p>\n<p># Specify various default timers.<br \/>\ntimer<br \/>\n{<br \/>\n\t# These value can be changed per remote node.<br \/>\n\tcounter 5;\t\t# maximum trying count to send.<br \/>\n\tinterval 20 sec;\t# maximum interval to resend.<br \/>\n\tpersend 1;\t\t# the number of packets per send.<\/p>\n<p>\t# maximum time to wait for completing each phase.<br \/>\n\tphase1 30 sec;<br \/>\n\tphase2 15 sec;<br \/>\n}<\/p>\n<p># \u0441\u0435\u043a\u0446\u0438\u044f \u043f\u0440\u0438\u0435\u043c\u0430 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u0445 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0439 \u0441 \u043b\u044e\u0431\u043e\u0433\u043e \u0430\u0434\u0440\u0435\u0441\u0430<br \/>\nremote anonymous<br \/>\n{<br \/>\n\texchange_mode main,aggressive;<br \/>\n\tlifetime time 24 hour;<br \/>\n\tdoi ipsec_doi;<br \/>\n\tsituation identity_only;<br \/>\n        
generate_policy on;<br \/>\n        # \u043f\u043e\u0441\u044b\u043b\u0430\u0435\u043c \u043a\u0438\u043f\u044d\u043b\u0430\u0439\u0432\u044b<br \/>\n\tdpd_delay 10;<br \/>\n\tdpd_retry 5;<br \/>\n\tdpd_maxfail 5;<\/p>\n<p>        # !!! \u044d\u0442\u043e \u0432\u0430\u0436\u043d\u043e \u0434\u043b\u044f \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0432, \u0441 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u043c \"\u0430\u0434\u0440\u0435\u0441\" \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u043d\u0435 \u0431\u0443\u0434\u0435\u0442<br \/>\n\tmy_identifier asn1dn ;<br \/>\n        peers_identifier asn1dn ;<\/p>\n<p>        # \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u043c \u043d\u0430\u0448\u0438 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u044b<br \/>\n\tcertificate_type x509 \"server\/server.crt\" \"server\/server.key\";<br \/>\n\tca_type x509 \"ca\/ca.crt\";<\/p>\n<p>\tnonce_size 16;<br \/>\n\tinitial_contact on;<br \/>\n\tproposal_check strict;\t# obey, strict, or claim<\/p>\n<p>        # \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b \u0444\u0430\u0437\u044b 1 (ISAKMP SA)<br \/>\n\tproposal {<br \/>\n\t\tencryption_algorithm aes;<br \/>\n\t\thash_algorithm sha1;<br \/>\n\t\tauthentication_method rsasig;<br \/>\n\t\tdh_group 2;<br \/>\n\t}<br \/>\n}<\/p>\n<p># \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b \u0444\u0430\u0437\u044b 2 (IPSec SA)<br \/>\nsainfo anonymous<br \/>\n{<br \/>\n\tpfs_group 2;<br \/>\n\tencryption_algorithm aes 256, aes, 3des;<br \/>\n\tauthentication_algorithm hmac_sha1;<br \/>\n\tcompression_algorithm deflate;<br \/>\n\tlifetime time 24 hour;<br \/>\n}<\/p>\n<p><\/code><br \/>\n\u041d\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0435 \u043e\u0442\u0432\u0435\u0442\u043d\u0430\u044f \u0447\u0430\u0441\u0442\u044c \u0442\u0430\u043a\u0430\u044f:<br \/>\n<code>path certificate \"\/usr\/local\/etc\/racoon\/cert\";<br \/>\npath 
pre_shared_key \"\/usr\/local\/etc\/racoon\/psk.txt\"; <\/p>\n<p>log     debug;<\/p>\n<p>padding {<br \/>\n\tmaximum_length 20;<br \/>\n        randomize off;<br \/>\n        strict_check off;<br \/>\n        exclusive_tail off;<br \/>\n        }<\/p>\n<p>listen {<br \/>\n        adminsock \"\/var\/db\/racoon\/racoon.sock\";<br \/>\n\t}<\/p>\n<p>timer {<br \/>\n        counter 5;<br \/>\n        interval 20 sec;<br \/>\n        persend 1;<br \/>\n        phase1 30 sec;<br \/>\n        phase2 15 sec;<br \/>\n        }<\/p>\n<p>remote 192.168.55.1 {<br \/>\n        exchange_mode main,aggressive;<br \/>\n        lifetime time 24 hour;<br \/>\n        # \u043d\u0435 \u0437\u0430\u0431\u044b\u0432\u0430\u0435\u043c<br \/>\n\tmy_identifier asn1dn ;<br \/>\n\tpeers_identifier asn1dn ;<br \/>\n        passive off;<br \/>\n        generate_policy off;<br \/>\n        # сертификат сервера проверяем обязательно: с verify_cert off любой, кто ответит за 192.168.55.1, сможет встать посередине туннеля (MITM)<br \/>\n        verify_cert on;<br \/>\n        # ca.crt копируем с сервера (cert\/ca\/ca.crt) в \/usr\/local\/etc\/racoon\/cert на клиенте<br \/>\n        ca_type x509 \"ca.crt\";<br \/>\n        send_cert on;<br \/>\n        send_cr on;<br \/>\n        # \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u044b \u043a\u043b\u0438\u0435\u043d\u0442\u0430, \u043f\u043e\u0434\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u0435 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435<br \/>\n        certificate_type x509 \"user.crt\" \"user.key\";<br \/>\n        proposal {<br \/>\n                encryption_algorithm aes;<br \/>\n                hash_algorithm sha1;<br \/>\n                authentication_method rsasig;<br \/>\n                dh_group 2;<br \/>\n                }<br \/>\n        }<\/p>\n<p>sainfo anonymous {<br \/>\n\tpfs_group 2;<br \/>\n        encryption_algorithm aes 256, aes, 3des;<br \/>\n        # hmac_md5 убран: слаб и сервером все равно не предлагается<br \/>\n        authentication_algorithm hmac_sha1;<br \/>\n        lifetime time 1 hour 
;<br \/>\n        compression_algorithm deflate;<br \/>\n        }<br \/>\n<\/code><br \/>\n\u0422\u0435\u043f\u0435\u0440\u044c \u043f\u043e\u0440\u0430 \u043f\u0435\u0440\u0435\u0439\u0442\u0438 \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043a \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430\u043c. \u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0441\u044f \u044d\u0442\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435\u0439:<br \/>\nhttp:\/\/www.lissyara.su\/articles\/freebsd\/security\/ipsec2\/<br \/>\n\u0412 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0435 \/usr\/local\/etc\/racoon\/cert \u0441\u043e\u0437\u0434\u0430\u0435\u043c \u0444\u0430\u0439\u043b<br \/>\nopenssl.cnf<br \/>\n<code><br \/>\n# Establish working directory.<br \/>\ndir                            = .                      <\/p>\n<p>HOME                    = .<br \/>\nRANDFILE                = $ENV::HOME\/.rnd<\/p>\n<p>[ ca ]<br \/>\ndefault_ca                              = CA_default<\/p>\n<p>[ CA_default ]<br \/>\nserial                                  = $dir\/ca\/serial<br \/>\ndatabase                                = $dir\/ca\/index.txt<br \/>\n# for crl<br \/>\n# the current crl number<br \/>\ncrlnumber                               = $dir\/ca\/crlnumber<br \/>\ncrl                                     = $dir\/ca\/crl.pem    # The current CRL<br \/>\ndefault_md                              = sha1             # which md to use.<br \/>\ndefault_crl_days                        = 1095    # how long before next CRL.<br \/>\nprivate_key                             = $dir\/ca\/ca.key # The private key<br \/>\ncertificate                             = $dir\/ca\/ca.crt<\/p>\n<p>[ req ]<br \/>\ndistinguished_name                      = req_distinguished_name<\/p>\n<p>[ req_distinguished_name ]<br \/>\ncountryName                     = Country Name (2 letter code)<br \/>\ncountryName_default             = UA<br \/>\ncountryName_min                 = 2<br 
\/>\ncountryName_max                 = 2<\/p>\n<p>stateOrProvinceName             = State or Province Name (full name)<br \/>\nstateOrProvinceName_default     = Oblast<\/p>\n<p>localityName                    = Locality Name (eg, city)<br \/>\nlocalityName_default            = Gorod<\/p>\n<p>0.organizationName              = Organization Name (eg, company)<br \/>\n0.organizationName_default      = Firma<\/p>\n<p># we can do this but it is not needed normally :-)<br \/>\n#1.organizationName             = Second Organization Name (eg, company)<br \/>\n#1.organizationName_default     = World Wide Web Pty Ltd<\/p>\n<p>organizationalUnitName          = Organizational Unit Name (eg, section)<br \/>\norganizationalUnitName_default  = IT<\/p>\n<p>commonName                      = Common Name (eg, YOUR name)<br \/>\ncommonName_max                  = 64<br \/>\ncommonName_default              = Admin<\/p>\n<p>emailAddress                    = Email Address<br \/>\nemailAddress_max                = 64<br \/>\nemailAddress_default            = e@mail.ru<\/p>\n<p># include a prompt for alternative names...<br \/>\nsubjectAltName = Alternative DNS names (comma separated list)<br \/>\nsubjectAltName_default = DNS:domain.com<br \/>\n<\/code><br \/>\n\u0417\u0430\u043f\u043e\u043b\u043d\u044f\u0435\u043c \u0432 \u044d\u0442\u043e\u043c \u0444\u0430\u0439\u043b\u0435 _default, \u0447\u0442\u043e\u0431\u044b \u043d\u0435 \u0432\u0432\u043e\u0434\u0438\u0442\u044c \u043a\u0430\u0436\u0434\u044b\u0439 \u0440\u0430\u0437.<br \/>\ncommonName для каждого клиента задаем свой, чтобы сертификаты можно было различать. Отзыв сертификатов в статье не настроен (CRL не выпускается), поэтому при компрометации клиентского ключа придется перевыпускать CA и все сертификаты — либо отдельно настроить CRL.<br \/>\n\u0414\u0430\u043b\u044c\u0448\u0435 \u0434\u0435\u043b\u0430\u0435\u043c 2 \u0441\u043a\u0440\u0438\u043f\u0442\u0430. 
\u041f\u0435\u0440\u0432\u044b\u0439<br \/>\ngenerate-server.sh<br \/>\n<code><br \/>\n#!\/bin\/sh<br \/>\nopenssl genrsa -aes256 -out ca\/ca.key 2048 -config openssl.cnf<br \/>\nopenssl req -new -x509 -days 1095 -key ca\/ca.key -out ca\/ca.crt -config openssl.cnf<br \/>\nopenssl genrsa -out server\/server.key 2048 -config openssl.cnf<br \/>\nopenssl req -new -key server\/server.key -out server\/server.csr -config openssl.cnf<br \/>\nopenssl x509 -req -days 365 -in server\/server.csr -CA ca\/ca.crt -CAkey ca\/ca.key -CAcreateserial -out server\/server.crt<br \/>\n<\/code><br \/>\n\u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u043c \u0431\u0435\u0437 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432, \u043e\u0442\u0432\u0435\u0447\u0430\u0435\u043c \u043d\u0430 \u0432\u043e\u043f\u0440\u043e\u0441\u044b, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u043a\u043b\u044e\u0447\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. \u041f\u043e\u0441\u043b\u0435 \u044d\u0442\u043e\u0433\u043e, \u0435\u0441\u043b\u0438 \u0431\u044b\u043b\u0438 \u0441\u0433\u0435\u043d\u0435\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u044b \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u0438\u0435 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u044b, \u0438\u0445 \u043f\u0440\u0438\u0434\u0435\u0442\u0441\u044f \u043f\u0435\u0440\u0435\u0433\u0435\u043d\u0435\u0440\u0438\u0440\u043e\u0432\u0430\u0442\u044c!!!<br \/>\n\u0412\u0442\u043e\u0440\u043e\u0439 \u0441\u043a\u0440\u0438\u043f\u0442:<br \/>\ngenerate-client.sh<br \/>\n<code><br \/>\n#!\/bin\/sh<br \/>\nopenssl genrsa -out client\/$1.key 2048 -config .\/openssl.cnf<br \/>\nopenssl req -new -key client\/$1.key -out client\/$1.csr -config .\/openssl.cnf<br \/>\nopenssl x509 -req -days 365 -in client\/$1.csr -CA ca\/ca.crt -CAkey ca\/ca.key -CAcreateserial -out client\/$1.crt<br \/>\n<\/code><br \/>\n\u0412\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u043c<br \/>\n<code>generate-client.sh user<\/code><br 
\/>\n\u043e\u0442\u0432\u0435\u0447\u0430\u0435\u043c \u043d\u0430 \u0432\u043e\u043f\u0440\u043e\u0441\u044b, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u043a\u043b\u044e\u0447\u0438 \u044e\u0437\u0435\u0440\u0430.<br \/>\n\u0422\u0435\u043f\u0435\u0440\u044c \u043a\u043e\u043f\u0438\u0440\u0443\u0435\u043c user.crt \u0438 user.key \u0438\u0437 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0430 client \u043d\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u0443\u044e \u043c\u0430\u0448\u0438\u043d\u0443, \u0432 \u043a\u0430\u0442\u0430\u043b\u043e\u0433 \/usr\/local\/etc\/racoon\/cert (туда же ca.crt, если на клиенте включен verify_cert). Копируем только по защищенному каналу (scp), на user.key ставим права 0600, а копию user.key на сервере после переноса удаляем — серверу приватный ключ клиента не нужен.<br \/>\n\u0422\u0430\u043a\u043e\u0435 \u043f\u0440\u043e\u0434\u0435\u043b\u044b\u0432\u0430\u0435\u043c \u0434\u043b\u044f \u043a\u0430\u0436\u0434\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043f\u043e\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u044f \u0432\u043c\u0435\u0441\u0442\u043e user \u0438\u043c\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f.<br \/>\n\u041d\u0430\u043f\u043e\u0441\u043b\u0435\u0434\u043e\u043a:<br \/>\n\/etc\/syslog.conf<br \/>\n<code>...<br \/>\n!mpd<br \/>\n*.*\t\t\t\t\t\t\/var\/log\/mpd.log<br \/>\n!racoon<br \/>\n*.*\t\t\t\t\t\t\/var\/log\/racoon.log<br \/>\n...<br \/>\n<\/code><br \/>\n\/etc\/newsyslog.conf<br \/>\n<code><br \/>\n...<br \/>\n\/var\/log\/mpd.log\t\t\t600  10\t   100\t*     JC<br \/>\n\/var\/log\/racoon.log\t\t\t600  10\t   100\t*     JC<br \/>\n...<br \/>\n<\/code><br \/>\n\u041f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c \u0441\u0438\u0441\u043b\u043e\u0433, \u043d\u044c\u044e\u0441\u0438\u0441\u043b\u043e\u0433, \u0435\u043d\u043e\u0442\u0430 \u043d\u0430 \u043e\u0431\u043e\u0438\u0445 \u043c\u0430\u0448\u0438\u043d\u0430\u0445, \u043f\u0440\u0438 \u0445\u043e\u0440\u043e\u0448\u043e \u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u043d\u044b\u0445 \u0437\u0432\u0435\u0437\u0434\u0430\u0445 
\u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0440\u0430\u0431\u043e\u0447\u0438\u0439 IPSec\/L2TP \u0442\u0443\u043d\u043d\u0435\u043b\u044c.<br \/>\n\u0415\u0441\u043b\u0438 \u0437\u0432\u0435\u0437\u0434\u044b \u043e\u0442\u0432\u0435\u0440\u043d\u0443\u043b\u0438\u0441\u044c, \u043b\u043e\u0432\u0438\u043c \u043a\u043e\u0441\u044f\u043a\u0438 \u0441\u043d\u0430\u0447\u0430\u043b\u0430 \u0432 \/var\/log\/racoon.log, \u0430 \u043a\u043e\u0433\u0434\u0430 \u0442\u0430\u043c \u0434\u043e\u0431\u0438\u0432\u0430\u0435\u043c\u0441\u044f \u0441\u0442\u0440\u043e\u0447\u0435\u043a:<br \/>\n<code><br \/>\nDec 24 14:49:26 hostname racoon: INFO: ISAKMP-SA established 192.168.55.1[500]-10.10.0.40[500] spi:xxxxx<br \/>\n\u0438 \u0434\u0430\u043b\u0435\u0435<br \/>\nDec 24 14:49:27 hostname racoon: INFO: IPsec-SA established: ESP\/Transport 192.168.55.1[500]-&gt;10.10.0.40[500] spi=xxxxxx<br \/>\n<\/code><br \/>\n\u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c \u043d\u0430\u043b\u0438\u0447\u0438\u0435 SA \u043a\u043e\u043c\u0430\u043d\u0434\u043e\u0439<br \/>\n<code>setkey -D<\/code><br \/>\n\u0438 \u043d\u0430\u0447\u0438\u043d\u0430\u0435\u043c \u0434\u0435\u0431\u0430\u0436\u0438\u0442\u044c MPD<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u0417\u0430\u0434\u0430\u0447\u0430: 2 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 FreeBSD 9.0 RELEASE, \u043c\u0435\u0436\u0434\u0443 \u043d\u0438\u043c\u0438 \u043d\u0443\u0436\u043d\u043e \u043f\u043e\u0434\u043d\u044f\u0442\u044c \u0442\u0443\u043d\u043d\u0435\u043b\u044c IPSec\/L2TP \u0418\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u044b: \/usr\/ports\/security\/ipsec-tools (racoon) 
\/usr\/ports\/net\/mpd5<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[],"_links":{"self":[{"href":"https:\/\/bos-info.com\/index.php?rest_route=\/wp\/v2\/posts\/457"}],"collection":[{"href":"https:\/\/bos-info.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bos-info.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bos-info.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bos-info.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=457"}],"version-history":[{"count":1,"href":"https:\/\/bos-info.com\/index.php?rest_route=\/wp\/v2\/posts\/457\/revisions"}],"predecessor-version":[{"id":458,"href":"https:\/\/bos-info.com\/index.php?rest_route=\/wp\/v2\/posts\/457\/revisions\/458"}],"wp:attachment":[{"href":"https:\/\/bos-info.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bos-info.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bos-info.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}