Friday, 15 April 2011

Configure L2TP to connect your Android

Install an L2TP server on Debian.
1.- Install the following packages and their dependencies:

aptitude install xl2tpd openswan
========================================================
2º.- Configure openswan in /etc/ipsec.conf:
config setup
  protostack=netkey
  nat_traversal=yes

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=172.16.31.1   <-- replace this IP address with the IPv4 address of this machine
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/1701

conn passthrough-for-non-l2tp
  type=passthrough
  left=172.16.31.1  <-- replace this IPv4 address with the IPv4 address of this machine
  leftnexthop=0.0.0.0
  right=0.0.0.0
  rightsubnet=0.0.0.0/0
  auto=route
=================================================================
3º.- In the file /etc/ipsec.secrets, change:
172.16.31.1 %any: "mysecretpresharedkeypassword"   <-- replace the address with the IPv4 address of this machine
=================================================================
4º.- Configure xl2tpd (/etc/xl2tpd/xl2tpd.conf) and pppd:
[global]                ; Global parameters:
port = 1701             ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
access control = no         ; * 'yes' would refuse connections without IP match
rand source = dev                     ; Source for entropy for random numbers

[lns default]             ; Our fallthrough LNS definition
exclusive = no            ; * 'yes' would permit only one tunnel per host
ip range = 81.187.223.214 - 81.187.223.216  <-- enter the IP range you wish to give out to your clients here
local ip = 81.187.223.193      <-- address of the L2TP end of the tunnel (i.e. this machine)
refuse authentication = yes     ; * Refuse authentication altogether
refuse pap = yes            ; * Refuse PAP authentication
refuse chap = yes           ; * Refuse CHAP authentication
ppp debug = no            ; * 'yes' would turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
==================================================================
5º.- Put the following in the file /etc/ppp/options.l2tpd:
# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# Do not authenticate incoming connections. This is handled by IPsec.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 81.187.223.193  <-- change this to the IPv4 address of your DNS server
ms-dns 81.187.223.198  <-- add extra entries if necessary

mtu 1400
mru 1400
==================================================================
6º.- Restart the openswan and xl2tpd services:
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
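A pre-flight check for the files written in steps 2, 3 and 5, run before the restart above. This is an added example, not part of the original post: it assumes only the file formats shown in those steps, works on constructed sample copies so it runs offline, and the function names, the 20-character PSK minimum and the temp-dir paths are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks on the files
# from steps 2, 3 and 5 before the restart in step 6. Constructed sample files
# mirroring the post are written to a temp dir so it runs offline; on a real
# server point IPSEC_CONF, IPSEC_SECRETS and PPP_OPTS at the files under /etc.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
IPSEC_CONF="$TMP/ipsec.conf"; IPSEC_SECRETS="$TMP/ipsec.secrets"; PPP_OPTS="$TMP/options.l2tpd"

cat > "$IPSEC_CONF" <<'EOF'
conn L2TP-PSK-noNAT
  authby=secret
  left=172.16.31.1
  leftprotoport=17/1701
EOF
# The constructed secrets file deliberately still carries the post's placeholder PSK.
printf '172.16.31.1 %%any: "mysecretpresharedkeypassword"\n' > "$IPSEC_SECRETS"
printf 'noauth\nrefuse-chap\nrefuse-mschap\nrefuse-mschap-v2\nmtu 1400\n' > "$PPP_OPTS"

# Address openswan binds the L2TP conn to (first 'left=' in ipsec.conf).
ipsec_left()   { sed -n 's/^[[:space:]]*left=\([0-9.]*\).*/\1/p' "$IPSEC_CONF" | head -n 1; }
# Address and PSK from the '<addr> %any: "<psk>"' line in ipsec.secrets.
secrets_addr() { sed -n 's/^[[:space:]]*\([0-9.]*\)[[:space:]]*%any:.*/\1/p' "$IPSEC_SECRETS" | head -n 1; }
secrets_psk()  { sed -n 's/.*%any:[[:space:]]*"\([^"]*\)".*/\1/p' "$IPSEC_SECRETS" | head -n 1; }

# 0 if ipsec.conf and ipsec.secrets name the same server address (a mismatch
# means no PSK is found for the conn and every client fails IKE), else 1.
check_addr_match() { [ -n "$(ipsec_left)" ] && [ "$(ipsec_left)" = "$(secrets_addr)" ]; }

# 0 if the PSK was changed from the placeholder and has at least 20 characters, else 1.
check_psk_strength() {
    psk=$(secrets_psk)
    [ "$psk" != "mysecretpresharedkeypassword" ] && [ "${#psk}" -ge 20 ]
}

# 0 if pppd skips user authentication ('noauth'), i.e. the one shared PSK is the
# only credential and any client holding it gets a tunnel and a pool address.
ppp_auth_disabled() { grep -q '^[[:space:]]*noauth' "$PPP_OPTS"; }

report() {
    check_addr_match   && echo "ok:   left= in ipsec.conf matches ipsec.secrets" \
                       || echo "FAIL: server address differs between ipsec.conf and ipsec.secrets"
    check_psk_strength && echo "ok:   PSK is not the placeholder" \
                       || echo "FAIL: PSK is still the placeholder or shorter than 20 characters"
    ppp_auth_disabled  && echo "note: pppd has noauth, so the PSK is the only credential and all clients share it" \
                       || echo "ok:   pppd authenticates users itself"
}
report
```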

Install freeradius

Short howto for installing freeradius with a PostgreSQL database on Debian.

It is assumed that the "freeradius-postgresql" package and the PostgreSQL database server are already installed with their dependencies.

Create PostgreSQL Database

1º- Create the PostgreSQL user and database that freeradius will use to connect.

su - postgres
createuser radius --no-superuser --no-createdb --no-createrole -P
createdb radius --owner=radius
exit
===========================================

2º.- Go to the directory /etc/freeradius/sql/postgresql and check that these files are present.


-rw-r--r-- 1 root root     1001 sep  8  2008 admin.sql
-rw-r----- 1 root freerad 17994 sep  8  2008 cisco_h323_db_schema.sql
-rw-r----- 1 root freerad  4536 sep  8  2008 counter.conf
-rw-r----- 1 root freerad 14025 sep  8  2008 dialup.conf
-rw-r----- 1 root freerad  4415 sep  8  2008 ippool.conf
-rw-r----- 1 root freerad   749 sep  8  2008 ippool.sql
-rw-r----- 1 root freerad   367 sep  8  2008 nas.sql
-rw-r----- 1 root freerad  5357 sep  8  2008 schema.sql
-rw-r----- 1 root freerad  1076 sep  8  2008 update_radacct_group_trigger.sql
-rw-r----- 1 root freerad  4709 sep  8  2008 voip-postpaid.conf

=======================================
3º.- Run the following scripts, in this order:

E.g.: psql -U radius radius < schema.sql
schema.sql
ippool.sql
nas.sql

=======================================

4º.- Configure the user and password for access to the PostgreSQL database in:

/etc/freeradius/sql.conf

=======================================
5º.- Uncomment "sql" in:

/etc/freeradius/sites-enabled/default

in the sections:

"authorize {}"  "accounting {}" "session{}" and "post-auth{}"

=======================================

6º.- In /etc/freeradius/radiusd.conf, uncomment the line that includes the database access configuration:

$INCLUDE sql.conf

=======================================

7º.- Include the specific dictionaries

Add the following line to /etc/freeradius/dictionary:

# Include the specific dictionary
$INCLUDE        /usr/share/freeradius/dictionary.cisco

Now all that remains is to configure a NAS and tell RADIUS who has access (network ranges, users...).