OpenVPN vs IPSec
Eugene Grosbein
eugen at grosbein.net
Sun Nov 19 18:42:53 UTC 2017
19.11.2017 22:15, Eugene Grosbein writes:
> 19.11.2017 21:57, Victor Sudakov wrote:
>
>>> I was able to successfully connect a Windows 8.1 client to a FreeBSD 11.1 server
>>> in L2TP/IPSEC mode using ipsec-tools (racoon) plus mpd5.
>>
>> Could you please share the setup here or in LiveJournal? I'm most
>> interested in the L2TP/mpd5 part.
>
> There is nothing special to share. Just take a look at its mpd.conf.sample.
> You can use the pptp_server part, replacing pptp-specific commands (set pptp)
> with l2tp-specific ones and, of course, changing link type "pptp" to "l2tp".
>
> You can even debug mpd5/l2tp part without engaging IPSec at all
> by using unencrypted "L2TP without IPSEC" clients to begin with.
Actually, there are some points worth mentioning:
- by default, Windows 8.1 does not send its FQDN attribute within IKE,
so you need to use "my_identifier address" and "verify_identifier off"
inside the remote {} section of racoon.conf in the case of a Windows roaming user
(or find a way to reconfigure Windows to include the FQDN attribute, if possible);
- Windows 8.1 needs a proposal with encryption_algorithm aes, hash_algorithm sha1
and dh_group modp2048 (not to mention 3des + dh_group modp1024);
- Windows 8.1 does not like the "l2tp hidden" mode that additionally
encrypts l2tp control packets, so do not use the "set l2tp enable hidden" / "set l2tp secret"
commands in mpd.conf and you will be fine.
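For illustration, here is a racoon.conf fragment (added here, not the poster's own configuration) that applies the identifier and proposal points above for a roaming Windows 8.1 L2TP/IPsec client; only the AES/SHA1/modp2048 proposal is offered so the weaker 3DES/modp1024 one is never negotiated. The listen address 203.0.113.10 and the pre-shared key file path are placeholders.

```conf
# racoon.conf fragment for L2TP/IPsec transport mode (example, placeholder values)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # placeholder path

listen {
        isakmp      203.0.113.10 [500];    # placeholder server address
        isakmp_natt 203.0.113.10 [4500];   # NAT-T port for clients behind NAT
}

# Roaming clients connect from unknown addresses, hence "anonymous".
remote anonymous {
        exchange_mode main;
        passive on;               # server side: only answer, never initiate
        my_identifier address;    # Windows 8.1 does not send an FQDN identifier
        verify_identifier off;    # so do not try to match the peer's identifier
        nat_traversal on;
        generate_policy on;       # build SPD entries for the client's address on the fly
        proposal_check obey;

        # The proposal Windows 8.1 accepts; the 3des + modp1024 alternative
        # it also offers is deliberately not configured here.
        proposal {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp2048;
        }
}

# Phase 2 (the ESP SA that carries the L2TP/UDP 1701 traffic).
sainfo anonymous {
        encryption_algorithm     aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
}
```

The mpd5 side follows the poster's advice: start from the pptp_server section of mpd.conf.sample with the link type changed to l2tp, and leave out "set l2tp enable hidden" and "set l2tp secret".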