b4tman · December 6, 2024 13:01
diff --git a/ipsec.secrets b/ipsec.secrets
 %any %any : RSA vpnHostKey.pem
diff --git a/ipsecc.conf b/ipsecc.conf
 conn rw-base
    fragmentation=yes
    dpdaction=clear
    dpdtimeout=90s
    dpddelay=30s

 conn l2tp-vpn
    also=rw-base
    authby=rsasig
    ike=aes256-sha512-modp3072
    esp=aes256-sha512-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    #leftauth=psk
    left=%any
    right=%any
    #leftauth=pubkey
    leftcert=vpnHostCert.der
    #leftrsasigkey=vpnHostKey.der
    #rightauth=pubkey
    rightrsasigkey=%cert
    type=transport
    auto=add
diff --git a/l2tp-make-client-cert.sh b/l2tp-make-client-cert.sh
 #!/bin/sh

 export DIR=$(pwd)
 export NAME=$1
 export PKI_BASE=/etc/ipsec.d
 export KEY_DER_FILE=$PKI_BASE/private/$NAME-key.der
 export KEY_PEM_FILE=$PKI_BASE/private/$NAME-key.pem
 export CERT_DER_FILE=$PKI_BASE/certs/$NAME-cert.der
 export CERT_PEM_FILE=$PKI_BASE/certs/$NAME-cert.pem

 if [ "$#" -ne 1 ]; then
    echo "Illegal number of parameters, name required"
    exit 1
 fi

 echo "build client $NAME"
 cd /etc/ipsec.d

 ipsec pki --gen --type rsa --size 4096 --outform der > $KEY_DER_FILE
 chmod 600 $KEY_DER_FILE

 ipsec pki --pub --in $KEY_DER_FILE --type rsa | ipsec pki --issue --lifetime 6650 --cacert $PKI_BASE/cacerts/strongswanCert.der --cakey $PKI_BASE/private/strongswanKey.der --dn "C=RU, O=Example Company, CN=$NAME@example.org" --san "$NAME@example.org" --outform der > $CERT_DER_FILE

 openssl rsa -inform DER -in $KEY_DER_FILE -out $KEY_PEM_FILE -outform PEM
 openssl x509 -inform DER -in $CERT_DER_FILE -out $CERT_PEM_FILE -outform PEM
 openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM

 openssl pkcs12 -export -inkey $KEY_PEM_FILE -in $CERT_PEM_FILE -name "$NAME VPN Certificate" -certfile $PKI_BASE/cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out $DIR/$NAME.p12

 cd $DIR
diff --git a/options.xl2tpd b/options.xl2tpd
 asyncmap 0
 auth
 crtscts
 lock
 hide-password
 modem
 mtu 1460
 lcp-echo-interval 30
 lcp-echo-failure 4
 noipx
 refuse-pap
 refuse-chap
 refuse-mschap
 require-mschap-v2
 multilink
 mppe-stateful
diff --git a/xl2tp.conf b/xl2tp.conf
 [global]
 port = 1701
 auth file = /etc/ppp/chap-secrets
 access control = no
 ipsec saref = yes
 force userspace = yes

 [lns default]
 exclusive = no
 ip range = 10.2.2.100-10.2.2.199
 hidden bit = no
 local ip = 10.2.2.1
 length bit = yes
 require authentication = yes
 name = l2tp-vpn
 pppoptfile = /etc/ppp/options.xl2tpd
 flow bit = yes
 ; challenge = yes
	conn rw-base
	fragmentation=yes
	dpdaction=clear
	dpdtimeout=90s
	dpddelay=30s

	conn l2tp-vpn
	also=rw-base
	authby=rsasig
	ike=aes256-sha512-modp3072
	esp=aes256-sha512-modp3072
	leftsubnet=%dynamic[/1701]
	rightsubnet=%dynamic
	#leftauth=psk
	left=%any
	right=%any
	#leftauth=pubkey
	leftcert=vpnHostCert.der
	#leftrsasigkey=vpnHostKey.der
	#rightauth=pubkey
	rightrsasigkey=%cert
	type=transport
	auto=add
	#!/bin/sh

	export DIR=$(pwd)
	export NAME=$1
	export PKI_BASE=/etc/ipsec.d
	export KEY_DER_FILE=$PKI_BASE/private/$NAME-key.der
	export KEY_PEM_FILE=$PKI_BASE/private/$NAME-key.pem
	export CERT_DER_FILE=$PKI_BASE/certs/$NAME-cert.der
	export CERT_PEM_FILE=$PKI_BASE/certs/$NAME-cert.pem

	if [ "$#" -ne 1 ]; then
	echo "Illegal number of parameters, name required"
	exit 1
	fi

	echo "build client $NAME"
	cd /etc/ipsec.d

	ipsec pki --gen --type rsa --size 4096 --outform der > $KEY_DER_FILE
	chmod 600 $KEY_DER_FILE

	ipsec pki --pub --in $KEY_DER_FILE --type rsa \| ipsec pki --issue --lifetime 6650 --cacert $PKI_BASE/cacerts/strongswanCert.der --cakey $PKI_BASE/private/strongswanKey.der --dn "C=RU, O=Example Company, CN=$NAME@example.org" --san "$NAME@example.org" --outform der > $CERT_DER_FILE

	openssl rsa -inform DER -in $KEY_DER_FILE -out $KEY_PEM_FILE -outform PEM
	openssl x509 -inform DER -in $CERT_DER_FILE -out $CERT_PEM_FILE -outform PEM
	openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM

	openssl pkcs12 -export -inkey $KEY_PEM_FILE -in $CERT_PEM_FILE -name "$NAME VPN Certificate" -certfile $PKI_BASE/cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out $DIR/$NAME.p12

	cd $DIR
	asyncmap 0
	auth
	crtscts
	lock
	hide-password
	modem
	mtu 1460
	lcp-echo-interval 30
	lcp-echo-failure 4
	noipx
	refuse-pap
	refuse-chap
	refuse-mschap
	require-mschap-v2
	multilink
	mppe-stateful
	[global]
	port = 1701
	auth file = /etc/ppp/chap-secrets
	access control = no
	ipsec saref = yes
	force userspace = yes

	[lns default]
	exclusive = no
	ip range = 10.2.2.100-10.2.2.199
	hidden bit = no
	local ip = 10.2.2.1
	length bit = yes
	require authentication = yes
	name = l2tp-vpn
	pppoptfile = /etc/ppp/options.xl2tpd
	flow bit = yes
	; challenge = yes