topology
10.1.1.1 (LAN) --------- 211.1.1.118 (WAN, server) --------------------------- 211.1.1.105 (client, Win7)
1. install the L2TP package mpd5
cd /usr/ports/net/mpd5 ; make install clean
2. vi /usr/local/etc/mpd5/mpd.conf
default:
load l2tp
l2tp:
set ippool add pool1 192.168.1.50 192.168.1.99
# create link template L1 pppoe
create link template M l2tp
# set pppoe iface fxp0
# We must require authentication so that we learn the peer's login
set link no pap chap eap
set link enable pap chap
# load radius
set link action bundle B
set link enable incoming
create link template L2 l2tp
create bundle template B
set ipcp ranges 192.168.1.1/32 ippool pool1
3. install ipsec-tools
cd /usr/ports/security/ipsec-tools/ ; make install clean
4. mkdir /usr/local/etc/racoon
cd /usr/local/share/examples/ipsec-tools/
cp *.* /usr/local/etc/racoon/
5. Build a Kernel with IPsec support
options IPSEC
#options IPSEC_NAT_T
device crypto
cd /usr/src
make buildkernel
make installkernel
shutdown -r now
6. cd /usr/local/etc/racoon/
vi psk.txt , then add one line per peer: the peer address followed by its pre-shared key, e.g. ==> 211.1.1.105 cisco
save it, then chmod 400 psk.txt so the key is readable by root only
7. vi ipsec.conf
flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 udp -P in ipsec esp/transport//require;
8. vi racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
remote anonymous
{
#exchange_mode main,aggressive,base;
exchange_mode main,base;
#my_identifier fqdn "server.kame.net";
#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
lifetime time 24 hour ; # sec,min,hour
#initial_contact off ;
#passive on ;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
# the configuration could make racoon (as a responder)
# obey the initiator's lifetime and PFS group proposal,
# by setting proposal_check to obey.
# this would make testing "so much easier", but is really
# *not* secure !!!
proposal_check strict;
}
# phase 2 proposal (for IPsec SA).
# the actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
# pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
9. vi /etc/rc.conf
#vpn server
mpd_enable="YES"
#ipsec
racoon_enable="yes"
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/ipsec.conf"
10. enable mpd and ipsec
/usr/local/etc/rc.d/mpd start
/etc/rc.d/ipsec start ==> loads the SPD; to verify, check the policies with setkey -DP and the established SAs with setkey -D
/usr/local/etc/rc.d/racoon start ==> starts the ISAKMP (IKE) daemon for IPsec
or /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l racoon.log ==> runs racoon in the foreground with a log file, for debugging
11. from Win7, connect with the built-in L2TP VPN client; once the connection succeeds,
check the policies with setkey
root@abc[/usr/local/etc/racoon]> setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] udp
in ipsec
esp/transport//require
spid=21 seq=1 pid=3961
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] udp
out ipsec
esp/transport//require
spid=20 seq=0 pid=3961
refcnt=1
Reference: http://forums.freebsd.org/viewtopic.php?t=26755