我在一台BSD网关上配置了mpd vpn server,我想在另一台BSD网关上连接到这台mpd上,实现lan to lan。
请问一下用什么软件连接到那台mpd server上?
successc 回复于:2006-12-14 17:46:22
MPD是可以互连的,只不过网上的这种资料非常少而已。
http://www.haodf.net/internet/network/saft/200609/159853.html
本文将通过一个实例,来讲解如何利用开放源代码(GNU)的mpd软件来搭建一个基于PPTP(Point-to-Point Tunnel Protocol)协议的VPN通道。
--[ 网络环境与拓扑结构 ]----
两端的防火墙网关均采用FreeBSD 4.5-Stable + IP Filter 3.4.27
[[The No.1 Picture.]]
--[ 安装 ]------------------
注:GW-A和GW-B的mpd软件包安装过程完全相同。
GW-A # cd /usr/ports/net/mpd
GW-A # make
GW-A # make install
这是FreeBSD ports的安装标准三步,最简单不过了。
如果是手工下载mpd软件包,步骤也差不多,只不过需要自己手工修改Makefile中的一
些参数而已。
--[ 配置 ]----
1、 确保系统支持netgraph和ng_*。可以修改内核编译配置文件将其编译到内核中,但缺省情况下它们通常都会被编译成内核模块,可以由内核自动加载。因此,只需确保/modules目录下包含以下内核模块:
netgraph.ko
ng_bpf.ko
ng_iface.ko
ng_ksocket.ko
ng_mppc.ko
ng_ppp.ko
ng_pptpgre.ko
ng_socket.ko
ng_vjc.ko
2、 确保系统的securelevel不大于零,否则无法加载内核模块。(如果将内核模块直接编译到内核中,则无此限制。)
GW-A # sysctl kern.securelevel
kern.securelevel: -1
3、 创建GW-A的/usr/local/etc/mpd.*配置文件。
GW-A # cd /usr/local/etc/mpd
GW-A # cat > mpd.conf << __EOF__
default:
load nsfocusvpn
nsfocusvpn:
new -i ng0 vpn vpn
set iface disable on-demand
set iface addrs 192.168.1.254 192.168.2.254
set iface idle 0
set iface route 192.168.2.0/24
set bundle disable multilink
set bundle authname "NSFLogin"
set bundle password "NSFPassword"
set link yes acfcomp protocomp
set link no pap
set link yes chap
# If remote machine is NT you need this..
# set link enable no-orig-auth
set link keep-alive 10 75
set ipcp yes vjcomp
set ipcp ranges 192.168.1.254/32 192.168.2.254/32
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e40
set ccp yes mpp-e128
set bundle enable crypt-reqd
set ccp yes mpp-stateless
__EOF__
GW-A # cat > mpd.links << __EOF__
#
# For our PPTP VPN connection to 192.168.2.0/24
#
nsfocusvpn:
set link type pptp
set pptp self 211.xxx.xxx.31
set pptp peer 202.yyy.yyy.25
set pptp enable originate incoming outcall
__EOF__
4、 创建GW-B的/usr/local/etc/mpd.*配置文件。
GW-B # cd /usr/local/etc/mpd
GW-B # cat > mpd.conf << __EOF__
default:
load nsfocusvpn
nsfocusvpn:
new -i ng0 vpn vpn
set iface disable on-demand
set iface addrs 192.168.2.254 192.168.1.254
set iface idle 0
set iface route 192.168.1.0/24
set bundle disable multilink
set bundle authname "NSFLogin"
set bundle password "NSFPassword"
set link yes acfcomp protocomp
set link no pap
set link yes chap
# If remote machine is NT you need this..
# set link enable no-orig-auth
set link keep-alive 10 75
set ipcp yes vjcomp
set ipcp ranges 192.168.2.254/32 192.168.1.254/32
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e40
set ccp yes mpp-e128
set bundle enable crypt-reqd
set ccp yes mpp-stateless
__EOF__
GW-A # cat > mpd.links << __EOF__
#
# For our PPTP VPN connection to 192.168.1.0/24
#
nsfocusvpn:
set link type pptp
set pptp self 202.yyy.yyy.25
set pptp peer 211.xxx.xxx.31
set pptp enable originate incoming outcall
__EOF__
5、配置防火墙规则,以允许VPN协商及通讯通过。
(注:以下为手工添加规则,待测试成功后需将这些规则写入启动配置文件中。)
GW-A # ipf -f -
@1 pass in quick on ng0 all
@2 pass in quick on xl0 proto tcp from 202.yyy.yyy.25 to 211.xxx.xxx.31 port = 1723 keep state
@3 pass in quick on xl0 proto gre all
@4 pass in quick on xl1 proto tcp/udp from 192.168.1.0/24 to 192.168.2.0/24 keep state
@5 pass in quick on xl1 proto icmp from 192.168.1.0/24 to 192.168.2.0/24 keep state
...
...
@1 pass out quick on ng0 all
@2 pass out quick on xl0 proto tcp from 211.xxx.xxx.31 to 202.yyy.yyy.25 port = 1723 keep state
@3 pass out quick on xl0 proto gre all
@4 pass out quick on xl1 proto tcp/udp from 192.168.2.0/24 to 192.168.1.0/24 keep state
@5 pass out quick on xl1 proto icmp from 192.168.2.0/24 to 192.168.1.0/24 keep state
...
...
GW-B # ipf -f -
@1 pass in quick on ng0 all
@2 pass in quick on xl0 proto tcp from 211.xxx.xxx.31 to 202.yyy.yyy.25 port = 1723 keep state
@3 pass in quick on xl0 proto gre all
@4 pass in quick on xl1 proto tcp/udp from 192.168.2.0/24 to 192.168.1.0/24 keep state
@5 pass in quick on xl1 proto icmp from 192.168.2.0/24 to 192.168.1.0/24 keep state
...
...
@1 pass out quick on ng0 all
@2 pass out quick on xl0 proto tcp from 202.yyy.yyy.25 to 211.xxx.xxx.31 port = 1723 keep state
@3 pass out quick on xl0 proto gre all
@4 pass out quick on xl1 proto tcp/udp from 192.168.1.0/24 to 192.168.2.0/24 keep state
@5 pass out quick on xl1 proto icmp from 192.168.1.0/24 to 192.168.2.0/24 keep state
...
...
--[ 启动和测试 ]--------
1、 启动mpd守护进程
/usr/local/sbin/mpd -b
(不带-b参数运行则mpd进程将在前台运行,会输出显示一些信息。)
2、 测试
首先检查PPTP通道是否已成功建立。
GW-A # ifconfig ng0
ng0: flags=88d1 mtu 1496
inet 192.168.1.254 --> 192.168.2.254 netmask 0xffffffff
GW-B # ifconfig ng0
ng0: flags=88d1 mtu 1496
inet 192.168.2.254 --> 192.168.1.254 netmask 0xffffffff
然后在192.168.1.0/24和192.168.2.0/24之间进行网络访问测试。
boxyyl 回复于:2006-12-18 16:12:06
那着样配置IPF可以不
@1 pass in quick on ng0 all
@2 pass in quick on xl0 proto tcp from VPN服务器的IP port = 1723 keep state
@3 pass in quick on xl0 proto gre all
@4 pass in quick on xl1 proto tcp/udp from 获得的网段 keep state
@5 pass in quick on xl1 proto icmp from 获得的网段 keep state
@1 pass out quick on ng0 all
@2 pass out quick on xl0 proto tcp from VPN服务器的IP port = 1723 keep state
@3 pass out quick on xl0 proto gre all
@4 pass out quick on xl1 proto tcp/udp from 获得的网段 keep state
@5 pass out quick on xl1 proto icmp from 获得的网段 keep state
|
