Date: Mon, 20 Nov 2017 01:42:32 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Victor Sudakov <vas@mpeks.tomsk.su>
Cc: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <5A11D098.5050102@grosbein.net>
In-Reply-To: <5A11A019.9090302@grosbein.net>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <b96b449e-3dc1-6e75-e803-e6d6abefe88e@spam-fetish.org> <20171119120832.GA82727@admin.sibptus.transneft.ru> <d92dff62-3baf-a22d-bfac-5a668b276259@spam-fetish.org> <5A11882D.1050700@quip.cz> <ae7baceb-0aa9-3c76-d3d0-8cad09b6dc42@denninger.net> <5A119648.4080707@grosbein.net> <20171119145710.GF82727@admin.sibptus.transneft.ru> <5A11A019.9090302@grosbein.net>
19.11.2017 22:15, Eugene Grosbein wrote:
> 19.11.2017 21:57, Victor Sudakov wrote:
>
>>> I was able to successfully connect a Windows 8.1 client to a FreeBSD 11.1 server
>>> in the L2TP/IPSEC mode using ipsec-tools (racoon) plus mpd5.
>>
>> Could you please share the setup here or in LiveJournal? I'm most
>> interested in the L2TP/mpd5 part.
>
> There is nothing special to share. Just take a look at its mpd.conf.sample.
> You can use the pptp_server part, replacing pptp-specific commands (set pptp)
> with l2tp-specific ones and, of course, changing link type "pptp" to "l2tp".
>
> You can even debug the mpd5/l2tp part without engaging IPSec at all
> by using unencrypted "L2TP without IPSEC" clients to begin with.

Actually, there are some points worth mentioning:

- by default, Windows 8.1 does not send its FQDN attribute within IKE, so you need to use "my_identifier address" and "verify_identifier off" inside the remote {} section in racoon.conf in the case of a Windows roaming user (or find a way to reconfigure Windows to include the FQDN attribute, if possible);

- Windows 8.1 needs a proposal with encryption_algorithm aes, hash_algorithm sha1 and dh_group modp2048 (not to mention 3des + dh_group modp1024);

- Windows 8.1 does not like the "l2tp hidden" mode that additionally encrypts l2tp control packets, so do not use the "set l2tp enable hidden/set l2tp secret" commands in mpd.conf and you will be fine.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5A11D098.5050102>
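The three points above map onto a few specific directives in racoon.conf and mpd.conf. What follows is an added illustration, not Eugene's actual configuration and not a file shipped by ipsec-tools or mpd5: it shows a racoon remote {} block with the identifier and proposal settings he describes, and an mpd5 l2tp_server section laid out like the pptp_server section of mpd.conf.sample with the pptp commands swapped for l2tp ones and the hidden-AVP commands left out. The addresses (192.0.2.1, the 10.0.0.x pool), the pre-shared-key path and the section names are placeholders chosen for the example; the pre-shared key file, user secrets in mpd.secret and the sysctl/firewall side of a running server are not shown.

```conf
# --- /usr/local/etc/racoon/racoon.conf (example; addresses and paths are placeholders) ---
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed path; a "* <secret>" line covers roaming clients

listen {
    isakmp 192.0.2.1 [500];          # placeholder server address
    isakmp_natt 192.0.2.1 [4500];    # NAT-T port; Windows clients behind NAT use it
}

# Roaming Windows 8.1 client: it sends no FQDN identifier, so identify the
# server by its address and do not verify the peer's identifier (the first point above).
remote anonymous {
    exchange_mode main;
    passive on;                      # server side only answers, never initiates
    generate_policy on;              # build the transport-mode policy for UDP/1701 from the client's proposal
    nat_traversal on;
    my_identifier address;
    verify_identifier off;
    proposal_check obey;

    # Proposal Windows 8.1 actually negotiates: AES / SHA1 / MODP2048 (the second point above)
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
    # Fallback the client also offers: 3DES / SHA1 / MODP1024.
    # It is the weaker of the two; keep it only while clients that need it remain.
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# --- /usr/local/etc/mpd5/mpd.conf (example; follows the pptp_server layout of mpd.conf.sample) ---
default:
        load l2tp_server

l2tp_server:
        set ippool add pool1 10.0.0.50 10.0.0.99        # placeholder client address pool

        create bundle template B_l2tp
        set iface enable tcpmssfix
        set ipcp ranges 10.0.0.1/32 ippool pool1
        set ipcp dns 10.0.0.1

        create link template L_l2tp l2tp                # link type l2tp in place of pptp
        set link action bundle B_l2tp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set link mtu 1460
        set l2tp self 192.0.2.1                         # placeholder; takes the place of "set pptp self"
        # No "set l2tp enable hidden" and no "set l2tp secret" here (the third point above):
        # Windows 8.1 does not accept hidden AVPs in L2TP control messages.
        set link enable incoming
```

Before enabling IPsec, the mpd5 half can be checked on its own exactly as the post suggests: with racoon stopped and no SPD entry for UDP/1701, a client configured for "L2TP without IPsec" should reach the CHAP exchange, which isolates mpd.conf problems from racoon.conf ones. Once racoon is running, the first proposal block is the one a stock Windows 8.1 client should select; seeing the connection fall back to the 3DES/MODP1024 block is a sign the client or a middlebox is not offering the stronger set.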