2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Differences, advantages and disadvantages of PPTP, L2TP and IPsec
1. PPTP (Point-to-Point Tunneling Protocol):
PPTP separates control traffic from data traffic. The control connection runs over TCP (port 1723) and carries session state queries and signalling; data packets are first encapsulated in PPP and then in the enhanced GRE header defined in RFC 2637. Note that PPTP's usual protection (MS-CHAPv2 authentication with MPPE/RC4 encryption) is considered broken, so PPTP should be avoided for new deployments where confidentiality matters.
2. L2TP (Layer 2 Tunneling Protocol) is an IETF standard (RFC 2661):
It combines PPTP with Cisco's Layer 2 Forwarding (L2F) protocol and can carry PPP frames over a variety of transports, including IP, ATM, SONET and Frame Relay. L2TP itself provides no encryption and only weak tunnel authentication, so it is normally run inside IPsec (L2TP/IPsec, RFC 3193), which supplies confidentiality, integrity and peer authentication.
3. Relationship and differences between the two:
Similarity: both PPTP and L2TP encapsulate the payload in PPP and then add extra headers so it can be carried across the Internet. Beyond that, they differ in the following ways.
Differences:
1) PPTP requires an IP transit network. L2TP only requires that the tunnel medium provide packet-oriented point-to-point connectivity, so it runs over IP (using UDP port 1701), Frame Relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs.
2) PPTP can establish only a single tunnel between two endpoints. L2TP supports multiple tunnels between the same endpoints, for example one per quality-of-service class.
3) L2TP supports header compression: with compression enabled the L2TP overhead is 4 bytes, versus 6 bytes for PPTP.
4) L2TP provides tunnel authentication; PPTP does not. When either protocol is used together with IPsec, IPsec authenticates the peers, so tunnel authentication at layer 2 is unnecessary.
Advantages of IPsec
When IPsec is implemented in a router or firewall, it provides strong security for all traffic crossing the perimeter, while traffic within a company or workgroup incurs no security-related processing overhead. Some of the advantages of IPsec are:
IPsec sits below the transport layer and is therefore transparent to applications. When IPsec runs on a router or firewall, no software on user or server systems has to change; even when IPsec runs on end systems, upper-layer software such as applications is unaffected.
IPsec is transparent to end users, so there is no need to train users in security mechanisms or to issue keying material per user.
IPsec can also provide security for individual users where needed, which protects sensitive information within an enterprise.
IPsec is becoming part of the Internet infrastructure; some institutions have deployed it partially or fully. Christian Huitema, former chair of the IAB, has described the debate about how to secure the Internet as one of the most heated he has seen, and one of its topics is whether security belongs at the IP layer at all. To provide IP-level security, IPsec must be part of the network code on every relevant platform, including Windows NT, Unix and Macintosh systems.
Many Internet applications already ship with security features of their own: Netscape Navigator and Microsoft Internet Explorer support the Secure Sockets Layer (SSL) protocol for protecting web traffic, and some products support the Secure Electronic Transaction (SET) protocol for protecting credit-card transactions. What is still needed, however, is network-level protection, which is exactly what IPsec provides.
This article deploys L2TP over IPsec (libreswan + xl2tpd) on CentOS 7.
1. Basic environment
eth0 (192.168.56.11) is the interface clients connect to; eth2 (10.0.0.1) is the internal network, from which the client address pool used later (10.0.0.100-10.0.0.200) is taken.
[root@bogon tmp]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@bogon tmp]# ifconfig
eth0: flags=4163  mtu 1500
        inet 192.168.56.11  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::20c:29ff:fe19:7f25  prefixlen 64  scopeid 0x20
        ether 00:0c:29:19:7f:25  txqueuelen 1000  (Ethernet)
        RX packets 655392  bytes 86779661 (82.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 853465  bytes 156410883 (149.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth2: flags=4163  mtu 1500
        inet 10.0.0.1  netmask 255.0.0.0  broadcast 10.255.255.255
        inet6 fe80::20c:29ff:fe19:7f2f  prefixlen 64  scopeid 0x20
        ether 00:0c:29:19:7f:2f  txqueuelen 1000  (Ethernet)
        RX packets 222  bytes 22794 (22.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 215  bytes 26245 (25.6 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
[root@bogon tmp]#
2. Install software
From CentOS 7 on, the IPsec package is libreswan rather than openswan.
yum install xl2tpd
yum install libreswan
3. Modify the IPsec configuration file (add these lines so that clients behind NAT can establish an L2TP connection)
[root@bogon tmp]# vim /etc/ipsec.conf
config setup
    # ... existing options unchanged ...
    nat_traversal=yes          # newly added
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
Notes: libreswan always has NAT traversal enabled, so nat_traversal=yes is accepted only for compatibility (later releases flag it as obsolete); virtual_private is what matters, as it lists the private address ranges a NATed client may have behind its NAT. Libreswan's documentation recommends excluding the server's own LAN from that list with a "!" entry (for example %v4:!10.0.0.0/8) where it overlaps, which it does here because eth2 is on 10.0.0.0/8.
4. Create the connection profile that ties IPsec to the L2TP service
[root@bogon tmp]# cd /etc/ipsec.d/
[root@bogon ipsec.d]# cat l2tp_psk.conf     # this file does not exist yet and must be created by hand
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.56.11
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
[root@bogon ipsec.d]#
The connection uses IPsec transport mode to protect UDP port 1701 (L2TP) between the server address and any peer; authby=secret means authentication is by pre-shared key, and pfs=no is set because the built-in Windows client does not negotiate PFS. Because a single PSK is shared by every client, anyone who has it can impersonate the server to other clients, so the key must be rotated whenever a user leaves.
5. Establishing an L2TP connection requires a pre-shared key. The key is configured as follows:
[root@bogon ipsec.d]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
[root@bogon ipsec.d]# cd /etc/ipsec.d/
[root@bogon ipsec.d]# ll
total 40
-rw-------  1 root root  9216 Apr 11 01:50 cert9.db
-rw-------  1 root root 11264 Apr 11 01:50 key4.db
-rw-r--r--  1 root root   362 Apr 11 01:47 l2tp_psk.conf
-rw-r--r--  1 root root    33 Apr 11 01:49 linuxcc_l2tp.secrets
-rw-------  1 root root   419 Apr 11 01:50 pkcs11.txt
drwx------  2 root root    90 Apr 11 01:44 policies
-rw-r--r--  1 root root  1338 Nov 12 09:58 v6neighbor-hole.conf
[root@bogon ipsec.d]# cat linuxcc_l2tp.secrets     # create it if it does not exist
192.168.56.11 %any: PSK "123456"
[root@bogon ipsec.d]#
The format is "<server address> %any: PSK "<key>"". "123456" is only a placeholder: use a long random key in practice, and note that the secrets file above is world-readable (0644); it should be chmod 600 like the other key material in this directory.
6. Kernel settings. Edit /etc/sysctl.conf to match the following (or copy it in directly) and run sysctl -p to apply it.
vim /etc/sysctl.conf
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
The entries that matter for IPsec are ip_forward = 1, rp_filter = 0 and the two ICMP redirect settings; the rest is general TCP tuning. Note that the all/default rp_filter entries do not lower the value of an interface that already has rp_filter enabled (the effective setting is the larger of "all" and the interface's own), so add net.ipv4.conf.eth0.rp_filter = 0 (and one line per other interface) as well, otherwise ipsec verify keeps reporting eth0, as shown in the next step. Disabling rp_filter removes a source-address sanity check, which is why libreswan asks for it only on interfaces that carry IPsec.
7. Verify the IPsec service configuration:
ipsec setup start      # legacy wrapper; on CentOS 7 use systemctl start ipsec, as in step 8
An error reported by ipsec verify, and its fix:
[root@bogon ipsec.d]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.10.2.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
[root@bogon ipsec.d]# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter     # solution
[root@bogon ipsec.d]# ipsec verify
Verifying installed system and configuration files
(output identical to the first run, except that the rp_filter check now passes and no error summary is printed)
Checking rp_filter                                      [OK]
[root@bogon ipsec.d]#
The echo into /proc fixes the running kernel only and is lost at reboot; make it permanent by adding net.ipv4.conf.eth0.rp_filter = 0 to /etc/sysctl.conf (see step 6).
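The persistence problem just described (the echo into /proc does not survive a reboot, and the all/default entries do not reset an interface that already has rp_filter on) can be caught before ipsec verify complains. The following script is an added example and is not part of the original article: it prints the forwarding, redirect and rp_filter settings libreswan needs, including per-interface entries for eth0 and eth2 (the interface names from the ifconfig output above; adjust them for your host), and audits a sysctl.conf-style file for them without touching the running kernel. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: generate the kernel settings
# libreswan needs (forwarding, no ICMP redirects, rp_filter off), including the
# per-interface rp_filter entries the article's sysctl.conf lacks, and audit a
# sysctl-style file for them offline. Interface names eth0/eth2 are taken from
# the article's ifconfig output; everything else is generic.

# Print "key = value" lines for the given interfaces. The all/default entries do
# not lower a value an existing interface already has (the effective rp_filter is
# the larger of "all" and the interface's own), which is why "ipsec verify" still
# flagged eth0 after all.rp_filter=0 had been set.
ipsec_sysctl_lines() {
    printf '%s\n' \
        'net.ipv4.ip_forward = 1' \
        'net.ipv4.conf.all.rp_filter = 0' \
        'net.ipv4.conf.default.rp_filter = 0' \
        'net.ipv4.conf.all.accept_redirects = 0' \
        'net.ipv4.conf.all.send_redirects = 0' \
        'net.ipv4.conf.default.accept_redirects = 0' \
        'net.ipv4.conf.default.send_redirects = 0'
    for ifc in "$@"; do
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$ifc"
        printf 'net.ipv4.conf.%s.accept_redirects = 0\n' "$ifc"
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$ifc"
    done
}

# Last value assigned to KEY in FILE ("key=1" and "key = 1" are both accepted);
# prints nothing if the key is absent. Usage: sysctl_value FILE KEY
sysctl_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]].*$//'
}

# Report every expected setting that is missing or wrong in FILE.
# Returns 0 when the file is complete, 1 otherwise. Usage: audit_sysctl FILE IFACE...
audit_sysctl() {
    file=$1; shift
    rc=0
    expected=$(ipsec_sysctl_lines "$@")
    old_ifs=$IFS
    IFS='
'
    for line in $expected; do
        key=${line%% = *}
        want=${line##* = }
        have=$(sysctl_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf 'missing or wrong: %s (have "%s", want %s)\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    IFS=$old_ifs
    return "$rc"
}

# Stand-alone use on the server: audit the live file and, if anything is
# missing, print the full set of lines to append before running sysctl -p.
if [ "${1:-}" = "--audit" ]; then
    audit_sysctl /etc/sysctl.conf eth0 eth2 || ipsec_sysctl_lines eth0 eth2
fi
```

Run it as `sh audit.sh --audit` (hypothetical file name) on the server; the lines it prints can be appended to /etc/sysctl.conf and applied with sysctl -p, after which ipsec verify should report rp_filter [OK] on every interface.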
8. Start the service
systemctl start ipsec
systemctl enable ipsec
9. Install and configure the xl2tpd service
yum install xl2tpd
vi /etc/xl2tpd/xl2tpd.conf     # edit the L2TP configuration file
[root@bogon xl2tpd]# cat xl2tpd.conf
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
ipsec saref = yes               ; added here
listen-addr = 192.168.56.11     ; external (client-facing) address
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 10.0.0.100-10.0.0.200    ; addresses assigned to clients; use a range from your own intranet
local ip = 192.168.56.11
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Two practical notes. SAref tracking needs the KLIPS stack; with the NETKEY stack shown by ipsec verify above, xl2tpd cannot use it and falls back to userspace mode, so the setting is harmless but does nothing. More importantly, xl2tpd listens on UDP 1701 in the clear: since PPP does no encryption of its own here (noccp in the options file below), make sure UDP 1701 is reachable only through the IPsec SA, for example with an iptables rule that accepts port 1701 only when "-m policy --dir in --pol ipsec" matches and drops it otherwise.
10. Modify the xl2tpd PPP options file
vi /etc/ppp/options.xl2tpd
[root@bogon xl2tpd]# cat /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8          # the only change made; pointing this at your gateway/internal DNS is recommended
# ms-dns 192.168.1.
# ms-dns 192.168.1.
# ms-wins 192.168.1.
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 500
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
[root@bogon xl2tpd]#
(The commented-out ms-dns/ms-wins addresses are truncated in the source and are left as they appear.) require-mschap-v2 is acceptable here only because the whole PPP exchange is inside the IPsec tunnel; on its own, MS-CHAPv2 is not a safe authentication method.
11. Add a username and password
[root@bogon xl2tpd]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret          IP addresses
***12345        *       123456          *
[root@bogon xl2tpd]#
The four columns are client (user name; partly masked in the source), server ("*" = any), secret, and the IP addresses the client may use ("*" = any). "123456" is again a placeholder and should be replaced by a random password.
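The PSK in step 5 and the CHAP password above are both "123456" placeholders. The PSK is shared by every client, so it must be long and random, and both secrets files should be readable by root only. The following script is an added example (not the article's code) that generates secrets from /dev/urandom, refuses obvious placeholders, and writes /etc/ipsec.d/linuxcc_l2tp.secrets and /etc/ppp/chap-secrets with mode 0600. The paths and the server address 192.168.56.11 are the article's; the user name "alice" and the function names are invented for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: replace the "123456"
# placeholders with random secrets, reject weak ones, and write the files
# with owner-only permissions. File paths and the server address 192.168.56.11
# come from the article; the user name "alice" is invented for the example.

# Random secret of N bytes (default 32) rendered as 2N hex characters, read
# from /dev/urandom so no extra tool (such as openssl) is required.
gen_secret() {
    od -An -tx1 -N"${1:-32}" /dev/urandom | tr -d ' \n'
}

# Reject empty, well-known placeholder, short and single-character secrets.
# Usage: check_secret SECRET [MINLEN]   (returns 0 if acceptable)
check_secret() {
    secret=$1; minlen=${2:-20}
    case "$secret" in
        ''|123456|12345678|password|secret|test) return 1 ;;
    esac
    [ "${#secret}" -ge "$minlen" ] || return 1
    # a string of one repeated character passes the length test but is useless
    distinct=$(printf '%s' "$secret" | fold -w1 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -gt 1 ] || return 1
    return 0
}

# ipsec.secrets line for a PSK shared by all clients: <server> %any: PSK "<key>"
psk_line() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# chap-secrets line: client  server  secret  IP-addresses ("*" = any)
chap_line() {
    printf '%s\t*\t"%s"\t%s\n' "$1" "$2" "${3:-*}"
}

# Write CONTENT to FILE with mode 0600 via a temp file in the same directory,
# so the secret is never world-readable, not even briefly.
write_secret_file() {
    file=$1; content=$2
    dir=$(dirname "$file")
    tmp=$(umask 077 && mktemp "$dir/.secret.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Provision both files under ROOT (empty = the real filesystem): a fresh PSK
# for IPsec and one CHAP user. Usage: provision [ROOT] [USER]
provision() {
    root=${1:-}; user=${2:-alice}
    psk=$(gen_secret 32); pw=$(gen_secret 16)
    check_secret "$psk" && check_secret "$pw" || return 1
    write_secret_file "$root/etc/ipsec.d/linuxcc_l2tp.secrets" "$(psk_line 192.168.56.11 "$psk")" &&
        write_secret_file "$root/etc/ppp/chap-secrets" "$(chap_line "$user" "$pw")"
}
```

After running provision as root, restart ipsec (or run ipsec secrets) so pluto reloads the PSK, and hand the generated CHAP password to the user out of band; the PSK itself has to be entered on every client, which is the operational reason to rotate it whenever a user leaves.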
12. Start the L2TP service
systemctl start xl2tpd
systemctl enable xl2tpd
systemctl status xl2tpd
13. Windows client connection
Press Windows+R, type regedit and navigate to this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\
The value set there in the original screenshot is not reproduced on this page. The Microsoft-documented setting for L2TP/IPsec when a peer is behind NAT is the DWORD AssumeUDPEncapsulationContextOnSendRule under Rasman\Parameters (1 if only the server is behind NAT, 2 if both ends may be).
Then restart the computer.
14. Open the connection, and remember to follow the order shown.
That completes the deployment.
Error case: the phone cannot connect while the computer can.