1.安装openswan
sudo apt-get install openswan
如果出现报错 Package ‘openswan‘ has no installation candidate 请执行以下命令,如果顺利安装请直接看第二步
sudo vi /etc/apt/sources.list.d/lzu.list
#创建一个源
粘贴如下代码到lzu.list文件
deb http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
更新一下源
sudo apt-get update
安装openswan
sudo apt-get install openswan
#安装出现提示框,选择NO回车
2.安装 xl2tpd 并配置 IPSec 服务
sudo apt-get install xl2tpd
修改/etc/ipsec.conf配置文件
sudo vi /etc/ipsec.conf
粘贴如下内容到ipsec.conf文件
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikelifetime=8h
keylife=1h
type=transport
# 替换 IP 地址为你的公网IP
left=x.x.x.x
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
forceencaps=yes
conn passthrough-for-non-l2tp
type=passthrough
left=$IP
leftnexthop=$GATEWAY
#下面改成你主机以太网卡的IP
right=x.x.x.x
#下面改成该IP所在网段的网关地址如199.12.25.1/24
rightsubnet=x.x.x.1/23
auto=route
注意修改#号提示里面的IP和网关
修改文件/etc/ipsec.secrets
sudo vi /etc/ipsec.secrets
填写配置
*这里x.x.x.x 替换为你服务器的公网IP地址,替换“”里的密码为你自己设置的密码,客户端连接的时候要用到
x.x.x.x %any: PSK "mima1234567890"
保存后执行以下代码修改网络策略,让 IPSEC 正常运行
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
启动 IPSEC 服务并检测 IPSEC 是否正常工作
sudo /etc/init.d/ipsec start
#使用如下命令确认 ipsec 是否工作正常
sudo ipsec verify
#注意:只要没有Faild就可以了
如果出现错误请参考以下命令
#错误1.Checking /bin/sh is not /bin/dash [WARNING] 输入以下代码
sudo dpkg-reconfigure dash
#按英文提示,选择no
#错误2.pluto is running [FAILED]
sudo /etc/init.d/ipsec start
#错误3:NETKEY: Testing XFRM related proc values [FAILED]
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
#错误4:Pluto listening for IKE on udp 500 [FAILED]
apt-get install lsof
#错误5:Hardware RNG detected, testing if used properly [FAILED]
sudo apt-get install rng-tools
修改 /etc/xl2tpd/xl2tpd.conf 配置
sudo vi /etc/xl2tpd/xl2tpd.conf
粘贴如下内容
[global]
ipsec saref = yes
[lns default]
ip range = 10.10.20.100-10.10.20.254
local ip = 10.10.20.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
修改PPP配置
sudo vi /etc/ppp/options.xl2tpd
写入以下内容
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1404
mru 1404
添加用户
sudo vi /etc/ppp/chap-secrets
填写客户端使用的用户名和密码
yonghuming * mima1234567890 *
3.设置转发
sudo vi /etc/sysctl.conf
#找到并去掉以下代码的#号
net.ipv4.ip_forward=1
配置生效
sysctl -p
允许gre协议以及1723端口、47端口
sudo iptables -A INPUT -p gre -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT
开启NAT转发
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
#注意填写ens3,不同机器是不一样的,可以在终端输入ifconfig来查看网卡联网以及网卡的名称
4.启动VPN
sudo /etc/init.d/xl2tpd restart