Prerequisites
- One CentOS 6 server with at least one public IP address and root access.
- One (or more) clients running an operating system that supports IPsec/L2TP VPN (Ubuntu, Mac OS, Windows, Android).
- Ports 1701 TCP, 4500 UDP and 500 UDP open in the firewall.
Install the L2TP-related software
yum install -y epel-release
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof
yum install openswan
yum -y install wget bind-utils
yum install openswan xl2tpd ppp lsof
# openswan provides IPsec, xl2tpd provides L2TP, ppp handles authentication; the other packages are prerequisites.
Configure Openswan
Edit **/etc/ipsec.conf**. Note: replace $VPS_IP with your machine's public IP (the IP users connect to for L2TP access).
# which IPsec stack to use. auto will try netkey, then klips then mast
# protostack=auto
protostack=netkey
# Append the following at the bottom of the file; note the indentation
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$VPS_IP     # replace with your public IP
    leftid=$VPS_IP   # replace with your public IP
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any
Edit **/etc/ipsec.secrets** and add the following line. Again, replace $VPS_IP with your machine's IP and $PASS with the pre-shared key you choose.
# Users must supply this key when connecting
$VPS_IP %any: PSK "$PASS"
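The pre-shared key is shared by every client, so a short or guessable $PASS weakens the whole VPN. The following shell script is an added example, not part of the original tutorial: it generates a random key from /dev/urandom, writes the ipsec.secrets line shown above with root-only file permissions, and refuses to add a second entry for the same IP. The address 203.0.113.10 in the usage comment is a placeholder; the output path defaults to /etc/ipsec.secrets but can be overridden.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create a strong PSK and
# record it in ipsec.secrets without leaving the file world-readable.

# gen_psk LENGTH: print LENGTH random alphanumeric characters (default 32).
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# check_psk_strength PSK: succeed only for keys of at least 20 characters.
check_psk_strength() {
    [ "${#1}" -ge 20 ]
}

# write_ipsec_secrets VPS_IP PSK [PATH]: append the tutorial's
#   $VPS_IP %any: PSK "$PASS"
# line to PATH (default /etc/ipsec.secrets). The file is created with
# mode 0600 and an existing file is tightened to 0600 as well. If an
# entry for VPS_IP is already present nothing is written and 1 is returned.
write_ipsec_secrets() {
    vps_ip="$1"; psk="$2"; path="${3:-/etc/ipsec.secrets}"
    if [ -f "$path" ] && grep -q "^$vps_ip %any:" "$path"; then
        echo "a PSK entry for $vps_ip already exists in $path" >&2
        return 1
    fi
    ( umask 077; : >> "$path" )   # create the file 0600 if it does not exist
    chmod 600 "$path"             # never leave the key readable by others
    printf '%s %%any: PSK "%s"\n' "$vps_ip" "$psk" >> "$path"
}

# Usage (run as root on the server; 203.0.113.10 is a placeholder address):
#   PSK=$(gen_psk 32)
#   check_psk_strength "$PSK" && write_ipsec_secrets 203.0.113.10 "$PSK"
#   ipsec secrets        # make pluto re-read /etc/ipsec.secrets
```

After writing the file, `ipsec secrets` reloads it without restarting the daemon; clients must then be configured with the same key.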
iptables configuration
- iptables performs NAT for the VPN users (optional); if their traffic can be routed through another gateway, NAT is not required.
- iptables must open ports 1701 TCP, 4500 UDP and 500 UDP.
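The tutorial states the ports to open but not the rules. The following shell script is an added example, not from the original tutorial: it prints the iptables rules for the two bullets above and includes a check that reads `iptables -S INPUT` output and reports any required port that still has no ACCEPT rule. The interface name eth0 and the subnet 192.168.100.0/24 (matching the ip range configured in xl2tpd.conf later) are assumptions; the `-m policy` match on port 1701 goes slightly beyond the bullet by accepting L2TP only when it arrived inside the IPsec tunnel, so plaintext L2TP from the internet is dropped.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate and check the
# firewall rules for an L2TP/IPsec server. Assumed values: WAN interface
# eth0, VPN client subnet 192.168.100.0/24.

# l2tp_firewall_rules WAN_IF VPN_SUBNET [NAT yes|no]: print one iptables
# command per line. Pipe the output to "sh" as root to apply it.
l2tp_firewall_rules() {
    wan_if="$1"; vpn_net="$2"; nat="${3:-yes}"
    # IKE and NAT-T must be reachable from any client address
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT"
    # L2TP is only accepted when the packet was protected by IPsec
    echo "iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
    # forward client traffic out of the WAN interface and replies back in
    echo "iptables -A FORWARD -s $vpn_net -o $wan_if -j ACCEPT"
    echo "iptables -A FORWARD -d $vpn_net -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # optional NAT, only needed when this host is the clients' gateway
    if [ "$nat" = yes ]; then
        echo "iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE"
    fi
}

# missing_l2tp_ports: read "iptables -S INPUT" output on stdin and print
# each required proto/port (udp/500, udp/4500, udp/1701, tcp/1701) that
# has no ACCEPT rule. Prints nothing when the firewall is complete.
missing_l2tp_ports() {
    rules=$(cat)
    for spec in "udp 500" "udp 4500" "udp 1701" "tcp 1701"; do
        proto=${spec% *}; port=${spec#* }
        printf '%s\n' "$rules" | grep -q -- "-p $proto .*--dport $port .*-j ACCEPT" \
            || echo "$proto/$port"
    done
}

# Usage (as root):
#   l2tp_firewall_rules eth0 192.168.100.0/24 yes | sh
#   iptables -S INPUT | missing_l2tp_ports     # empty output means all open
#   service iptables save                      # persist on CentOS 6
```

Run the check after `service iptables save` and again after a reboot; a missing port shows up as a client that authenticates the IPsec phase but never gets a PPP session.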
System configuration
Edit the **/etc/sysctl.conf** file and append the following to the end of the file.
# added for xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
After editing, run the sysctl -p command for the changes to take effect.
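`sysctl -p` silently keeps whatever value was last set, so a typo or a later duplicate entry in the file goes unnoticed. The following shell script is an added example, not from the original tutorial: it checks a sysctl.conf-style file for the ten settings above (last occurrence wins, comments ignored) and, separately, compares the running kernel values under /proc/sys with the expected ones. The file path and the /proc root are parameters so the checks can run against copies.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm that the sysctl
# settings required for L2TP/IPsec are both configured and in effect.

# Expected key=value pairs, exactly the values the tutorial appends.
L2TP_SYSCTL='net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.log_martians=0
net.ipv4.conf.default.log_martians=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1'

# conf_value FILE KEY: print the effective value of KEY in FILE.
# Comments (# or ;) are stripped, whitespace around '=' is ignored and,
# as with sysctl -p, the last occurrence wins. Prints nothing if unset.
conf_value() {
    sed -e 's/[#;].*//' -e 's/[[:space:]]//g' "$1" \
        | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# check_sysctl_conf FILE: print one line per missing or wrong setting;
# exit status 0 only when every expected setting is present.
check_sysctl_conf() {
    problems=$(printf '%s\n' "$L2TP_SYSCTL" | while IFS='=' read -r key want; do
        have=$(conf_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key: expected $want, found '${have:-unset}'"
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}

# check_live_sysctl [PROCROOT]: compare the running values (read from
# /proc/sys or a copy of that tree) with the expected ones; same contract.
check_live_sysctl() {
    root="${1:-/proc/sys}"
    problems=$(printf '%s\n' "$L2TP_SYSCTL" | while IFS='=' read -r key want; do
        f="$root/$(printf '%s' "$key" | tr . /)"
        have=$(cat "$f" 2>/dev/null)
        [ "$have" = "$want" ] || echo "$key: expected $want, found '${have:-unreadable}'"
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}

# Usage on the server, after "sysctl -p":
#   check_sysctl_conf /etc/sysctl.conf && check_live_sysctl && echo "sysctl OK"
```

The live check is the same test the tutorial suggests for the `ipsec verify` "IP forwarding [FAILED]" message (ip_forward reading 1 in /proc), extended to every setting in the list.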
Verify the basic IPsec configuration
/etc/init.d/ipsec restart
ipsec verify
# If the following output is returned, the setup succeeded.
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
# Problem: SAref kernel support [N/A]
# Fix: edit the /etc/xl2tpd/xl2tpd.conf file:
; ipsec saref = yes
ipsec saref = no
# After the change the verify output does not change, but the problem can now be ignored.
# Problem: Two or more interfaces found, checking IP forwarding [FAILED]
# Fix: as long as cat /proc/sys/net/ipv4/ip_forward returns 1, ignore this problem.
Configure xl2tpd
Edit the **/etc/xl2tpd/xl2tpd.conf** file.
; The IP range below is the address range assigned to VPN users; change it as needed.
ip range = 192.168.100.128-192.168.100.254
local ip = 192.168.100.1
Edit the **/etc/ppp/options.xl2tpd** file and make sure the entire file reads as follows, apart from comments.
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.4.4
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
Edit the **/etc/ppp/chap-secrets** file, adding one row per user.
# Add L2TP accounts and passwords
# Secrets for authentication using CHAP
# client server secret IP addresses
name1 * pass1 *
name2 * pass2 *
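The chap-secrets rows above are plaintext passwords, and a duplicate name or a password containing a space silently breaks the four-column format. The following shell script is an added example, not from the original tutorial: it adds and removes rows of that format, generates a random password, refuses duplicate names or passwords that would split into extra columns, and keeps the file at mode 0600. The file path is a parameter so the functions can be exercised on a copy; name1/name2 are the sample users from the tutorial.

```shell
#!/bin/sh
# Added example (not from the original tutorial): maintain the
# "client server secret IP" rows of /etc/ppp/chap-secrets safely.

# gen_password LENGTH: random alphanumeric password (default 20 chars).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-20}"
}

# user_exists FILE NAME: succeed if NAME already has a row (comments ignored).
user_exists() {
    grep -v '^[[:space:]]*#' "$1" \
        | awk -v n="$2" '$1 == n { found = 1 } END { exit !found }'
}

# add_chap_user FILE NAME PASSWORD: append "NAME * PASSWORD *".
# Returns 2 for an empty password or one containing whitespace or quotes
# (they would break the column format), 1 if NAME is already present.
add_chap_user() {
    file="$1"; name="$2"; pass="$3"
    case "$pass" in
        ""|*[[:space:]]*|*'"'*|*"'"*) echo "unusable password for $name" >&2; return 2 ;;
    esac
    if user_exists "$file" "$name"; then
        echo "user $name already exists in $file" >&2
        return 1
    fi
    printf '%s\t*\t%s\t*\n' "$name" "$pass" >> "$file"
    chmod 600 "$file"      # pppd reads it as root; nobody else needs it
}

# remove_chap_user FILE NAME: drop the row(s) for NAME, keep comments and
# every other row, and preserve the restrictive mode.
remove_chap_user() {
    file="$1"; name="$2"; tmp="$file.tmp.$$"
    awk -v n="$name" '/^[[:space:]]*#/ || $1 != n' "$file" > "$tmp" \
        && mv "$tmp" "$file" && chmod 600 "$file"
}

# list_chap_users FILE: print the usernames (first column), one per line.
list_chap_users() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 3 { print $1 }'
}

# Usage (as root): PASS=$(gen_password) && add_chap_user /etc/ppp/chap-secrets name3 "$PASS" && echo "$PASS"
```

pppd re-reads chap-secrets on each connection, so no service restart is needed after adding or removing a user; a removed user loses access at the next authentication attempt, not mid-session.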
Start the services
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart