Notes on installing an L2TP/IPsec VPN on Debian/Ubuntu

id0 2011-08-18

I. Definition
The Layer Two Tunneling Protocol (L2TP) is a data-link-layer tunneling protocol commonly used for virtual private networks. L2TP itself does not encrypt the data it carries, but it can be combined with an encryption protocol to achieve encrypted transport. The encryption protocol most often paired with L2TP is IPsec; when the two are used together the combination is usually called L2TP/IPsec.

II. Installation procedure
1. Install and configure openswan

apt-get install openswan   # just keep pressing Enter at the prompts

apt-get install libgmp3-dev gawk flex bison

wget http://www.openswan.org/download/openswan-2.6.24.tar.gz

tar xf openswan-2.6.24.tar.gz

cd openswan-2.6.24

make programs

make install
cat >/etc/ipsec.conf<<EOF
version 2.0
config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  oe=off
  protostack=netkey

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  # replace 1.1.1.1 in left= and leftid= with your VPS IP
  left=1.1.1.1
  leftid=1.1.1.1
  leftprotoport=17/1701
  right=%any
  rightid=%any
  rightprotoport=17/%any
EOF
cat >/etc/ipsec.secrets<<EOF
1.1.1.1 %any: PSK "jiaozhudotorg"
EOF
Edit /etc/sysctl.conf and add:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl -p   # apply immediately
Restart ipsec and verify that the configuration works:
/etc/init.d/ipsec restart
ipsec verify
2. Install xl2tpd
apt-get install xl2tpd
cat >/etc/xl2tpd/xl2tpd.conf<<EOF
[global]
port = 1701
; replace 1.1.1.1 with your VPS IP
listen-addr = 1.1.1.1
ipsec saref = yes

[lns default]
ip range = 10.168.2.5-10.168.2.254
local ip = 10.168.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
 

cat >/etc/ppp/options.xl2tpd<<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
mtu 1410
mru 1410
nodefaultroute
lcp-echo-interval 30
lcp-echo-failure 6
#idle 1800
connect-delay 10000
EOF

3. Add VPN users!
cat >>/etc/ppp/chap-secrets<<EOF
user * 123456 *
EOF
Restart xl2tpd:
/etc/init.d/xl2tpd restart

Addendum: because of a misconfigured firewall, nginx started returning 502 after xl2tpd was started. Adding the following rule fixed it; again, replace 1.1.1.1 with your VPS IP.

iptables -t nat -A POSTROUTING -s 10.168.2.0/24 -j SNAT --to-source "1.1.1.1"
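The PSK in ipsec.secrets, the passwords in chap-secrets and the authentication settings in xl2tpd.conf and options.xl2tpd are what stand between the VPS and the whole internet, so they are worth checking before the service goes live. The shell script below is an added example, not part of the original notes: it audits copies of those four files (paths passed as arguments) for a short PSK, short CHAP passwords, PAP left enabled, or a missing MS-CHAPv2 requirement; the 20- and 12-character thresholds are this example's assumptions, and the 13-character PSK and "123456" from the notes above both get flagged.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the files the guide
# writes for weak settings. Thresholds (20-char PSK, 12-char CHAP password)
# are this example's assumptions, not values from the guide.

# 0 if the first PSK in an ipsec.secrets file has at least 20 characters.
psk_ok() {
  psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
  [ -n "$psk" ] && [ "${#psk}" -ge 20 ]
}

# 0 if every chap-secrets entry (client server secret ip) has a secret of
# at least 12 characters; comment lines are skipped.
chap_ok() {
  awk '!/^[[:space:]]*#/ && NF >= 3 && length($3) < 12 { bad++ }
       END { exit (bad > 0) }' "$1"
}

# 0 if xl2tpd.conf refuses PAP and requires authentication, as the guide sets.
xl2tpd_ok() {
  grep -Eq '^[[:space:]]*refuse pap[[:space:]]*=[[:space:]]*yes' "$1" &&
  grep -Eq '^[[:space:]]*require authentication[[:space:]]*=[[:space:]]*yes' "$1"
}

# 0 if the pppd options require MS-CHAPv2 and do not allow unauthenticated
# or plaintext-password (PAP) logins.
ppp_ok() {
  grep -Eq '^[[:space:]]*require-mschap-v2' "$1" &&
  ! grep -Eq '^[[:space:]]*(require-pap|noauth)' "$1"
}

# Run all checks: one line per finding, exit status = number of findings.
audit_l2tp() {
  fails=0
  psk_ok "$1"    || { echo "WEAK: PSK in $1 shorter than 20 chars"; fails=$((fails + 1)); }
  chap_ok "$2"   || { echo "WEAK: a password in $2 is shorter than 12 chars"; fails=$((fails + 1)); }
  xl2tpd_ok "$3" || { echo "WEAK: $3 does not refuse PAP / require auth"; fails=$((fails + 1)); }
  ppp_ok "$4"    || { echo "WEAK: $4 does not require MS-CHAPv2"; fails=$((fails + 1)); }
  return "$fails"
}

# Typical run against the live files written by the guide:
# audit_l2tp /etc/ipsec.secrets /etc/ppp/chap-secrets \
#            /etc/xl2tpd/xl2tpd.conf /etc/ppp/options.xl2tpd
```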
