HeKing 2013-04-10
L2TP/IPsec is the usual replacement for a PPTP VPN: the PPP session is the same, but it rides inside an IPsec-protected L2TP tunnel instead of PPTP's GRE, and it is the variant you typically meet in enterprise deployments. The steps in this post were tested on a Chicagovps Xen VPS; the tunnel came up, clients could reach the Internet through it, and throughput was decent.
Environment: CentOS 5.9 32-bit, with ppp support.
1. Install the base packages
These are the build dependencies for openswan plus the runtime pieces (ppp, iptables):
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced
2. Download and build openswan
openswan 2.6.24 is the release this post was written against; check the project for a newer one before building, since later releases carry security fixes (the actively maintained fork of the code base is Libreswan). Run the build as root: make programs install compiles the userland and installs it under /usr/local.
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install
3. Install xl2tpd
xl2tpd comes from EPEL. Add the repository that matches your release, then install the package:
CentOS 5.x:
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
CentOS 6.x:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
yum install xl2tpd
4. Edit the configuration files
Edit /etc/ipsec.conf. The complete file is below and can be pasted in as-is, with two things to keep in mind: openswan's parser recognises section headers by their starting at column 0, so every parameter line must be indented under its config or conn header, and left= must be the server's public IP address. The L2TP-PSK-NAT connection inherits everything from L2TP-PSK-noNAT and only adds rightsubnet=vhost:%priv, which together with virtual_private lets clients behind NAT (whose inner address is an RFC 1918 one) connect.
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR_SERVER_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
If a client fails in IKE phase 1, check /var/log/secure for the proposal it offered; the file above leaves the algorithm choice to pluto's defaults, and you can pin what is accepted with explicit ike= and phase2alg= lines.
5. Edit /etc/ipsec.secrets
This file quite possibly does not exist yet; if not, create it. Keep it owned by root with mode 0600, since it holds the pre-shared key, and use a long random value rather than a word: this one PSK is shared by every client of the server, so anyone who has it (a former user included) can impersonate the server to other clients, and the only way to rotate it is to hand every client a new one.
YOUR_SERVER_IP %any: PSK "your-pre-shared-key"
6. Edit /etc/sysctl.conf to enable IP forwarding and the related kernel settings
Compare against what your file already contains: change the keys that are there and add the ones that are missing. Note that the net.ipv4.conf.default.* keys only take effect for interfaces created after the change; eth0 already exists, so if clients cannot connect also set the matching net.ipv4.conf.all.* keys (for example net.ipv4.conf.all.rp_filter = 0) and check the per-interface value with sysctl net.ipv4.conf.eth0.rp_filter.
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
After saving, apply the settings with:
sysctl -p
7. Verify that IPsec is running
ipsec setup restart
ipsec verify
Output like the following means the configuration is good. Your version line will show your own kernel; the lines that matter are the two NETKEY redirect checks, "pluto is running", pluto listening on udp 500 and 4500, and IP forwarding, all reporting [OK]. Opportunistic Encryption shows [DISABLED] because of oe=off, and since authentication is by PSK a complaint about a missing RSA key can be ignored.
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
8. Edit /etc/xl2tpd/xl2tpd.conf
Replace $vpsip with the server's public IP (the same address as left= in ipsec.conf). "ipsec saref = yes" only works on a kernel carrying openswan's SAref patch; on a stock CentOS kernel set it to no. Without SAref, xl2tpd cannot tell apart two clients that sit behind the same NAT address, so only one of them can be connected at a time.
[global]
ipsec saref = yes
listen-addr = $vpsip
[lns default]
ip range = 10.1.88.2-10.1.88.254
local ip = 10.1.88.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
9. Edit /etc/ppp/options.xl2tpd
require-mschap-v2 makes MS-CHAPv2 the only accepted PPP authentication (matching the refuse chap / refuse pap lines above), and "name l2tpd" is the server name that the second column of chap-secrets is matched against. crtscts and modem are serial-line options that do nothing on an L2TP pseudo-terminal, and debug can be dropped once the tunnel works. If large transfers stall while small ones work, add mtu 1400 and mru 1400 so PPP frames still fit once the L2TP, UDP and ESP headers are added.
require-mschap-v2
ms-dns 208.67.222.222
ms-dns 208.67.220.220
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
10. Set the username and password
Edit /etc/ppp/chap-secrets. The columns are client, server, secret and allowed IP: * in the server column matches any server name (so it also matches the "name l2tpd" above), and * in the IP column lets the client take any address from the pool. Keep this file mode 0600 as well, since the passwords are stored in clear text.
# user server password ip
USERNAME * PASSWORD *
11. Set up the firewall and start the services at boot
The MASQUERADE rule below rewrites the source address of everything that leaves the box, not just VPN traffic; restricting it with -s 10.1.88.0/24 -o eth0 is safer. If the stock CentOS firewall is active (its INPUT and FORWARD chains end in a REJECT rule), you also need to accept UDP 500 and 4500 (IKE and NAT-T) and protocol ESP on INPUT, otherwise clients never get past phase 1, and to accept the VPN pool in FORWARD, otherwise nothing is routed for them.
iptables --table nat --append POSTROUTING --jump MASQUERADE
service iptables save
service iptables restart
service xl2tpd restart   # restart xl2tpd
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
That completes the setup. As you can see, the installation is fairly straightforward, much simpler than OpenVPN.
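As an added example (written for this post; it is not part of openswan, xl2tpd or the author's setup), the following script renders every file from steps 4 to 11 into a staging directory with a freshly generated PSK and user password, so that no secret ever starts life as a placeholder pasted into /etc, and writes out the firewall rules that steps 4 and 11 leave implicit. Everything it assumes is an assumption and not from the original post: the public interface is eth0 (override with WAN_IF), the pool is the post's 10.1.88.0/24, the kernel is unpatched so ipsec saref is set to no, and the file names l2tp-render.sh and iptables-l2tp.sh are hypothetical. Nothing under /etc is touched; review the output and copy it into place yourself.

```shell
#!/bin/sh
# Usage: sh l2tp-render.sh SERVER_IP USERNAME [STAGE_DIR]
# Assumes: public interface eth0 (override with WAN_IF), the post's
# 10.1.88.0/24 pool, and a stock kernel without the SAref patch.

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_secret() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# render_l2tp_config SERVER_IP USERNAME STAGE_DIR
# Body is a subshell so the restrictive umask does not leak to the caller.
render_l2tp_config() (
    server_ip=$1; username=$2; stage=$3
    psk=$(gen_secret); userpass=$(gen_secret)
    wan_if=${WAN_IF:-eth0}; pool=10.1.88.0/24
    umask 077                     # everything below is created 0600/0700
    mkdir -p "$stage/xl2tpd" "$stage/ppp"
    # -> /etc/ipsec.conf (parameter lines must be indented under a section)
    cat > "$stage/ipsec.conf" <<EOF
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=${server_ip}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
    # -> /etc/ipsec.secrets (one PSK shared by every client of this server)
    printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$stage/ipsec.secrets"
    # -> /etc/xl2tpd/xl2tpd.conf ("ipsec saref = yes" needs a patched kernel)
    cat > "$stage/xl2tpd/xl2tpd.conf" <<EOF
[global]
ipsec saref = no
listen-addr = ${server_ip}
[lns default]
ip range = 10.1.88.2-10.1.88.254
local ip = 10.1.88.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
    # -> /etc/ppp/options.xl2tpd (serial-line options dropped; MTU/MRU
    #    lowered so PPP frames survive the L2TP+UDP+ESP overhead)
    cat > "$stage/ppp/options.xl2tpd" <<EOF
require-mschap-v2
ms-dns 208.67.222.222
ms-dns 208.67.220.220
asyncmap 0
auth
lock
hide-password
name l2tpd
proxyarp
mtu 1400
mru 1400
lcp-echo-interval 30
lcp-echo-failure 4
EOF
    # -> /etc/ppp/chap-secrets (server column matches "name l2tpd" above)
    printf '# client server secret IP\n%s l2tpd "%s" *\n' \
        "$username" "$userpass" > "$stage/ppp/chap-secrets"
    # Firewall: IKE, NAT-T and ESP from anywhere, L2TP only inside IPsec,
    # and masquerade the VPN pool only, not everything leaving the box.
    cat > "$stage/iptables-l2tp.sh" <<EOF
#!/bin/sh
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -A FORWARD -s ${pool} -o ${wan_if} -j ACCEPT
iptables -A FORWARD -d ${pool} -i ${wan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s ${pool} -o ${wan_if} -j MASQUERADE
EOF
    printf 'rendered into %s\nPSK: %s\nuser %s password: %s\n' \
        "$stage" "$psk" "$username" "$userpass"
)

if [ $# -ge 2 ]; then render_l2tp_config "$1" "$2" "${3:-$(mktemp -d)}"
else echo "usage: $0 SERVER_IP USERNAME [STAGE_DIR]" >&2; fi
```

Run it as sh l2tp-render.sh 203.0.113.10 alice; it prints the staging directory, the PSK to hand to the clients and the first user's password. Copy ipsec.conf and ipsec.secrets to /etc, xl2tpd/xl2tpd.conf to /etc/xl2tpd/, the two ppp files to /etc/ppp/, and run iptables-l2tp.sh as root before service iptables save. The udp/1701 rules are the part worth keeping even if you change nothing else: the policy match accepts L2TP only when it arrived inside an IPsec SA, so a client cannot skip the encryption and talk plain L2TP to xl2tpd, and the PSK comes from 32 bytes of /dev/urandom because one dictionary word there would weaken every tunnel at once.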