Debian 7 下搭建 IPSec + L2TP VPN 服务器

86510391 2014-02-07

因为公司的网络限制,好多资料没办法查到, 遂决定搞个VPN翻墙, 但是国内的VPN实在是不敢恭维, 稳定性那叫一个差~ 正好有朋友推荐了国外的VPS主机, 去看了一下,在日本东京的节点速度很快,果断入手了一个。本着自己动手,丰衣足食的原则 , 我在建好VPS上的Debian 7系统后,就开始搭建我的VPN服务器, 不得不说, 本来这并不是个难事,但是现在度娘找出来的配置教程,实在是太差了, 写的不明白,乱七八糟的,排版还乱, 所以,今天把我自己配置的过程记录下来,希望能给有同样需求的朋友一些帮助。OK, 进入正题, Let's Go~! 

1、安装OpenSWAN
 
sudo apt-get install openswan
 
安装过程中如问到: Use an X.509 certificate for this host, 回答NO.
 
1.1 配置sysctl参数
 
sudo mv /etc/sysctl.conf /etc/sysctl.conf.bak
sudo vim /etc/sysctl.conf
-----------输入如下内容-------------
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

1.2 加载sysctl参数
 
sysctl -p
sudo bash -c 'for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
'

 

1.3 生成iptables配置
 
sudo mv /etc/rc.local /etc/rc.local.bak
sudo vim /etc/rc.local
-----------输入如下内容-------------
#!/bin/sh -e
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0
-j MASQUERADE
exit 0
 
#添加执行权限,运行配置
sudo chmod +x /etc/rc.local
sudo /etc/rc.local

1.4 配置ipsec.secrets
 
sudo mv /etc/ipsec.secrets /etc/ipsec.secrets.bak
sudo vim /etc/ipsec.secrets
-----------输入如下内容-------------
# 将IP和密码换成服务器IP和设定的密码
111.222.333.444 %any: PSK "0123456" #此处密码为服务器的共享密钥,连接时时提供

1.5 配置ipsec.conf
 
sudo mv /etc/ipsec.conf /etc/ipsec.conf.bak
sudo vim /etc/ipsec.conf
-----------输入如下内容-------------
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=111.222.333.444 #换成服务器ip
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
 
1.6 激活ipsec服务
 
sudo update-rc.d ipsec defaults

2、安装xl2tpd
 
sudo apt-get install xl2tpd
 
2.1 配置xl2tpd.conf
 
sudo mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak
sudo vim /etc/xl2tpd/xl2tpd.conf
-----------输入如下内容-------------
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.1.2-10.1.1.255
local ip = 10.1.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
2.2 配置options.xl2tpd
 
sudo mv /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
sudo vim /etc/ppp/options.xl2tpd
-----------输入如下内容-------------
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
2.3 配置chap-secrets
 
sudo mv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak
sudo vim /etc/ppp/chap-secrets
-----------输入如下内容-------------
#user server password ip
user1 l2tpd 123456 *
user2 l2tpd 123456 *

 

 
2.4 启动L2TP服务器
 
sudo invoke-rc.d xl2tpd restart
sudo invoke-rc.d ipsec restart
 
2.5 验证服务器状态
 
sudo ipsec verify
 
出现如下信息:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED] 

这样,就证明VPN配置已经成功了,接下来,就可以在用上面建立好的两个用户, ueer1和user2进行登录了, 登录时方式要选择L2TP哦~~嘿嘿~~至此,配置完毕,很简单吧~~! 

本帖为原创,转帖请说明出处,谢谢合作。

本帖地址:http://blog.csdn.net/sonsie007/article/details/16932017

 

相关推荐