CentOS搭建L2TP VPN

一、安装软件

yum install -y openswan ppp xl2tpd

二、配置ipsec

1.配置ipsec.conf

cat /etc/ipsec.conf

config setup

protostack=netkey

nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

oe=off

conn %default

Forceencaps=yes

conn L2TP-PSK-NAT              [定义一个VPN的连接，L2TP-PSK-noNAT是这个连接的名字]

rightsubnet=vhost:%priv

also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT

authby=secret

pfs=no

auto=add                   [ipsec启动后，VPN1连接处于等待状态]

keyingtries=3

rekey=no

ikelifetime=8h

keylife=1h

type=transport

left=133.3.5.16          [外网ip]

leftprotoport=17/1701      [vpn服务器端口]

right=%any

rightprotoport=17/%any

dpddelay=40

dpdtimeout=130

dpdaction=clear

2.配置IPSec预共享密钥

cat /etc/ipsec.secrets

121.46.20.249 %any: PSK "good321"

[外网ip]             [共享秘钥]

3.修改包转发设置

for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects ; done

4.重启IPSec并验证

service ipsec restart

ipsec verify  [输出以下内容则正常]

Verifying installed system and configuration files

Version check and ipsec on-path                   [OK]

Libreswan 3.15 (netkey) on 2.6.32-279.el6.x86_64

Checking for IPsec support in kernel              [OK]

NETKEY: Testing XFRM related proc values

ICMP default/send_redirects              [OK]

ICMP default/accept_redirects            [OK]

XFRM larval drop                         [OK]

Pluto ipsec.conf syntax                           [OK]

Hardware random device                            [N/A]

Two or more interfaces found, checking IP forwarding[OK]

Checking rp_filter                                [OK]

Checking that pluto is running                    [OK]

Pluto listening for IKE on udp 500               [OK]

Pluto listening for IKE/NAT-T on udp 4500        [OK]

Pluto ipsec.secret syntax                        [OK]

Checking ‘ip‘ command                             [OK]

Checking ‘iptables‘ command                       [OK]

Checking ‘prelink‘ command does not interfere with FIPSChecking for obsolete ipsec.conf options          [OK]

Opportunistic Encryption                          [DISABLED]

常见验证失败解决办法

1.Two or more interfacesfound, checking IP forwarding [Failed]

echo 1 > /proc/sys/net/ipv4/ip_forward   [不需要重启服务]

vi /etc/sysctl.conf   [修改成以下内容]

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 0

2. Checking that pluto isrunning [Failed]

cd /var/run/pluto

ipsec pluto      [生成pluto.ctl文件]

ipsec verify

三、配置ppp与l2tp

1.配ppp

vi /etc/ppp/options.xl2tpd

require-mschap-v2

ms-dns 8.8.8.8

ms-dns 8.8.4.4

noccp

auth

crtscts

idle 1800

mtu 1410

mru 1410

nodefaultroute

debug

lock

proxyarp

connect-delay 5000

2.vpn用户名密码配置

vi/etc/ppp/chap-secrets

# client        server  secret                  IP addresses

tan  *       tan  *

3.配置xl2tpd

vi /etc/xl2tpd/xl2tpd.conf

[global]

[lns default]

ip range = 192.168.201.170-192.168.201.179

local ip = 192.168.201.12

require chap = yes

refuse pap = yes

require authentication = yes

name = LinuxVPNserver

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

4.启动xl2tpd

/etc/init.d/xl2tpd restart

xl2tpd -D  [以打印日志模式启动]

四、防火墙配置

配置转发

iptables -t nat -A POSTROUTING -s 192.168.201.0/24 -o eth0 -j MASQUERADE

参考链接：

http://my.oschina.net/xiaotian120/blog/286002

http://wenku.baidu.com/link?url=hkhDw8sAKQbdviIaPLwn1AsBmANAysG8npTIoy4CwNnT8OBXgRd_TWDRxJGOakCElYcu_Hdp2SVLesrqr57rwhxpf71P4L-UgW4ahXxK7yu