How to: Set up Openswan L2TP VPN Server on CentOS 6

Have you ever wanted to run your own VPN server? By following the steps below, you can set up your own L2TP/IPsec VPN server on CentOS 6. L2TP by itself carries no encryption; the IPsec layer configured here (Openswan) provides the confidentiality and integrity, which is what makes this setup more secure than a PPTP server. OpenVPN is another alternative, but it requires OpenVPN client software on every device. In contrast, L2TP/IPsec clients are built into most modern operating systems (Windows, Mac OS X, Ubuntu, RHEL, CentOS) as well as mobile devices (iOS [iPhones, iPads], Android, and Windows Phone).

Packages to install

yum install lsof man
yum install openswan
yum install ppp xl2tpd

Note: You need to have the epel repository installed to install xl2tpd. To install epel if you haven’t already, check this post.

Potential OpenSwan version issues with iOS devices behind NAT

OpenSwan version 2.6.32-18.el6_3 had a bug wherein iOS devices were unable to make a successful VPN connection if they were behind NAT, which includes attempting a VPN connection while connected to a cellular network. Downgrading to version 2.6.32-16.el6 allowed iOS devices to again connect.

It appears that this bug is fixed as of version 2.6.32-21.2.el6, but do note if you have trouble getting iOS devices to work behind NAT, it may be due to the version of OpenSwan you’ve installed.

For more information, see this page: http://bugs.centos.org/view.php?id=5832

IP Addresses in this example

In the following configuration files, various IP addresses are listed. Change these to match your environment:

  • 10.0.100.0/24 – Internal LAN IP subnet: This is the IP subnet used on your local LAN that the VPN server resides upon.
  • 10.0.100.3 – Local IP used by VPN server for the L2TP tunnels: This is a completely made up number – you are assigning an IP address to the tunnel side of your VPN server. Make sure the IP you assign is not within your DHCP server’s DHCP scope.
  • 10.0.100.50-100 – Local IP range to be handed out to VPN-connected clients: You define your own range here – make sure it’s in the same subnet as your local LAN but not part of your DHCP scope.
  • 10.0.100.2 – IP address of VPN server: This is the primary IP address of the VPN server on your local LAN – this should be a static or statically assigned address.
  • 10.0.100.1 – DNS server: This is the DNS server that the L2TP VPN-connected clients will use.
  • 10.0.100.1 – Gateway/Router: This is the IP address of the border router on your internal network – it can be NAT’ed.
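As an added example, not part of the original guide: a small POSIX shell check for the rules above (every address inside the LAN subnet; tunnel IP and client pool outside the DHCP scope; no collision with the server's own address). The DHCP scope 10.0.100.150-10.0.100.200 used in the demo is an assumed value, since the page does not give one.

```sh
#!/bin/sh
# Added example: sanity-check the addresses chosen for the L2TP VPN before
# they go into xl2tpd.conf. Pure POSIX sh; no external tools needed.

# ip2int A.B.C.D: print the dotted-quad address as a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR: succeed if IP lies inside CIDR (prefix length 1..32).
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# overlaps A1 A2 B1 B2: succeed if inclusive ranges A1-A2 and B1-B2 intersect.
overlaps() {
    a1=$(ip2int "$1"); a2=$(ip2int "$2"); b1=$(ip2int "$3"); b2=$(ip2int "$4")
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# check_vpn_addressing LAN_CIDR SERVER_IP TUNNEL_IP POOL_FIRST POOL_LAST DHCP_FIRST DHCP_LAST
# Prints every violated rule; returns 0 only when the plan is clean.
check_vpn_addressing() {
    lan=$1; server=$2; tunnel=$3; pf=$4; pl=$5; df=$6; dl=$7
    rc=0
    for ip in "$server" "$tunnel" "$pf" "$pl"; do
        in_subnet "$ip" "$lan" || { echo "not in $lan: $ip"; rc=1; }
    done
    overlaps "$tunnel" "$tunnel" "$df" "$dl" && { echo "tunnel IP $tunnel lies in DHCP scope $df-$dl"; rc=1; }
    overlaps "$pf" "$pl" "$df" "$dl"         && { echo "client pool $pf-$pl overlaps DHCP scope $df-$dl"; rc=1; }
    overlaps "$server" "$server" "$pf" "$pl" && { echo "server IP $server lies in client pool $pf-$pl"; rc=1; }
    overlaps "$tunnel" "$tunnel" "$pf" "$pl" && { echo "tunnel IP $tunnel lies in client pool $pf-$pl"; rc=1; }
    return $rc
}

# Demo with this guide's addresses; the DHCP scope is an assumed value.
check_vpn_addressing 10.0.100.0/24 10.0.100.2 10.0.100.3 10.0.100.50 10.0.100.100 10.0.100.150 10.0.100.200 \
    && echo "addressing plan OK"
```

Run it once with your real DHCP scope before editing xl2tpd.conf; an overlapping pool is the usual cause of "VPN connects, then a LAN host loses its address".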

Configuration Files

/etc/sysctl.conf 

Edit the file to allow IP forwarding:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Reload sysctl with this command:

sysctl -p

/etc/rc.local

Add the following block to the bottom of the file. It turns off acceptance and sending of ICMP redirects on every interface (ipsec verify flags these) and disables reverse-path filtering. Note that rp_filter=0 also removes the kernel's basic check against spoofed source addresses, so keep the host behind the iptables rules described below rather than running it without a firewall.

# Correct ICMP Redirect issues with OpenSWAN

for each in /proc/sys/net/ipv4/conf/*; do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
        echo 0 > $each/rp_filter
done

/etc/ipsec.conf

In ipsec.conf you define a "left" and a "right" side of the IPsec connection. In this example "left" is the VPN server itself (left=%defaultroute, with L2TP listening on UDP port 1701), and "right" is the remote client, which may connect from any address (right=%any) and, because clients behind NAT arrive from a random source port, from any UDP port (rightprotoport=17/%any). Because this is L2TP over IPsec, the connection is type=transport: IPsec protects the L2TP/UDP packets between client and server rather than tunnelling a subnet.

The virtual_private line lists the private address ranges a client is allowed to have behind its NAT router. List the RFC 1918 ranges and exclude your own LAN with a leading "!", so that a client cannot claim an address on your internal subnet; change the excluded subnet to match your internal LAN.

nhelpers is set to 0 to work around an error message when the crypto helper processes are not available; pluto then does all cryptographic work in the main process.

plutodebug may be set to "control" if you wish to see messages logged in /var/log/pluto.log. Do not leave this turned on in normal operation, as the log file quickly grows to a massive size.

The dead peer detection lines at the bottom of the L2TP-PSK connection improve compatibility with Mac OS X and iOS clients, which do not send a delete notification when they disconnect.

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version       2.0    # conforms to second version of ipsec.conf specification

# basic configuration

config setup
       interfaces=%defaultroute
       klipsdebug=none
       nat_traversal=yes
       nhelpers=0
       oe=off
       plutodebug=none
       plutostderrlog=/var/log/pluto.log
       protostack=netkey
       # private ranges clients may sit behind; exclude your own LAN with "!"
       virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.100.0/24

conn L2TP-PSK
       authby=secret
       pfs=no
       auto=add
       keyingtries=3
       rekey=no
       type=transport
       forceencaps=yes
       right=%any
       rightsubnet=vhost:%any,%priv
       rightprotoport=17/%any
       # Using the magic port of "0" means "any one single port". This is
       # a work around required for Apple OSX clients that use a randomly
       # high port, but propose "0" instead of their port.
       #rightprotoport=17/0
       # Reposter's note (translated): with several clients using different
       # accounts from behind the same IP, this was tried and had problems.
       left=%defaultroute
       leftprotoport=17/1701
       # Apple iOS doesn't send delete notify so we need dead peer detection
       # to detect vanishing clients
       dpddelay=10
       dpdtimeout=90
       dpdaction=clear

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

/etc/ipsec.secrets 

First, create a new host key for the machine — this example is using a pre-shared key (PSK), but it’s still a good idea to generate the machine key:

    ipsec newhostkey --output /etc/ipsec.secrets --bits 2048 --verbose --configdir /etc/pki/nssdb/

Next, add a line with the internal LAN IP address of the server, then %any: (any remote peer), the keyword PSK, and the pre-shared key in quotes:

    10.0.100.2      %any:     PSK     "yourPSKHere"

Use a long, random PSK (for example 32 random alphanumeric characters). With right=%any every client shares this single key, and anyone who learns it can impersonate the server to your clients or complete the IPsec phase and go on to attack the PPP login, so treat it as a credential and rotate it when a device is lost.

If /etc/ipsec.secrets contains the line "include /etc/ipsec.d/*.secrets", remove it or comment it out, or you'll get an error and the VPN just won't connect.

The finished file looks like this:

: RSA  {

# Your RSA machine key will be here after running the ipsec newhostkey command above

}

# do not change the indenting of that "}"
    10.0.100.2      %any:     PSK     "yourPSKHere"

Make sure you set the permissions on your secrets file to keep it private.

sudo chown root:root /etc/ipsec.secrets
sudo chmod 600 /etc/ipsec.secrets

/etc/xl2tpd/xl2tpd.conf

This is the xl2tpd configuration file. Make sure to change the listen-addr to that of your server, the ip range for your VPN clients, and the local IP of the VPN interface on the server.

[global]
listen-addr = 10.0.100.2
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; works around bug: http://bugs.centos.org/view.php?id=5832

force userspace = yes

;
[lns default]
ip range = 10.0.100.50-10.0.100.100
local ip = 10.0.100.3
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = CentOSVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

ms-dns should be set to the DNS server you wish the VPN clients to use. You can specify multiple DNS servers by adding multiple ms-dns entries on separate lines.

ipcp-accept-local
ipcp-accept-remote
ms-dns  10.0.100.1
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/ppp.log

/etc/ppp/chap-secrets

This is the file in which you define your user accounts for the VPN — they are in username and password pairs.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user1           *       strongPassword1         *
user2           *       strongPassword2         *

Secure the /etc/ppp/chap-secrets file

sudo chown root:root /etc/ppp/chap-secrets
sudo chmod 600 /etc/ppp/chap-secrets

IPTables Configuration

If you are running iptables as the firewall on your VPN server, run the following commands to allow VPN traffic through. Order matters: these rules are appended (-A), so they must end up above any catch-all REJECT rule in the chain (see the note below).

#Allow ipsec traffic
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT

#Masquerade forwarded traffic, but not packets that are themselves IPsec-protected
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE

#Forwarding rules for VPN
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#Ports for Openswan / xl2tpd
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

#Save your configuration to /etc/sysconfig/iptables
service iptables save

Note that the default CentOS 6 ruleset ends the INPUT and FORWARD chains with a catch-all REJECT. Rules appended with -A land below it and never match, so the VPN connection will fail. Check /etc/sysconfig/iptables for these lines:

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Either remove them, or, preferably, keep them (they are what closes every other port) and make sure the VPN ACCEPT rules sit above them: insert with iptables -I INPUT 1 ... instead of -A, or edit the file so the ACCEPT lines precede the REJECT lines and then run service iptables restart.
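The ordering problem described above can be fixed mechanically. As an added example (not part of the original guide), the shell functions below take an iptables-save file in /etc/sysconfig/iptables format and insert the guide's INPUT and FORWARD ACCEPT rules immediately before each chain's catch-all REJECT, so the REJECT stays in place and keeps closing every other port. The ruleset written by make_sample_ruleset is constructed to resemble the CentOS 6 default; it is not taken from any real host.

```sh
#!/bin/sh
# Added example: place the VPN ACCEPT rules ahead of the catch-all REJECTs in
# an iptables-save file instead of appending them where they never match.

VPN_INPUT_RULES='-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT'
VPN_FORWARD_RULES='-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
export VPN_INPUT_RULES VPN_FORWARD_RULES

# make_sample_ruleset FILE: constructed CentOS-6-style default filter table
# (SSH open, everything else rejected) to use as input for the demo.
make_sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# insert_vpn_rules SRC DST: copy SRC to DST, inserting the VPN rules just
# before the first catch-all REJECT of INPUT and of FORWARD in the filter
# table. A chain without such a REJECT gets its rules before COMMIT instead.
insert_vpn_rules() {
    awk '
        /^\*/ { in_filter = ($0 == "*filter") }
        in_filter && !done_in  && /^-A INPUT .*-j REJECT/   { print ENVIRON["VPN_INPUT_RULES"];   done_in = 1 }
        in_filter && !done_fwd && /^-A FORWARD .*-j REJECT/ { print ENVIRON["VPN_FORWARD_RULES"]; done_fwd = 1 }
        in_filter && /^COMMIT/ {
            if (!done_in)  { print ENVIRON["VPN_INPUT_RULES"];   done_in = 1 }
            if (!done_fwd) { print ENVIRON["VPN_FORWARD_RULES"]; done_fwd = 1 }
        }
        { print }
    ' "$1" > "$2"
}

# rule_before_reject FILE CHAIN PATTERN: succeed if the first CHAIN rule
# matching PATTERN appears before that chain's catch-all REJECT.
rule_before_reject() {
    rule=$(grep -n -- "^-A $2 .*$3" "$1" | head -n 1 | cut -d: -f1)
    rej=$(grep -n -- "^-A $2 .*-j REJECT" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$rule" ] && [ -n "$rej" ] && [ "$rule" -lt "$rej" ]
}

# Demo on scratch files. On a real host use /etc/sysconfig/iptables as SRC,
# then load the result with: iptables-restore < DST && service iptables save
work=$(mktemp -d)
make_sample_ruleset "$work/iptables.orig"
insert_vpn_rules "$work/iptables.orig" "$work/iptables.new"
rule_before_reject "$work/iptables.new" INPUT '--dport 4500' \
    && echo "IKE NAT-T rule is reachable; result in $work/iptables.new"
```

The 1701 rule is deliberately restricted to packets that arrived inside an IPsec SA (-m policy --pol ipsec), which is what stops a client from speaking plain unencrypted L2TP to the server.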

Enable and Start Services

chkconfig xl2tpd on
chkconfig ipsec on
service ipsec start
service xl2tpd start

Optional configuration

Ignore ICMP Redirects:

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done

Don’t send ICMP Redirects:

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done

Troubleshooting

To see if your IPsec configuration looks OK, run the following command:

ipsec verify

You can also enable logging in /etc/ipsec.conf by setting plutodebug to “control”. This will log messages to /var/log/pluto.log.

There is an additional log file in /var/log/ppp.log.
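To confirm that the forwarding and ICMP redirect settings from /etc/sysctl.conf and /etc/rc.local are actually in effect after a reboot (ipsec verify reports some of them but not all), here is an added POSIX shell checker that is not part of the original guide. It takes an optional root directory so it can be exercised against a constructed /proc tree; on a live host call it with no argument. The tree built by make_sample_proc is constructed for the demo and models a host where the rc.local loop never ran for eth0.

```sh
#!/bin/sh
# Added example: verify the kernel tunables this guide sets.

BAD=0
# expect_value FILE WANT: report a missing or mismatching tunable.
expect_value() {
    if [ ! -r "$1" ]; then
        printf 'missing: %s\n' "$1"; BAD=1
    elif [ "$(cat "$1")" != "$2" ]; then
        printf 'wrong:   %s = %s (want %s)\n' "$1" "$(cat "$1")" "$2"; BAD=1
    fi
}

# check_ipv4_tunables [ROOT]: ip_forward must be 1; accept_redirects,
# send_redirects and rp_filter must be 0 on every interface, exactly as the
# guide's rc.local block sets them (rp_filter=0 is a deliberate trade-off:
# it is what the guide asks for, not a hardening recommendation).
# Prints each offender and returns 1 if anything is off.
check_ipv4_tunables() {
    base="${1%/}/proc/sys/net/ipv4"
    BAD=0
    expect_value "$base/ip_forward" 1
    for d in "$base"/conf/*; do
        [ -d "$d" ] || continue
        expect_value "$d/accept_redirects" 0
        expect_value "$d/send_redirects" 0
        expect_value "$d/rp_filter" 0
    done
    return $BAD
}

# make_sample_proc ROOT: constructed /proc tree for a host where sysctl.conf
# was applied but rc.local did not run for eth0 (accept_redirects still 1).
make_sample_proc() {
    for iface in all default lo eth0; do
        mkdir -p "$1/proc/sys/net/ipv4/conf/$iface"
        echo 0 > "$1/proc/sys/net/ipv4/conf/$iface/accept_redirects"
        echo 0 > "$1/proc/sys/net/ipv4/conf/$iface/send_redirects"
        echo 0 > "$1/proc/sys/net/ipv4/conf/$iface/rp_filter"
    done
    echo 1 > "$1/proc/sys/net/ipv4/ip_forward"
    echo 1 > "$1/proc/sys/net/ipv4/conf/eth0/accept_redirects"
}

# Demo on the constructed tree; on a live host run: check_ipv4_tunables
root=$(mktemp -d)
make_sample_proc "$root"
check_ipv4_tunables "$root" || echo "fix the lines above, e.g. by re-running the rc.local loop"
```

A clean run prints nothing and exits 0, which makes it convenient to wire into a post-boot check or a monitoring script.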

Helpful links

http://confoundedtech.blogspot.com/2011/08/android-nexus-one-ipsec-psk-vpn-with.html

http://coding.zencoffee.org/2012/10/ipsecl2tp-vpn-server-on-centos-6-psk.html

http://amadys.blogspot.com/2010/06/openswan-2626-ipsec-for-linux.html

http://comments.gmane.org/gmane.network.openswan.user/20373

http://www.drlongghost.com/wordpress/2011/04/22/trying-to-get-iphone-to-ubuntu-vpn-working-with-openswan/

http://www.pariahzero.net/Blog/files/e7d5abf84a96640d5cd70dd0dfb3d200-71.html

http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-with-ubuntu-1004-and-strongswan/

Categories: CentOS, Linux, VPN

Time: 2024-08-08 10:52:28
