当前位置:8090社团 >环境搭建 > 查看文章
阿里云优惠码
01·02

Linux L2TP VPN install

标签:, , , , , 环境搭建

一、简介
第二次隧道协议L2TP(Layer 2 Tunneling Protocol)是一种工业标准的Internet隧道协议, 它使用UDP的1701端口进行通信。

L2TP本身并没有任何加密, 但是我们可以是用IPSec对L2TP包进行加密。 L2TP VPN比PPTP VPN搭建复杂一些。

二、安装IPsec, Openswan是Linux系统上IPsec的一个实现

1. 查看系统版本及内核, 关闭selinux

[root@L2TP ~]# uname -r && cat /etc/redhat-release
2.6.32-358.el6.x86_64
CentOS release 6.4 (Final)
[root@L2TP ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
[root@L2TP ~]# reboot

2. 用yum安装L2TP所需软件包

[root@L2TP ~]# yum -y install gcc gmp-devel bison flex lsof openswan

3. 编辑ipsec配置文件

[root@L2TP ~]# vim /etc/ipsec.conf
添加到最后一行
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=服务器公网IPV4地址
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

4. 设置PSK预共享密钥

[root@L2TP ~]# vim /etc/ipsec.secrets
服务器公网IPV4地址 %any: PSK "8090st.com"

5. 修改包转发设置

[root@L2TP ~]# vim /etc/rc.local
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

[root@L2TP ~]# source !$
[root@L2TP ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1          #将0改为1
[root@L2TP ~]# sysctl -p

6. 重启IPSec测试

[root@L2TP ~]# /etc/init.d/ipsec start
[root@L2TP ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.i686 (netkey)
Checking for IPsec support in kernel                        	[OK]
 SAref kernel support                                       	[N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Testing against enforced SElinux mode                       	[OK]
Checking that pluto is running                              	[OK]
 Pluto listening for IKE on udp 500                         	[OK]
 Pluto listening for NAT-T on udp 4500                      	[OK]
Checking for 'ip' command                                   	[OK]
Checking /bin/sh is not /bin/dash                           	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]

没有报[FAILED]就可以了。如果报[FAILED] 按照下面方法解决

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!

Run these two as root:

# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done

[root@L2TP ~]# tail -f /var/log/secure
192.168.15.20 #4: STATE_QUICK_R2: IPsec SA established transport mode

如果出现了类似记录即正常。

二、安装L2TP(xl2tpd和rp-l2tp)
1. 安装关联包

[root@L2TP ~]# yum -y install libpcap-devel ppp

2. 安装L2TP

[root@L2TP ~]# cd /usr/local/src/
[root@L2TP src]# wget http://downloads.8090st.com/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
[root@L2TP src]# tar -zxvf rp-l2tp-0.4.gz
[root@L2TP src]# cd rp-l2tp-0.4
[root@L2TP rp-l2tp-0.4]# ./configure
[root@L2TP rp-l2tp-0.4]# echo $?
0
[root@L2TP rp-l2tp-0.4]# make
[root@L2TP rp-l2tp-0.4]# echo $?
0
[root@L2TP rp-l2tp-0.4]# cp handlers/l2tp-control /usr/local/sbin/
[root@L2TP rp-l2tp-0.4]# mkdir /var/run/xl2tpd
[root@L2TP rp-l2tp-0.4]# ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
[root@L2TP rp-l2tp-0.4]# cd ../
[root@L2TP src]# wget  http://downloads.8090st.com/xl2tpd/xl2tpd-1.2.4.tar.gz
[root@L2TP src]# tar -zxvf xl2tpd-1.2.4.tar.gz 
[root@L2TP src]# cd xl2tpd-1.2.4
[root@L2TP xl2tpd-1.2.4]# make install

3. 配置

[root@L2TP xl2tpd-1.2.4]# mkdir /etc/xl2tpd
[root@L2TP xl2tpd-1.2.4]# vim /etc/xl2tpd/xl2tpd.conf
注意, ip range不要和你的lan ip冲突。
=====在文件末尾行添加如下=====
[global]
ipsec saref = yes
[lns default]
ip range = 10.10.10.10-10.10.10.20
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
=========结      束=========

4. 修改ppp配置

[root@L2TP xl2tpd-1.2.4]# vim /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

5. 添加用户名/密码

[root@L2TP xl2tpd-1.2.4]# vim /etc/ppp/chap-secrets

# client          server     secret                  IP addresses
  vpnuser       l2tpd     vpnpasswd                 *

6. 启用包转发

[root@L2TP xl2tpd-1.2.4]# iptables --table nat --append POSTROUTING --jump MASQUERADE
[root@L2TP xl2tpd-1.2.4]# /etc/init.d/iptables save

7.启动l2tp

[root@L2TP xl2tpd-1.2.4]# /usr/local/sbin/xl2tpd -D     #以debug方式启动l2tp

[root@L2TP xl2tpd-1.2.4]# /usr/local/sbin/xl2tpd -s start     #启动l2tp
[root@L2TP xl2tpd-1.2.4]# lsof -i udp:1701                    #检查l2tp端口
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
xl2tpd  3324 root    3u  IPv4  19295      0t0  UDP *:l2tp

 

8.扫尾工作
[root@L2TP xl2tpd-1.2.4]# vim /etc/rc.local
====在文件末尾行添加如下====


iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
/usr/local/sbin/xl2tpd

 

本文链接:https://www.8090st.com/linux-l2tp-vpn-install.html 转载请注明出处.
如果喜欢:点此订阅本站
迷城
如果一件事情值得去做,那它就值得做好。
查看Ta的专栏 | 腾讯微博
关于本文小编
相关文章
为您推荐
各种观点
暂时还木有人评论,坐等沙发!
发表评论

快捷键:Ctrl+Enter