I. Introduction
The Layer 2 Tunneling Protocol (L2TP) is an industry-standard Internet tunnelling protocol; it communicates over UDP port 1701. L2TP itself does no encryption at all, but the L2TP packets can be wrapped in IPsec, which is what this guide does. An L2TP/IPsec VPN is somewhat more involved to set up than a PPTP VPN. Keep the division of labour in mind while configuring it: IPsec (Openswan, authenticated here by a single pre-shared key that every client receives) is the only thing that protects the tunnel; the PPP layer inside it only authenticates users with MS-CHAPv2, which is not safe to expose on the network by itself.
II. Installing IPsec (Openswan is an IPsec implementation for Linux)
1. Check the system version and kernel, and disable SELinux
[root@L2TP ~]# uname -r && cat /etc/redhat-release
2.6.32-358.el6.x86_64
CentOS release 6.4 (Final)
[root@L2TP ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
[root@L2TP ~]# reboot
Disabling SELinux removes a hardening layer from a host that will be exposed on UDP 500, 4500 and 1701. The `ipsec verify` check in step 6 is only "Testing against enforced SElinux mode", so `SELINUX=permissive` is the less drastic way to satisfy it while you work out a policy; `disabled` is simply what this guide uses.
2. Install the packages L2TP needs with yum
[root@L2TP ~]# yum -y install gcc gmp-devel bison flex lsof openswan
3. Edit the IPsec configuration file
[root@L2TP ~]# vim /etc/ipsec.conf
Append the following at the end of the file (replace the `left=` placeholder with the server's public IPv4 address):
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=<server public IPv4 address>
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Notes: the openswan package already ships an /etc/ipsec.conf with a `config setup` section, so merge these `config setup` keys into the existing section rather than adding a second one. `type=transport` together with `leftprotoport=17/1701` means IPsec protects only the L2TP traffic between the two endpoints, which is the standard L2TP/IPsec layout; `pfs=no` and `rekey=no` are concessions to the built-in Windows and Apple clients, not security choices.
4. Set the pre-shared key (PSK)
[root@L2TP ~]# vim /etc/ipsec.secrets
<server public IPv4 address> %any: PSK "8090st.com"
The address at the start of the line must be the same one used for `left=` in ipsec.conf, since Openswan selects the PSK by address. "8090st.com" is only a placeholder: this is a group key that every client is given, so use a long random string, and keep the file mode 600, because it stores the key in cleartext.
5. Change the packet-forwarding settings
[root@L2TP ~]# vim /etc/rc.local
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
[root@L2TP ~]# source !$
[root@L2TP ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1    # change 0 to 1
[root@L2TP ~]# sysctl -p
`source !$` re-uses the last argument of the previous command (/etc/rc.local) and runs it in the current shell, so the redirect settings take effect immediately rather than only at the next boot.
6. Start IPsec and test it
[root@L2TP ~]# /etc/init.d/ipsec start
[root@L2TP ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.i686 (netkey)
Checking for IPsec support in kernel                        [OK]
SAref kernel support                                        [N/A]
NETKEY: Testing for disabled ICMP send_redirects            [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Testing against enforced SElinux mode                       [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
As long as nothing reports [FAILED], you are done. If the ICMP redirect checks report [FAILED], `ipsec verify` prints the fix itself; run it as shown:
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
Run these two as root:
# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
[root@L2TP ~]# tail -f /var/log/secure
192.168.15.20 #4: STATE_QUICK_R2: IPsec SA established transport mode
A line like this means the IPsec side is working: the client at 192.168.15.20 has negotiated a transport-mode SA, which is what `type=transport` in ipsec.conf asks for. Nothing is logged until a client actually attempts a connection, so test from a real client rather than waiting on the log.
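The two files edited in steps 3 and 4 have to agree on the server address, and the PSK is a group secret every client receives, so it is worth generating it rather than typing one. The script below is an added example, not code from the original page or from Openswan: it generates a random PSK, writes the one-line ipsec.secrets entry the page uses with root-only permissions, and checks that the address on that line matches `left=` in ipsec.conf. Paths are parameters so it can be run against scratch copies; 203.0.113.10 is a constructed placeholder address, and the 20-character minimum is an assumed threshold.

```shell
#!/bin/sh
# Added example, not from the original page: generate a strong pre-shared key,
# write the one-line /etc/ipsec.secrets entry the page uses, and check that the
# address on that line matches left= in /etc/ipsec.conf. Paths are parameters so
# the functions can be run against scratch copies; 203.0.113.10 is a constructed
# placeholder address. Needs coreutils (base64, head).

# gen_psk: 32 random bytes, base64-encoded (44 characters, no newline).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets SERVER_IP SECRETS_FILE PSK
# Writes '<ip> %any: PSK "<psk>"' and keeps the cleartext key root-only.
write_secrets() {
    printf '%s %%any: PSK "%s"\n' "$1" "$3" > "$2"
    chmod 600 "$2"
}

# conf_left CONF_FILE: first left= value in the file (leftprotoport= is skipped).
conf_left() {
    sed -n 's/^[[:space:]]*left=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# secrets_ip SECRETS_FILE: the address in front of '%any: PSK'.
secrets_ip() {
    sed -n 's/^\([^[:space:]]*\)[[:space:]]*%any:[[:space:]]*PSK.*/\1/p' "$1" | head -n 1
}

# secrets_psk SECRETS_FILE: the quoted PSK itself.
secrets_psk() {
    sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_secrets CONF_FILE SECRETS_FILE
# Returns 0 when the addresses agree and the PSK has at least 20 characters
# (assumed threshold); prints each problem found. Openswan selects the PSK by
# address pair, so a stale or mistyped address here is a classic cause of
# failed IKE authentication.
check_secrets() {
    conf=$1; sec=$2; rc=0
    left=$(conf_left "$conf"); ip=$(secrets_ip "$sec"); psk=$(secrets_psk "$sec")
    if [ -z "$left" ] || [ "$left" != "$ip" ]; then
        echo "MISMATCH: ipsec.conf left='$left' but ipsec.secrets uses '$ip'"; rc=1
    fi
    if [ "${#psk}" -lt 20 ]; then
        echo "WEAK: PSK is ${#psk} characters; use gen_psk output instead"; rc=1
    fi
    return $rc
}

# Demo on scratch files (constructed; does not touch /etc).
demo() {
    t=$(mktemp -d)
    printf 'conn L2TP-PSK-noNAT\n    authby=secret\n    left=203.0.113.10\n    leftprotoport=17/1701\n' > "$t/ipsec.conf"
    write_secrets 203.0.113.10 "$t/ipsec.secrets" "$(gen_psk)"
    check_secrets "$t/ipsec.conf" "$t/ipsec.secrets" && echo "ipsec.secrets OK"
    write_secrets 203.0.113.10 "$t/page.secrets" "8090st.com"
    check_secrets "$t/ipsec.conf" "$t/page.secrets" || echo "the page's example key was rejected"
    rm -rf "$t"
}
demo
```

On the live host, run `write_secrets <server IP> /etc/ipsec.secrets "$(gen_psk)"` once, then `check_secrets /etc/ipsec.conf /etc/ipsec.secrets` after any edit to either file and before restarting ipsec; the same PSK has to be entered on every client.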
III. Installing L2TP (xl2tpd and rp-l2tp)
1. Install the dependencies
[root@L2TP ~]# yum -y install libpcap-devel ppp
2. Install L2TP
[root@L2TP ~]# cd /usr/local/src/
[root@L2TP src]# wget http://downloads.8090st.com/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
[root@L2TP src]# tar -zxvf rp-l2tp-0.4.tar.gz
[root@L2TP src]# cd rp-l2tp-0.4
[root@L2TP rp-l2tp-0.4]# ./configure
[root@L2TP rp-l2tp-0.4]# echo $?
0
[root@L2TP rp-l2tp-0.4]# make
[root@L2TP rp-l2tp-0.4]# echo $?
0
[root@L2TP rp-l2tp-0.4]# cp handlers/l2tp-control /usr/local/sbin/
[root@L2TP rp-l2tp-0.4]# mkdir /var/run/xl2tpd
[root@L2TP rp-l2tp-0.4]# ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
[root@L2TP rp-l2tp-0.4]# cd ../
[root@L2TP src]# wget http://downloads.8090st.com/xl2tpd/xl2tpd-1.2.4.tar.gz
[root@L2TP src]# tar -zxvf xl2tpd-1.2.4.tar.gz
[root@L2TP src]# cd xl2tpd-1.2.4
[root@L2TP xl2tpd-1.2.4]# make install
Both tarballs are fetched over plain HTTP from a third-party mirror with no checksum or signature check, and they are then built and installed as root. Compare each archive against the checksum or signature published by the upstream project before running `make`.
3. Configuration
[root@L2TP xl2tpd-1.2.4]# mkdir /etc/xl2tpd
[root@L2TP xl2tpd-1.2.4]# vim /etc/xl2tpd/xl2tpd.conf
Note: the ip range must not collide with the addresses on your LAN.
=====add the following at the end of the file=====
[global]
ipsec saref = yes

[lns default]
ip range = 10.10.10.10-10.10.10.20
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
=========end=========
Two things to be aware of: `ipsec verify` reported SAref kernel support as [N/A] on this kernel, so `ipsec saref = yes` has nothing to work with here, and in any case xl2tpd listens on UDP 1701 for everyone and does not itself require that a session arrived through IPsec. Unless the firewall accepts UDP 1701 only for packets matched by an IPsec policy (iptables `-m policy --dir in --pol ipsec`) and drops the rest, a client can skip IPsec entirely and perform the MS-CHAPv2 exchange in the clear.
4. Edit the PPP options
[root@L2TP xl2tpd-1.2.4]# vim /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
`name l2tpd` is the server name that entries in chap-secrets must match. `debug` (together with `ppp debug = yes` above) sends verbose PPP negotiation detail to syslog; `hide-password` keeps the secrets out of it, but turn the debugging off once the tunnel works.
5. Add a username and password
[root@L2TP xl2tpd-1.2.4]# vim /etc/ppp/chap-secrets
# client    server    secret       IP addresses
vpnuser     l2tpd     vpnpasswd    *
The `server` column must match `name l2tpd` in options.xl2tpd, and `*` lets the user take any address from the pool. The secrets are stored in cleartext, so keep the file mode 600; one line per user, with an individual password each.
6. Enable NAT for the forwarded traffic
[root@L2TP xl2tpd-1.2.4]# iptables --table nat --append POSTROUTING --jump MASQUERADE
[root@L2TP xl2tpd-1.2.4]# /etc/init.d/iptables save
As written, this rule masquerades everything the host forwards, not only the VPN clients; add a source match for the pool from xl2tpd.conf (10.10.10.0/24) so that only VPN traffic is NATed. `iptables save` makes the rule persistent, so it does not need to be added again from rc.local in step 8.
7. Start L2TP
[root@L2TP xl2tpd-1.2.4]# /usr/local/sbin/xl2tpd -D    # start xl2tpd in debug mode (stays in the foreground)
[root@L2TP xl2tpd-1.2.4]# /usr/local/sbin/xl2tpd -s start    # start xl2tpd as a daemon
[root@L2TP xl2tpd-1.2.4]# lsof -i udp:1701    # check the L2TP port
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
xl2tpd  3324 root    3u  IPv4  19295      0t0  UDP *:l2tp
Note that `-s` is xl2tpd's option for an alternate L2TP secrets file, so `-s start` merely points it at a file named "start"; the daemon starts either way, and a plain `/usr/local/sbin/xl2tpd` (as used in rc.local in step 8) does the same job.
8. Finishing up
[root@L2TP xl2tpd-1.2.4]# vim /etc/rc.local
====add the following at the end of the file====
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
/usr/local/sbin/xl2tpd
Step 5 already placed the redirect loop in rc.local and `iptables save` in step 6 already persists the MASQUERADE rule, so taken literally this block runs the loop twice and appends a second copy of the NAT rule on every boot; keep one copy of each. xl2tpd is started without a config path and therefore reads /etc/xl2tpd/xl2tpd.conf from step 3.
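Once the host has rebooted, the settings from steps 5 through 8 are the ones that decide whether the VPN is both working and not wide open. The audit below is an added example, not code from the original page or from the xl2tpd or Openswan projects: each check reads one input (its live source is given in the comment) so the same functions run against the real host or against constructed samples. It assumes GNU stat and grep, the pool 10.10.10.0/24 from xl2tpd.conf, and a filter rule set that admits UDP 1701 only through IPsec, which this page does not configure and which is assumed as the desired end state.

```shell
#!/bin/sh
# Added example, not from the original page: a post-install audit for the
# L2TP/IPsec host built above. Every check takes a path, so it runs against the
# live host (live sources in the comments) or against constructed samples.
# VPN_NET is the pool from "ip range" in xl2tpd.conf; needs GNU stat and grep.

VPN_NET=10.10.10.0/24

# check_redirects CONF_DIR   (live: /proc/sys/net/ipv4/conf)
# NETKEY needs accept_redirects and send_redirects at 0 on every interface.
check_redirects() {
    rc=0
    for f in "$1"/*/accept_redirects "$1"/*/send_redirects; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || { echo "REDIRECTS: $f is $(cat "$f"), want 0"; rc=1; }
    done
    return $rc
}

# check_forward FILE   (live: /proc/sys/net/ipv4/ip_forward)
check_forward() {
    [ "$(cat "$1")" = "1" ] && return 0
    echo "FORWARD: $1 is $(cat "$1"), want 1"; return 1
}

# check_masquerade RULES_FILE   (live: iptables-save -t nat > RULES_FILE)
# Exactly one POSTROUTING MASQUERADE rule, limited to the VPN pool: the page's
# unrestricted rule NATs everything the host forwards, and adding it through
# both "iptables save" and rc.local leaves two copies after every boot.
check_masquerade() {
    rules=$(grep -e '^-A POSTROUTING .*-j MASQUERADE' "$1" || true)
    n=$(printf '%s\n' "$rules" | grep -c MASQUERADE || true)
    case $n in
        0) echo "NAT: no MASQUERADE rule in POSTROUTING"; return 1 ;;
        1) ;;
        *) echo "NAT: $n MASQUERADE rules; rc.local duplicates the saved rule"; return 1 ;;
    esac
    case $rules in
        *"-s $VPN_NET "*) return 0 ;;
        *) echo "NAT: MASQUERADE not limited to $VPN_NET: $rules"; return 1 ;;
    esac
}

# check_l2tp_filter RULES_FILE   (live: iptables-save -t filter > RULES_FILE)
# xl2tpd answers plain UDP/1701 from anyone, so INPUT should accept L2TP only
# when it arrived through IPsec (-m policy --dir in --pol ipsec) and drop the
# rest; otherwise a client can skip IPsec and expose its MS-CHAPv2 exchange.
check_l2tp_filter() {
    grep -e '^-A INPUT ' "$1" | grep -e '--dport 1701' | grep -e '--pol ipsec' | grep -q -e '-j ACCEPT' \
        || { echo "L2TP: no IPsec-only ACCEPT for udp/1701"; return 1; }
    grep -e '^-A INPUT ' "$1" | grep -e '--dport 1701' | grep -v -e '--pol ipsec' | grep -q -e '-j DROP' \
        || { echo "L2TP: no DROP for udp/1701 outside IPsec"; return 1; }
}

# check_ports LISTEN_FILE   (live: netstat -lun > LISTEN_FILE, or ss -lun)
# IKE on udp/500 and NAT-T on udp/4500 (pluto), L2TP on udp/1701 (xl2tpd).
check_ports() {
    rc=0
    for p in 500 4500 1701; do
        grep -Eq ":$p[[:space:]]" "$1" || { echo "PORT: nothing on udp/$p"; rc=1; }
    done
    return $rc
}

# check_secret_file FILE...   (live: /etc/ipsec.secrets /etc/ppp/chap-secrets)
# Both hold cleartext credentials and must not be group/world readable.
check_secret_file() {
    rc=0
    for f in "$@"; do
        m=$(stat -c '%a' "$f")
        case $m in 600|400) ;; *) echo "PERMS: $f is mode $m, want 600"; rc=1 ;; esac
    done
    return $rc
}

# Demo on constructed samples (not the live host): one good configuration.
demo() {
    t=$(mktemp -d)
    for d in all eth0; do
        mkdir -p "$t/conf/$d"; echo 0 > "$t/conf/$d/accept_redirects"; echo 0 > "$t/conf/$d/send_redirects"
    done
    echo 1 > "$t/ip_forward"
    printf '%s\n' "-A POSTROUTING -s $VPN_NET -j MASQUERADE" > "$t/nat"
    printf '%s\n' '-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT' \
                  '-A INPUT -p udp -m udp --dport 1701 -j DROP' > "$t/filter"
    printf 'udp 0 0 0.0.0.0:%s 0.0.0.0:*\n' 500 4500 1701 > "$t/listen"
    : > "$t/chap-secrets"; chmod 600 "$t/chap-secrets"
    check_redirects "$t/conf" && check_forward "$t/ip_forward" && check_masquerade "$t/nat" \
        && check_l2tp_filter "$t/filter" && check_ports "$t/listen" \
        && check_secret_file "$t/chap-secrets" && echo "all checks passed"
    rm -rf "$t"
}
demo
```

Against the live host, feed the checks `/proc/sys/net/ipv4/conf`, `/proc/sys/net/ipv4/ip_forward`, the output of `iptables-save -t nat` and `iptables-save -t filter`, the output of `netstat -lun`, and the two secrets files; a non-zero return from any check names the setting to fix, and the MASQUERADE count going to 2 after a reboot is the duplicate-rule problem from step 8.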