L2TP+IPsec vpn搭建 - 靳闯博客

参考 CentOS6.X 配置L2TP For IPsec VPN服务器详细步骤

基于阿里云新加坡的centos6.x搭建l2tp+ipsec vpn

安装几个需要的软件包

yum install wget lsof vim nss

【我是阿里云机器默认是阿里云的源不用修改】改下yum源，使用阿里云的yum源

centos|ubuntu更改yum源为阿里云的yum源

#安装开发软件包组
yum groupinstall "Development tools" -y

安装ipsec 和 xl2tpd

#openswan 也就是ipsec
yum install openswan

#由于yum源中没有，我们手动下载xl2tpd rpm包
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/x/xl2tpd-1.3.8-1.el6.x86_64.rpm

#这里安装xl2tpd 会自动把ppp和其他需要的包给安装上
yum install xl2tpd-1.3.8-1.el6.x86_64.rpm

配置ipsec预共享秘钥，和修改配置文件

#添加预共享秘钥
vim /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
#下面一行为添加的: ip可以为任意也可以为你的外网ip地址,"vpn"就是连接时需要用的秘钥，自己定义即可
0.0.0.0 %any: PSK "vpn"



#修改ipsec.conf 配置文件
vim /etc/ipsec.conf
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf

#下面为新添加，注意left这个IP地址，如果你是云服务器且还只能看到内网ip看不到外网ip的，这里就填写内网ip地址。
conn l2tp-psk
    rightsubnet=vhost:%priv
    also=l2tp-psk-nonat
conn l2tp-psk-nonat
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.18.212.34
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    sha2-truncbug=yes

修改xl2tpd 相关配置文件

#修改vpn连接ip 和 分配客户端的地址池
vim /etc/xl2tpd/xl2tpd.conf 
[global]
#连接ip地址，我用的弹性ip地址，机器内看不到外网ip这里就填写内网ip地址
listen-addr = 172.18.212.34

#分配的地址网段自定义即可
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


#修改拨入获取的dns
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
#dns根据实际情况情况而定，你上国际网站那就默认的即可，加速的话用国内dns即可
ms-dns  8.8.8.8
ms-dns 114.114.114.114
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

配置连接的用户账号和密码

vim /etc/ppp/chap-secrets
#按格式添加即可，中间用空格或者tab隔开
# Secrets for authentication using CHAP
# client    server    secret            IP addresses
jinc    *    123456    *

现在配置内核选项，linux的路由转发等

vim /etc/sysctl.conf
#如果有的直接修改，没有的添加
net.ipv4.ip_forward = 1   #修改为1 表示打开路由转发功能
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.lo.rp_filter=0

#使修改的配置生效
sysctl -p

#启动服务  这里如果启动失败或者报错，请检查配置文件，或是否安装了需要的包
service xl2tpd start
service ipsec start

#验证ipsec 是否完全正确
ipsec verify

#一般来说 没有error 和fail 就可以了，对应有问题的可能是少装什么包或者哪里没有配置好
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.10.1.el6.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Hardware random device                                [N/A]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options              [OK]
Opportunistic Encryption                              [DISABLED]

手机端配置连接

#观察日志
Mar  6 12:05:32 debug010000002015 xl2tpd[23389]: Connection established to 210.123.73.45, 58164.  Local: 65126, Remote: 50489 (ref=0/0).  LNS session is 'default'
Mar  6 12:05:32 debug010000002015 xl2tpd[23389]: Call established with 210.123.73.45, Local: 8094, Remote: 17899, Serial: -1408866546
Mar  6 12:05:32 debug010000002015 pppd[24590]: pppd 2.4.5 started by root, uid 0
Mar  6 12:05:32 debug010000002015 pppd[24590]: Using interface ppp0
Mar  6 12:05:32 debug010000002015 pppd[24590]: Connect: ppp0 <--> /dev/pts/1
Mar  6 12:05:32 debug010000002015 pppd[24590]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Mar  6 12:05:32 debug010000002015 pppd[24590]: Cannot determine ethernet address for proxy ARP
Mar  6 12:05:32 debug010000002015 pppd[24590]: local  IP address 192.168.1.1
Mar  6 12:05:32 debug010000002015 pppd[24590]: remote IP address 192.168.1.129

如果以上的配置都没有问题，连接也是没问题的了，但是连接后不能上网的，接下来配置iptables转发

#我这里清空所有规则，只配置了转发的方便测试。
iptables -F
iptables -F -t nat
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
service iptables save
service iptables restart

手机访问测试

或许你不想写点什么·但我依旧在这里