Installing an L2TP/IPSec VPN on CentOS 5.8 Linux

The Layer 2 Tunneling Protocol (L2TP) is an industry-standard Internet tunnelling protocol that communicates over UDP port 1701. L2TP itself provides no encryption, but the L2TP packets can be protected with IPSec. Setting up an L2TP VPN is somewhat more involved than setting up a PPTP VPN.
IPSec uses a pre-shared key (PSK) for encryption and authentication, L2TP does the encapsulation, and PPP performs the actual user authentication.
I. Deploying IPSec: installing Openswan
1. Install the dependencies

  yum install make gcc gmp-devel bison flex

2. Build and install
Openswan is used to provide IPSec.

  wget http://ftp.openswan.org/openswan/openswan-2.6.38.tar.gz
  tar zxvf openswan-2.6.38.tar.gz
  cd openswan-2.6.38
  make programs install

3. Configure IPsec
vi /etc/ipsec.conf

  config setup
  	nat_traversal=yes
  	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  	oe=off
  	protostack=netkey

  conn L2TP-PSK-NAT
  	rightsubnet=vhost:%priv
  	also=L2TP-PSK-noNAT

  conn L2TP-PSK-noNAT
  	authby=secret
  	pfs=no
  	auto=add
  	keyingtries=3
  	rekey=no
  	ikelifetime=8h
  	keylife=1h
  	type=transport
  	left=YOUR.SERVER.IP
  	leftprotoport=17/1701
  	right=%any
  	rightprotoport=17/%any

YOUR.SERVER.IP is the VPN server's public IP address.
Note that the parameter lines inside each section are indented with a tab; without that indentation you may get the following error:

  failed to start openswan IKE daemon - the following error occured:
  can not load config '/etc/ipsec.conf': /etc/ipsec.conf:58: syntax error, unexpected KEYWORD, expecting $end [rightsubnet]
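The indentation error above is easy to cause when the configuration is pasted from a web page. As an added check that is not part of the original post, the following shell lint (assuming only POSIX sh and awk) flags key=value lines in an ipsec.conf that sit at column 0 inside a section; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: lint an Openswan ipsec.conf for
# parameter lines that are not indented inside their section.  Openswan's
# parser expects every key=value line under a "config setup" or "conn NAME"
# header to begin with whitespace (a tab in the post; spaces also work); a
# key=value line at column 0 produces the "syntax error, unexpected KEYWORD"
# failure quoted above.

# Print "LINE: text" for each offending line of the file given as $1.
# Returns 0 when the file is clean, 1 when at least one line is flagged.
lint_ipsec_conf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }                 # blanks and comments
        /^(config|conn|include|version)[ \t]/ { next }    # headers belong at col 0
        /^[^ \t]/ && /=/ { printf "%d: %s\n", NR, $0; bad = 1 }
        END { if (bad) exit 1 }
    ' "$1"
}

# Constructed sample: "config setup" is indented correctly, but two lines in
# the conn block lost their leading whitespace when copied from a web page.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    nat_traversal=yes
    protostack=netkey

conn L2TP-PSK-noNAT
authby=secret
    type=transport
left=YOUR.SERVER.IP
EOF
}

# Usage against the real file:   lint_ipsec_conf /etc/ipsec.conf
# Dry run on the sample:          write_sample_conf /tmp/ipsec.test && lint_ipsec_conf /tmp/ipsec.test
```

On the sample file the lint reports lines 6 and 8 and exits non-zero; once every parameter line under a section header starts with whitespace it is silent.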

4. Set the shared key

vi /etc/ipsec.secrets

  YOUR.SERVER.IP %any: PSK "YourSharedSecret"

YOUR.SERVER.IP is the VPN server's public IP address.
YourSharedSecret is the pre-shared key.

5. Adjust the packet-forwarding settings

  for each in /proc/sys/net/ipv4/conf/*
  do
      echo 0 > $each/accept_redirects
      echo 0 > $each/send_redirects
  done

  echo 1 >/proc/sys/net/core/xfrm_larval_drop
  echo 1 >/proc/sys/net/ipv4/ip_forward

  sed -i '/net.ipv4.ip_forward / {s/0/1/g} ' /etc/sysctl.conf
  sed -i '/net.ipv4.conf.default.rp_filter / {s/1/0/g} ' /etc/sysctl.conf
  touch /var/lock/subsys/local

6. Restart IPSec and test

/etc/init.d/ipsec restart

  ipsec_setup: Stopping Openswan IPsec...
  ipsec_setup: stop ordered, but IPsec appears to be already stopped!
  ipsec_setup: doing cleanup anyway...
  ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.18-308.el5..

ipsec verify
As long as nothing is reported as [FAILED], you are fine.

  Checking your system to see if IPsec got installed and started correctly:
  Version check and ipsec on-path                                 [OK]
  Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey)
  Checking for IPsec support in kernel                            [OK]
   SAref kernel support                                           [N/A]
   NETKEY:  Testing XFRM related proc values                      [OK]
          [OK]
          [OK]
  Checking that pluto is running                                  [OK]
   Pluto listening for IKE on udp 500                             [OK]
   Pluto listening for NAT-T on udp 4500                          [OK]
  Two or more interfaces found, checking IP forwarding            [FAILED]
  Checking NAT and MASQUERADEing                                  [OK]
  Checking for 'ip' command                                       [OK]
  Checking /bin/sh is not /bin/dash                               [OK]
  Checking for 'iptables' command                                 [OK]
  Opportunistic Encryption Support                                [DISABLED]

Error 1:
SAref kernel support [N/A]
In the file /etc/xl2tpd/xl2tpd.conf set

  [global]
  ipsec saref = no

Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey)
Running in netkey mode does not support multiple NATed clients on the same LAN; with SAref kernel support enabled and running in klips mode it is supported.

Error 2:
Two or more interfaces found, checking IP forwarding
Change ip_forward; as long as cat /proc/sys/net/ipv4/ip_forward returns 1, you are fine.
  echo 1 >/proc/sys/net/ipv4/ip_forward

Error 3:
Please enable /proc/sys/net/core/xfrm_larval_drop
  echo 1 > /proc/sys/net/core/xfrm_larval_drop
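Errors 2 and 3, and the ICMP-redirect settings from step 5, all come down to a handful of values under /proc/sys. As an added example that is not part of the original post, the shell function below (POSIX sh only) reads those values from a proc root given as an argument and reports each one that differs from what the gateway needs; the fake proc tree it builds is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: verify the kernel settings that
# "ipsec verify" complains about (errors 2 and 3 above, plus the ICMP redirect
# settings from step 5) before restarting IPsec.  The proc root is a parameter
# so the same function can be run against a constructed directory tree.

# Print the contents of a proc file, or "missing" if it cannot be read.
proc_value() {
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# Report every setting that differs from what an L2TP/IPsec gateway needs.
# Prints one "path: got X, want Y" line per problem and returns the number of
# problems found, so it can be used directly in an "if".
check_ipsec_sysctls() {
    root=${1:-/proc}
    bad=0
    for want in sys/net/ipv4/ip_forward:1 sys/net/core/xfrm_larval_drop:1; do
        path=${want%%:*}
        val=${want##*:}
        got=$(proc_value "$root/$path")
        if [ "$got" != "$val" ]; then
            echo "$root/$path: got $got, want $val"
            bad=$((bad + 1))
        fi
    done
    # ICMP redirects must be off on every interface, as the loop in step 5 sets.
    for dir in "$root"/sys/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        for f in accept_redirects send_redirects; do
            got=$(proc_value "$dir/$f")
            if [ "$got" != 0 ]; then
                echo "$dir/$f: got $got, want 0"
                bad=$((bad + 1))
            fi
        done
    done
    return $bad
}

# Constructed fake /proc tree: ip_forward is still 0 and eth0 still accepts
# redirects, so a dry run should report exactly two problems.
make_fake_proc() {
    for d in sys/net/core sys/net/ipv4/conf/all sys/net/ipv4/conf/eth0; do
        mkdir -p "$1/$d"
    done
    echo 0 > "$1/sys/net/ipv4/ip_forward"
    echo 1 > "$1/sys/net/core/xfrm_larval_drop"
    for iface in all eth0; do
        echo 0 > "$1/sys/net/ipv4/conf/$iface/accept_redirects"
        echo 0 > "$1/sys/net/ipv4/conf/$iface/send_redirects"
    done
    echo 1 > "$1/sys/net/ipv4/conf/eth0/accept_redirects"
}

# Usage on the real system:  check_ipsec_sysctls || echo "fix the settings listed above"
```

Running it without an argument reads the live /proc; a kernel that lacks xfrm_larval_drop shows up as "missing", which is the same symptom the third error describes.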

II. Installing L2TP
1. Dependencies

  yum install libpcap-devel ppp

2. Build and install

  wget http://jaist.dl.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
  tar -zxvf rp-l2tp-0.4.tar.gz
  cd rp-l2tp-0.4
  ./configure
  make
  cp handlers/l2tp-control /usr/local/sbin/
  mkdir /var/run/xl2tpd/
  ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control


  wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz
  tar -zxvf xl2tpd-1.3.0.tar.gz
  cd xl2tpd-1.3.0
  make
  make install

The install step prints:

  install -d -m 0755 /usr/local/sbin
  install -m 0755 xl2tpd /usr/local/sbin/xl2tpd
  install -d -m 0755 /usr/local/share/man/man5
  install -d -m 0755 /usr/local/share/man/man8
  install -m 0644 doc/xl2tpd.8 /usr/local/share/man/man8/
  install -m 0644 doc/xl2tpd.conf.5 doc/l2tp-secrets.5 \
                   /usr/local/share/man/man5/
  # pfc
  install -d -m 0755 /usr/local/bin
  install -m 0755 pfc /usr/local/bin/pfc
  install -d -m 0755 /usr/local/share/man/man1
  install -m 0644 contrib/pfc.1 /usr/local/share/man/man1/
  # control exec
  install -d -m 0755 /usr/local/sbin
  install -m 0755 xl2tpd-control /usr/local/sbin/xl2tpd-control

3. Configure

  mkdir /etc/xl2tpd
  vi /etc/xl2tpd/xl2tpd.conf

  [global]
  ipsec saref = yes

  [lns default]
  ip range = 192.168.81.2-192.168.81.254
  ; the address of your internal interface
  local ip = 192.168.81.1
  refuse chap = yes
  refuse pap = yes
  require authentication = yes
  ppp debug = yes
  pppoptfile = /etc/ppp/options.xl2tpd
  length bit = yes

4. Edit the ppp configuration

vi /etc/ppp/options.xl2tpd

  require-mschap-v2
  ms-dns 8.8.8.8
  ms-dns 8.8.4.4
  asyncmap 0
  auth
  crtscts
  lock
  hide-password
  modem
  debug
  name l2tpd
  proxyarp
  lcp-echo-interval 30
  lcp-echo-failure 4

5. Add a username and password

vi /etc/ppp/chap-secrets

  # user      server      password            ip
  vpnuser        l2tpd       userpass        *

8. Start xl2tpd

  iptables -t nat -A POSTROUTING -s 192.168.81.0/24 -o eth0 -j MASQUERADE

  iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
  iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
  iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT

  iptables -I FORWARD -s 192.168.81.0/24 -j ACCEPT
  iptables -I FORWARD -d 192.168.81.0/24 -j ACCEPT

/usr/local/sbin/xl2tpd

Errors

  Feb 20 15:20:38 localc1g ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 250:  7859 Aborted                 (core dumped) /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  Feb 20 15:20:38 localc1g ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
  Feb 20 15:20:38 localc1g ipsec__plutorun: restarting IPsec after pause...

  Feb 20 16:58:47 localc1g pppd[13553]: The remote system is required to authenticate itself
  Feb 20 16:58:47 localc1g pppd[13553]: but I couldn't find any suitable secret (password) for it to use to do so.

Check that the server field in chap-secrets is correct.

  Feb 21 11:30:52 localc1g pluto[16897]: "L2TP-PSK-NAT"[11] 122.221.55.121 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
  Feb 21 11:30:52 localc1g pluto[16897]: | payload malformed after IV

Check that the client's PSK is correct.
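The pppd message above is what a mismatch between the "name l2tpd" line in options.xl2tpd and the server column of chap-secrets looks like. As an added check that is not part of the original post, the shell functions below (POSIX sh and awk only) pull the name out of the options file and list every chap-secrets entry whose server field can never match it; the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the pppd "name" in
# /etc/ppp/options.xl2tpd against the server column of /etc/ppp/chap-secrets.
# pppd only uses a CHAP secret whose server field equals its own name (or "*"),
# so an entry written for a different server name yields the "couldn't find
# any suitable secret" message quoted above.

# Print the value of the "name" option in a pppd options file ($1).
pppd_name() {
    awk '$1 == "name" { print $2; exit }' "$1"
}

# List chap-secrets entries ($1) whose server field can never match NAME ($2).
# Prints "LINE: user server" per bad entry; returns 1 if any, 0 otherwise.
check_chap_secrets() {
    awk -v name="$2" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }                    # blanks, comments
        NF < 3 { printf "%d: malformed entry\n", NR; bad = 1; next }
        $2 != name && $2 != "*" { printf "%d: %s %s\n", NR, $1, $2; bad = 1 }
        END { if (bad) exit 1 }
    ' "$1"
}

# Constructed sample files under directory $1: the options file names the
# server "l2tpd", but one chap-secrets entry was written for a server "vpn".
write_ppp_samples() {
    cat > "$1/options.xl2tpd" <<'EOF'
require-mschap-v2
auth
name l2tpd
EOF
    cat > "$1/chap-secrets" <<'EOF'
# user      server      password            ip
vpnuser     l2tpd       userpass            *
alice       vpn         otherpass           *
bob         *           anotherpass         *
EOF
}

# Usage on the real system:
#   check_chap_secrets /etc/ppp/chap-secrets "$(pppd_name /etc/ppp/options.xl2tpd)"
```

On the sample files only the "alice" entry is reported (its server field is "vpn"), while the "*" wildcard entry passes; the PSK mismatch logged by pluto further down is a separate problem, on the IPsec side, that this check does not cover.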

9. Run at boot
Put the following into /etc/rc.local:

  touch /var/lock/subsys/local
  for each in /proc/sys/net/ipv4/conf/*
  do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
  done
  echo 1 >/proc/sys/net/core/xfrm_larval_drop
  echo 1 >/proc/sys/net/ipv4/ip_forward
  /etc/init.d/ipsec restart
  /usr/local/sbin/xl2tpd


1. The "IPSEC Services" service is not running

Do the following in order:

Computer Management -> Services and Applications -> Services, find IPSEC Services, double-click it and set the startup type to Automatic.

Reboot, then set up the policy again.

2. How to start IPSEC Services

Supplement: if clicking Start shows the message
"Could not start the IPSEC Services service on Local Computer.
Error 1747: The authentication service is unknown"
then the startup type is already Automatic; it is the service it depends on that has not started, and it still will not start even after the network client has been installed.

Fix:
Code:
Start > Run, type CMD, and in the window enter: netsh winsock reset

3. Edit the registry
The default Windows XP L2TP transport policy does not allow L2TP traffic that is not protected by IPSec encryption. This default behaviour can be disabled by editing the Windows XP registry:
Manual edit:
1) In Windows XP, go to Start > Run, enter "Regedt32" to open the Registry Editor, and locate the key HKEY_Local_Machine / System / CurrentControlSet / Services / RasMan / Parameters.
2) Add the following value under that key:
Value name: ProhibitIpSec
Data type: reg_dword
Value: 1


One Response


  1. rolay says

    How much indentation is needed? It never passes.


