Installing an L2TP/IPSec VPN on CentOS 5.8 Linux

Layer 2 Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol; it communicates over UDP port 1701. L2TP itself provides no encryption, but the L2TP packets can be encrypted with IPSec. An L2TP VPN is somewhat more involved to set up than a PPTP VPN.
IPSec uses a pre-shared key (PSK) for encryption and authentication, L2TP handles encapsulation, and PPP handles the actual user authentication.
Part 1: Deploying IPSec (installing Openswan)
1. Install the dependencies

yum install make gcc gmp-devel bison flex

2. Build and install
Openswan is used to provide IPSec.

wget http://ftp.openswan.org/openswan/openswan-2.6.38.tar.gz
tar zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install

3. Configure ipsec
vi /etc/ipsec.conf

config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	oe=off
	protostack=netkey

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=YOUR.SERVER.IP
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any

YOUR.SERVER.IP is the VPN server's public IP.
Note that every line inside a config or conn section must be indented with a tab; otherwise you may get the error below:

failed to start openswan IKE daemon - the following error occured:
can not load config '/etc/ipsec.conf': /etc/ipsec.conf:58: syntax error, unexpected KEYWORD, expecting $end [rightsubnet]
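The parser error above is almost always an unindented key=value line inside a section (pluto reads a flush-left line as the start of a new section). The following check is an added example, not part of the original post or of Openswan: it walks an ipsec.conf and reports any line under a config or conn header that is not indented. The sample file it creates is constructed to contain the exact mistake from the note above; the check_ipsec_conf function name is this example's own.

```shell
#!/bin/sh
# check_ipsec_conf FILE
# Flags the mistake behind the "unexpected KEYWORD" error above: a key=value line
# that sits under a "config" or "conn" header but is not indented. Prints each
# offending line and returns 1 if any were found, 0 otherwise.
check_ipsec_conf() {
    awk '
        /^[ \t]*$/                { next }                  # blank line
        /^[ \t]*#/                { next }                  # comment
        /^(config|conn)[ \t]/     { in_section = 1; next }  # section header
        /^(version|include)[ \t]/ { next }                  # legal top-level statements
        /^[ \t]/                  { next }                  # indented: what pluto expects
        {
            if (in_section) {
                printf("%s:%d: not indented: %s\n", FILENAME, NR, $0)
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample reproducing the mistake from the note above (rightsubnet
# flush left under "conn L2TP-PSK-NAT"); this is not the author's file.
SAMPLE=$(mktemp)
printf 'config setup\n\tnat_traversal=yes\n\nconn L2TP-PSK-NAT\nrightsubnet=vhost:%%priv\n\talso=L2TP-PSK-noNAT\n' > "$SAMPLE"

if check_ipsec_conf "$SAMPLE"; then
    echo "$SAMPLE: indentation OK"
else
    echo "$SAMPLE: indent the lines listed above, then restart ipsec and run: ipsec verify"
fi
```

Run it against /etc/ipsec.conf before restarting the daemon; a clean exit status means the file has no flush-left keys, which is the one syntax problem this guide warns about (it does not validate key names or values).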

4. Set the shared key

vi /etc/ipsec.secrets

YOUR.SERVER.IP %any: PSK "YourSharedSecret"

YOUR.SERVER.IP is the VPN server's public IP.
YourSharedSecret is the pre-shared key.

5. Adjust the packet-forwarding settings

# Disable ICMP redirects on every interface (ipsec verify complains otherwise)
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done

# Required by the netkey stack, and enable forwarding for VPN clients
echo 1 >/proc/sys/net/core/xfrm_larval_drop
echo 1 >/proc/sys/net/ipv4/ip_forward

# Make forwarding and rp_filter settings persistent in /etc/sysctl.conf
sed -i '/net.ipv4.ip_forward / {s/0/1/g} ' /etc/sysctl.conf
sed -i '/net.ipv4.conf.default.rp_filter / {s/1/0/g} ' /etc/sysctl.conf


touch /var/lock/subsys/local

6. Restart IPSec and test

/etc/init.d/ipsec restart

ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.18-308.el5..

ipsec verify
As long as nothing reports [FAILED] you are fine.


Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Error 1:
SAref kernel support [N/A]
In /etc/xl2tpd/xl2tpd.conf set:

[global]
ipsec saref = no

Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey)
Running on the netkey stack does not support several clients behind the same NAT on one LAN;
with SAref kernel support enabled and the klips stack it is supported.

Error 2:
Two or more interfaces found, checking IP forwarding
Fix ip_forward; as long as cat /proc/sys/net/ipv4/ip_forward returns 1 this is fine:
echo 1 >/proc/sys/net/ipv4/ip_forward

Error 3:
Please enable /proc/sys/net/core/xfrm_larval_drop
echo 1 > /proc/sys/net/core/xfrm_larval_drop
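Errors 2 and 3 above, and the redirect settings from step 5, all come down to a handful of /proc/sys values that are easy to lose after a reboot. The script below is an added example (not from the post or from Openswan's own ipsec verify) that re-reads those values and reports them in the same [OK]/[FAILED] style. The optional root-directory argument and the function names verify_vpn_sysctls and _want_value are this example's own; the default root is the real /proc/sys.

```shell
#!/bin/sh
# verify_vpn_sysctls [PROC_SYS_ROOT]
# Re-checks the kernel settings this guide sets in step 5: ip_forward,
# xfrm_larval_drop, and accept/send_redirects plus rp_filter on every interface.
# PROC_SYS_ROOT defaults to /proc/sys; another directory (e.g. a copied tree)
# can be passed for testing. Returns 0 only if every value is as expected.

_want_value() {            # _want_value ROOT RELATIVE_PATH EXPECTED
    v=$(cat "$1/$2" 2>/dev/null) || v="(missing)"
    if [ "$v" = "$3" ]; then
        echo "[OK]     $2 = $v"
        return 0
    fi
    echo "[FAILED] $2 = $v (want $3)"
    return 1
}

verify_vpn_sysctls() {
    root=${1:-/proc/sys}
    rc=0
    _want_value "$root" net/ipv4/ip_forward 1           || rc=1
    _want_value "$root" net/core/xfrm_larval_drop 1     || rc=1
    # one conf/<iface> directory per interface, plus "all" and "default"
    for d in "$root"/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        rel=${d#"$root/"}
        _want_value "$root" "$rel/accept_redirects" 0   || rc=1
        _want_value "$root" "$rel/send_redirects" 0     || rc=1
        _want_value "$root" "$rel/rp_filter" 0          || rc=1
    done
    return $rc
}

if verify_vpn_sysctls; then
    echo "forwarding and redirect settings match step 5"
else
    echo "rerun the echo commands from step 5 and check /etc/sysctl.conf"
fi
```

Because the step 5 echo commands only change the running kernel, running this after a reboot is the quickest way to see whether the sysctl.conf edits actually took effect.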

Part 2: Installing L2TP
1. Dependencies

yum install libpcap-devel ppp

2. Build and install

wget http://jaist.dl.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar -zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz
tar -zxvf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
make
make install

Output of the install:

install -d -m 0755 /usr/local/sbin
install -m 0755 xl2tpd /usr/local/sbin/xl2tpd
install -d -m 0755 /usr/local/share/man/man5
install -d -m 0755 /usr/local/share/man/man8
install -m 0644 doc/xl2tpd.8 /usr/local/share/man/man8/
install -m 0644 doc/xl2tpd.conf.5 doc/l2tp-secrets.5 \
/usr/local/share/man/man5/
# pfc
install -d -m 0755 /usr/local/bin
install -m 0755 pfc /usr/local/bin/pfc
install -d -m 0755 /usr/local/share/man/man1
install -m 0644 contrib/pfc.1 /usr/local/share/man/man1/
# control exec
install -d -m 0755 /usr/local/sbin
install -m 0755 xl2tpd-control /usr/local/sbin/xl2tpd-control

3. Configure

mkdir /etc/xl2tpd
vi /etc/xl2tpd/xl2tpd.conf


[global]
ipsec saref = yes

[lns default]
ip range = 192.168.81.2-192.168.81.254
; the server's address on the VPN's internal network
local ip = 192.168.81.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

4. Edit the ppp configuration

vi /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

5. Add a username and password

vi /etc/ppp/chap-secrets

# user server password ip
vpnuser l2tpd userpass *

6. Start xl2tpd

# NAT the VPN client range out of the public interface
iptables -t nat -A POSTROUTING -s 192.168.81.0/24 -o eth0 -j MASQUERADE

# L2TP (1701), IKE (500) and NAT-T (4500)
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT

iptables -I FORWARD -s 192.168.81.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.81.0/24 -j ACCEPT

/usr/local/sbin/xl2tpd
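The INPUT rules above accept UDP 1701 from anywhere, so xl2tpd will also answer bare L2TP that never went through IPSec (the type=transport conn only protects what the client chooses to protect). The function below is an added example, not from the post: it prints the same rule set with one change, accepting 1701 only when the packet arrived inside an IPSec SA, using the iptables policy match (assumed to be available as the xt_policy module on this kernel). The function name l2tp_fw_rules and its argument handling are this example's own; the interface and subnet are the ones used above.

```shell
#!/bin/sh
# l2tp_fw_rules IFACE SUBNET/PREFIX
# Prints (does not execute) the firewall rules for an L2TP/IPSec server.
# Difference from the rules above: UDP 1701 is accepted only for packets that
# were decapsulated from IPSec ("-m policy --dir in --pol ipsec"), and bare
# L2TP is dropped, so an unencrypted client cannot reach xl2tpd at all.
l2tp_fw_rules() {
    iface=$1
    subnet=$2
    case $subnet in
        */*) ;;
        *)   echo "usage: l2tp_fw_rules IFACE SUBNET/PREFIX" >&2; return 2 ;;
    esac
    cat <<EOF
iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j DROP
iptables -I FORWARD -s $subnet -j ACCEPT
iptables -I FORWARD -d $subnet -j ACCEPT
EOF
}

# Print the rule set for the addresses used in this guide; review it, then
# pipe it into "sh" as root to apply.
l2tp_fw_rules eth0 192.168.81.0/24
```

The two 1701 rules must stay in this order: the policy-matched ACCEPT first, then the unconditional DROP. If the policy match is missing on your kernel, iptables reports that it cannot find the policy module and the rule is not added, which is visible when you apply the output.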

Errors

Feb 20 15:20:38 localc1g ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 250: 7859 Aborted (core dumped) /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
Feb 20 15:20:38 localc1g ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Feb 20 15:20:38 localc1g ipsec__plutorun: restarting IPsec after pause...


Feb 20 16:58:47 localc1g pppd[13553]: The remote system is required to authenticate itself
Feb 20 16:58:47 localc1g pppd[13553]: but I couldn't find any suitable secret (password) for it to use to do so.

Check that the server field in chap-secrets is correct (it must match the name set in options.xl2tpd, l2tpd here).


Feb 21 11:30:52 localc1g pluto[16897]: "L2TP-PSK-NAT"[11] 122.221.55.121 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 21 11:30:52 localc1g pluto[16897]: | payload malformed after IV

Check that the client's PSK is correct.
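The "mismatch of preshared secrets" line above is the same message whether one user mistyped the PSK or an unknown host is guessing it, so the number of failures per peer address is what a server operator wants to see. The function below is an added example, not from the post or from Openswan: it counts those pluto lines per peer and prints the peers at or above a threshold. The log lines it runs over are constructed in the format shown above with addresses from the documentation ranges; the function name psk_failures_by_peer is this example's own.

```shell
#!/bin/sh
# psk_failures_by_peer LOGFILE [MIN]
# Counts pluto "probable authentication failure (mismatch of preshared secrets?)"
# lines per peer address and prints "ADDRESS COUNT" for every peer with at
# least MIN failures (default 1), most frequent first.
psk_failures_by_peer() {
    awk -v min="${2:-1}" '
        /probable authentication failure \(mismatch of preshared secrets/ {
            # the peer address is the field right after the "CONNNAME"[N] token
            for (i = 1; i <= NF; i++)
                if ($i ~ /^"[^"]*"\[[0-9]+\]$/) { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# Constructed sample in the format of the log excerpt above (198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges; this is not real log data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 21 11:30:52 localc1g pluto[16897]: "L2TP-PSK-NAT"[11] 198.51.100.7 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 21 11:30:52 localc1g pluto[16897]: | payload malformed after IV
Feb 21 11:31:01 localc1g pluto[16897]: "L2TP-PSK-NAT"[12] 198.51.100.7 #12: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 21 11:31:09 localc1g pluto[16897]: "L2TP-PSK-NAT"[13] 198.51.100.7 #13: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 21 11:40:17 localc1g pluto[16897]: "L2TP-PSK-NAT"[14] 203.0.113.9 #14: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 21 11:41:02 localc1g pluto[16897]: "L2TP-PSK-NAT"[15] 203.0.113.9 #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established
EOF

# Peers with two or more PSK failures in the sample
psk_failures_by_peer "$SAMPLE_LOG" 2
```

On the server, point it at the file pluto logs to (/var/log/secure on CentOS 5 by default) and raise the threshold to whatever a single misconfigured client would plausibly produce; anything well above that from one address is a reason to rotate the PSK, since a single shared secret for all clients is only as strong as its secrecy.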

7. Run at boot
Add the following to /etc/rc.local:

touch /var/lock/subsys/local
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
echo 1 >/proc/sys/net/core/xfrm_larval_drop
echo 1 >/proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec restart
/usr/local/sbin/xl2tpd


1. The "IPSEC Services" service is not running

Do the following in order:

Computer Management -> Services and Applications -> Services, find IPSEC Services, double-click it and set the startup type to Automatic.

Reboot, then configure the policy again.

2. How to start IPSEC Services

Addendum: if clicking Start gives the prompt
Could not start the IPSEC Services service on Local Computer
Error 1747: The authentication service is unknown
then the startup type is already Automatic; the services it depends on simply have not started,
and it still will not start even after installing the network client.

Fix:
Code:
Start > Run, enter CMD, and in the window enter: netsh winsock reset

3. Edit the registry
By default the Windows XP L2TP policy does not allow L2TP traffic without IPSec encryption. This default behaviour can be disabled by editing the
Windows XP registry:
Manual edit:
1) In Windows XP go to Start > Run, enter "Regedt32" to open the Registry Editor,
and locate the key HKEY_Local_Machine\System\CurrentControlSet\Services\RasMan\Parameters.
2) Add the following value under that key:
Value name: ProhibitIpSec
Data type: reg_dword
Value: 1
With this value set the client sends L2TP without IPSec, so the tunnel is unencrypted and will not match the transport-mode conn configured on the server above; it is only useful for testing against a server that accepts plain L2TP.

One Response


  1. rolay says

    How much indentation is needed? It never passes.
