

Installing an L2TP/IPsec VPN on CentOS 5.8 Linux

The Layer 2 Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that communicates over UDP port 1701. L2TP itself provides no encryption, but the L2TP packets can be encrypted with IPsec. An L2TP VPN is somewhat more complex to set up than a PPTP VPN. IPsec uses a pre-shared key (PSK) for encryption and authentication, L2TP handles encapsulation, and PPP handles the actual user authentication.

I. Deploy IPsec: install Openswan

1. Install the dependency packages

yum install make gcc gmp-devel bison flex

2. Build and install (Openswan is used to implement IPsec)

wget http://ftp.openswan.org/openswan/openswan-2.6.38.tar.gz
tar zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install

3. Configure IPsec

vi /etc/ipsec.conf

config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	oe=off
	protostack=netkey

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=YOUR.SERVER.IP
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any

YOUR.SERVER.IP is the VPN server's public IP. Note that the parameter lines under each section header must be indented with a tab; otherwise you may get the following error:

failed to start openswan IKE daemon - the following error occured: can not load config '/etc/ipsec.conf': /etc/ipsec.conf:58: syntax error, unexpected KEYWORD, expecting $end [rightsubnet]
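The indentation rule above is easy to get wrong when a config is pasted from a web page, so here is a small checker for it. This is an added example, not part of the original post or of Openswan: it treats "config", "conn", "include" and "version" lines in column 1 as section headers and flags any other non-blank, non-comment line that is not indented, which is exactly the kind of line that produces the "syntax error, unexpected KEYWORD" message. The two sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): lint an Openswan ipsec.conf
# for unindented parameter lines. Prints each offending line with its
# number; returns 1 if any were found, 0 if the file is clean.
check_ipsec_conf() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }        # blank or comment line
        /^(config|conn|include|version)[[:space:]]/ { next } # section header in column 1
        /^[[:space:]]/ { next }                              # indented parameter: fine
        { printf "%s:%d: parameter not indented: %s\n", FILENAME, FNR, $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed samples: one file with the parameters flush-left (the failing
# case described above) and one with tab-indented parameters.
BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
printf 'config setup\nnat_traversal=yes\nprotostack=netkey\n\nconn L2TP-PSK-noNAT\n\tauthby=secret\n' > "$BAD_CONF"
printf 'config setup\n\tnat_traversal=yes\n\tprotostack=netkey\n\nconn L2TP-PSK-noNAT\n\tauthby=secret\n' > "$GOOD_CONF"

# Number of unindented parameter lines in a file (0 for a clean file).
count_bad_lines() {
    check_ipsec_conf "$1" | wc -l | tr -d ' '
}

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_ipsec_conf "$f"; then
        echo "$f: indentation OK"
    else
        echo "$f: fix the lines listed above before starting pluto"
    fi
done
```

Run it against /etc/ipsec.conf before restarting ipsec; a clean exit status means the indentation is not the cause of a startup failure.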

4. Set the shared key

vi /etc/ipsec.secrets

YOUR.SERVER.IP %any: PSK "YourSharedSecret"

YOUR.SERVER.IP is the VPN server's public IP; YourSharedSecret is the pre-shared key.

5. Adjust the packet-forwarding settings

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
echo 1 > /proc/sys/net/core/xfrm_larval_drop
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i '/net.ipv4.ip_forward / {s/0/1/g} ' /etc/sysctl.conf
sed -i '/net.ipv4.conf.default.rp_filter / {s/1/0/g} ' /etc/sysctl.conf
touch /var/lock/subsys/local

6. Restart IPsec and test

/etc/init.d/ipsec restart

ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.18-308.el5..

Run ipsec verify; as long as nothing is reported as [FAILED] you are fine.

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                       [OK]
Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey)
Checking for IPsec support in kernel                  [OK]
SAref kernel support                                  [N/A]
NETKEY: Testing XFRM related proc values              [OK]
                                                      [OK]
                                                      [OK]
Checking that pluto is running                        [OK]
Pluto listening for IKE on udp 500                    [OK]
Pluto listening for NAT-T on udp 4500                 [OK]
Two or more interfaces found, checking IP forwarding  [FAILED]
Checking NAT and MASQUERADEing                        [OK]
Checking for 'ip' command                             [OK]
Checking /bin/sh is not /bin/dash                     [OK]
Checking for 'iptables' command                       [OK]
Opportunistic Encryption Support                      [DISABLED]

Error 1: SAref kernel support [N/A]. In /etc/xl2tpd/xl2tpd.conf set:

[global]
ipsec saref = no

Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey): when running in netkey mode, multiple NAT clients on the same LAN are not supported; after enabling SAref kernel support and running in klips mode they are.

Error 2: Two or more interfaces found, checking IP forwarding [FAILED]. Fix ip_forward; as long as cat /proc/sys/net/ipv4/ip_forward returns 1 it is fine:

echo 1 > /proc/sys/net/ipv4/ip_forward

Error 3: Please enable /proc/sys/net/core/xfrm_larval_drop:

echo 1 > /proc/sys/net/core/xfrm_larval_drop

II. Install L2TP

1. Dependency packages

yum install libpcap-devel ppp

2. Build and install

wget http://jaist.dl.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar -zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz
tar -zxvf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
make
make install

Installation output:

install -d -m 0755 /usr/local/sbin
install -m 0755 xl2tpd /usr/local/sbin/xl2tpd
install -d -m 0755 /usr/local/share/man/man5
install -d -m 0755 /usr/local/share/man/man8
install -m 0644 doc/xl2tpd.8 /usr/local/share/man/man8/
install -m 0644 doc/xl2tpd.conf.5 doc/l2tp-secrets.5 \
    /usr/local/share/man/man5/
# pfc
install -d -m 0755 /usr/local/bin
install -m 0755 pfc /usr/local/bin/pfc
install -d -m 0755 /usr/local/share/man/man1
install -m 0644 contrib/pfc.1 /usr/local/share/man/man1/
# control exec
install -d -m 0755 /usr/local/sbin
install -m 0755 xl2tpd-control /usr/local/sbin/xl2tpd-control

3. Configure xl2tpd

mkdir /etc/xl2tpd
vi /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes

[lns default]
ip range = 192.168.81.2-192.168.81.254
local ip = 192.168.81.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

local ip is the address of your internal interface.

4. Edit the ppp options

vi /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

5. Add a username and password

vi /etc/ppp/chap-secrets

# user     server   password   ip
vpnuser    l2tpd    userpass   *

8. Start xl2tpd

iptables -t nat -A POSTROUTING -s 192.168.81.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
iptables -I FORWARD -s 192.168.81.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.81.0/24 -j ACCEPT

/usr/local/sbin/xl2tpd

Errors

Feb 20 15:20:38 localc1g ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 250: 7859 Aborted (core dumped) /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
Feb 20 15:20:38 localc1g ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Feb 20 15:20:38 localc1g ipsec__plutorun: restarting IPsec after pause...
Feb 20 16:58:47 localc1g pppd[13553]: The remote system is required to authenticate itself
Feb 20 16:58:47 localc1g pppd[13553]: but I couldn't find any suitable secret (password) for it to use to do so.

Check that the server field in chap-secrets is correct.

Feb 21 11:30:52 localc1g pluto[16897]: "L2TP-PSK-NAT"[11] 122.221.55.121 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 21 11:30:52 localc1g pluto[16897]: | payload malformed after IV

Check that the PSK configured on the client is correct.

9. Run at boot: put the following in /etc/rc.local

touch /var/lock/subsys/local
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
echo 1 > /proc/sys/net/core/xfrm_larval_drop
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec restart
/usr/local/sbin/xl2tpd


Windows XP client notes

1. The "IPSEC Services" service is not running

Do the following in order:

Computer Management -> Services and Applications -> Services, find IPSEC Services, double-click to open it, and set the startup type to Automatic.

Reboot, then configure the policy again.

2. How to start IPSEC Services

Supplement: if clicking Start gives the message "Could not start the IPSEC Services service on Local Computer. Error 1747: The authentication service is unknown", the startup type is already Automatic; it is the prerequisite components that have not started, and even after installing the network client it still cannot be started.

Fix: Start > Run, type CMD, and in the window enter: netsh winsock reset

3. Edit the registry. By default the Windows XP L2TP transport policy does not allow L2TP traffic without IPsec encryption. This default behaviour can be disabled by editing the Windows XP registry. Manual edit: 1) From the Windows XP Start menu choose Run, enter "Regedt32" to open the Registry Editor, and locate the key HKEY_Local_Machine / System / CurrentControlSet / Services / RasMan / Parameters. 2) Add the following value under this key: Value name: ProhibitIpSec; Data type: reg_dword; Value: 1

One Response

  1. rolay says

    How much indentation is needed? It never passes.
