第二层隧道协议L2TP(Layer 2 Tunneling Protocol)是一种工业标准的Internet隧道协议,它使用UDP的1701端口进行通信。L2TP本身并没有任何加密,但是我们可以使用IPSec对L2TP包进行加密。L2TP VPN比PPTP VPN搭建复杂一些。 IPSec 使用预共享密钥(PSK)进行加密和验证,L2TP 负责封包,PPP 负责具体的用户验证 一、部署IPSEC 、安装 openswan 1、安装关联包
yum install make gcc gmp-devel bison flex2、编译安装 使用Openswan来实现IPSec
wget http://ftp.openswan.org/openswan/openswan-2.6.38.tar.gz tar zxvf openswan-2.6.38.tar.gz cd openswan-2.6.38 make programs install3、配置ipsec vi /etc/ipsec.conf
config setup nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 oe=off protostack=netkey conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=YOUR.SERVER.IP leftprotoport=17/1701 right=%any rightprotoport=17/%anyYOUR.SERVER.IP为vpn服务器的公网ip 注意前面有tab缩进,否则可能出现下面错误
failed to start openswan IKE daemon – the following error occured: can not load config ‘/etc/ipsec.conf’: /etc/ipsec.conf:58: syntax error, unexpected KEYWORD, expecting $end [rightsubnet]4、 设置 Shared Key
vi /etc/ipsec.secrets
YOUR.SERVER.IP %any: PSK “YourSharedSecret”YOUR.SERVER.IP为vpn服务器的公网ip YourSharedSecret为共享密钥
5、 修改包转发设置
for each in /proc/sys/net/ipv4/conf/* do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects done echo 1 >/proc/sys/net/core/xfrm_larval_drop echo 1 >/proc/sys/net/ipv4/ip_forward sed -i ‘/net.ipv4.ip_forward / {s/0/1/g} ‘ /etc/sysctl.conf sed -i ‘/net.ipv4.conf.default.rp_filter / {s/1/0/g} ‘ /etc/sysctl.conf touch /var/lock/subsys/local6、 重启 IPSec ,测试
/etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec… ipsec_setup: stop ordered, but IPsec appears to be already stopped! ipsec_setup: doing cleanup anyway… ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.18-308.el5..ipsec verify 没有报[FAILED]就可以了。
Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [OK] [OK] [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [FAILED] Checking NAT and MASQUERADEing [OK] Checking for ‘ip’ command [OK] Checking /bin/sh is not /bin/dash [OK] Checking for ‘iptables’ command [OK] Opportunistic Encryption Support [DISABLED]错误1: SAref kernel support [N/A] /etc/xl2tpd/xl2tpd.conf这个文件里
[global] ipsec saref = noLinux Openswan U2.6.38/K2.6.18-308.el5 (netkey) 以netkey方式运行不支持局域网多个nat客户; 开启SAref kernel support后以klips方式运行支持
错误2: Two or more interfaces found, checking IP forwarding 修改ip_forward,只要 cat /proc/sys/net/ipv4/ip_forward 返回结果是1就没事 echo 1 >/proc/sys/net/ipv4/ip_forward
错误3: Please enable /proc/sys/net/core/xfrm_larval_drop echo 1 > /proc/sys/net/core/xfrm_larval_drop
二、安装 L2TP 1、关联包
yum install libpcap-devel ppp2.编译安装
wget http://jaist.dl.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz tar -zxvf rp-l2tp-0.4.tar.gz cd rp-l2tp-0.4 ./configure make cp handlers/l2tp-control /usr/local/sbin/ mkdir /var/run/xl2tpd/ ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz tar -zxvf xl2tpd-1.3.0.tar.gz cd xl2tpd-1.3.0 make make install安装显示
install -d -m 0755 /usr/local/sbin install -m 0755 xl2tpd /usr/local/sbin/xl2tpd install -d -m 0755 /usr/local/share/man/man5 install -d -m 0755 /usr/local/share/man/man8 install -m 0644 doc/xl2tpd.8 /usr/local/share/man/man8/ install -m 0644 doc/xl2tpd.conf.5 doc/l2tp-secrets.5 \ /usr/local/share/man/man5/ # pfc install -d -m 0755 /usr/local/bin install -m 0755 pfc /usr/local/bin/pfc install -d -m 0755 /usr/local/share/man/man1 install -m 0644 contrib/pfc.1 /usr/local/share/man/man1/ # control exec install -d -m 0755 /usr/local/sbin install -m 0755 xl2tpd-control /usr/local/sbin/xl2tpd-control3、配置
mkdir /etc/xl2tpd vi /etc/xl2tpd/xl2tpd.conf [global] ipsec saref = yes [lns default] ip range = 192.168.81.2-192.168.81.254 local ip = 192.168.81.1 //你的内网口 refuse chap = yes refuse pap = yes require authentication = yes ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes4、修改 ppp 配置
vi /etc/ppp/options.xl2tpd
require-mschap-v2 ms-dns 8.8.8.8 ms-dns 8.8.4.4 asyncmap 0 auth crtscts lock hide-password modem debug name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 45、添加用户名/密码
vi /etc/ppp/chap-secrets
# user server password ip vpnuser l2tpd userpass *8、启动 xl2tpd
iptables -t nat -A POSTROUTING -s 192.168.81.0/24 -o eth0 -j MASQUERADE iptables -A INPUT -p udp -m state –state NEW -m udp –dport 1701 -j ACCEPT iptables -A INPUT -p udp -m state –state NEW -m udp –dport 500 -j ACCEPT iptables -A INPUT -p udp -m state –state NEW -m udp –dport 4500 -j ACCEPT iptables -I FORWARD -s 192.168.81.0/24 -j ACCEPT iptables -I FORWARD -d 192.168.81.0/24 -j ACCEPT/usr/local/sbin/xl2tpd
错误
Feb 20 15:20:38 localc1g ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 250: 7859 Aborted (core dumped) /usr/local/libexec/ipsec/pluto –nofork –secretsfile /etc/ipsec.secrets –ipsecdir /etc/ipsec.d –use-netkey –uniqueids –nat_traversal –virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 Feb 20 15:20:38 localc1g ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6) Feb 20 15:20:38 localc1g ipsec__plutorun: restarting IPsec after pause… Feb 20 16:58:47 localc1g pppd[13553]: The remote system is required to authenticate itself Feb 20 16:58:47 localc1g pppd[13553]: but I couldn’t find any suitable secret (password) for it to use to do so.检查chap-secrets文件server是否正确
Feb 21 11:30:52 localc1g pluto[16897]: “L2TP-PSK-NAT”[11] 122.221.55.121 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet Feb 21 11:30:52 localc1g pluto[16897]: | payload malformed after IV检查客户端PSK是否正确
9、开机运行 放入/etc/rc.local中
touch /var/lock/subsys/local for each in /proc/sys/net/ipv4/conf/* do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects done echo 1 >/proc/sys/net/core/xfrm_larval_drop echo 1 >/proc/sys/net/ipv4/ip_forward /etc/init.d/ipsec restart /usr/local/sbin/xl2tpd参考: http://www.myvm.net/archives/554 http://amumy.blog.163.com/blog/static/17312970201210282323568/ http://www.vpsyou.com/2010/08/10/centos-install-l2tpipsec-and-simple-troubleshooting.html http://www.esojourn.org/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php https://www.dls-yan.com/2012/10/04/783.html http://blog.csdn.net/rosetta/article/details/7794826
http://book.51cto.com/art/201204/331170.htm http://blog.csdn.net/cumtmimi/article/details/1814073
1、“IPSEC服务”服务不在运行状态
请依次执行下列操作:
计算机管理->服务和应用程序->服务,找到IPSEC Services ,双击打开,设启动方式为自动。
重新开机再设置策略
2、IPSEC Services 如何打开
补充:如果点打开时出现提示 在 本地计算机 无发启动 IPSEC Services 服务 错误1747:未知的验证服务 现在就是自动的 只是前面的装备 没有启动 网络客户端装上后 还是一样不能启动
修复方法: Code: 开始>运行 输入:CMD 在窗口中输入:netsh winsock reset
3、修改注册表 缺省的Windows XP L2TP 传输策略不允许L2TP 传输不使用IPSec 加密。可以通过修改 Windows XP 注册表来禁用缺省的行为: 手工修改: 1) 进入Windows XP 的“开始” “运行”里面输入“Regedt32”,打开“注册表编辑 器”,定位“HKEY_Local_Machine / System / CurrentControl Set / Services / RasMan / Parameters ”主键。 2) 为该主键添加以下键值: 键值:ProhibitIpSec 数据类型:reg_dword 值:1
缩进量是多少,总是通不过