第二层隧道协议L2TP(Layer 2 Tunneling Protocol)是一种工业标准的Internet隧道协议,它使用UDP的1701端口进行通信。L2TP本身并没有任何加密,但是我们可以使用IPSec对L2TP包进行加密。L2TP VPN比PPTP VPN搭建复杂一些。

环境说明:

[root@l2tp_server ~]# cat /etc/redhat-release

CentOS release 6.9 (Final)

[root@l2tp_server ~]# uname -r

2.6.-696.10..el6.x86_64

1、需要先添加epel源:

rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-6.noarch.rpm
yum -y install openswan ppp xl2tpd        ##openswan是Linux系统上IPsec的一个实现 官网:http://www.openswan.org/

安装一些依赖包:

yum -y install make gcc gmp-devel bison flex lsof

2、配置IPsec

编辑配置文件/etc/ipsec.conf,只需要将最下面的"YOUR_SERVER_IP"改成你的公网IP即可:

[root@l2tp_server ~]# vim /etc/ipsec.conf 

# /etc/ipsec.conf - Libreswan IPsec configuration file

# This file:  /etc/ipsec.conf

#

# Enable when using this configuration file with openswan instead of libreswan

#version

#

# Manual:     ipsec.conf.

# basic configuration

config setup

    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".

    # For MacOSX use "bsd"

    protostack=netkey

    #

    # Normally, pluto logs via syslog. If you want to log to a file,

    # specify below or to disable logging, eg for embedded systems, use

    # the file name /dev/null

    # Note: SElinux policies might prevent pluto writing to a log file at

    #       an unusual location.

    logfile=/var/log/pluto.log

    #

    # The interfaces= line is only required for the klips/mast stack

    #interfaces="%defaultroute"

    #interfaces="ipsec0=eth0 ipsec1=ppp0"

    #

    # If you want to limit listening on a single IP - not required for

    # normal operation

    #listen=127.0.0.1

    #

    # Do not set debug options to debug configuration issues!

    #

    # plutodebug / klipsdebug = "all", "none" or a combation from below:

    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd

    #  private".

    # Note: "crypt" is not included with "all", as it can show confidential

    #       information. It must be specifically specified

    # examples:

    # plutodebug="control parsing"

    # plutodebug="all crypt"

    # Again: only enable plutodebug or klipsdebug when asked by a developer

    #plutodebug=none

    #klipsdebug=none

    #

    # Enable core dumps (might require system changes, like ulimit -C)

    # This is required for abrtd to work properly

    # Note: SElinux policies might prevent pluto writing the core at

    #       unusual locations

    dumpdir=/var/run/pluto/

    #

    # NAT-TRAVERSAL support

    # exclude networks used on server side by adding %v4:!a.b.c./

    # It seems that T-Mobile in the US and Rogers/Fido in Canada are

    # using / as "private" address space on their wireless networks.

    # This range has never been announced via BGP (at least upto )

    virtual_private=%v4:10.0.0.0/,%v4:192.168.1.0/,%v4:172.16.0.0/,%v6:fd00::/,%v6:fe80::/

# For example connections, see your distribution's documentation directory,

# or https://libreswan.org/wiki/

#

# There is also a lot of information in the manual page, "man ipsec.conf"

#

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/

include /etc/ipsec.d/*.conf

conn L2TP-PSK-NAT

   rightsubnet=vhost:%priv

   also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT

   authby=secret

   pfs=no

   auto=add

   keyingtries=5

   rekey=no

   ikelifetime=8h

   keylife=1h

   type=transport

   left=YOUR_SERVER_IP

   leftprotoport=17/1701

   right=%any

   rightprotoport=17/%any

3、设置预共享密钥PSK

[root@l2tp_server ~]# vim /etc/ipsec.secrets
YOUR_SERVER_IP.ADDRESS %any: PSK "YourSharedSecret"

4、修改包转发设置

[root@l2tp_server ~]# for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done
[root@l2tp_server ~]# echo 1 >/proc/sys/net/core/xfrm_larval_drop

修改内核设置,使其支持转发,编辑/etc/sysctl.conf文件:

[root@l2tp_server ~]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
[root@l2tp_server ~]# sysctl -p

5、启动IPsec

/etc/init.d/ipsec start

查看系统IPSec安装和启动的正确性:

[root@l2tp_server ~]# ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.10.1.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ppp0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]

没有FAILD报错就可以/

6、安装L2TP(xl2tpd和rp-l2tp)  xl2tpd是由Xelerance Corporation维护的l2tpd应用。但是xl2tpd没有l2tp-control,需要从rp-l2tp这个里面提取。所以要装这两个软件包。

yum -y install libpcap-devel ppp policycoreutils    #依赖软件

安装xl2tpd和rp-l2tp:

[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
[root@localhost src]# tar -zxvf rp-l2tp-0.4.tar.gz
[root@localhost src]# cd rp-l2tp-0.4
[root@localhost rp-l2tp-0.4]# ./configure  && make 
[root@localhost rp-l2tp-0.4]# cp handlers/l2tp-control /usr/local/sbin/
[root@localhost rp-l2tp-0.4]# mkdir /var/run/xl2tpd/
[root@localhost rp-l2tp-0.4]# ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
##安装xl2tpd
[root@localhost ~]# cd /usr/local/src
[root@localhost src]# wget https://github.com/xelerance/xl2tpd/archive/v1.3.10.1.tar.gz
[root@localhost src]# tar xf v1.3.10.1.tar.gz && cd xl2tpd-1.3.10.1 && make && make install




7、编辑xl2tpd配置文件




[root@localhost ~]# mkdir /etc/xl2tpd/
[root@localhost ~]# vim /etc/xl2tpd/xl2tpd.conf







;

; This is a minimal sample xl2tpd configuration file for use

; with L2TP over IPsec.

;

; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec

; clients connect. In this example, the internal (protected) network

; is 192.168.1.0/.  A special IP range within this network is reserved

; for the remote clients: 192.168.1.128/

; (i.e. 192.168.1.128 ... 192.168.1.254)

;

; The listen-addr parameter can be used if you want to bind the L2TP daemon

; to a specific IP address instead of to all interfaces. For instance,

; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98

; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)

; will be used by xl2tpd as its address on pppX interfaces.

[global]
ipsec saref = yes

; listen-addr = 192.168.1.98

;

; requires openswan-2.5. or higher - Also does not yet work in combination

; with kernel mode l2tp as present in linux 2.6.+

; ipsec saref = yes

; Use refinfo of  if using an SAref kernel patch based on openswan 2.6. or

;  when using any of the SAref kernel patches for kernels up to 2.6..

; saref refinfo =

;

; force userspace = yes

;

; debug tunnel = yes

[lns default]

ip range = 192.168.20.2-192.168.20.220

local ip = 192.168.20.1

require chap = yes

refuse pap = yes

require authentication = yes

name = LinuxVPNserver

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes




8、配置PPP




[root@localhost ~]# vim /etc/ppp/options.xl2tpd






require-mschap-v2

ms-dns 8.8.8.8
auth

mtu

mru

crtscts

hide-password

modem
lock

name l2tpd

proxyarp

lcp-echo-interval

lcp-echo-failure 




9、设置拨号用户名和密码




[root@localhost ~]# vim /etc/ppp/chap-secrets






   # Secrets for authentication using CHAP

   # client        server  secret                  IP addresses

       test        l2tpd                     *




10、以debug方式启动l2tp,查看有无错误:




[root@localhost ~]# xl2tpd -D

xl2tpd[]: Enabling IPsec SAref processing for L2TP transport mode SAs

xl2tpd[]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes

xl2tpd[]: setsockopt recvref[]: Protocol not available

xl2tpd[]: Not looking for kernel support.

xl2tpd[]: xl2tpd version xl2tpd-1.3.10.1 started on localhost.localdomain PID:

xl2tpd[]: Written by Mark Spencer, Copyright (C) , Adtran, Inc.

xl2tpd[]: Forked by Scott Balmos and David Stipp, (C)

xl2tpd[]: Inherited by Jeff McAdams, (C)

xl2tpd[]: Forked again by Xelerance (www.xelerance.com) (C) -

xl2tpd[]: Listening on IP address 0.0.0.0, port 




11、加入开机自启动




[root@localhost ~]# echo -e "/usr/local/sbin/xl2tpd\n/etc/init.d/ipsec restart\necho 1 >/proc/sys/net/core/xfrm_larval_drop"  >> /etc/rc.local 
[root@localhost ~]# echo  "for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done" >> /etc/rc.local 





12、添加iptables转发规则,如果服务端是在内网的话,需要在路由器上做1701端口的映射,以及添加到对应VPN网段的路由




iptables --table nat --append POSTROUTING --jump MASQUERADE
/etc/init.d/iptables save
/etc/init.d/iptables restart




13、Windows端连接配置:






14、Win 10 连接vpn 输入用户名密码后没有反应的解决办法


单击开始—>运行,键入regedit,点击确定找到下面的注册表项 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters


在编辑菜单上,单击新建DWORD值


在名称框中键入“ProhibitIpSec”


在数值数据框中,键入1、然后确定’


继续找到下面的注册表项


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent


新建一个DWORD类型的键AssumeUDPEncapsulationContextOnSendRule值为2


然后重启计算机。
												


											
CentOS Linux 安装IPSec+L2TP的更多相关文章
	

    
								
  1. CentOS Linux VPS安装IPSec+L2TP VPN
		
    CentOS Linux VPS安装IPSec+L2TP VPN 时间 -- :: 天使羊波波闪耀光芒 相似文章 () 原文 http://www.live-in.org/archives/818.h ...
    
		
    2. 
						
  2. CentOS Linux安装python3
		
    本文的方法是在CentOS上新装了python3,如果本机安装了python2则保留,因为可能有程序依赖目前的python2环境,比如yum!!!!! 一.安装python3.7 1. 安装依赖环境  ...
    
		
    3. 
						
  3. [转]CENTOS LINUX安装并使用NFS共享文件
		
    FROM :http://www.qiansw.com/centos-linux-nfs.html NFS是linux常用的一种文件分享工具. 下面介绍安装及使用方法. CentOS 5.5 yum  ...
    
		
    4. 
						
  4. Docker 安装入门 Centos Linux安装Docker 部署mysql
		
    这次购买了阿里云云服务器,并且安装了Centos 7.5 学习使用Docker, 确认版本信息 Docker 运行在 CentOS 7 上,要求系统为64位.系统内核版本为 3.10 以上. Dock ...
    
		
    5. 
						
  5. centos linux安装telnet 过程及问题(源于内部tomcat网站,外部无法访问)
		
    首先本地没有telnet客户端及服务器 root权限下安装 yum install telnet yum install telnet-server vi /etc/xinetd.d/telnet 这 ...
    
		
    6. 
						
  6. CentOS/Linux安装VNCserver
		
    VNC全称是Virtual Network Computing,属于远程控制类软件.其优点是支持跨操作系统的远程图形化控制.在日常工作中,服务器常常是存在机房,不可能每次需要图形界面操作就跑到机房,因 ...
    
		
    7. 
						
  7. CentOs linux安装SVN服务
		
    SVN服务器有2种运行方式:1.独立服务器(例如:svn://xxx.com/xxx):2.借助apache   (例如:http://svn.xxx.com/xxx):为了不依赖apache,我选择 ...
    
		
    8. 
						
  8. CentOs Linux 安装MySql服务失败 安装需要依靠包error:Failed  dependencies
		
    [root@sh158-xen data]#rpm -ivh MySQL-server-5.5.24-1.linux2.6.x86_64.rpm error: Failed dependencies: ...
    
		
    9. 
						
  9. mac centos linux 安装PHP扩展 INTL(国际化)  ———— error: 'ext/standard/php_smart_str.h'
		
    PHP简单源码安装扩展 五个步骤: 详细说明下: cd /fujieace/php7.0/ext/intl:#进入INTL扩展目录? 在编译扩展时候需要phpize准备环境,准备程序需要获取这个目录的 ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. FTP服务器FileZilla Server配置及使用方法
			
    FileZilla Server下载安装完成后,安装过程不写说明了,网上一抓一大把,直接从配置开始记录. 1.创建服务器 ²  Password:栏位中输入本服务器Filezilla服务的密码, ²  ...
    
			
    2. 
						
  2. 在Scala IDEA for Eclipse或IDEA里程序编译实现与在Spark Shell下的对比(其实就是那么一回事)
			
    不多说,直接上干货! 比如,我这里拿主成分分析(PCA). 1.主成分分析(PCA)的概念介绍 主成分分析(PCA) 是一种对数据进行旋转变换的统计学方法,其本质是在线性空间中进行一个基变换,使得变换 ...
    
			
    3. 
						
  3. Access 将SQL查询结果强制转换为某种类型
			
    每个函数都可以强制将一个表达式转换成某种特定数据类型. 语法 CBool(expression) CByte(expression) CCur(expression) CDate(expression ...
    
			
    4. 
						
  4. Java操作Excel之POI简单例子
			
    /** * 利用POI操作Excel表单 * * 需要jar包: * HSSF针对03及以前版本,即.xls后缀 * |---poi-3.16.jar * XSSF针对07及以后版本,即xlsx后缀  ...
    
			
    5. 
						
  5. [Windows] 一些简单的CMD命令
			
    开始菜单中的“运行”是通向程序的快捷途径,输入特定的命令后,即可快速的打开Windows搜索的大部分程序,熟练的运用它,将给我们的操作带来诸多便捷. winver 检查Windows版本 wmimgm ...
    
			
    6. 
						
  6. 熟悉servlet的页面跳转
			
    jspweb里面用到的servlet跳转页面的方法 使用的jar包只有 commons-lang3-3.5.jar 运行时,tomcat会先根据web.xml里面的信息,查找servlet <? ...
    
			
    7. 
						
  7. oracle存储过程jdbc调用
			
    package com.jckb.procedure; import java.sql.CallableStatement; import java.sql.Connection; import ja ...
    
			
    8. 
						
  8. ajax的jquery写法和原生写法
			
    一.ajax的简介 Ajax被认为是(Asynchronous(异步) JavaScript And Xml的缩写).现在,允许浏览器与服务器通信而无须刷新当前页面的技术都被叫做Ajax. 同步是指: ...
    
			
    9. 
						
  9. JavaScript中函数声明和函数表达式的区别
			
    声明一个函数: var x=1; foo(); function foo() { console.log(x);//1 } myfun();//报错 定义一个函数表达式: var myfun=myfo ...
    
			
    10. 
						
  10. html常用的小技能
			
    在html中有很多常用小技能,记下来,下次直接看自己的,就不用四处找啦! 1.<li>标签去掉点号:list-style-type:none; 去掉前: 去掉后: 2.<li> ...
    
			
    11.