The following steps apply in full to Ubuntu 14.04.

First install the required packages:

sudo apt-get install openswan xl2tpd ppp lsof
Note: on Ubuntu 15.10 apt reports that the openswan package cannot be found. The workaround is to edit the following file with your preferred editor (vim in this example):
sudo vim /etc/apt/sources.list
Add this line at the end of the file (precise is the Ubuntu 12.04 archive, so this pulls in an older openswan build than the rest of the system):
deb http://us.archive.ubuntu.com/ubuntu precise main universe
After saving, run the following commands:
sudo apt-get update
sudo apt-get install openswan

Firewall and forwarding

Set up source NAT so that packets forwarded for VPN clients leave with the server's address:

iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+

Replace %SERVERIP% above with the server's IP address and eth+ with the name of the server's network interface. Note: not every interface name begins with eth.

Run the following commands to enable kernel forwarding and disable ICMP redirects:

echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf

If there are other network interfaces, apply the same settings to all of them:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

Apply the settings:

sysctl -p

To make sure these settings take effect on every boot, run the following two commands at startup as well:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+

Configuring Openswan (IPsec)

Open the following file in an editor:

/etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0
# conforms to second version of ipsec.conf specification

# basic configuration
config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    oe=off
    protostack=netkey
    #decide which protocol stack is going to be used.

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.
    pfs=no
    #Disable pfs
    rekey=no
    #the dpd and keyingtries values below are assumed typical settings; the original numbers are not preserved
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    #start at boot
    keyingtries=3
    #Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    type=transport
    #because we use l2tp as tunnel protocol
    left=%SERVERIP%
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    forceencaps=yes
    #force all to be nat'ed. because of iOS

Replace %SERVERIP% above with the server's IP address.

Shared secret

Open the following file in an editor:

/etc/ipsec.secrets

Add an entry in the following format:

%SERVERIP%  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

%SERVERIP% is the server's IP address and PSK is the pre-shared key. A random key can be generated with the following command; its argument is the number of random bytes, so 20 bytes yields a 40-character hex string:

openssl rand -hex 20

Verifying the Openswan (IPsec) setup

ipsec verify

Sample output on my machine:

Linux Openswan U2.6.37/K4.2.0--generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Hardware RNG detected, testing if used properly [FAILED]
  Hardware RNG is present but 'rngd' or 'clrngd' is not running.
  No harware random used!
Checking that pluto is running [OK]
Pluto listening for IKE on udp [OK]
Pluto listening for NAT-T on udp [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Configuring xl2tpd

Edit the following file:

/etc/xl2tpd/xl2tpd.conf

Replace its contents with the following:

[global]
ipsec saref = yes
; the refinfo value is an assumed typical setting; the original number is not preserved
saref refinfo = 30

[lns default]
ip range = 172.16.1.2-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Configuring PPP

Edit the following file:

/etc/ppp/options.xl2tpd

Replace its contents with the following:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
# the mtu/mru and lcp-echo values below are assumed typical settings;
# the original numbers are not preserved
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Adding users (user authentication)

Edit the following file to add users:

/etc/ppp/chap-secrets

The entries have the following format, one user per line (the script below separates the columns with tabs):

# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *

The following script adds usernames and passwords automatically. Copy its contents into a local file and name it addvpnuser.sh:

#!/bin/bash
# This script adds VPN users to /etc/ppp/chap-secrets.
# You must be root to run it.
if [ "$EUID" -ne 0 ]
then
    echo "You must be root to run this script."
    exit 1
fi

if ! getopts ":a:d:q:" opt
then
    echo "Usage: ./addvpnuser.sh -a username | -d username | -q username"
    echo "-a for add, -d for delete and -q for query user's password."
    exit 1
fi

OPTIND=1
while getopts ":a:d:q:" opt
do
    case $opt in
    a)
        # add user switch is triggered; check the username parameter is correct.
        # Note: the username is used as a regular expression in the grep calls
        # below, so keep usernames to letters and digits.
        if [[ $OPTARG = -* ]]
        then
            echo "Option -a needs a username as a parameter."
            ((OPTIND--))
            continue
        fi
        # check whether the user to be added already exists.
        if grep -qP "^$OPTARG\t" /etc/ppp/chap-secrets
        then
            echo "cannot add user '$OPTARG' because the user already exists."
            continue
        fi
        # VPN server type (the "server" column of chap-secrets).
        TYPE="l2tpd"
        # get the server's external IP.
        IP=$(wget http://ipinfo.io/ip -qO -)
        # get the PSK of the VPN from the last line of ipsec.secrets
        # (format: <server ip>  %any:   PSK "<key>").
        PREKEY=$(tail -n 1 /etc/ipsec.secrets | awk '{print $4}' | cut -d\" -f2)
        # derive the user's password: an md5 of username+$RANDOM, from which a
        # substring starting at a random offset is taken. The original modulus
        # and length are not preserved; 16 and 16 are assumed here, giving a
        # 16-character password. $RANDOM provides only 15 bits of entropy;
        # `openssl rand -hex 8` (as used for the PSK above) is a stronger source.
        n=$(( RANDOM % 16 ))
        PW=$(echo -n "$OPTARG$RANDOM" | md5sum | cut -c$((n+1))-$((n+16)))
        if echo -e "$OPTARG\t$TYPE\t$PW\t*" >> /etc/ppp/chap-secrets
        then
            # successfully added the user to the configuration file.
            # print out the user information; copy and send it to the user.
            echo "Type: $TYPE"
            #IP=$(ifconfig eth0 | grep "inet addr" | awk '{print $2}' | cut -d: -f2)
            echo "VPN Server IP: $IP"
            echo "User: $OPTARG Password: $PW"
            echo "PRE PSK KEY: $PREKEY"
            echo "Done."
        else
            # failed to write the file.
            echo "cannot write to configuration file."
        fi
        ;;
    d)
        # check the username parameter is correct.
        if [[ $OPTARG = -* ]]
        then
            echo "Option -d requires a username as a parameter."
            ((OPTIND--))
            continue
        fi
        # check whether the user to be deleted exists.
        if ! grep -qP "^$OPTARG\t" /etc/ppp/chap-secrets
        then
            echo "user '$OPTARG' does not exist."
            continue
        fi
        # write a copy without the user, then replace the file
        # (could use $$ (pid) for the temporary name instead).
        RANDOM1=$RANDOM
        RANDOM2=$RANDOM
        grep -vP "^$OPTARG\t" /etc/ppp/chap-secrets > /etc/ppp/chap-secrets$RANDOM1$RANDOM2
        # the new file is created with the default umask; keep the secrets root-only.
        chmod 600 /etc/ppp/chap-secrets$RANDOM1$RANDOM2
        # check the result.
        if mv /etc/ppp/chap-secrets$RANDOM1$RANDOM2 /etc/ppp/chap-secrets
        then
            echo "user '$OPTARG' has been successfully deleted."
        else
            echo "cannot write to file. Please check it."
        fi
        ;;
    q)
        # check the username parameter is correct.
        if [[ $OPTARG = -* ]]
        then
            echo "Option -q requires a username as a parameter."
            ((OPTIND--))
            continue
        fi
        # print the username and password columns.
        grep -P "^$OPTARG\t" /etc/ppp/chap-secrets | awk '{print $1, $3}'
        ;;
    \?)
        echo "Invalid option -$OPTARG"
        ;;
    :)
        echo "Option -$OPTARG requires a username as a parameter."
        ;;
    esac
done

After saving, make the file executable:

chmod +x addvpnuser.sh

Example usage:

# add a VPN user
./addvpnuser.sh -a [username]
# delete a VPN user
./addvpnuser.sh -d [username]
# query a VPN user's password
./addvpnuser.sh -q [username]

Testing

Run the following commands to restart the IPsec and xl2tpd services:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

Firewall

If the ufw firewall is enabled, the three ports udp 500, udp 4500 and udp 1701 must be opened:

ufw allow 500/udp
ufw allow 4500/udp
ufw allow 1701/udp

Note

While setting this up I found that, after following the steps above, Android and iOS devices could connect to the VPN server but could not reach the internet. Debugging showed that ufw (the firewall) was enabled on Ubuntu and was dropping the forwarded packets. The fix is as follows.

Open the following file:

/etc/default/ufw

Change DROP to ACCEPT in the line below, then run ufw reload so the new policy takes effect. Note that ACCEPT lets the host forward traffic between all of its interfaces, not only for VPN clients.

DEFAULT_FORWARD_POLICY="DROP"
becomes
DEFAULT_FORWARD_POLICY="ACCEPT"
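As an added example (not part of the original post), the following script audits the forwarding configuration this guide builds up: the sysctl keys appended to /etc/sysctl.conf in the forwarding section, the SNAT rule from that section as iptables-save prints it, and the DEFAULT_FORWARD_POLICY setting just described. Each check takes the file to inspect as an argument so it can run against a saved copy; the function names and the server address 203.0.113.5 in the comments are assumptions.

```shell
#!/bin/sh
# Added audit script, not from the original post. Each check reads the file
# given as its first argument; with no argument the real system path is used.

# Every sysctl key the guide appends to sysctl.conf, with the expected value.
# The last matching line wins, which is also how sysctl -p applies them.
check_sysctl_conf() {
    conf="${1:-/etc/sysctl.conf}"; rc=0
    while read -r key want; do
        have=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$conf" 2>/dev/null \
               | tail -n 1 | sed 's/.*=[[:space:]]*//')
        if [ "$have" != "$want" ]; then
            echo "sysctl: $key is '${have:-unset}', expected $want"; rc=1
        fi
    done <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.icmp_ignore_bogus_error_responses 1
EOF
    return $rc
}

# ufw must forward packets; with DROP, clients connect to the VPN but
# cannot reach the internet (the symptom described in the note above).
check_ufw_forward_policy() {
    policy=$(grep -E '^DEFAULT_FORWARD_POLICY=' "${1:-/etc/default/ufw}" 2>/dev/null \
             | tail -n 1 | tr -d '"' | cut -d= -f2)
    [ "$policy" = "ACCEPT" ] && return 0
    echo "ufw: DEFAULT_FORWARD_POLICY is '${policy:-unset}', expected ACCEPT"
    return 1
}

# The SNAT rule from the guide as iptables-save prints it. $1 is a saved rule
# set ("-" reads stdin, e.g. iptables-save -t nat | check_snat_rule - 203.0.113.5),
# $2 the server IP that --to-source must name.
check_snat_rule() {
    grep -qE "^-A POSTROUTING .*-j SNAT --to-source $2\$" "$1" 2>/dev/null && return 0
    echo "nat: no POSTROUTING SNAT rule to $2 found"
    return 1
}

# Run the file-based checks against the live system when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    check_sysctl_conf && check_ufw_forward_policy && echo "forwarding settings look complete"
fi
```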

Debugging

If clients cannot connect or cannot reach the internet, the following commands help with debugging (traffic on the PPP interface, and the authentication and system logs):

sudo tcpdump -i ppp0
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog
