参考
https://github.com/xelerance/Openswan/wiki/L2tp-ipsec-configuration-using-openswan-and-xl2tpd
安装
所需软件包：openswan xl2tpd lsof ppp
EPEL 源：http://mirrors.zju.edu.cn/epel/6/i386/epel-release-6-8.noarch.rpm
配置 openswan（两部分）
公网接口 IP 地址
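# /etc/ipsec.secrets
# Format: <participant ids>: PSK "<pre-shared key>"
# %any / 0.0.0.0 match any remote peer, so with authby=secret the PSK is the
# only thing authenticating IKE phase 1 — "test" is a tutorial placeholder,
# replace it with a long random key before exposing the service.
# Quotes must be plain ASCII double quotes; typographic quotes are not parsed
# as quoting and end up as part of the key.
193.110.157.148 %any 0.0.0.0: PSK "test"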
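# /etc/ipsec.conf
# Parameter lines must be indented under their section header; a line at
# column 0 starts a new section.
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # UDP/4500 encapsulation so clients behind NAT can connect
    nat_traversal=yes
    # private ranges a NATed client may present as its own address; the "!"
    # entry keeps the L2TP client pool (10.254.253.0/24) from being treated
    # as a remote private network
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
    protostack=netkey
    #protostack=mast # used for SAref + MAST only
    # plain ASCII quotes (typographic quotes are not understood)
    interfaces="%defaultroute"
    # opportunistic encryption disabled
    oe=off

conn l2tp-psk
    # pre-shared key authentication; the key is in /etc/ipsec.secrets
    authby=secret
    # pfs=no disables perfect forward secrecy for the IPsec SA — presumably
    # kept for client compatibility; confirm it is needed, prefer pfs=yes otherwise
    pfs=no
    # load the conn at startup and wait for the client to initiate
    auto=add
    # server does not initiate rekeying; left to the roadwarrior client
    rekey=no
    # overlapip=yes # for SAref + MAST
    # sareftrack=yes # for SAref + MAST
    # transport mode: only the L2TP/UDP traffic between the endpoints is protected
    type=transport
    left=193.110.157.148
    # UDP (17) port 1701 = L2TP on the server side
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no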
配置xl2tpd
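; /etc/xl2tpd/xl2tpd.conf — one directive per line (the original was
; collapsed onto a single line, which xl2tpd does not parse)
[global]
; you cannot leave out listen-addr, causes possible wrong src ip on return packets
listen-addr = 193.110.157.148
; ipsec saref = yes ; For SAref + MAST only
; debug tunnel = yes

[lns default]
; addresses handed to clients; must match the iptables FORWARD/MASQUERADE rules
ip range = 10.254.253.128-10.254.253.250
local ip = 10.254.253.1
assign ip = yes
; CHAP only — PAP would send the password in the clear over PPP
require chap = yes
refuse pap = yes
require authentication = yes
name = OpenswanVPN
ppp debug = yes
; pppd options for the tunnel, see /etc/ppp/options.xl2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes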
配置 PPP（两部分）
/etc/ppp/options.xl2tpd
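# /etc/ppp/options.xl2tpd — pppd options for L2TP sessions, one per line
# accept the peer's idea of local/remote IP (xl2tpd assigns the addresses)
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to Windows/MS clients
ms-dns 193.110.157.123
# no compression control protocol
noccp
# require the peer to authenticate (CHAP, per xl2tpd.conf)
auth
crtscts
# drop the session after 30 minutes without traffic
idle 1800
# small MTU/MRU to leave room for the L2TP/IPsec/UDP headers
mtu 1200
mru 1200
# do not replace the server's default route with the client's
nodefaultroute
debug
lock
# answer ARP for the client address on the local LAN
proxyarp
connect-delay 5000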
账户部分
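# /etc/ppp/chap-secrets  (edited above with: vi chap-secrets, from /etc/ppp)
# One account per line: client  server  secret  IP addresses
# "*" in the server column makes the entry valid for any server name.
# test/"test" is the tutorial placeholder account — use a strong per-user
# secret in a real deployment and keep this file readable by root only.
# client server secret IP addresses
test * "test" 10.254.253.128/25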
系统配置（两种方法）
手动添加
# /etc/sysctl.conf
# only values specific for ipsec/l2tp functioning are shown here. merge with existing file
# route packets between the L2TP clients and the rest of the network
net.ipv4.ip_forward = 1
# reverse-path filtering off for interfaces created later (the ppp links pick
# up "default"); this relaxes the kernel's anti-spoofing source check
net.ipv4.conf.default.rp_filter = 0
# do not honour source-routed packets
net.ipv4.conf.default.accept_source_route = 0
# a forwarding host should not send ICMP redirects to its clients
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# silently ignore malformed ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
自动添加
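# Run as root. Append "<key> = 0" for every accept_redirects / send_redirects
# sysctl of the interfaces present right now. The quotes must be plain ASCII;
# the typographic quotes in the original are not treated as quoting by bash.
# NOTE: this appends unconditionally, so running it twice leaves duplicate
# lines in /etc/sysctl.conf (the last value wins, so harmless but untidy).
sysctl -a | grep -E 'ipv4.*(accept|send)_redirects' | awk -F '=' '{print $1"= 0"}' >> /etc/sysctl.conf
# reload so the values take effect without a reboot
sysctl -p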
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
[root@localhost ~]#
开放防火墙及设置转发
i
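# Run as root. "-I" inserts at the head of the chain so these rules win over
# any existing REJECT/DROP rule. Options are "--dport" (two ASCII hyphens);
# the original had an en dash, which iptables rejects.
# IKE (ISAKMP)
iptables -I INPUT -p udp --dport 500 -j ACCEPT
# IKE/ESP in UDP for clients behind NAT (nat_traversal=yes)
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
# L2TP; only meant to arrive inside the IPsec tunnel.
# NOTE(review): as written it is accepted from any source — restricting it to
# IPsec-protected packets (-m policy --dir in --pol ipsec) keeps plain L2TP out.
iptables -I INPUT -p udp --dport 1701 -j ACCEPT
# ESP (the IPsec payload itself)
iptables -I INPUT -p esp -j ACCEPT
# let the L2TP client pool (xl2tpd "ip range") be routed through this host
iptables -I FORWARD -s 10.254.253.0/24 -j ACCEPT
iptables -I FORWARD -d 10.254.253.0/24 -j ACCEPT
# client traffic leaving via eth0 is NATed behind the server's address
iptables -t nat -A POSTROUTING -s 10.254.253.0/24 -o eth0 -j MASQUERADE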
检测状态
[root@localhost ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K(no kernel code presently loaded)
Checking for IPsec support in kernel                            [FAILED]
SAref kernel support                                            [N/A]
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
[root@localhost ~]#
123