Ubuntu 14.04 搭L2TP-Over-IPSec服务器

本文最后更新于:6 年前

Tip: VI编辑文件时, 先找配置项是否存在,若存在,修改,反之新增

1. 安装openswan
1
2
3
4
# apt-get install openswan
# 查看版本
# ipsec --version
Linux Openswan U2.6.38/K3.13.0-37-generic (netkey)
2. 修改 /etc/ipsec.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# vi /etc/ipsec.conf

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=你的服务器公网IP地址
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
3. 配置密钥
1
2
3
# vi /etc/ipsec.secrets
你的服务器公网IP地址 %any: PSK "自定义密钥"
222.22.22.22 %any: PSK "xxxxxxxx"
4. 运行以下命令
1
2
3
4
5
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
5. 检查一下 IPSec 能否正常工作
# ipsec verify
6. 重启openswan
1
2
3
# service ipsec restart
或者
# /etc/init.d/ipsec restart
7. 安装xl2tpd:
1
# apt-get install xl2tpd
8. 配置/etc/xl2tpd/xl2tpd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# vi /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes

[lns default]
ip range = 10.0.2.2-10.0.2.255
local ip = 10.0.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
9. 如果你之前没有在服务器上安装过pptpd,那么下面这一步你要进行安装:
# apt-get install pptpd
10. 配置/etc/ppp/options.xl2tpd,如果没有就新建一个,内容如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# vi /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
connect-delay 5000
noccp
11. 添加或修改用户
1
2
3
# vi /etc/ppp/chap-secrets
xiaochunyong    *       123456  *
ely.xiao        *       123456  *
12. 重启 xl2tpd
1
# service xl2tpd restart
13. 设置 iptables 的数据包转发
1
2
# iptables --table nat --append POSTROUTING --jump MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward
14. 设置自启动项,编辑/etc/rc.local,加入下面的语句:
1
2
3
4
5
6
7
8
9
10
# vi /etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

附录(如果客户端连接VPN服务器发生异常,可以查看日志文件/var/log/auth.log):
1
tail -f /var/log/auth.log
我安装L2TP/IPSec VPN 遇到的问题:
  • 连接VPN服务器时,一直提示L2TP-VPN 服务器未响应
    在日志/var/log/auth.log中找到下面这行错误ERROR: asynchronous network error report on eth1 (sport=4500) for message to 101.224.23.44 port 4500, complainant 101.224.23.44: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)], 解决办法:
    1
    2
    3
    4
    5
    vi /etc/ipsec.conf

    leftprotoport=17/1701
    改为
    leftprotoport=17/%any

某个博客上找到了解决方法:

这才是终极原帖~ https://lists.openswan.org/pipermail/users/2013-July/022546.html

1
2
3
4
5
6
7
8
Good day @robert-woodward
I solved my problem a few minutes ago,
thanks to this post https://lists.openswan.org/pipermail/users/2013-July/022546.html
Especially to this part of message:
“I also make it my habit to make leftprotoport 17/%any instead of 17/1701

After i changed leftprotoport from 17/1701 to 17/%any in ipsec.conf and restarted ipsec service – everything got back to normal and vpn started working properly.
I hope this would solve your issue too.