linux l2tp

yum install openswan xl2tpd ppp

/etc/ipsec.conf

config setup
	protostack=netkey
	dumpdir=/var/run/pluto/
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
	nat_traversal=yes
	oe=off

 

/etc/ipsec.d/l2tp-psk.conf

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=HOST_IP
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	dpddelay=40
	dpdtimeout=130
	dpdaction=clear
	leftnexthop=%defaultroute
	rightnexthop=%defaultroute

/etc/ipsec.secrets
HOST_IP %any: PSK "密钥"

/etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
[lns default]
ip range = 192.168.0.200-192.168.0.254
local ip = 192.168.0.196
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options
length bit = yes

/etc/sysctl.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0

test

sysctl -p
service ipsec start

ipsec verify

rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

 

#network 参考(新手别完全照抄)。
*nat
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
# Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 28 15:50:40 2012

Command:
iptables -t nat -A POSTROUTING -s 192.168.195.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.196.0/24 -o eth0 -j MASQUERADE

 

使用ipsec whack --status查看vpn的状态;

-----------------------------------------------------

windows 系统使用l2tp出现 809错误时处理方式:

微软官网推荐方法,新建注册表值
注: 修改后必需要重启电脑才能生效

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

 

--------------------------------------------------------------------------------------------------

参考2:

一、/etc/ipsec.conf

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

 

二、/etc/ipsec.secrets:

YOUR.SERVER.IP.ADDRESS   %any:  PSK "YourSharedSecret"

(「YOUR.SERVER.IP.ADDRESS」这部分换成你的服务器的 IP 地址,把「YourSharedSecret」部分换成随便一个字串,例如你喜欢的一句话,等等。)

三、运行以下命令:

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

四、检查一下 IPSec 能否正常工作:

sudo ipsec verify

如果在结果中看到「Opportunistic Encryption Support」被禁用了,没关系,其他项 OK 即可。

五、重启 openswan:

sudo /etc/init.d/ipsec restart

六、安装 L2TP

运行以下命令:

sudo aptitude install xl2tpd

八、用文字编辑器打开 /etc/xl2tpd/xl2tpd.conf,改成这样:

[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

这里要注意的是 ip range 一项里的 IP 地址不能和你正在用的 IP 地址重合,也不可与网络上的其他 IP 地址冲突。

九、安装 ppp。这是用来管理 VPN 用户的。

sudo aptitude install ppp

十、检查一下 /etc/ppp 目录里有没有 options.xl2tpd 这个文件,没有的话就建一个,文件内容如下:

require-mschap-v2
ms-dns 208.67.222.222
ms-dns 208.67.220.220
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

注意 ms-dns 可更换为你最近服务地址。

十一、添加 VPN 用户。
用文字编辑器打开 /etc/ppp/chap-secrets:

# user      server      password            ip
test        l2tpd       testpassword        *

如果你之前设置过 PPTP VPN,chap-secrets 文件里可能已经有了其他用户的列表。
你只要把 test l2tpd testpassword * 这样加到后面即可。

十二、重启 xl2tpd:

sudo /etc/init.d/xl2tpd restart

 

参考:
https://segmentfault.com/a/1190000000646294  (配置)

此条目发表在network分类目录。将固定链接加入收藏夹。