{"id":541,"date":"2016-09-30T00:03:12","date_gmt":"2016-09-30T00:03:12","guid":{"rendered":"http:\/\/16c222aa19898e5058938167c8ab6c57"},"modified":"2017-10-24T13:06:04","modified_gmt":"2017-10-24T05:06:04","slug":"linux-l2tp","status":"publish","type":"post","link":"https:\/\/www.xiaobo.li\/notes\/archives\/541","title":{"rendered":"linux l2tp"},"content":{"rendered":"<p>yum install openswan xl2tpd ppp<\/p>\n<p><b>\/etc\/ipsec.conf<\/b><\/p>\n<pre>config setup\r\n\tprotostack=netkey\r\n\tdumpdir=\/var\/run\/pluto\/\r\n\tvirtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12,%v4:25.0.0.0\/8,%v4:100.64.0.0\/10,%v6:fd00::\/8,%v6:fe80::\/10\r\n\tnat_traversal=yes\r\n\toe=off\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p><b>\/etc\/ipsec.d\/l2tp-psk.conf<\/b><\/p>\n<pre>conn L2TP-PSK-NAT\r\n\trightsubnet=vhost:%priv\r\n\talso=L2TP-PSK-noNAT\r\n\r\nconn L2TP-PSK-noNAT\r\n\tauthby=secret\r\n\tpfs=no\r\n\tauto=add\r\n\tkeyingtries=3\r\n\trekey=no\r\n\tikelifetime=8h\r\n\tkeylife=1h\r\n\ttype=transport\r\n\tleft=<span style=\"color: #ff6600;\">HOST_IP<\/span>\r\n\tleftprotoport=17\/1701\r\n\tright=%any\r\n\trightprotoport=17\/%any\r\n\tdpddelay=40\r\n\tdpdtimeout=130\r\n\tdpdaction=clear\r\n<span style=\"color: #ff6600;\">\tleftnexthop=%defaultroute\r\n\trightnexthop=%defaultroute\r\n\r\n<\/span><\/pre>\n<p><b>\/etc\/ipsec.secrets<br \/>\n<\/b><code class=\"hljs haml has-numbering\"><span class=\"hljs-tag\">HOST_IP %<span class=\"hljs-title\">any<\/span><\/span>: PSK \"\u5bc6\u94a5\"<\/code><\/p>\n<p class=\"prettyprint\"><b><code class=\"hljs haml has-numbering\">\/etc\/xl2tpd\/xl2tpd.conf<\/code><\/b><\/p>\n<p class=\"prettyprint\"><code class=\"hljs haml has-numbering\">[global]<br \/>\nipsec saref = yes<br \/>\n[lns default]<br \/>\nip range = 192.168.0.200-192.168.0.254<br \/>\nlocal ip = 192.168.0.196<br \/>\nrefuse chap = yes<br \/>\nrefuse pap = yes<br \/>\nrequire authentication = yes<br \/>\nppp debug = yes<br \/>\npppoptfile = \/etc\/ppp\/options<br \/>\nlength 
bit = yes<\/code><\/p>\n<p class=\"prettyprint\"><code class=\"hljs haml has-numbering\"><b>\/etc\/sysctl.conf<\/b><br \/>\n<\/code><code class=\"hljs haml has-numbering\">net.ipv4.conf.all.send_redirects = 0<br \/>\nnet.ipv4.conf.default.send_redirects = 0<br \/>\nnet.ipv4.conf.all.accept_redirects = 0<br \/>\nnet.ipv4.conf.default.accept_redirects = 0<br \/>\nnet.ipv4.conf.default.rp_filter = 0<br \/>\n<\/code><\/p>\n<p><b><code class=\"hljs haml has-numbering\">test<\/code><\/b><\/p>\n<div class=\"crayon-pre\" style=\"font-size: 13px !important; line-height: 15px !important; -moz-tab-size: 4; -o-tab-size: 4; -webkit-tab-size: 4; tab-size: 4;\">\n<div id=\"crayon-57ec02b606d26857732874-1\" class=\"crayon-line\"><span class=\"crayon-v\">sysctl<\/span> <span class=\"crayon-o\">-<\/span><span class=\"crayon-i\">p<\/span><\/div>\n<div id=\"crayon-57ec02b606d26857732874-2\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-e\">service <\/span><span class=\"crayon-e\">ipsec <\/span><span class=\"crayon-e\">start<\/span><\/div>\n<div id=\"crayon-57ec02b606d26857732874-3\" class=\"crayon-line\">\n<p><span class=\"crayon-e\">ipsec <\/span><span class=\"crayon-v\">verify<\/span><\/p>\n<p><b>rp_filter<\/b><br \/>\necho 0 &gt; \/proc\/sys\/net\/ipv4\/conf\/lo\/rp_filter<br \/>\necho 0 &gt; \/proc\/sys\/net\/ipv4\/conf\/eth0\/rp_filter<\/p>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<p>#network \u53c2\u8003(\u65b0\u624b\u522b\u5b8c\u5168\u7167\u6284)\u3002<br \/>\n*nat<br \/>\n:PREROUTING ACCEPT [39:3503]<br \/>\n:POSTROUTING ACCEPT [0:0]<br \/>\n:OUTPUT ACCEPT [0:0]<br \/>\n-A POSTROUTING -s 192.168.7.0\/24 -o eth0 -j MASQUERADE<br \/>\nCOMMIT<br \/>\n# Completed on Thu Jun 28 15:50:40 2012<br \/>\n# Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012<br \/>\n*filter<br \/>\n:INPUT ACCEPT [0:0]<br \/>\n:FORWARD ACCEPT [0:0]<br \/>\n:OUTPUT ACCEPT [121:13264]<br \/>\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br \/>\n-A INPUT -p icmp -j ACCEPT<br 
\/>\n-A INPUT -i lo -j ACCEPT<br \/>\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT<br \/>\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT<br \/>\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT<br \/>\n-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT<br \/>\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT<br \/>\n-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT<br \/>\n-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT<br \/>\n-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT<br \/>\n-A INPUT -j REJECT --reject-with icmp-host-prohibited<br \/>\n-A FORWARD -d 192.168.7.0\/24 -j ACCEPT<br \/>\n-A FORWARD -s 192.168.7.0\/24 -j ACCEPT<br \/>\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited<br \/>\nCOMMIT<br \/>\n# Completed on Thu Jun 28 15:50:40 2012<\/p>\n<p><b>Command:<\/b><br \/>\niptables -t nat -A POSTROUTING -s 192.168.195.0\/24 -o eth0 -j MASQUERADE<br \/>\niptables -t nat -A POSTROUTING -s 192.168.196.0\/24 -o eth0 -j MASQUERADE<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: 'Microsoft YaHei'; font-size: 16px;\">\u4f7f\u7528ipsec whack --status\u67e5\u770bvpn\u7684\u72b6\u6001\uff1b<\/span><\/p>\n<p><span style=\"font-family: 'Microsoft YaHei'; font-size: 16px;\">-----------------------------------------------------<\/span><\/p>\n<p><span style=\"font-family: 'Microsoft YaHei'; font-size: 16px;\">windows \u7cfb\u7edf\u4f7f\u7528l2tp\u51fa\u73b0 809\u9519\u8bef\u65f6\u5904\u7406\u65b9\u5f0f\uff1a<\/span><\/p>\n<p><span style=\"font-family: 'Microsoft YaHei'; font-size: 16px;\">\u5fae\u8f6f\u5b98\u7f51\u63a8\u8350\u65b9\u6cd5\uff0c\u65b0\u5efa\u6ce8\u518c\u8868\u503c<br \/>\n<b><span style=\"color: #e53333;\">\u6ce8\uff1a \u4fee\u6539\u540e\u5fc5\u9700\u8981\u91cd\u542f\u7535\u8111\u624d\u80fd\u751f\u6548<\/span><\/b><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: 'Microsoft YaHei'; font-size: 16px;\">Windows 
Registry Editor Version 5.00<\/span><\/p>\n<p><span style=\"font-family: 'Microsoft YaHei'; font-size: 16px;\"><br \/>\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PolicyAgent]<br \/>\n\"AssumeUDPEncapsulationContextOnSendRule\"=dword:00000002<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: 'Microsoft YaHei'; font-size: 16px;\">\u00a0<\/span><\/p>\n<p>--------------------------------------------------------------------------------------------------<\/p>\n<p><b><span style=\"font-size: 16px;\">\u53c2\u80032\uff1a<\/span><\/b><\/p>\n<p><span style=\"font-size: 16px;\">\u4e00\u3001\/etc\/ipsec.conf<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">version 2.0\r\nconfig setup\r\n    nat_traversal=yes\r\n    virtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12\r\n    oe=off\r\n    protostack=netkey\r\n\r\nconn L2TP-PSK-NAT\r\n    rightsubnet=vhost:%priv\r\n    also=L2TP-PSK-noNAT\r\n\r\nconn L2TP-PSK-noNAT\r\n    authby=secret\r\n    pfs=no\r\n    auto=add\r\n    keyingtries=3\r\n    rekey=no\r\n    ikelifetime=8h\r\n    keylife=1h\r\n    type=transport\r\n    left=YOUR.SERVER.IP.ADDRESS\r\n    leftprotoport=17\/1701\r\n    right=%any\r\n    rightprotoport=17\/%any<\/span><\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 16px;\">\u4e8c\u3001\/etc\/ipsec.secrets\uff1a<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">YOUR.SERVER.IP.ADDRESS   %any:  PSK \"YourSharedSecret\"<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\uff08\u300cYOUR.SERVER.IP.ADDRESS\u300d\u8fd9\u90e8\u5206\u6362\u6210\u4f60\u7684\u670d\u52a1\u5668\u7684 IP \u5730\u5740\uff0c\u628a\u300cYourSharedSecret\u300d\u90e8\u5206\u6362\u6210\u968f\u4fbf\u4e00\u4e2a\u5b57\u4e32\uff0c\u4f8b\u5982\u4f60\u559c\u6b22\u7684\u4e00\u53e5\u8bdd\uff0c\u7b49\u7b49\u3002\uff09<\/span><\/p>\n<p><span style=\"font-size: 16px;\">\u4e09\u3001\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">for each in 
\/proc\/sys\/net\/ipv4\/conf\/*\r\ndo\r\n    echo 0 &gt; $each\/accept_redirects\r\n    echo 0 &gt; $each\/send_redirects\r\ndone<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u56db\u3001\u68c0\u67e5\u4e00\u4e0b IPSec \u80fd\u5426\u6b63\u5e38\u5de5\u4f5c\uff1a<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">sudo ipsec verify<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u5982\u679c\u5728\u7ed3\u679c\u4e2d\u770b\u5230\u300cOpportunistic Encryption Support\u300d\u88ab\u7981\u7528\u4e86\uff0c\u6ca1\u5173\u7cfb\uff0c\u5176\u4ed6\u9879 OK \u5373\u53ef\u3002<\/span><\/p>\n<p><span style=\"font-size: 16px;\">\u4e94\u3001\u91cd\u542f openswan:<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">sudo \/etc\/init.d\/ipsec restart<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u516d\u3001\u5b89\u88c5 L2TP<\/span><\/p>\n<p><span style=\"font-size: 16px;\">\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">sudo aptitude install xl2tpd<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u516b\u3001\u7528\u6587\u5b57\u7f16\u8f91\u5668\u6253\u5f00 \/etc\/xl2tpd\/xl2tpd.conf\uff0c\u6539\u6210\u8fd9\u6837\uff1a<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">[global]\r\nipsec saref = yes\r\n\r\n[lns default]\r\nip range = 10.1.2.2-10.1.2.255\r\nlocal ip = 10.1.2.1\r\n;require chap = yes\r\nrefuse chap = yes\r\nrefuse pap = yes\r\nrequire authentication = yes\r\nppp debug = yes\r\npppoptfile = \/etc\/ppp\/options.xl2tpd\r\nlength bit = yes<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u8fd9\u91cc\u8981\u6ce8\u610f\u7684\u662f ip range \u4e00\u9879\u91cc\u7684 IP \u5730\u5740\u4e0d\u80fd\u548c\u4f60\u6b63\u5728\u7528\u7684 IP \u5730\u5740\u91cd\u5408\uff0c\u4e5f\u4e0d\u53ef\u4e0e\u7f51\u7edc\u4e0a\u7684\u5176\u4ed6 IP \u5730\u5740\u51b2\u7a81\u3002<\/span><\/p>\n<p><span style=\"font-size: 16px;\">\u4e5d\u3001\u5b89\u88c5 ppp\u3002\u8fd9\u662f\u7528\u6765\u7ba1\u7406 VPN 
\u7528\u6237\u7684\u3002<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">sudo aptitude install ppp<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u5341\u3001\u68c0\u67e5\u4e00\u4e0b \/etc\/ppp \u76ee\u5f55\u91cc\u6709\u6ca1\u6709 options.xl2tpd \u8fd9\u4e2a\u6587\u4ef6\uff0c\u6ca1\u6709\u7684\u8bdd\u5c31\u5efa\u4e00\u4e2a\uff0c\u6587\u4ef6\u5185\u5bb9\u5982\u4e0b\uff1a<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">require-mschap-v2\r\n<span style=\"color: #ff9900;\">ms-dns 208.67.222.222\r\nms-dns 208.67.220.220<\/span>\r\nasyncmap 0\r\nauth\r\ncrtscts\r\nlock\r\nhide-password\r\nmodem\r\ndebug\r\nname l2tpd\r\nproxyarp\r\nlcp-echo-interval 30\r\nlcp-echo-failure 4<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u6ce8\u610f ms-dns \u53ef\u66f4\u6362\u4e3a\u4f60\u6700\u8fd1\u670d\u52a1\u5730\u5740\u3002<\/span><\/p>\n<p><span style=\"font-size: 16px;\">\u5341\u4e00\u3001\u6dfb\u52a0 VPN \u7528\u6237\u3002<br \/>\n\u7528\u6587\u5b57\u7f16\u8f91\u5668\u6253\u5f00 \/etc\/ppp\/chap-secrets:<\/span><\/p>\n<pre><span style=\"font-size: 16px;\"># user      server      password            ip\r\ntest        l2tpd       testpassword        *<\/span><\/pre>\n<p><span style=\"font-size: 16px;\">\u5982\u679c\u4f60\u4e4b\u524d\u8bbe\u7f6e\u8fc7 PPTP VPN\uff0cchap-secrets \u6587\u4ef6\u91cc\u53ef\u80fd\u5df2\u7ecf\u6709\u4e86\u5176\u4ed6\u7528\u6237\u7684\u5217\u8868\u3002<br \/>\n\u4f60\u53ea\u8981\u628a test l2tpd testpassword * \u8fd9\u6837\u52a0\u5230\u540e\u9762\u5373\u53ef\u3002<\/span><\/p>\n<p><span style=\"font-size: 16px;\">\u5341\u4e8c\u3001\u91cd\u542f xl2tpd:<\/span><\/p>\n<pre><span style=\"font-size: 16px;\">sudo \/etc\/init.d\/xl2tpd restart<\/span><\/pre>\n<p>&nbsp;<\/p>\n<p>\u53c2\u8003\uff1a<br \/>\n<a href=\"https:\/\/segmentfault.com\/a\/1190000000646294\" target=\"_blank\" rel=\"noopener\">https:\/\/segmentfault.com\/a\/1190000000646294<\/a>\u00a0 
\uff08\u914d\u7f6e\uff09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp;<\/p>\n<p>yum install openswan xl2tpd ppp<\/p>\n<p>&nbsp;<\/p>\n<p><b>\/etc\/ipsec.conf<\/b><\/p>\n<p>&nbsp;<\/p>\n<p>config setup<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protostack=netkey<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dumpdir=\/var\/run\/pluto\/<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; virtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12,%v4:25.0.0.0\/8,%v4:100.64.0.0\/10,%v6:fd00::\/8,%v6:fe80::\/10<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nat_traversal=yes<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; oe=off<\/p>\n<p>&nbsp;<\/p>\n<p><b>\/etc\/ipsec.d\/l2tp-psk.conf<\/b><\/p>\n<p>conn L2TP-PSK-NAT<br \/>\n&nbsp;&nbsp;&nbsp; rightsubnet=vhost:%priv<br \/>\n&nbsp;&nbsp;&amp;n...<\/p>\n<p> <a href=\"https:\/\/www.xiaobo.li\/notes\/archives\/541\">\u7ee7\u7eed\u9605\u8bfb <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[291],"tags":[],"class_list":["post-541","post","type-post","status-publish","format-standard","hentry","category-network"],"_links":{"self":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts\/541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/comments?post=541"}],"version-history":[{"count":0,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts\/541\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/media?parent=541"}],"wp:t
erm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/categories?post=541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/tags?post=541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}