Installing and configuring an L2TP/IPSec VPN on CentOS 6

After I reinitialized my VPS last time I never found the time to redeploy the VPN, so my iPad could not get past the firewall, which was genuinely annoying. I had been using PPTP before; this time I wanted to try L2TP.
What is the difference between the two? A comparison:

VPN data transport protocols: PPTP vs. L2TP

PPTP                              L2TP
Runs over IP-based internet       Runs over various WAN links, such as Frame Relay, IPX and X.25
No header compression             Header compression
No tunnel authentication          Tunnel authentication
Uses PPP encryption               Uses IPSec encryption

Installing IPSec

IPSec encrypts and authenticates IP packets, which means the data passing between your computer or mobile device and the server can neither be read nor forged by a third party. openswan is the recommended daemon for running IPSec.

wget http://download.openswan.org/openswan/openswan-2.6.38.tar.gz
tar zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install

Lesson learned: some versions of openswan do not work together with xl2tpd and the setup simply will not function. This was a painful lesson; I spent a whole afternoon on it, and in the end trying 2.6.38 made it work.
As of 2012-12-25, the openswan version shipped in the CentOS 6.3 repositories does not work correctly.
Edit /etc/ipsec.conf

Add the following:

vi /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=106.187.35.56
    leftprotoport=17/1701
    right=%any

# vi /etc/ipsec.secrets
Change it to: 106.187.35.56 %any: PSK "hello"
Replace 106.187.35.56 with your server's IP address and hello with any string you like, for example a favourite sentence (a long, random string is the safer choice, since this pre-shared key is all that protects the IKE negotiation).

Adjusting the packet-forwarding settings

for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

Possible problems:

Two or more interfaces found, checking IP forwarding            [FAILED]

If ipsec verify reports this, edit /etc/sysctl.conf and set:

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
sysctl -p

SAref kernel support                                            [N/A]

If you see this, set the following in /etc/xl2tpd/xl2tpd.conf (the sample xl2tpd.conf further down ships with ipsec saref = yes; change it to no in this case):

[global]
ipsec saref = no

Restart ipsec and check that it runs correctly:
service ipsec restart
ipsec verify
Output like the following means it is working:

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K3.6.5-linode47 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
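As an added example (not part of the original post), a small POSIX shell script that parses captured `ipsec verify` output, lists every check that did not pass, and pairs the two failures discussed above with the fix this post gives for them; the sample output and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit captured `ipsec verify` output.

# Constructed sample of `ipsec verify` output containing the two failures the post discusses.
SAMPLE_VERIFY='Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [FAILED]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Opportunistic Encryption Support                                [DISABLED]'

# Read verify output on stdin; print the name of every check whose result
# is neither [OK], [N/A] nor [DISABLED] (status column and indentation stripped).
failed_checks() {
    awk '$NF ~ /^\[.*\]$/ {
        status = $NF
        if (status != "[OK]" && status != "[N/A]" && status != "[DISABLED]") {
            sub(/[[:space:]]*\[[^]]*\]$/, "")   # drop the trailing status column
            sub(/^[[:space:]]+/, "")            # drop leading indentation
            print
        }
    }'
}

# Map a failed check name to the remediation given in the post.
fix_for() {
    case "$1" in
        *"IP forwarding"*) echo "set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then run sysctl -p" ;;
        *send_redirects*|*accept_redirects*)
            echo "echo 0 into accept_redirects and send_redirects under /proc/sys/net/ipv4/conf/*" ;;
        *"SAref kernel support"*) echo "set 'ipsec saref = no' under [global] in /etc/xl2tpd/xl2tpd.conf" ;;
        *) echo "no documented fix" ;;
    esac
}

# Number of failed checks in the sample.
count_failed() {
    printf '%s\n' "$SAMPLE_VERIFY" | failed_checks | wc -l | tr -d ' '
}

# Report each failure together with its fix.
printf '%s\n' "$SAMPLE_VERIFY" | failed_checks | while IFS= read -r check; do
    echo "FAILED: $check -> $(fix_for "$check")"
done
```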

Installing xl2tpd

# yum install libpcap-devel
# yum install ppp

xl2tpd is not in the official repositories, so you need to add EPEL first:

wget http://mirrors.ustc.edu.cn/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm
# yum install xl2tpd
# vi /etc/xl2tpd/xl2tpd.conf

; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

; IMPORTANT: always set listen-addr to a specific address, to work around a
; udpfromto bug!!!

[global]
 listen-addr =vydbs.com
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
 ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Edit /etc/ppp/options.xl2tpd

# vi /etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.4.4
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

iptables configuration

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
# write the running rules to /etc/sysconfig/iptables; a bare iptables-save only prints them,
# and the restart below would otherwise reload the old saved rule set
service iptables save
service iptables restart

Finally

service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on

User configuration:

# vi /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

username        *       password                *

