After I reinitialised my VPS last time I never found the time to redeploy the VPN, so my iPad could not get past the firewall, which was genuinely annoying. I had been using PPTP before, so this time I wanted to try L2TP.
What is the difference between the two? A comparison:

VPN data transport protocols: PPTP vs. L2TP

| PPTP | L2TP |
| --- | --- |
| Runs over IP networks only | Runs over a variety of WAN links, e.g. Frame Relay, IPX, X.25 |
| No header compression | Header compression |
| No tunnel authentication | Tunnel authentication |
| Encryption via PPP | Encryption via IPsec |
Installing IPsec
IPsec encrypts and authenticates IP packets, so the traffic between your computer or mobile device and the server can neither be read nor tampered with by anyone on the path. openswan is the recommended daemon for running IPsec.
wget http://download.openswan.org/openswan/openswan-2.6.38.tar.gz
tar zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install
Lesson learned: certain openswan versions do not work together with xl2tpd and the tunnel simply fails to come up. This cost me a whole afternoon; in the end 2.6.38 was the first version that worked.
As of 2012-12-25 the openswan version shipped in the CentOS 6.3 repositories does not work correctly.
Edit /etc/ipsec.conf
Add the following:

vi /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=106.187.35.56
        leftprotoport=17/1701
        right=%any
# vi /etc/ipsec.secrets

Change it to:

106.187.35.56 %any: PSK "hello"

Replace 106.187.35.56 with your server's IP address, and replace hello with a string of your own choosing, e.g. any sentence you like.
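The pre-shared key is the only thing protecting the IKE handshake in this setup, so a short dictionary word is a poor choice. The script below is an added example, not part of the original post: it draws a 32-byte key from /dev/urandom, writes it in the one-line `IP %any: PSK "..."` format the post uses, and creates the file with mode 0600 so the key is not world-readable. The server address 106.187.35.56 is the post's own value; the output path defaults to a scratch file in the current directory (an assumption made so the script can be run anywhere), and on the real host you would point SECRETS_FILE at /etc/ipsec.secrets. `stat -c` is GNU coreutils syntax, i.e. a Linux host is assumed.

```shell
#!/bin/sh
# Added example: generate a strong PSK and write an openswan secrets file
# with restrictive permissions. Not code from the original post.

# gen_psk: 32 random bytes from /dev/urandom, hex-encoded (64 characters).
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_secrets SERVER_IP PSK FILE
# Writes the single PSK line in the format the post uses and makes sure the
# file is created 0600 (umask in a subshell) rather than 0644 and chmod'd later.
write_secrets() {
    server_ip=$1
    psk=$2
    file=$3
    (umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$file")
    chmod 600 "$file"
}

# secrets_mode FILE: octal permission bits of FILE, for checking the result.
secrets_mode() {
    stat -c '%a' "$1"
}

# Usage: SECRETS_FILE is a placeholder; use /etc/ipsec.secrets on the server.
PSK=$(gen_psk)
write_secrets 106.187.35.56 "$PSK" "${SECRETS_FILE:-./ipsec.secrets.example}"
echo "wrote ${SECRETS_FILE:-./ipsec.secrets.example} (mode $(secrets_mode "${SECRETS_FILE:-./ipsec.secrets.example}"))"
```

After writing the file, `service ipsec restart` (or `ipsec secrets`) makes pluto reload it; the same key string goes into each client's L2TP/IPsec profile.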
Adjust the packet forwarding settings

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
Possible problems:

Two or more interfaces found, checking IP forwarding [FAILED]

Edit /etc/sysctl.conf and set:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

then apply it with:

sysctl -p
SAref kernel support [N/A]

In that case, set the following in /etc/xl2tpd/xl2tpd.conf:

[global]
ipsec saref = no
Restart IPsec and test that it runs

service ipsec restart
ipsec verify

Output like the following means it is working correctly:

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K3.6.5-linode47 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
NETKEY:  Testing for disabled ICMP send_redirects               [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
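Reading `ipsec verify` output by eye is fine once, but after each change it helps to have the failing checks pulled out automatically together with the fix. The script below is an added example, not part of the original post: it parses the bracketed status column, lists every check that is neither [OK] nor [DISABLED] (Opportunistic Encryption being disabled is the intended state here), and maps the two failures the post discusses to the remedies the post gives. The sample output embedded in the script is constructed from the post's listing with two lines changed to [N/A] and [FAILED]; on a real host you would feed it `ipsec verify 2>&1` instead.

```shell
#!/bin/sh
# Added example: summarise non-OK checks from `ipsec verify`. Not code from the
# original post. SAMPLE_VERIFY is constructed sample output.

SAMPLE_VERIFY='Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Checking for IPsec support in kernel                            [OK]
SAref kernel support                                            [N/A]
NETKEY: Testing for disabled ICMP send_redirects                [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Opportunistic Encryption Support                                [DISABLED]'

# failed_checks OUTPUT: print "<check name>|<status>" for every line whose
# bracketed status is neither OK nor DISABLED. Lines without brackets
# (the banner, the version line) are skipped.
failed_checks() {
    printf '%s\n' "$1" | awk -F'[][]' '
        NF >= 3 && $2 != "OK" && $2 != "DISABLED" {
            name = $1
            sub(/[ \t]+$/, "", name)
            print name "|" $2
        }'
}

# remedy CHECK_NAME: the fix the post gives for that check, if any.
remedy() {
    case "$1" in
        *"checking IP forwarding"*)
            echo "set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p" ;;
        "SAref kernel support")
            echo "set 'ipsec saref = no' under [global] in /etc/xl2tpd/xl2tpd.conf" ;;
        *ICMP*redirects*)
            echo "write 0 to accept_redirects and send_redirects under /proc/sys/net/ipv4/conf/*" ;;
        *)
            echo "no remedy listed in the post" ;;
    esac
}

# count_failures OUTPUT: number of non-OK checks (0 means all good).
count_failures() {
    failed_checks "$1" | wc -l | tr -d ' '
}

# Usage: print each failing check with its remedy.
failed_checks "$SAMPLE_VERIFY" | while IFS='|' read -r name status; do
    printf '%s [%s]: %s\n' "$name" "$status" "$(remedy "$name")"
done
echo "non-OK checks: $(count_failures "$SAMPLE_VERIFY")"
```

On the server, `count_failures "$(ipsec verify 2>&1)"` returning 0 is a reasonable gate before moving on to the xl2tpd configuration; note that [N/A] for SAref is expected on a stock CentOS kernel and only matters because xl2tpd must then be told `ipsec saref = no`.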
Installing xl2tpd

# yum install libpcap-devel
# yum install ppp

xl2tpd is not in the official repositories, so the EPEL repository has to be added first:

# wget http://mirrors.ustc.edu.cn/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm
# yum install xl2tpd
# vi /etc/xl2tpd/xl2tpd.conf

; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
; IMPORTANT: always set listen-addr to a specific address, to work around a
; udpfromto bug!!!

[global]
listen-addr = vydbs.com
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; (set this to "no" if "ipsec verify" reported "SAref kernel support [N/A]",
; as described in the troubleshooting section above)
ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Edit /etc/ppp/options.xl2tpd

# vi /etc/ppp/options.xl2tpd

require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.4.4
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
iptables configuration

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
# persist the rules to /etc/sysconfig/iptables before restarting; a bare
# "iptables-save" only prints them to stdout, and the restart would then
# reload the old rule set and drop the three rules just added
service iptables save
service iptables restart
Finally

service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
User accounts:

# vi /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
username        *       password                *

Replace username and password with the account name and password you want to hand out, one line per user.
References:

Six steps to configure an L2TP IPsec VPN server on CentOS 6
http://yp.oss.org.cn/blog/show_resource.php?resource_id=1586

Notes on installing an L2TP VPN on CentOS
http://xfeng.me/centos-install-l2tp-vpn-note/

Installing and configuring L2TP on CentOS with freeradius authentication
http://www.xj123.info/3180.html