Installing and Configuring L2TP on CentOS

On 08/24/2011, in Linux, VPS, Tinkering, by ultragtx

Update 2012.04.10: On Ubuntu, apart from the package installation and the xl2tpd startup script, the configuration method in this post has been tested and works. For building from source, refer to this article.

Update 2011.11.28: For installing xl2tpd, openswan and so on under CentOS 6 32-bit, refer to this article; for the xl2tpd startup script, refer to this article; the configuration still follows this post (some small changes have been made). If iptables has to be reconfigured after every restart before it works, consider adding the iptables section to /etc/rc.local.

First, my environment: CentOS 5.4 32-bit, with Nginx installed

There is a one-click L2TP install package for CentOS, and I recommend trying it first, since it is very convenient. My luck was bad, though: not only did the one-click package fail to get L2TP running correctly on my machine, its incorrect iptables configuration also made Nginx return 404 and 502 errors. If you run into the same problem, you can simply run
service iptables stop
to reset and stop iptables, which fixes the Nginx 404/502 errors; enabling iptables again afterwards causes no further trouble. But then L2TP certainly cannot connect either.

This post draws on the articles here, here, here, here and here; I suggest reading them alongside it.
Now to the main topic:

  1. Install the required packages

    yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced
  2. Build and install OpenSwan

    wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
    tar zxvf openswan-2.6.24.tar.gz
    cd openswan-2.6.24
    make programs install
  3. Install xl2tpd

    yum install xl2tpd
  4. Edit /etc/ipsec.conf; note: replace $vpsip with your machine's IP

    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey
     
    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
     
    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=$vpsip #change this
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
  5. Edit /etc/ipsec.secrets; note: replace $vpsip with your machine's IP and $mypsk with the pre-shared key you want

    $vpsip %any: PSK "$mypsk"
  6. Modify/add the following in /etc/sysctl.conf

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.conf.all.log_martians = 0
    net.ipv4.conf.default.log_martians = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.icmp_ignore_bogus_error_responses = 1
  7. Apply the modified sysctl.conf

    sysctl -p
  8. Verify that ipsec is running

    ipsec setup restart
    ipsec verify

    If the output looks like the following, ipsec is configured successfully

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                             	[OK]
    Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
    Checking for IPsec support in kernel                        	[OK]
    NETKEY detected, testing for disabled ICMP send_redirects   	[OK]
    NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
    Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
    Checking that pluto is running                              	[OK]
    Pluto listening for IKE on udp 500                          	[OK]
    Pluto listening for NAT-T on udp 4500                       	[OK]
    Two or more interfaces found, checking IP forwarding        	[OK]
    Checking NAT and MASQUERADEing
    Checking for 'ip' command                                   	[OK]
    Checking for 'iptables' command                             	[OK]
    Opportunistic Encryption Support                            	[DISABLED]
  9. Edit /etc/xl2tpd/xl2tpd.conf

    [global]
    ipsec saref = yes
    listen-addr = $vpsip ;server address
    [lns default]
    ip range = 10.1.2.2-10.1.2.254 ;change this to the IP range you want
    local ip = 10.1.2.1 ;change this to the IP you want
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
  10. Edit /etc/ppp/options.xl2tpd

    require-mschap-v2
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
  11. Configure the username and password: edit /etc/ppp/chap-secrets

    # user server password ip
    username * userpass * #change to your username and password
  12. Restart xl2tpd

    service xl2tpd restart
  13. Set up iptables; note: replace $vpsip with your machine's IP, and in the last line change 10.1.2.0 to match the IP range you set in xl2tpd.conf earlier

    iptables -A INPUT -p 50 -j ACCEPT
    iptables -A INPUT -p udp -d `ifconfig | grep 'inet addr:'| grep -v '$vpsip' | cut -d: -f2 | awk 'NR==1 { print $1}'` --dport 500 -j ACCEPT
    iptables -A INPUT -p udp -d `ifconfig | grep 'inet addr:'| grep -v '$vpsip' | cut -d: -f2 | awk 'NR==1 { print $1}'` --dport 4500 -j ACCEPT
    iptables -A INPUT -p udp -d `ifconfig | grep 'inet addr:'| grep -v '$vpsip' | cut -d: -f2 | awk 'NR==1 { print $1}'` --dport 1701 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
  14. Save

    service iptables save
    service iptables restart
  15. Add the services to startup

    chkconfig xl2tpd on
    chkconfig iptables on
    chkconfig ipsec on

The L2TP configuration is complete; corrections for any omissions in the process are welcome.
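Two things are easy to get wrong in the steps above and worth checking with a script rather than by eye: whether every line of `ipsec verify` (step 8) really reports [OK], and whether the client pool in xl2tpd.conf (step 9) actually lies inside the subnet that the MASQUERADE rule in step 13 NATs. The following is an added example, not code from the original post; it parses the two artefacts from the page and reports problems. The sample inputs are constructed from the values in the post (one verify line has deliberately been changed to [FAILED], and 203.0.113.10 stands in for $vpsip).

```python
"""Post-install sanity checks for the L2TP/IPsec setup in this post.

Added example, not from the original post. It checks:
  1. every status line of `ipsec verify` output reads [OK]; anything else
     is reported (Opportunistic Encryption is skipped by default, since the
     post's ipsec.conf sets oe=off and its [DISABLED] status is expected);
  2. the xl2tpd "ip range" and "local ip" fall inside the NAT subnet used by
     the iptables MASQUERADE rule, and do not overlap each other.
"""
import ipaddress
import re

# Constructed sample: abridged `ipsec verify` output from step 8, with the
# send_redirects line changed to [FAILED] to show what a failure looks like.
SAMPLE_VERIFY = """\
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             \t[OK]
Checking for IPsec support in kernel                        \t[OK]
NETKEY detected, testing for disabled ICMP send_redirects   \t[FAILED]
Checking that pluto is running                              \t[OK]
Pluto listening for IKE on udp 500                          \t[OK]
Checking NAT and MASQUERADEing
Opportunistic Encryption Support                            \t[DISABLED]
"""

# Constructed sample: xl2tpd.conf from step 9 (203.0.113.10 stands in for $vpsip).
SAMPLE_XL2TPD_CONF = """\
[global]
ipsec saref = yes
listen-addr = 203.0.113.10 ;server address
[lns default]
ip range = 10.1.2.2-10.1.2.254 ;change this to the IP range you want
local ip = 10.1.2.1 ;change this to the IP you want
refuse chap = yes
"""

# A status line is "<check text>   [STATUS]"; lines without brackets are headings.
STATUS_RE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[A-Z ]+)\]\s*$")


def ipsec_verify_problems(output, ignore=("Opportunistic Encryption Support",)):
    """Return [(check, status)] for every status line that is not [OK]."""
    problems = []
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # banner or section heading, carries no status
        check, status = m.group("check").strip(), m.group("status").strip()
        if status != "OK" and check not in ignore:
            problems.append((check, status))
    return problems


def parse_xl2tpd_lns(conf, section="lns default"):
    """Return the key/value pairs of one xl2tpd.conf section.

    Inline ';' comments (as used in the post) are stripped; keys are
    lower-cased and whitespace-normalised.
    """
    values, current = {}, None
    for raw in conf.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[" ".join(key.lower().split())] = value
    return values


def nat_subnet_problems(conf, nat_cidr):
    """Compare the xl2tpd client pool with the MASQUERADE subnet from step 13.

    Returns a list of human-readable problems; an empty list means consistent.
    """
    lns = parse_xl2tpd_lns(conf)
    subnet = ipaddress.ip_network(nat_cidr, strict=False)
    try:
        local_ip = ipaddress.ip_address(lns["local ip"])
        first, last = (ipaddress.ip_address(part.strip())
                       for part in lns["ip range"].split("-", 1))
    except (KeyError, ValueError) as exc:
        return ["cannot read pool settings from [lns default]: %s" % exc]
    problems = []
    if first > last:
        problems.append("ip range %s-%s is reversed" % (first, last))
    for label, addr in (("local ip", local_ip), ("range start", first), ("range end", last)):
        if addr not in subnet:
            problems.append("%s %s is outside NAT subnet %s" % (label, addr, subnet))
    if first <= local_ip <= last:
        problems.append("local ip %s lies inside the client pool %s-%s" % (local_ip, first, last))
    return problems


if __name__ == "__main__":
    for check, status in ipsec_verify_problems(SAMPLE_VERIFY):
        print("ipsec verify: %s -> [%s]" % (check, status))
    for problem in nat_subnet_problems(SAMPLE_XL2TPD_CONF, "10.1.2.0/24"):
        print("xl2tpd/iptables: " + problem)
```

On a real server, feed `ipsec verify` output and the contents of /etc/xl2tpd/xl2tpd.conf into the two functions instead of the constructed samples, and pass the same subnet you wrote into the MASQUERADE rule; a non-empty result from either function means the corresponding step needs another look before clients are expected to connect.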

Possible problems and solutions:

  1. The "iptables Setting chains to policy ACCEPT: security raw nat mangle filter [FAILED]" problem
    http://vps.openzz.com/archives/224

– That is all –


6 Responses to Installing and Configuring L2TP on CentOS

  1. wedding dresses says:

    Very good, I will go and try it too, thanks

  2. […] Content reposted from Installing and Configuring L2TP on CentOS; I tested it working on photonvps and kvm.la. This entry was posted in the Notes category by Rolling and tagged iptables, l2tp, Linux, lnmp, VPN, VPS. Bookmark the permalink. […]

  3. […] Reference article: Installing and Configuring L2TP on CentOS […]

  4. leafiy says:

    It seems that once there are more than 3 users no more can connect? That is what I saw in my testing, linode vps

  5. […] Reference article: Installing and Configuring L2TP on CentOS […]
