2012.04.10 update: on Ubuntu, apart from package installation and the xl2tpd startup script, the configuration in this article has been tested and works. For a compile-and-install route, see this article.
2011.11.28 update: for CentOS 6 32bit, see this article for installing xl2tpd, openswan and friends, and this article for the xl2tpd startup script; the configuration itself still follows this article (it has had a few small fixes). If the rules only work after being reconfigured every time iptables restarts, consider adding the iptables section below to /etc/rc.local.
First, my environment: CentOS 5.4 32bit, with Nginx installed.
There is a one-click L2TP installer for CentOS, and I recommend trying it first since it is convenient. My luck was bad, though: not only did it fail to get L2TP working on my machine, its iptables rules were wrong and left Nginx returning 404 and 502 errors. If you run into the same thing, you can simply run
service iptables stop
to flush and stop iptables, which fixes the nginx 404/502 errors; enabling iptables again afterwards caused no further problems. But at that point L2TP will certainly not connect either.
This article draws on the posts here, here, here, here and here; reading them alongside it is recommended.
On to the main part:
- Install the required packages
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced
- Compile and install OpenSwan
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install
- Install xl2tpd
yum install xl2tpd
- Edit /etc/ipsec.conf; replace $vpsip with your machine's IP. The OpenSwan L2TP documentation recommends excluding the L2TP client pool from virtual_private (for the 10.1.2.0/24 pool configured later in xl2tpd.conf, append ,%v4:!10.1.2.0/24), so that a NAT-ed client whose private address falls in that range cannot collide with it.
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$vpsip    # change this
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
- Edit /etc/ipsec.secrets; replace $vpsip with your machine's IP and $mypsk with the key you want. Every client authenticates with this one key, so pick a long random value and keep the file readable by root only (chmod 600 /etc/ipsec.secrets).
$vpsip %any: PSK "$mypsk"
- Modify/add the following in /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
- Apply the modified sysctl.conf
sysctl -p
- Verify that ipsec is running
ipsec setup restart
ipsec verify
If the output looks like this, ipsec is configured successfully:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
- Edit /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
listen-addr = $vpsip                ; server address

[lns default]
ip range = 10.1.2.2-10.1.2.254      ; change to the IP range you want for clients
local ip = 10.1.2.1                 ; change to the server-side IP you want
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- Edit /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
- Configure username and password: edit /etc/ppp/chap-secrets. The passwords are stored in clear text (MS-CHAPv2 needs them), so keep this file mode 600.
# user      server  password    ip
username    *       userpass    *     # change to your username and password
- Restart xl2tpd
service xl2tpd restart
- Set up iptables; replace $vpsip with your machine's IP, and change 10.1.2.0 in the last line to match the range you set in xl2tpd.conf. Note that the 1701 rule as written also accepts L2TP that does not arrive inside IPsec.
# ESP (protocol 50) carries the IPsec traffic
iptables -A INPUT -p 50 -j ACCEPT
# IKE on UDP 500, NAT-T on UDP 4500 and L2TP on UDP 1701, addressed to the server IP
iptables -A INPUT -p udp -d $vpsip --dport 500 -j ACCEPT
iptables -A INPUT -p udp -d $vpsip --dport 4500 -j ACCEPT
iptables -A INPUT -p udp -d $vpsip --dport 1701 -j ACCEPT
# NAT the client pool out through the public interface
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
- Save
service iptables save
service iptables restart
- Add to startup
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
L2TP configuration is complete; if I have missed anything in the process, criticism and corrections are welcome.
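The steps above leave two weak spots: the shared key is whatever you typed, and UDP 1701 is open to everyone, so L2TP (and the PPP/MS-CHAPv2 exchange inside it) is also accepted when it does not come through IPsec. The script below is an added example, not code from this post or from the OpenSwan/xl2tpd projects: it generates a random PSK, writes the ipsec.secrets line from the section above with owner-only permissions, and prints a firewall rule set that accepts L2TP only for packets just decapsulated from an IPsec SA (the xt_policy match), together with forwarding and NAT for the client pool. The function names, the file name l2tp-harden.sh and the 203.0.113.5 address are assumptions; the pool and interface default to the article's 10.1.2.0/24 and eth0.

```shell
#!/bin/sh
# l2tp-harden.sh (hypothetical name): added example, not part of the original
# post. Generates the pre-shared key, writes the ipsec.secrets line with strict
# permissions, and prints an iptables rule set that accepts L2TP (UDP 1701)
# only inside an IPsec SA. Nothing is applied until the output is piped to sh.

# 32 random bytes from /dev/urandom, base64-encoded (44 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write the line the post uses ("$vpsip %any: PSK "..."") but owner-only:
# every client shares this key, so the file must not be world-readable.
# $1 = server IP, $2 = file to write (normally /etc/ipsec.secrets), $3 = key.
write_secrets() {
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$1" "$3" > "$2" )
    chmod 600 "$2"
}

# Print the iptables commands for an L2TP/IPsec server.
# $1 = server IP, $2 = client pool in CIDR form, $3 = public interface.
l2tp_rules() {
    vpsip=$1; pool=${2:-10.1.2.0/24}; iface=${3:-eth0}
    cat <<EOF
# IKE (500) and NAT-T (4500) to pluto, ESP (protocol 50) for the IPsec SAs
iptables -A INPUT -d $vpsip -p udp --dport 500 -j ACCEPT
iptables -A INPUT -d $vpsip -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -d $vpsip -p esp -j ACCEPT
# L2TP only for packets that were just decapsulated from an IPsec ESP SA.
# A plain "--dport 1701 -j ACCEPT" also takes L2TP sent in clear, which would
# expose the PPP/MS-CHAPv2 exchange; the DROP closes that path.
iptables -A INPUT -d $vpsip -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -d $vpsip -p udp --dport 1701 -j DROP
# Forward the client pool out through the public interface and NAT it
iptables -A FORWARD -s $pool -o $iface -j ACCEPT
iptables -A FORWARD -d $pool -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $pool -o $iface -j MASQUERADE
EOF
}

# Usage, as root, after replacing the placeholder address with your server IP:
#   . ./l2tp-harden.sh
#   psk=$(gen_psk) && write_secrets 203.0.113.5 /etc/ipsec.secrets "$psk" && echo "PSK: $psk"
#   l2tp_rules 203.0.113.5 10.1.2.0/24 eth0 | sh && service iptables save
```

Review the printed rules before piping them to sh: if your public interface is not eth0, or your server has an existing INPUT policy of DROP, adjust the interface argument and the order of the rules first. The policy match needs the xt_policy module, which is present in the 2.6.x kernels this article targets.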
Possible problems and solutions:
- iptables reports "Setting chains to policy ACCEPT: security raw nat mangle filter [FAILED]"
http://vps.openzz.com/archives/224
–End–