centos使用l2tp\ipsec科学上网

安装 openswan

准备安装编译所需软件包
CentOS:yum install make gcc gmp-devel bison flex
Debian:aptitude install libgmp3-dev bison flex

下载源代码并编译安装

cd /usr/src
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install

修改配置文件

vim /etc/ipsec.conf
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

设置 Shared Key

vim /etc/ipsec.secrets
YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"

修改包转发设置

for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

修改内核设置

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

重新启动 ipsec,并测试运行效果

/etc/init.d/ipsec restart
ipsec verify

如下即为正常工作
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.32.12-linode25 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for ‘ip’ command [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]

这个时候 ipsec 部分完成了,可以测试一下,新建一个 ipsec+l2tp 的连接,填好服务器地址和 SharedKey,点连接,注意看服务器那边的 /var/log/secure (CentOS) /var/log/auth.log(Debian),如果出现了类似
STATE_QUICK_R2: IPsec SA established transport mode
这样的日志就说明 ipsec 没问题了。

如果你用 OS X,也可以看 /var/log/system.log |grep ppp,有类似pppd[3624]: IPSec connection established也是成功了。

安装l2tp

这里我使用了xl2tpd。这东西有点变态,没有l2tp-control,需要从rp-l2tp这个里面提取。

安装需要的库和软件包

CentOS:yum install libpcap-devel ppp
Debian:aptitude install libpcap-dev ppp
Debian 的话,可能需要建立一个 ppp device node,命令为`mknod /dev/ppp c 108 0`

下载编译安装

cd /usr/src
wget http://downloads.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/

mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

cd /usr/src
wget  http://www.xelerance.com/software/xl2tpd/xl2tpd-1.2.4.tar.gz
tar zxvf xl2tpd-1.2.4.tar.gz
cd xl2tpd-1.2.4
make install

写配置文件

mkdir /etc/xl2tpd
vim /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.254        #内容,注意 ip range 不要和你的 lan ip 冲突
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

ppp 配置文件

vim /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

设置拨号用户名以及密码

vim /etc/ppp/chap-secrets
# user      server      password        ip
username    l2tpd       userpass        *

启用包转发

iptables --table nat --append POSTROUTING --jump MASQUERADE

之后就可以启动 l2tp 了,先用 debug 方式启动,有错误可以直接在 console 看到

xl2tpd -D

把包转发和xl2tpd启动指令设置为开机运行

vim /etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
/usr/local/sbin/xl2tpd