The following is my record of configuring an L2TP VPN on Debian lenny. You can follow it as-is; only the IP address 173.255.200.20 needs to be replaced with your own.
Part 1: Install and configure Openswan
I heard that the openswan package in the Debian lenny repository has problems and that only version 2.6.24 works properly.

apt-get install openswan
apt-get install libgmp3-dev gawk flex bison
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar xf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs
make install

When apt-get install openswan prompts you, just keep pressing Enter; remember this. The source build then replaces the packaged userland, which is why ipsec verify below reports U2.6.24.
Edit /etc/ipsec.conf so that it contains the following (the indentation matters):

version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=173.255.200.20
    leftid=173.255.200.20
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any

type=transport together with leftprotoport=17/1701 means IPsec protects only the L2TP traffic on UDP 1701; the L2TP-PSK-NAT conn (rightsubnet=vhost:%priv) is what lets clients behind NAT connect through NAT-T. If your own clients may sit on a NATed 10.168.x.x network that overlaps the address pool below, exclude it from virtual_private with an entry such as %v4:!10.168.0.0/16.
Edit /etc/ipsec.secrets and set the pre-shared key (PSK):

173.255.200.20 %any: PSK "humounet"

This single key is shared by every client, so use a long random string rather than a word like the one above: anyone who learns it can impersonate the server to the other clients. Keep the file readable by root only.
Edit /etc/sysctl.conf, the same as for OpenVPN (see /blog/201101011221.html). Its contents:

#net.ipv6.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Apply it:

sysctl -p
Set up the iptables NAT rule for forwarding, the same as for OpenVPN (see /blog/201101011221.html):

iptables -t nat -A POSTROUTING -s 10.168.0.0/16 -o eth0 -j MASQUERADE

The source range must cover the client address pool configured in xl2tpd below (10.168.2.x). The rule is not persisted across reboots; re-add it from a boot script.
Restart ipsec and verify the configuration:

/etc/init.d/ipsec restart
ipsec verify

Output like the following means it succeeded (Opportunistic Encryption is expected to show DISABLED because of oe=off):

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
Part 2: Install and configure xl2tpd

apt-get install xl2tpd

Edit /etc/xl2tpd/xl2tpd.conf so that it contains the following (lines starting with ; are comments):

[global]
port = 1701
listen-addr = 173.255.200.20
; ipsec saref = yes

[lns default]
ip range = 10.168.2.5-10.168.2.254
local ip = 10.168.2.1
; require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

refuse chap and refuse pap here, combined with require-mschap-v2 in the ppp options, mean that only MS-CHAPv2 is accepted for the PPP authentication inside the tunnel.

Edit /etc/ppp/options.xl2tpd so that it contains the following:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
mtu 1410
mru 1410
nodefaultroute
lcp-echo-interval 30
lcp-echo-failure 6
#idle 1800
connect-delay 10000
Part 3: Configure VPN users
Edit /etc/ppp/chap-secrets, for example:

# user     server    password     ip
user1      *         password1    *
user2      *         password2    *

Replace user1/password1 and user2/password2 with real credentials. The passwords are stored in clear text, so make the file readable by root only (chmod 600).
Restart xl2tpd:

/etc/init.d/xl2tpd restart

Done!
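As an added example, not code from the original post: a small POSIX shell helper that generates a random PSK instead of a dictionary word, renders the /etc/ipsec.secrets and /etc/ppp/chap-secrets lines in the formats used above, and checks that the xl2tpd ip range and local ip both fall inside the subnet the MASQUERADE rule NATs (a mismatch there is the usual reason a client connects but cannot reach the Internet). The addresses are the ones from this post; the function names, the user name alice and the choice to print the lines instead of writing under /etc are my own assumptions.

```shell
#!/bin/sh
# Added helper for the L2TP/IPsec setup above (not part of the original post).
# Function names, the user "alice" and printing instead of writing to /etc
# are assumptions of this example.

SERVER_IP=173.255.200.20        # 'left' in ipsec.conf / 'listen-addr' in xl2tpd.conf
NAT_SUBNET=10.168.0.0/16        # -s argument of the MASQUERADE rule
POOL=10.168.2.5-10.168.2.254    # 'ip range' in xl2tpd.conf
LOCAL_IP=10.168.2.1             # 'local ip' in xl2tpd.conf

# 32 random bytes, base64-encoded (44 characters), for the IPsec PSK.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# One /etc/ipsec.secrets line:  <server-ip> %any: PSK "<secret>"
render_ipsec_secret() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# One /etc/ppp/chap-secrets line: user, server ('*' = any), password, ip ('*' = from pool)
render_chap_secret() {
    printf '"%s" * "%s" *\n' "$1" "$2"
}

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change stays local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet IP CIDR: succeeds when IP lies inside CIDR.
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_pool RANGE LOCAL_IP CIDR: both ends of the pool and the server's local ip
# must be inside the MASQUERADEd subnet, otherwise clients get an address but
# their packets never leave eth0 rewritten with the server's address.
check_pool() {
    in_subnet "${1%-*}" "$3" && in_subnet "${1#*-}" "$3" && in_subnet "$2" "$3"
}

PSK=$(gen_psk)
echo "# /etc/ipsec.secrets"
render_ipsec_secret "$SERVER_IP" "$PSK"
echo "# /etc/ppp/chap-secrets"
render_chap_secret alice "$(gen_psk)"

if check_pool "$POOL" "$LOCAL_IP" "$NAT_SUBNET"; then
    echo "ip range $POOL and local ip $LOCAL_IP lie inside $NAT_SUBNET: OK"
else
    echo "ip range or local ip outside $NAT_SUBNET: fix xl2tpd.conf or the MASQUERADE rule" >&2
    exit 1
fi
```

Run it once on the server, paste the two printed lines into the respective files, and keep both files mode 600. A failing pool check means either the ip range in xl2tpd.conf or the -s argument of the iptables rule has to change so that they agree.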