安装过程小记
安装服务
# Install the three pieces in one transaction: the L2TP daemon (xl2tpd),
# the IPsec implementation (libreswan) and the iptables service unit used
# later to persist the NAT rules.
yum install xl2tpd libreswan iptables-services
配置
vim /etc/ipsec.d/l2tp_psk.conf
left= 填服务器本机IP(写内网地址,如 10.105.28.226;下面示例中写的是 192.168.28.1,两处需保持一致)
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.28.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
配置预共享密钥(示例中的 "123456" 只是占位,实际应换成足够长的随机字符串,并把 ipsec.secrets 的权限设为 600)
vim /etc/ipsec.d/ipsec.secrets
: PSK "123456"
配置凭据(chap-secrets 以明文存储用户名和口令,示例中的 test / test123.. 仅为演示,文件权限同样应设为 600)
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test * test123.. *
修改内核配置
vim /etc/sysctl.conf
#VPN
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.rp_filter=0
net.ipv4.conf.lo.send_redirects=0
#以下按本机网卡名修改,不要照抄;网卡名以后面 ipsec verify 中报 rp_filter [ENABLED] 的接口为准
net.ipv4.conf.ens192.rp_filter=0
net.ipv4.conf.ens224.rp_filter=0
net.ipv4.conf.virbr0.rp_filter=0
net.ipv4.conf.virbr0-nic.rp_filter=0
应用
# Reload /etc/sysctl.conf so the ip_forward / rp_filter settings above take effect.
sysctl -p
# Legacy libreswan wrapper for starting pluto. NOTE(review): the `ipsec verify`
# output further down still reports "pluto is running [FAILED]", so if this does
# not bring the daemon up, use `systemctl start ipsec` (see the start section).
ipsec setup start
检测配置项
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan U3.25/K(no kernel code presently loaded) on 3.10.0-1160.el7.x86_64
Checking for IPsec support in kernel [FAILED]
The ipsec service should be started before running 'ipsec verify'
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens192/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens224/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/virbr0-nic/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [FAILED]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'
根据上面 [ENABLED] / [FAILED] 的报错项补充内核配置并重新执行 sysctl -p(即重复"修改内核配置"步骤);"pluto is running [FAILED]" 说明 ipsec 服务尚未启动,需先 systemctl start ipsec 再复查;"nat_traversal" 是已废弃并被忽略的关键字,可从 ipsec.conf 中删除以消除该警告
编辑地址池等配置
vim /etc/xl2tpd/xl2tpd.conf
listen-addr 填服务器本机IP(与上面 ipsec 配置中的 left 保持一致)
; 略
[global]
listen-addr = 192.168.28.1
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
ipsec saref = yes
; 略
[lns default]
; 分配给客户端的地址池(需与下面防火墙规则中的 172.18.1.0/24 一致)
ip range = 172.18.1.10-172.18.1.100
local ip = 172.18.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
配置DNS及加密等
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 223.5.5.5
ms-dns 119.29.29.29
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
#obsolete: crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#obsolete: lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
require-mschap-v2
防火墙
配置转发
ens192 为出口网卡,192.168.28.1 为本机出口IP,根据情况修改;下面两条规则作用重叠,通常二选一即可(出口IP不固定用 MASQUERADE,固定用 SNAT)
# Source-NAT the VPN address pool (172.18.1.0/24, must match "ip range" in
# xl2tpd.conf) so client traffic can leave the server.
# The two rules overlap: MASQUERADE rewrites the source to whatever address
# ens192 currently holds, SNAT pins it to 192.168.28.1. A packet leaving via
# ens192 matches the first rule and never reaches the second, so normally only
# one of the two is needed — MASQUERADE for a dynamic egress IP, SNAT for a fixed one.
# -A only changes the running ruleset; it is not persisted across reboots unless
# saved (iptables-services, installed above, provides `service iptables save`).
iptables -t nat -A POSTROUTING -s 172.18.1.0/24 -o ens192 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 192.168.28.1
l2tp需要开放的端口:1701 UDP、4500 UDP 和 500 UDP(客户端与服务器之间没有 NAT 时还需放行 ESP 协议;1701/UDP 建议只接受经 IPsec 保护的流量,否则 L2TP 会暴露为可直接访问的明文服务)
启动
# Start the IPsec daemon first so the L2TP listener is only reachable through
# the tunnel, then xl2tpd. `start` is for this boot only; use `systemctl enable`
# as well if the services should come up automatically after a reboot.
systemctl start ipsec
systemctl start xl2tpd
连接
这里拿Windows举例,其他客户端同理。