Setting up L2TP-***

-------------L2TP ***--------------

1. Prepare the build environment

yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man

yum install openswan ppp xl2tpd -y


2. Install openswan

wget https://download.openswan.org/openswan/openswan-latest.tar.gz  

tar xf openswan-latest.tar.gz

cd openswan-2.6.50/

make programs install


3. Install xl2tpd and rp-l2tp

yum install libpcap-devel ppp policycoreutils

wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz

tar xf rp-l2tp-0.4.tar.gz

cd rp-l2tp-0.4

./configure

make

cp handlers/l2tp-control /usr/local/sbin/

mkdir /var/run/xl2tpd/

ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control


wget https://github.com/xelerance/xl2tpd/archive/v1.3.8.tar.gz

tar xf v1.3.8.tar.gz

cd xl2tpd-1.3.8

make && make install


4. Configuration

(1) Edit the configuration file /etc/ipsec.conf

Replace its contents with the following, substituting the server's public (WAN) IP for the placeholder address (0.0.0.0 in the author's note; the sample below shows 10.0.0.121 on the leftid line). The indentation is mandatory; do not change the spacing.

vim /etc/ipsec.conf

version 2.0

config setup
    protostack=netkey
    nhelpers=0
    uniqueids=no
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.18.0/24

conn l2tp-psk
    rightsubnet=vhost:%priv
    also=l2tp-psk-nonat

conn l2tp-psk-nonat
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftid=10.0.0.121        # public IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    sha2-truncbug=yes

(2) Set the pre-shared key (PSK): edit the configuration file /etc/ipsec.secrets

vim /etc/ipsec.secrets


include /etc/ipsec.d/*.secrets
%any %any: PSK "5dhj.com"


(3) Change the kernel settings so that the host forwards packets: edit /etc/sysctl.conf and apply it

vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1


sysctl -p
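sysctl -p only reports parse errors; it does not tell you whether the values above actually took effect, and a later package or a second file under /etc/sysctl.d can silently override them. The script below is an added example, not part of the original post: it audits a sysctl.conf-style file against the settings listed above, and can run the same comparison against the live kernel with sysctl -n. The file path and the REQUIRED_SYSCTLS table are assumptions for the example; the table holds only keys the post sets.

```shell
#!/bin/sh
# Added example (not from the original post): audit forwarding / anti-spoofing
# sysctl settings, either in a sysctl.conf-style file or on the running kernel.

# "key expected" pairs, taken from the settings the post writes to sysctl.conf.
REQUIRED_SYSCTLS='net.ipv4.ip_forward 1
net.ipv4.conf.all.rp_filter 0
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.icmp_ignore_bogus_error_responses 1'

# Print the value a sysctl.conf-style file assigns to a key; the last
# assignment wins, as it does when sysctl -p applies the file in order.
# Prints nothing when the key is absent.  Usage: conf_value FILE KEY
conf_value() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }                 # whole-line comment
        {
            line = $0
            sub(/[#;].*/, "", line)            # strip a trailing comment
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val          # later lines override earlier ones
        }
        END { if (found != "") print found }' "$1"
}

# Check every required key in FILE. Prints one line per problem and returns
# 0 only when all keys are present with the expected value.
audit_sysctl_file() {
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got="$(conf_value "$1" "$key")"
        if [ -z "$got" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"; rc=1
        elif [ "$got" != "$want" ]; then
            printf 'WRONG    %s = %s (want %s)\n' "$key" "$got" "$want"; rc=1
        fi
    done <<EOF
$REQUIRED_SYSCTLS
EOF
    return "$rc"
}

# Same comparison against the running kernel (needs the sysctl binary; root
# is not required for reading).  Returns 1 if any live value differs.
audit_sysctl_live() {
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got="$(sysctl -n "$key" 2>/dev/null)"
        [ "$got" = "$want" ] || { printf 'LIVE     %s = %s (want %s)\n' "$key" "${got:-unset}" "$want"; rc=1; }
    done <<EOF
$REQUIRED_SYSCTLS
EOF
    return "$rc"
}

# Usage on the server:  audit_sysctl_file /etc/sysctl.conf && audit_sysctl_live
```

Run both functions after sysctl -p: the file audit catches a typo or a missing line, the live audit catches a value that another file or a later service changed back.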

(4) Verify that the ipsec service is running, and check that the system's IPsec installation and startup are correct

service ipsec restart


ipsec verify


(5) Edit the xl2tpd configuration file

vim /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
listen-addr = 172.16.2.162

[lns default]
ip range = 172.16.2.200-172.16.2.220
local ip = 172.16.2.162
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
bps = 1000000




Configure ppp by creating the options.xl2tpd file:

vim /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 114.114.114.114
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4




(6) Configure the username and password: edit /etc/ppp/chap-secrets

vim /etc/ppp/chap-secrets
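The post does not show the contents of chap-secrets, and the PSK in step (2) ("5dhj.com") is a short, guessable string. The script below is an added example, not part of the original post: it generates a random pre-shared key and a per-user CHAP password and writes /etc/ipsec.secrets and /etc/ppp/chap-secrets with mode 0600. The chap-secrets layout is pppd's standard one (client, server, secret, allowed IP); the server column must match "name l2tpd" in options.xl2tpd, and the first field of the PSK line must equal the leftid value in ipsec.conf. SECRETS_ROOT is an assumed override so the script can be tried against a scratch directory before touching the real files.

```shell
#!/bin/sh
# Added example (not from the original post): create a random PSK and a
# per-user CHAP password and install them with owner-only permissions.
# SECRETS_ROOT is an assumed override (default /etc) so the script can be
# tried against a scratch directory before touching the real files.
set -eu

SECRETS_ROOT="${SECRETS_ROOT:-/etc}"

# 32 bytes from the kernel CSPRNG, hex-encoded: a 64-character secret.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# ipsec.secrets line: <leftid> %any: PSK "...".  The first field must equal
# the leftid value in ipsec.conf; naming it instead of "%any %any" stops the
# key from being offered for every possible peer pair.
psk_line() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# chap-secrets line in pppd's format: client  server  secret  allowed-IP.
# The server column must match "name l2tpd" in /etc/ppp/options.xl2tpd;
# "*" lets xl2tpd assign any address from its "ip range".
chap_line() {
    printf '"%s"\tl2tpd\t"%s"\t*\n' "$1" "$2"
}

# Write content to a file readable and writable by its owner only (0600).
write_private() {
    mkdir -p "$(dirname "$1")"
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Return 0 only when the file's mode is exactly 0600.
is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Install both files. Arguments: server public IP (the leftid), VPN username.
# Prints the generated values once so they can be handed to the client.
install_secrets() {
    psk="$(gen_secret)"
    userpw="$(gen_secret)"
    write_private "$SECRETS_ROOT/ipsec.secrets" \
"include $SECRETS_ROOT/ipsec.d/*.secrets
$(psk_line "$1" "$psk")"
    write_private "$SECRETS_ROOT/ppp/chap-secrets" "$(chap_line "$2" "$userpw")"
    printf 'PSK: %s\nuser %s password: %s\n' "$psk" "$2" "$userpw"
}

# Usage on the server (as root):  install_secrets 203.0.113.10 alice
```

After running it, restart ipsec and xl2tpd as in steps (4) and (7) so both daemons reload the new secrets; pppd also refuses to start a connection if chap-secrets is world-readable, so the 0600 mode is required, not just good practice.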


(7) Restart xl2tpd

service xl2tpd restart

(8) Enable both services at boot

chkconfig ipsec on

chkconfig xl2tpd on

