VPN Server di Ubuntu (L2TP)
參考http://blog.changyy.org/2014/01/linux-vpn-server-pptpipsecl2tp-ubuntu.html,但ipsec.conf
設置檢查時會出
現NAT-T失敗,再參考http://www.vmvps.com/ubuntu-1404-install-l2tp-ipsec-vpn-tutorial.html有關ipsec.conf
設置,整合出此篇,留個記錄日後好查
1.
安裝需要的軟體
$ sudo apt-get install pptpd openswan xl2tpd ppp(pptpd 可不用,很多Switch已提供)
2.增加使用者帳/密資料,若有 pppoe 撥號密碼也會存於此檔
$ sudo vim /etc/ppp/chap-secrets
# L2TP
username l2tpd password *
其中 username, password 都是明碼
3.
IPSEC/L2TP$ sudo su
$ echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
$ for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
$ sysctl -p
$ sudo vim /etc/rc.local
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
$ sudo vim /etc/ipsec.conf ->
檔案建議先備份
version 2 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
protostack=netkey
#decide which protocol stack is going to be used.
force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
keyingtries=3
#Only negotiate a conn. 3 times.
ikelifetime=8h
keylife=1h
ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-April/022947.html
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
type=transport
#because we use l2tp as tunnel protocol
left=SERVER_IP
#fill in server IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
$ sudo vim /etc/ipsec.secrets
SERVER_IP %any: PSK "L2TP_PRIVATE_KEY"
PSK 一樣是明碼使用者自訂
$ sudo vim /etc/xl2tpd/xl2tpd.conf ->檔案建議先備份
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255 -> 連線後可用的 IP 段
local ip = 10.1.2.1 ->機器本身的 IP
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
$ sudo vim /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
4.最後重啟各項服務
$ sudo service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in
/etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
$ sudo service xl2tpd restart Restarting xl2tpd: xl2tpd.
$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-58-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
PS:
1.Ubuntu 的網卡 DSL 撥號,雖有開機自動連線功能但有 BUG,建議安裝 pppoeconf,但裝了原網卡功能會不見而無法設置
2.紅色部份請自訂,藍色的則必需相同,粗體請注意
3.家中由 SO-NET 轉 HINET,原本以為調整帳密檔案卻失敗,必需重新 pppoeconf
4.Windows 8 以上,L2TP 記得要到網卡位置,設置 L2TP 的金鑰,否則連的上但出不去