VPN Server on Ubuntu (L2TP)


References: http://blog.changyy.org/2014/01/linux-vpn-server-pptpipsecl2tp-ubuntu.html, whose ipsec.conf produced a NAT-T failure when the settings were checked, and http://www.vmvps.com/ubuntu-1404-install-l2tp-ipsec-vpn-tutorial.html for the ipsec.conf settings. I merged the two into this post as a record for later reference.

1. Install the required packages
$ sudo apt-get install pptpd openswan xl2tpd ppp
(pptpd can be left out: many switches/routers already provide PPTP, this post does not configure it, and PPTP's MS-CHAPv2-only authentication is broken, so the L2TP/IPsec setup below is the one to use.)

2. Add the user account/password entries (a PPPoE dial-up password, if you use one, is also stored in this file)
$ sudo vim /etc/ppp/chap-secrets
  # L2TP
  # client      server   secret     IP addresses
  username      l2tpd    password   *
  Both username and password are stored in plaintext, so the file should be readable by root only (mode 600). The server field (l2tpd) has to match the "name l2tpd" line in /etc/ppp/options.xl2tpd.

3. IPsec/L2TP
Enable IP forwarding (client traffic is routed out through this host) and turn off ICMP redirects on every interface so the kernel neither sends nor honours route redirects for the clients. The tee -a lines append to sysctl.conf, so run them only once.
$ sudo su
$ echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
$ for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
$ sysctl -p

$ sudo vim /etc/rc.local    (add these lines before the final "exit 0" so they run at boot)
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
The MASQUERADE rule as written NATs everything this host forwards; limiting it to the client pool and the outbound interface (e.g. --source 10.1.2.0/24 --out-interface <WAN interface>) is preferable.

$ sudo vim /etc/ipsec.conf    -> back the file up first
version 2 # conforms to second version of ipsec.conf specification
config setup
    dumpdir=/var/run/pluto/
    # directory in which things started by setup (notably the Pluto daemon) are allowed to dump core
    nat_traversal=yes
    # accept/offer the NAT traversal (NAT-T, UDP 4500 encapsulation) workaround for clients behind NAT (NAPT, also known as "IP Masquerade")
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    # networks allowed as subnet= for the remote client, i.e. the private address ranges that may sit behind the NAT router a client connects through
    protostack=netkey
    # which kernel IPsec stack to use: the native Linux XFRM ("netkey") stack
    force_keepalive=yes
    keep_alive=60
    # send a NAT-T keep-alive packet every 60 seconds
conn L2TP-PSK-noNAT
    authby=secret
    # pre-shared key (from /etc/ipsec.secrets); use rsasig for certificates
    pfs=no
    # perfect forward secrecy is not required for phase 2; Windows L2TP clients do not request it by default
    auto=add
    # load the connection when the daemon starts and wait for clients to initiate; auto=start would make the server initiate, which is wrong for a road-warrior setup
    keyingtries=3
    # give up after 3 failed negotiation attempts
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
    # https://lists.openswan.org/pipermail/users/2014-April/022947.html
    # ike= lists the phase 1 proposals (cipher-hash, optionally ;DH group, e.g. aes256-sha1;modp1024) in order of preference; phase2alg= does the same for ESP. A group such as modp1024 is "DH group 2" (RFC 2409): a 1024-bit modular-exponentiation group used only for key agreement, not an encryption algorithm. 3des-sha1 is obsolete and is kept here only for old clients that cannot negotiate AES; drop it once they are gone.
    type=transport
    # transport mode, because L2TP provides the tunnel; IPsec only protects the UDP 1701 traffic between the two endpoints
    left=SERVER_IP
    # fill in the server's public IP above (it must be identical to the address in /etc/ipsec.secrets)
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # the server listens on UDP 1701; clients behind NAT arrive from arbitrary source ports, hence %any
    dpddelay=10
    # Dead Peer Detection (RFC 3706) keepalive delay in seconds
    dpdtimeout=20
    # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply, before declaring it dead
    dpdaction=clear
    # action when a DPD-enabled peer is declared dead; clear means the eroute and SA will both be cleared
 
$ sudo vim /etc/ipsec.secrets
  SERVER_IP  %any:  PSK "L2TP_PRIVATE_KEY"
  The PSK is likewise plaintext and chosen by you. SERVER_IP must be exactly the left= address in ipsec.conf. One PSK is shared by every client, so use a long random string and keep the file root-only (mode 600).

$ sudo vim /etc/xl2tpd/xl2tpd.conf  -> back the file up first
[global]
 ipsec saref = yes
 ; SAref tracking needs a SAref-capable kernel (KLIPS/MAST); netkey does not offer it ("SAref kernel support [N/A]" in ipsec verify below), so set it to no if xl2tpd logs setsockopt errors
[lns default]
 ip range = 10.1.2.2-10.1.2.254  -> address pool handed out to connected clients (stopping at .254 keeps the /24 broadcast address out of the pool)
 local ip = 10.1.2.1 -> the server's own address on the PPP link (not its public SERVER_IP)
 ;require chap = yes
 refuse chap = yes
 refuse pap = yes
 ; plain CHAP and PAP are refused; only MS-CHAPv2 (required in options.xl2tpd) is accepted
 require authentication = yes
 ppp debug = yes
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
 
$ sudo vim /etc/ppp/options.xl2tpd
# only MS-CHAPv2; it is weak on its own, which is why L2TP must be reachable only inside IPsec
require-mschap-v2
# DNS server pushed to clients
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
# must match the server field in /etc/ppp/chap-secrets
name l2tpd
proxyarp
# LCP echo every 30 s; drop the link after 4 missed replies
lcp-echo-interval 30
lcp-echo-failure 4
 
4. Finally, restart the services
$ sudo service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
 
$ sudo service xl2tpd restart
Restarting xl2tpd: xl2tpd.
 
$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-58-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

The /bin/sh warning is the usual Ubuntu result (sh is dash) and is harmless for this setup; "SAref kernel support [N/A]" confirms the netkey stack has no SAref support. With the remaining lines [OK], a client can connect to SERVER_IP over UDP 500/4500 with the PSK and its chap-secrets credentials.
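The pieces configured above only work when several values agree with each other, and the secrets they contain are plaintext. As an added example (not from the original post or the Openswan/xl2tpd projects), the POSIX shell script below checks those dependencies: the server name in chap-secrets against "name" in options.xl2tpd, SERVER_IP in ipsec.conf against ipsec.secrets, the PSK length, and the permissions of both secrets files. It also prints the iptables rules this setup should run with: UDP 1701 is accepted only when the packet arrived inside an IPsec SA (MS-CHAPv2 alone is not safe on the open Internet), and NAT is limited to the client pool instead of the blanket MASQUERADE in rc.local. The default paths are the ones used in this post; the pool 10.1.2.0/24 and interface name eth0 are assumed example values.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks for the
# L2TP/IPsec configuration above, plus the firewall rules it should run with.
# Every check takes file paths as arguments so it can be run against copies.

# The server field in chap-secrets (column 2) must match "name <x>" in
# options.xl2tpd, otherwise pppd never finds a secret and MS-CHAPv2 fails.
check_chap_name() {
    chap=$1; opts=$2
    name=$(awk '$1=="name"{print $2; exit}' "$opts")
    [ -n "$name" ] || return 1
    # at least one non-comment entry must carry that server name
    awk -v n="$name" '!/^[[:space:]]*#/ && NF>=3 && $2==n {found=1} END{exit !found}' "$chap"
}

# left= in ipsec.conf must be the same address that indexes the PSK in ipsec.secrets.
check_server_ip() {
    conf=$1; secrets=$2
    left=$(sed -n 's/^[[:space:]]*left=\(.*\)$/\1/p' "$conf" | head -n 1)
    psk_ip=$(awk '/PSK/{print $1; exit}' "$secrets")
    [ -n "$left" ] && [ "$left" = "$psk_ip" ]
}

# One PSK is shared by every client and is only as strong as its length (min 20 chars here).
check_psk_length() {
    secrets=$1; min=${2:-20}
    psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$secrets" | head -n 1)
    [ "${#psk}" -ge "$min" ]
}

# Both files hold plaintext credentials: owner read/write only (mode 600).
check_perms() {
    for f in "$@"; do
        mode=$(stat -c %a "$f" 2>/dev/null) || return 1
        [ "$mode" = "600" ] || return 1
    done
}

# Print iptables rules: IKE and NAT-T open, UDP 1701 accepted only when the
# packet arrived inside an IPsec SA, and NAT limited to the VPN pool.
firewall_rules() {
    pool=$1   # e.g. 10.1.2.0/24, covering the xl2tpd "ip range" (assumed)
    wan=$2    # outbound interface name, e.g. eth0 (assumed)
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}

# Run one check, print its result, and record any failure in the global rc.
report() {
    if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi
}

# Run every check against the paths used in this post (or the four paths given).
run_all() {
    chap=${1:-/etc/ppp/chap-secrets}; opts=${2:-/etc/ppp/options.xl2tpd}
    conf=${3:-/etc/ipsec.conf};       secrets=${4:-/etc/ipsec.secrets}
    rc=0
    report check_chap_name "$chap" "$opts"
    report check_server_ip "$conf" "$secrets"
    report check_psk_length "$secrets"
    report check_perms "$chap" "$secrets"
    return $rc
}

case "${1:-}" in
    --check) shift; run_all "$@" ;;
    --rules) firewall_rules "${2:-10.1.2.0/24}" "${3:-eth0}" ;;
esac
```

Run it as root with `sh l2tp-check.sh --check` after editing the files, and pipe `sh l2tp-check.sh --rules 10.1.2.0/24 <WAN interface>` into a shell (or into rc.local) once the printed rules look right for your interface names.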
 
PS:
1. Ubuntu's DSL (PPPoE) dial-up on the network adapter has an auto-connect-on-boot option, but it is buggy; I recommend installing pppoeconf, although once it is installed the original adapter entry disappears and can no longer be configured there.
2. The placeholders in capitals (SERVER_IP, L2TP_PRIVATE_KEY) and the username/password are yours to set; the values that must agree with each other are SERVER_IP in ipsec.conf and ipsec.secrets, the server name l2tpd in chap-secrets and options.xl2tpd, and the 10.1.2.x addresses in xl2tpd.conf.
3. At home I switched from SO-NET to HINET; I assumed editing the credentials file would be enough, but it failed and pppoeconf had to be rerun.
4. On Windows 8 and later, for L2TP remember to open the adapter's properties and enter the L2TP pre-shared key there, otherwise the connection comes up but no traffic gets out.
 
 
 
 
 
