Archive for June, 2010

Installing an l2tpd/IPsec VPN service on Debian

June 24th, 2010

This post describes how to set up an l2tpd/IPsec VPN service on Debian Lenny: openswan handles the IPsec transport, xl2tpd terminates the L2TP tunnels, and PPP (MS-CHAPv2) authenticates the users.

Configuring openswan

Install openswan:

sudo apt-get install openswan

Edit /etc/ipsec.conf and set the following lines in the config setup section (the option is nat_traversal; it is what lets clients behind NAT reach the server on UDP 4500):

nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
protostack=netkey

and add the following as the last line of the file:

include /etc/ipsec.d/l2tp-psk.conf

Copy the example l2tp-psk.conf into place:

cp /etc/ipsec.d/examples/l2tp-psk.conf /etc/ipsec.d/l2tp-psk.conf

Edit l2tp-psk.conf so that it reads as follows, replacing YOUR.IP.ADDRESS.HERE with the server's public IP address. type=transport together with leftprotoport=17/1701 limits the IPsec SA to L2TP traffic on UDP 1701, and the L2TP-PSK-NAT conn (rightsubnet=vhost:%priv) is what allows clients behind NAT to connect:

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.IP.ADDRESS.HERE
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Edit /etc/ipsec.secrets, where YourPSKHere is the pre-shared key the clients will use and YOUR.IP.ADDRESS.HERE is the server's IP. This single PSK is shared by every client, so use a long random string rather than a word, and keep the file readable by root only:

YOUR.IP.ADDRESS.HERE %any: PSK "YourPSKHere"

Disable accept_redirects and send_redirects on every interface by running the following (root privileges are needed). Values written to /proc do not survive a reboot, so also put the corresponding net.ipv4.conf.*.accept_redirects and send_redirects lines in /etc/sysctl.conf, as is done for ip_forward below:

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
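The loop above is the whole of what the guide does for redirects. As an added example (not code from the original post), here is the same step with the two things a practitioner would want next: a check that no interface still has either knob on, and an idempotent way to persist the setting in /etc/sysctl.conf. The /proc directory and the sysctl.conf path are parameters whose defaults are the real locations, so the functions can be exercised against a throwaway directory; the "apply" argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: disable ICMP redirects on
# every interface, persist the setting, and verify it. The /proc directory
# and the sysctl.conf path are parameters (defaults are the real ones) so
# the functions can be exercised against a throwaway directory tree.

# disable_redirects [PROCDIR]: the loop from the guide, quoted and skipping
# anything that is not an interface directory.
disable_redirects() {
    procdir=${1:-/proc/sys/net/ipv4/conf}
    for each in "$procdir"/*; do
        [ -d "$each" ] || continue
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

# check_redirects [PROCDIR]: return 0 only if no interface still has either
# knob enabled; list the offenders on stderr so the operator knows where.
check_redirects() {
    procdir=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for f in "$procdir"/*/accept_redirects "$procdir"/*/send_redirects; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f" >&2
            bad=1
        fi
    done
    return $bad
}

# persist_sysctl KEY VALUE [FILE]: write "KEY = VALUE" into a sysctl.conf
# style file exactly once, replacing an existing or commented-out line for
# the same key (the Debian template ships them commented out) or appending.
persist_sysctl() {
    key=$1 value=$2 file=${3:-/etc/sysctl.conf}
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[# \t]*/, "", line)               # look through "#" markers
            n = index(line, "=")
            name = (n > 0) ? substr(line, 1, n - 1) : ""
            gsub(/[ \t]+$/, "", name)
            if (name == k) {                        # same key: rewrite it once
                if (!done) { print k " = " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " = " v }          # key absent: append it
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone use as root: "sh this_script.sh apply".
if [ "${1:-}" = "apply" ]; then
    disable_redirects
    for scope in all default; do
        persist_sysctl "net.ipv4.conf.$scope.accept_redirects" 0
        persist_sysctl "net.ipv4.conf.$scope.send_redirects" 0
    done
    check_redirects && echo "ICMP redirects disabled on all interfaces"
fi
```

Persisting only the all and default scopes is enough for the ipsec verify checks below, because the kernel applies default to interfaces created later and all overrides the per-interface value for send_redirects.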

That completes the IPsec configuration. Run

sudo ipsec verify

to confirm that the configuration is correct. The output should look like this:

$ sudo ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.24/K2.6.18.8-x86_64-linode10 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

The DISABLED on the last item does not affect this setup. If the Pluto check reports "Command not found", install lsof.

Restart ipsec so the configuration takes effect:

sudo /etc/init.d/ipsec restart

Configuring xl2tpd

Install xl2tpd:

sudo apt-get install xl2tpd

Edit /etc/xl2tpd/xl2tpd.conf as follows (ip range is the address pool handed to clients, local ip is the server's end of each PPP link, and refuse chap / refuse pap leave MS-CHAPv2 as the only PPP authentication that will be accepted):

[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
length bit = yes
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd

Create /etc/ppp/options.l2tpd from the default PPP options file:

cp /etc/ppp/options /etc/ppp/options.l2tpd

Edit /etc/ppp/options.l2tpd so that it contains the following. The name entry is the server name that the chap-secrets entries below must match, and the two ms-dns lines are the DNS servers pushed to clients (OpenDNS here; substitute your own):

require-mschap-v2
ms-dns 208.67.222.222
ms-dns 208.67.220.220
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Add VPN users to /etc/ppp/chap-secrets, one per line. The fields are client name, server name (which must match the name l2tpd setting above), password, and the permitted client IP (* for any). Replace username and password with the credentials the user will log in with:

username l2tpd password *

Start xl2tpd:

sudo /etc/init.d/xl2tpd restart

Set up iptables NAT for the VPN clients and turn on forwarding:

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

As written, that rule masquerades every forwarded packet; restricting it to the VPN pool (for example with -s 10.1.2.0/24) keeps the server from NATing traffic that arrives on other interfaces.

Make IPv4 forwarding persistent by setting the following line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

and apply it with:

sysctl -p

That completes the L2TP VPN setup. Configure the client with the following parameters and connect:
Server: YOUR.IP.ADDRESS.HERE (or the matching domain name)
Username: username (from /etc/ppp/chap-secrets)
Password: password (from /etc/ppp/chap-secrets)
PSK/Secret: YourPSKHere (as configured in /etc/ipsec.secrets)
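Before restarting ipsec and xl2tpd it is worth checking that every file touched above was edited consistently: the guide's placeholders are easy to leave in, the ipsec.conf option name is easy to misspell, and a chap-secrets entry whose server field does not match the name in options.l2tpd simply never authenticates. The following script is an added example, not part of the original post; it reads the files the guide edits under a root directory (default: the live system) and reports each mismatch. The placeholder strings it looks for are the guide's own, and the 20-character minimum PSK length is this example's choice.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the files the
# guide has you edit before restarting ipsec and xl2tpd. ROOT defaults to ""
# (the live system); it is a parameter so the checks can also run against a
# staging copy of /etc. The placeholder strings are the guide's own.

# conf_get FILE KEY: value of the first "KEY=VALUE" line, any indentation.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# fail MSG: record one finding; the caller returns the total as its status.
fail() {
    echo "FAIL: $1" >&2
    failures=$((failures + 1))
}

check_l2tp_config() {
    root=${1:-}
    failures=0
    ipsec_conf=$root/etc/ipsec.conf
    l2tp_conf=$root/etc/ipsec.d/l2tp-psk.conf
    secrets=$root/etc/ipsec.secrets
    xl2tpd_conf=$root/etc/xl2tpd/xl2tpd.conf
    chap=$root/etc/ppp/chap-secrets
    for f in "$ipsec_conf" "$l2tp_conf" "$secrets" "$xl2tpd_conf" "$chap"; do
        [ -f "$f" ] || { fail "missing file $f"; return 1; }
    done

    # /etc/ipsec.conf: NAT-T, the netkey stack, and the include line.
    [ "$(conf_get "$ipsec_conf" nat_traversal)" = yes ] || fail "ipsec.conf: nat_traversal must be yes"
    [ "$(conf_get "$ipsec_conf" protostack)" = netkey ] || fail "ipsec.conf: protostack must be netkey"
    grep -q '^[[:space:]]*include[[:space:]].*l2tp-psk\.conf' "$ipsec_conf" || fail "ipsec.conf: l2tp-psk.conf is not included"

    # l2tp-psk.conf: placeholder replaced, PSK auth, transport mode.
    grep -q 'YOUR\.IP\.ADDRESS\.HERE' "$l2tp_conf" && fail "l2tp-psk.conf: YOUR.IP.ADDRESS.HERE placeholder still present"
    left=$(conf_get "$l2tp_conf" left)
    echo "$left" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || fail "l2tp-psk.conf: left=$left is not an IPv4 address"
    [ "$(conf_get "$l2tp_conf" authby)" = secret ] || fail "l2tp-psk.conf: authby must be secret for a PSK setup"
    [ "$(conf_get "$l2tp_conf" type)" = transport ] || fail "l2tp-psk.conf: L2TP/IPsec needs type=transport"

    # ipsec.secrets: a real PSK for that address, readable by root only.
    psk=$(sed -n "s/^$left[[:space:]]*%any[[:space:]]*:[[:space:]]*PSK[[:space:]]*\"\(.*\)\".*/\1/p" "$secrets" | head -n 1)
    if [ -z "$psk" ]; then
        fail "ipsec.secrets: no line of the form '$left %any: PSK \"...\"'"
    elif [ "$psk" = YourPSKHere ] || [ ${#psk} -lt 20 ]; then   # 20 is this example's threshold
        fail "ipsec.secrets: PSK is the placeholder or shorter than 20 characters"
    fi
    [ -z "$(find "$secrets" -perm -004)" ] || fail "ipsec.secrets: world-readable; chmod 600 it"

    # xl2tpd.conf and the PPP options file it points at.
    [ -n "$(conf_get "$xl2tpd_conf" 'ip range')" ] || fail "xl2tpd.conf: ip range not set"
    [ -n "$(conf_get "$xl2tpd_conf" 'local ip')" ] || fail "xl2tpd.conf: local ip not set"
    optfile=$(conf_get "$xl2tpd_conf" pppoptfile)
    server=
    if [ -f "$root$optfile" ]; then
        grep -q '^require-mschap-v2' "$root$optfile" || fail "$optfile: require-mschap-v2 missing"
        server=$(awk '$1 == "name" { print $2; exit }' "$root$optfile")
    else
        fail "xl2tpd.conf: pppoptfile $optfile does not exist"
    fi

    # chap-secrets: at least one user whose server field matches that name.
    users=$(awk -v s="$server" '$1 !~ /^#/ && NF >= 4 && $2 == s { n++ } END { print n + 0 }' "$chap")
    [ "$users" -gt 0 ] || fail "chap-secrets: no 'user $server password *' entry matches name=$server"

    [ "$failures" -eq 0 ] && echo "all checks passed"
    return "$failures"
}

# Stand-alone use: "sh this_script.sh --run" (live system) or
# "sh this_script.sh --run /path/to/staging-root".
if [ "${1:-}" = "--run" ]; then
    check_l2tp_config "${2:-}"
fi
```

The exit status is the number of failed checks, so the script can gate a restart (run it, and only restart ipsec and xl2tpd when it returns 0).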

If the client reports "server did not respond", the cause is usually the openswan version; the one shipped with Debian Lenny seems to have problems. The following commands build and install openswan 2.6.24 from source in its place:

sudo aptitude install libgmp3-dev gawk flex bison
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar xf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs
sudo make install
sudo apt-get remove openswan
sudo /etc/init.d/ipsec restart

Categories: Computer Science

The difference between parking spaces that rent for 50, 100, 400 and 600 yuan a month

June 13th, 2010

50 yuan a month:

That is just the entry fee; if there is no free space, they won't let you in.

100 yuan a month:

Come in as you like, park wherever you like, as long as you don't block the middle of the lane.

400 yuan a month:

Come in as you like, and a space is guaranteed, but you have to hunt for it. Nothing on B1, go to B2; nothing on B2, go to B3; there is always one left for you.

600 yuan a month:

They greet you at the gate and swipe your card for you on the way out. The space is yours; if anyone takes it, the security guard will go fight them for you.

Categories: diary