1.安装 l2tp ipsec 所需要的软件包

yum install epel-release

yum install openswan xl2tpd ppp lsof

2.设置ipsec

2.1 编辑 /etc/ipsec.conf

vi /etc/ipsec.conf
把下面xx.xxx.xxx.xxx换成你自己主机实际的外网固定IP。其他的不动。

 

config setup

    protostack=netkey

    dumpdir=/var/run/pluto/

    nat_traversal=yes

    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT

    rightsubnet=vhost:%priv

    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT

    authby=secret

    pfs=no

    auto=add

    keyingtries=3

    dpddelay=30

    dpdtimeout=120

    dpdaction=clear

    rekey=no

    ikelifetime=8h

    keylife=1h

    type=transport

    left=xxx.xxx.xxx.xxx

    leftprotoport=17/1701

    right=%any

    rightprotoport=17/%any

2.2 编辑/etc/ipsec.secrets

vi /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets

/etc/ipsec.secrets 文件里面默认有一句包含 /etc/ipsec.d/*.secrets 的语句.所以可以直接在 /etc/ipsec.d 目录下新建一自己的个 *.secrets 文件.也可以直接把它注释掉,添加下面的配置语句.

vi /etc/ipsec.d/my.secrets

 

xxx.xxx.xxx.xxx %any: PSK "kuaile"

 

xx.xxx.xxx.xxx换成你自己VPS实际的外网固定IP, YourPsk你自己定一个，到时候连VPN的时候用，比如可以填csdn.net, 注意空格。

2.3 修改/添加 /etc/sysctl.conf

vi /etc/sysctl.conf

确保下面的字段都有，对应的值或下面一样。省事的话直接在/etc/sysctl.conf的末尾直接把下面内容的粘过去。

 

net.ipv4.ip_forward = 1

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0

net.ipv4.conf.default.rp_filter = 0

2.4 让修改后的sysctl.conf生效

sysctl -p

 

2.5 验证ipsec运行状态

ipsec setup start

ipsec verify

verify的内容如下所示，那么就离成功不远了。没有 红色 的fail 就可以了.

 

[root@Centos7 ~]# ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]

Libreswan 3.8 (netkey) on 3.10.0-123.9.3.el7.x86_64

Checking for IPsec support in kernel                  [OK]

 NETKEY: Testing XFRM related proc values

         ICMP default/send_redirects                  [OK]

         ICMP default/accept_redirects                [OK]

         XFRM larval drop                             [OK]

Pluto ipsec.conf syntax                               [OK]

Hardware random device                                [N/A]

Checking rp_filter                                    [OK]

Checking that pluto is running                        [OK]

 Pluto listening for IKE on udp 500                   [OK]

 Pluto listening for IKE/NAT-T on udp 4500            [OK]

 Pluto ipsec.secret syntax                            [OK]

Checking NAT and MASQUERADEing                        [TEST INCOMPLETE]

Checking 'ip' command                                 [OK]

Checking 'iptables' command                           [OK]

Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options              [OK]

Opportunistic Encryption                              [DISABLED]

[root@Centos7 ~]#

3. 设置 l2tp

3.1 编辑 /etc/xl2tpd/xl2tpd.conf

vim /etc/xl2tpd/xl2tpd.conf

 

[global]

ipsec saref = yes

listen-addr = xxx.xxx.xxx.xxx         ;这里是你的主机外网ip地址,;号是注释,和一般的配置文件不同

; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or

;  when using any of the SAref kernel patches for kernels up to 2.6.35.

; saref refinfo = 30

;

 force userspace = yes

;

; debug tunnel = yes

[lns default]

ip range = 10.0.10.2-10.0.10.100      ;这里是VPN client的内网ip地址范围

local ip = 10.0.10.1                  ;这里是VPN server的内网地址

refuse chap = yes

refuse pap = yes

require authentication = yes

name = LinuxVPNserver

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

 

3.2 编辑 /etc/ppp/options.xl2tpd

vi /etc/ppp/options.xl2tpd

 

name l2tpd

require-mschap-v2

ms-dns 8.8.8.8

ms-dns 8.8.4.4

ipcp-accept-local

ipcp-accept-remote

#ms-dns  8.8.8.8

noccp

auth

crtscts

idle 1800

mtu 1410

mru 1410

nodefaultroute

debug

lock

proxyarp

connect-delay 5000

 

3.3 配置用户名,密码:编辑 /etc/ppp/chap-secrets

vim /etc/ppp/chap-secrets

client和secret自己填，server和IP留*号，l2tp 可以用上面自己设定的 l2tpd .* 通用

# Secrets for authentication using CHAP

# client        server  secret                  IP addresses

username * userpass *

3.4 启动xl2tp

service xl2tpd start

4. 开放端口以及转发

原样执行下面所有命令

 

/sbin/iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

/sbin/iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT

/sbin/iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT

/sbin/iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT

/sbin/iptables -A INPUT -p esp -j ACCEPT

/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT

 

 

/sbin/iptables -A FORWARD -d 10.0.10.0/24 -j ACCEPT

/sbin/iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT

/sbin/iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

 

/sbin/iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE

 

再执行下面保存iptables

service iptables save

service iptables restart

添加开机自启动

systemd enabled ipsec

systemd enabled xl2tpd

如果连接不上的话, 先关掉iptalbes试试 service iptables stop

如果这时还连不上了，那么就是iptables的问题了

特别注意iptables里的顺序， INPUT和FORWARD里的REJECT一定是写在最后面，否则写在他们之后的port就都被REJECT了！

下面是我自己的iptables，可供参考

##########################################################################################

#! /bin/bash

/sbin/iptables -F INPUT

/sbin/iptables -Z INPUT

/sbin/iptables -P INPUT ACCEPT

/sbin/iptables -A INPUT -m state --state INVALID -j DROP

/sbin/iptables -A INPUT -p icmp -j ACCEPT

/sbin/iptables -A INPUT -i lo -j ACCEPT

/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1723 -j ACCEPT

/sbin/iptables -A INPUT -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

/sbin/iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT

/sbin/iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT

/sbin/iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT

/sbin/iptables -A INPUT -p esp -j ACCEPT

/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT

/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

/sbin/iptables -F FORWARD

/sbin/iptables -Z FORWARD

/sbin/iptables -P FORWARD ACCEPT

/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

#/sbin/iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT

/sbin/iptables -A FORWARD -d 10.0.10.0/24 -j ACCEPT

/sbin/iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT

/sbin/iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

/sbin/iptables -F OUTPUT

/sbin/iptables -Z OUTPUT

/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

/sbin/iptables -F -t nat

/sbin/iptables -Z -t nat

/sbin/iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE