This article describes how to set up an L2TP VPN on an ECS instance inside a VPC network.
Environment
1. The server side is deployed on CentOS 6
2. The client dials in from Windows 7
3. Software packages used: openswan, ppp, xl2tpd
Server-side deployment
1. Install the build environment packages
[root@l2tp ~]# yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel vim-enhanced policycoreutils
2. Install the software packages
[root@l2tp ~]# yum install -y openswan ppp xl2tpd
3. Add the following to /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Then run sysctl -p to make the parameters take effect.
4. Edit /etc/ipsec.conf
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

include /etc/ipsec.d/*.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=0.0.0.0
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
5. Edit /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
public_ip %any: PSK "YourPsk"
public_ip is the public IP address of the ECS instance, or the EIP bound to it.
YourPsk is the pre-shared key.
6. Verify that IPsec is running
[root@l2tp ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.3.2.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
If no errors are reported, the IPsec configuration is correct.
7. Edit /etc/xl2tpd/xl2tpd.conf
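The check above is done by eye; the following shell snippet, added here and not part of the original article, reads the output of ipsec verify on stdin and fails if any check carries a status other than [OK], [N/A] or [DISABLED]. The sample output in sample_verify_output is constructed for the example, not captured from a real host, and the function names are the example's own.

```shell
# Added example (not from the original article): read `ipsec verify` output
# on stdin and fail when any check did not pass. [OK], [N/A] and [DISABLED]
# are accepted; anything else (for example [FAILED] or [WARNING]) is reported.

# Print every status line whose tag is not an accepted one.
verify_problems() {
    grep '\[' | grep -v -e '\[OK\]' -e '\[N/A\]' -e '\[DISABLED\]'
}

# Return 0 when the verify output is clean, 1 (with the offending lines on
# stderr) otherwise. Intended use on the server:
#   ipsec verify | ipsec_verify_ok && echo "IPsec prerequisites OK"
ipsec_verify_ok() {
    # grep -v returns 1 when nothing is selected, so guard against set -e
    problems=$(verify_problems || true)
    if [ -n "$problems" ]; then
        printf 'ipsec verify reported problems:\n%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real host) containing one
# failed check, so the functions above can be exercised offline.
sample_verify_output() {
    cat <<'EOF'
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Checking for IPsec support in kernel [OK]
Checking rp_filter [FAILED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Hardware random device [N/A]
Opportunistic Encryption [DISABLED]
EOF
}
```

Run it as `ipsec verify | ipsec_verify_ok` after step 6; a non-zero exit status is the signal to stop and fix the reported line (typically a sysctl value from step 3 that was not applied) before going on to xl2tpd.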
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 0.0.0.0
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
8. Configure the user name and password by editing /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
username l2tpd userpass *
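Steps 5 and 8 both put long-lived secrets into plain-text files, so the two things worth automating are generating them randomly and keeping the files readable by root only. The shell functions below are an added example, not part of the original article; the default file paths are the ones the article uses, the public IP 203.0.113.10 and the user alice in the usage comment are placeholders, and the function names are the example's own.

```shell
# Added example (not from the original article): generate the PSK and CHAP
# passwords randomly and write the two secrets files with 0600 permissions.
# Paths default to the ones used in the article and can be overridden
# through the environment (handy for testing outside /etc).
IPSEC_SECRETS="${IPSEC_SECRETS:-/etc/ipsec.secrets}"
CHAP_SECRETS="${CHAP_SECRETS:-/etc/ppp/chap-secrets}"

# 32 random bytes from /dev/urandom as 64 hex characters.
gen_secret() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write /etc/ipsec.secrets (overwriting it) for the server's public IP and PSK.
# The umask inside the subshell makes the file 0600 from the moment it exists,
# so there is no window in which it is world-readable.
write_ipsec_secrets() {
    public_ip="$1"; psk="$2"
    ( umask 077
      printf 'include /etc/ipsec.d/*.secrets\n%s %%any: PSK "%s"\n' \
          "$public_ip" "$psk" > "$IPSEC_SECRETS" )
    chmod 600 "$IPSEC_SECRETS"
}

# Append one CHAP user (fields: client, server, secret, allowed IP addresses).
# Refuses to add a user that is already present instead of creating a
# duplicate entry with a second password.
add_chap_user() {
    user="$1"; server="$2"; pass="$3"
    if [ -f "$CHAP_SECRETS" ] && grep -q "^$user[[:space:]]" "$CHAP_SECRETS"; then
        echo "user $user is already present in $CHAP_SECRETS" >&2
        return 1
    fi
    ( umask 077
      printf '%s\t%s\t"%s"\t*\n' "$user" "$server" "$pass" >> "$CHAP_SECRETS" )
    chmod 600 "$CHAP_SECRETS"
}

# True when the file is mode 0600 (owner read/write only); anything wider
# exposes the PSK or the user passwords to every local account on the host.
secrets_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# On the server (public IP and user name are placeholders):
#   write_ipsec_secrets 203.0.113.10 "$(gen_secret)"
#   add_chap_user alice l2tpd "$(gen_secret)"
#   secrets_mode_ok "$IPSEC_SECRETS" && secrets_mode_ok "$CHAP_SECRETS"
```

The generated values are 64 hex characters, which is more than the Windows dial-up dialog needs but pastes fine; the point is that neither the PSK nor a user password should be a word someone can guess, since the PSK is shared by every client of this server.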
9. Restart ipsec and xl2tpd
[root@l2tp ~]# service ipsec restart
[root@l2tp ~]# service xl2tpd restart
Client configuration
1. Create a dial-up connection
2. Set the VPN type to Layer 2 tunneling (L2TP/IPsec)
After the dial-up succeeds, an additional ppp0 interface appears on the server: