
L2TP/IPsec VPN installation notes for Debian/Ubuntu

Date: 2017/2/28 16:08:46   Editor: Linux教程

I. Definition
The Layer Two Tunneling Protocol (L2TP) is a data-link-layer tunneling protocol commonly used for virtual private networks. L2TP does not itself encrypt the data it carries, but it can be combined with an encryption protocol to provide encrypted transport. The encryption protocol most often paired with L2TP is IPsec; the combination is usually referred to as L2TP/IPsec.

II. Installation procedure
1. Install and configure openswan

apt-get install openswan   # just keep pressing Enter at the prompts
apt-get install libgmp3-dev gawk flex bison
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar xf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs
make install
cat >/etc/ipsec.conf<<'EOF'
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # replace 1.1.1.1 with your VPS IP on both of the following lines
    left=1.1.1.1
    leftid=1.1.1.1
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any
EOF
# replace 1.1.1.1 with your VPS IP and "jiaozhudotorg" with a pre-shared key of your own
cat >/etc/ipsec.secrets<<'EOF'
1.1.1.1 %any: PSK "jiaozhudotorg"
EOF
Edit /etc/sysctl.conf and add the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl -p   # apply immediately
Restart ipsec and verify that the configuration is working:
/etc/init.d/ipsec restart
ipsec verify
2. Install l2tpd
apt-get install xl2tpd
cat >/etc/xl2tpd/xl2tpd.conf<<'EOF'
[global]
port = 1701
; replace 1.1.1.1 with your VPS IP
listen-addr = 1.1.1.1
ipsec saref = yes

[lns default]
ip range = 10.168.2.5-10.168.2.254
local ip = 10.168.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

cat >/etc/ppp/options.xl2tpd<<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
mtu 1410
mru 1410
nodefaultroute
lcp-echo-interval 30
lcp-echo-failure 6
#idle 1800
connect-delay 10000
EOF

3. Add VPN users
cat >>/etc/ppp/chap-secrets<<'EOF'
user * 123456 *
EOF
Restart l2tpd:
/etc/init.d/xl2tpd restart
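Both credential files written above (ipsec.secrets in step 1 and chap-secrets in step 3) hold secrets in clear text, so they should be generated with a strong pre-shared key rather than a fixed string and kept readable by root only. The POSIX shell script below is an added example, not code from the original post: it generates a random PSK, writes the ipsec.secrets line in the format openswan reads, appends pppd chap-secrets entries with the password quoted, and sets both files to mode 0600. The output directory, the VPS IP and the user names are caller-supplied assumptions; running it against /etc and /etc/ppp requires root.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the two credential
# files used in the tutorial (ipsec.secrets for the IPsec PSK, chap-secrets for
# PPP users) into OUT_DIR with a generated pre-shared key and mode 0600.
# Assumptions (not from the page): OUT_DIR, the VPS IP, user names and passwords
# are supplied by the caller; /dev/urandom and base64 are available.

# gen_psk -> 32 random bytes, base64-encoded (44 characters), no trailing newline
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_ipsec_secrets OUT_DIR VPS_IP PSK
# Produces the single line   <ip> %any: PSK "<key>"   that openswan expects.
write_ipsec_secrets() {
    out_dir=$1; vps_ip=$2; psk=$3
    umask 077                                   # new file is created 0600
    printf '%s %%any: PSK "%s"\n' "$vps_ip" "$psk" > "$out_dir/ipsec.secrets"
    chmod 600 "$out_dir/ipsec.secrets"          # also fix an existing file
}

# add_chap_user OUT_DIR USER PASSWORD
# Appends one pppd chap-secrets entry: client  server  secret  IP.
# The secret is quoted so spaces or '#' characters cannot break the file.
add_chap_user() {
    out_dir=$1; user=$2; pass=$3
    umask 077
    printf '%s\t*\t"%s"\t*\n' "$user" "$pass" >> "$out_dir/chap-secrets"
    chmod 600 "$out_dir/chap-secrets"
}

# file_mode FILE -> the 10-character permission string from ls, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage (values are placeholders; run as root to write the real files):
#   psk=$(gen_psk)
#   write_ipsec_secrets /etc 203.0.113.10 "$psk"
#   add_chap_user /etc/ppp alice 'a long passphrase'
```

Note that `umask 077` is set inside the functions, so the files are never created world-readable even for an instant; `chmod 600` afterwards covers the case where the file already existed with looser permissions.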

Addendum: because of a misconfigured firewall, starting xl2tpd caused nginx to return 502 errors. Adding the rule below fixed it; as before, replace 1.1.1.1 with your VPS IP.

iptables -t nat -A POSTROUTING -s 10.168.2.0/24 -j SNAT --to-source "1.1.1.1"
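The SNAT rule above is one of several firewall rules an L2TP/IPsec server needs (IKE on UDP 500, NAT-T on UDP 4500, ESP, and the L2TP control channel on UDP 1701). The script below is an added example, not from the original post, that generates the full set in one place so the rules can be reviewed before being applied. It goes one step beyond the page: UDP 1701 is accepted only when the packet arrived inside an IPsec ESP policy (`-m policy`), so the unencrypted L2TP port is not reachable directly. VPS_IP and VPN_SUBNET are caller-supplied assumptions; the function prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the iptables rules
# for an L2TP/IPsec server. Includes the SNAT rule from the addendum and, as a
# hardening step the page does not cover, accepts UDP 1701 only inside an IPsec
# ESP policy. VPS_IP and VPN_SUBNET are caller-supplied assumptions.
# The function prints the commands; review them, then pipe to sh to apply.

# l2tp_fw_rules VPS_IP VPN_SUBNET -> prints one iptables command per line
l2tp_fw_rules() {
    vps_ip=$1; vpn_subnet=$2
    cat <<RULES
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -A FORWARD -s $vpn_subnet -j ACCEPT
iptables -A FORWARD -d $vpn_subnet -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_subnet -j SNAT --to-source $vps_ip
RULES
}

# rule_count VPS_IP VPN_SUBNET -> number of rules generated
rule_count() {
    l2tp_fw_rules "$1" "$2" | wc -l | tr -d ' '
}

# has_rule VPS_IP VPN_SUBNET PATTERN -> exit 0 if a generated rule matches PATTERN
has_rule() {
    l2tp_fw_rules "$1" "$2" | grep -q -- "$3"
}

# Usage (placeholder values):
#   l2tp_fw_rules 203.0.113.10 10.168.2.0/24          # inspect
#   l2tp_fw_rules 203.0.113.10 10.168.2.0/24 | sh     # apply as root
```

The ordering matters: the `-m policy` ACCEPT for port 1701 must precede the plain DROP, and the FORWARD rules assume the chain's default policy blocks other forwarded traffic. The rules are not persistent; save them with the distribution's usual mechanism after testing.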
