#扶梯# Ubuntu 14.04下安装L2TP微皮恩

微魔之前跟大家分享了pptp的安装教程（传送），但是一方面PPTP协议逐渐被大家所淘汰，另一方面PPTP也爆出了一些漏洞。相反，L2TP则更加受到欢迎（OpenVPN也是十分受欢迎且功能强大的VPN套件，但是因为在Windows下需要客户端，因此略显不便）。今天微魔和大家分享的是L2TP在Ubuntu 14.04的安装教程。具体的套件包括：1）Openswan作为IPSEC服务器；2）xl2tpd作为l2tp载体；3）ppp或PAM作为登陆授权。

Ubuntu 14.04下安装IPSEC/L2TP VPN

1.安装相应软件包

apt-get install openswan xl2tpd ppp lsof

2.设置防火墙和sysctl

iptables -t nat -A POSTROUTING -j SNAT --to-source VPS的ip -o eth+

echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" |  tee -a /etc/sysctl.conf

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

使sysctl生效

sysctl -p

*设置开机

将如下内容加入到/etc/rc.local（需要加载exit 0前面）

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source VPS的ip -o eth+

3.配置Openswan (IPSEC)

将/etc/ipsec.conf替换为如下内容（推荐备份原文件）

version 2 # conforms to second version of ipsec.conf specification

config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec

    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.

    protostack=netkey
    #decide which protocol stack is going to be used.

    force_keepalive=yes
    keep_alive=60
    # Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.

    pfs=no
    #Disable pfs

    auto=add
    #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

    keyingtries=3
    #Only negotiate a conn. 3 times.

    ikelifetime=8h
    keylife=1h

    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
    # https://lists.openswan.org/pipermail/users/2014-April/022947.html
    # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.

    type=transport
    #because we use l2tp as tunnel protocol

    left=VPS的ip
    #fill in server IP above

    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

    dpddelay=10
    # Dead Peer Dectection (RFC 3706) keepalives delay
    dpdtimeout=20
    #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

4.设置shared secret

修改文件/etc/ipsec.secrets

PSK后面的字段尽量长且复杂，可以使用openssl rand -hex 30生成

VPS的ip  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

5.检验IPSEC

ipsec verify

如果没错误的话，会返回如下内容

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

6.配置xl2tpd

配置文件/etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

7.本地用户授权

修改文件/etc/xl2tpd/xl2tpd.conf，加入如下内容

unix authentication = yes

移除如下内容

refuse pap = yes

修改文件/etc/ppp/options.xl2tpd，加入如下内容

login

修改文件/etc/pam.d/ppp

auth    required        pam_nologin.so
auth    required        pam_unix.so
account required        pam_unix.so
session required        pam_unix.so

修改文件/etc/ppp/pap-secrets，加入如下内容

*       l2tpd           ""              *

8.修改ppp

修改文件/etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

9.增加用户

修改文件/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client       server  secret                  IP addresses
alice          l2tpd   0F92E5FC2414101EA            *
bob            l2tpd   DF98F09F74C06A2F             *

10.重启生效

/etc/init.d/ipsec restart 
/etc/init.d/xl2tpd restart

接下来就自己测试吧

本文原始命令源自Raymii，部分内容有修改。