Installing an IPsec+L2TP VPN on a CentOS Linux VPS

  
 

Layer 2 Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that communicates over UDP port 1701. L2TP itself provides no encryption, so IPsec is used to encrypt the L2TP packets. An L2TP VPN is more complicated to set up than a PPTP VPN.

First, install IPsec. Openswan is an implementation of IPsec for Linux. Official website: http://www.openswan.org/

1. Install the necessary software:

yum install make gcc gmp-devel bison flex lsof

make and gcc we all know. gmp-devel: development files for the GNU MP arbitrary-precision library. bison: the GNU general-purpose parser generator. flex: a tool for generating scanners (text pattern recognizers). It looks like these are all about compiling?

2. Install Openswan: since the version in the update repository is 2.6.21-5.el5_6.4, it is installed from source here. The latest version is 2.6.35.

cd /tmp
wget http://www.openswan.org/download/openswan-2.6.35.tar.gz
tar -zxvf openswan-2.6.35.tar.gz
cd openswan-2.6.35
make programs install

PS: Enter the openswan-2.6.35 directory and you will see that there is already a Makefile. The INSTALL file in that directory says, under "Building userland": make programs install

3. Configure IPsec by editing the configuration file /etc/ipsec.conf:

cp /etc/ipsec.conf /etc/ipsec.conf.bak
vim /etc/ipsec.conf

Find protostack=auto and change it to:

protostack=netkey

Add at the end:

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Replace “YOUR.SERVER.IP.ADDRESS” with the public IP address of the VPS. Some of these settings follow the example in /etc/ipsec.d/examples/l2tp-psk.conf.

4. Set the pre-shared key (PSK) by editing the configuration file /etc/ipsec.secrets:

vim /etc/ipsec.secrets

Enter:

YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"

5. Modify the packet forwarding settings. Copy the following two pieces of code and run them in the terminal:

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

echo 1 >/proc/sys/net/core/xfrm_larval_drop

Modify the kernel settings to enable forwarding by editing the /etc/sysctl.conf file:

vim /etc/sysctl.conf

Change the value of “net.ipv4.ip_forward” to 1.

Make the changes take effect:

sysctl -p

6. Restart IPsec:

/etc/init.d/ipsec restart

Check that IPsec is installed and started correctly:

ipsec verify

If nothing is reported as [FAILED], it is fine.

The VPS results I used are shown below:

Second, install L2TP (xl2tpd and rp-l2tp)

xl2tpd is an l2tpd implementation maintained by Xelerance Corporation. However, xl2tpd does not ship l2tp-control, which has to be taken from rp-l2tp, so both packages must be installed.

1. Install the necessary software:

yum install libpcap-devel ppp policycoreutils

2. Install xl2tpd and rp-l2tp:

cd /tmp
wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar -zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

For xl2tpd, use the latest xl2tpd-1.3.0:

cd /tmp
wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz
tar -zxvf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
make
make install

The following contents are displayed:

3. Create xl2tpd configuration file:

mkdir /etc/xl2tpd
vim /etc/xl2tpd/xl2tpd.conf

Add:

[global]
ipsec saref = yes

[lns default]
ip range = 10.82.88.2-10.82.88.254
local ip = 10.82.88.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

4. Configure ppp by creating the options.xl2tpd file:

vim /etc/ppp/options.xl2tpd

Add:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

5. Set the dial-up username and password:

vim /etc/ppp/chap-secrets
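The two secrets in this setup (the IPsec PSK in /etc/ipsec.secrets and the user password in /etc/ppp/chap-secrets) are what an attacker needs to join the VPN, so they should be long and random and the files readable by root only. The following script is an added example, not part of the original post: it generates both secrets from /dev/urandom, writes the files in the formats used above (the "l2tpd" server name matches "name l2tpd" in options.xl2tpd) with mode 0600, and audits them. ROOT is an assumed prefix so the script can be exercised against a scratch directory instead of the live /etc; the server IP and user name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). ROOT is an assumed prefix:
# ROOT=/ writes the real /etc/ipsec.secrets and /etc/ppp/chap-secrets.
ROOT=${ROOT:-/}

# 24 random bytes as 48 hex characters: pastes cleanly into the Windows
# dialog and is far stronger than a dictionary word.
gen_secret() {
    od -An -tx1 -N 24 /dev/urandom | tr -d ' \n'
}

# Openswan ipsec.secrets format: <server ip> %any: PSK "<secret>"
write_ipsec_secrets() {
    ip=$1; psk=$2
    dir="$ROOT/etc"
    mkdir -p "$dir"
    umask 077
    printf '%s %%any: PSK "%s"\n' "$ip" "$psk" > "$dir/ipsec.secrets"
    chmod 600 "$dir/ipsec.secrets"
}

# pppd chap-secrets format: client  server  secret  IP addresses
# "l2tpd" must match the "name l2tpd" line in /etc/ppp/options.xl2tpd.
write_chap_secret() {
    user=$1; pass=$2
    dir="$ROOT/etc/ppp"
    mkdir -p "$dir"
    umask 077
    printf '%s\tl2tpd\t"%s"\t*\n' "$user" "$pass" >> "$dir/chap-secrets"
    chmod 600 "$dir/chap-secrets"
}

# Audit: fail if either file is not exactly mode 0600 or still holds
# the tutorial's placeholder PSK "YourSharedSecret".
check_secrets() {
    rc=0
    for f in "$ROOT/etc/ipsec.secrets" "$ROOT/etc/ppp/chap-secrets"; do
        [ -f "$f" ] || continue
        if [ -z "$(find "$f" -perm 600)" ]; then
            echo "WARN: $f is not mode 0600" >&2; rc=1
        fi
        if grep -q 'YourSharedSecret' "$f"; then
            echo "WARN: $f still contains the placeholder PSK" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: ROOT=/ sh secrets.sh --setup <server ip> <vpn user>
if [ "${1:-}" = "--setup" ]; then
    server_ip=$2; vpn_user=$3
    psk=$(gen_secret); pass=$(gen_secret)
    write_ipsec_secrets "$server_ip" "$psk"
    write_chap_secret "$vpn_user" "$pass"
    echo "PSK: $psk"
    echo "password for $vpn_user: $pass"
    check_secrets
fi
```

After running it with --setup, restart ipsec (the secrets file is read at startup) and hand the PSK and password to the client over a channel other than the VPN itself; check_secrets can be re-run at any time to catch a file whose permissions were loosened by a later edit.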


6. Add iptables forwarding rules:

iptables --table nat --append POSTROUTING --jump MASQUERADE

Save iptables forwarding rules:

/etc/init.d/iptables save

Restart iptables:

/etc/init.d/iptables restart
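The single rule above masquerades every forwarded packet regardless of source, and nothing stops unencrypted L2TP from reaching port 1701 directly. The script below is an added example, not part of the original post: it emits an iptables-restore ruleset of the kind "/etc/init.d/iptables save" writes to /etc/sysconfig/iptables, but narrowed to the client range 10.82.88.0/24 from xl2tpd.conf above, with IKE (UDP 500) and NAT-T (UDP 4500) accepted and UDP 1701 accepted only when the packet arrived inside an IPsec SA (the policy match). WAN_IF=eth0 and the default file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). VPN_NET comes from the
# "ip range" in xl2tpd.conf; WAN_IF is an assumed outbound interface.
VPN_NET=${VPN_NET:-10.82.88.0/24}
WAN_IF=${WAN_IF:-eth0}

# nat table: masquerade only VPN client traffic leaving via the WAN
# interface, instead of every forwarded packet.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# filter table: IKE and NAT-T are open; L2TP (1701) is accepted only if
# the packet was decapsulated from an ESP SA, otherwise dropped, so
# plaintext L2TP from the Internet never reaches xl2tpd.
filter_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A FORWARD -s $VPN_NET -j ACCEPT
-A FORWARD -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Full ruleset in iptables-restore syntax (one COMMIT per table).
ruleset() {
    nat_rules
    filter_rules
}

# Sanity check used before loading: iptables-restore needs exactly one
# COMMIT per table, two here.
commit_count() {
    ruleset | grep -c '^COMMIT$'
}

# Write the ruleset to a file; the default is where the CentOS init
# script keeps its saved rules, so "iptables-restore < file" or
# "/etc/init.d/iptables restart" loads it. The path is an assumption.
write_ruleset() {
    out=${1:-/etc/sysconfig/iptables}
    ruleset > "$out"
}
```

Review the output with "sh rules.sh; ruleset" style sourcing before replacing the saved rules: the INPUT chain keeps the ACCEPT default policy from the tutorial, so this only closes the L2TP port to unprotected traffic and does not lock you out of SSH.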

7. Start xl2tpd in debug mode and check that there are no errors:

xl2tpd -D

The output is as follows:

xl2tpd[9647]: Enabling IPsec SAref processing for L2TP transport mode SAs
xl2tpd[9647]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[9647]: setsockopt recvref[22]: Protocol not available
xl2tpd[9647]: This binary does not support kernel L2TP.
xl2tpd[9647]: xl2tpd version xl2tpd-1.3.0 started on myserver.localdomain PID: 9647
xl2tpd[9647]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[9647]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[9647]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[9647]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[9647]: Listening on IP address 0.0.0.0, port 1701

"Listening on IP address 0.0.0.0, port 1701" indicates that the port is listening. It is now possible to establish an L2TP dial-up connection from Windows.

Third, set up starting at boot

vim /etc/rc.local

Add:

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

echo 1 >/proc/sys/net/core/xfrm_larval_drop

/etc/init.d/ipsec restart

/usr/local/sbin/xl2tpd

Fourth, problems encountered when establishing a connection

Create a VPN connection under Windows. In the connection's Properties - Networking, set the VPN type to L2TP IPSec VPN. Under Security - IPSec Settings, enter the pre-shared key.

If you get “Error 768: The connection attempt failed because of failure to encrypt data.”, the IPSEC Services service is turned off. Start - Run - enter services.msc, then enable “IPSEC Services” in the service list.

Copyright © Windows knowledge All Rights Reserved