l2tp&ipsec-linuxserver

步驟一，需要三個套件 pptpd openswan xl2tpd

如果沒有包給你下載安裝，這邊在講openswan

且你直接用tgz.gz檔案解壓縮也無法make install 安裝的話

兩種解法：

1— 改用strongswan

The openswan package is not available for Ubuntu 16.04, but the (very similar) strongswan package is available.

Try running

sudo apt-get install strongswan

to install StrongSwan. There might be some minor differenced between OpenSwan and StrongSwan in configuration files, etc... but they should be minor.

You can view details about the strongswan package for Ubuntu 16.04 here: http://packages.ubuntu.com/xenial/strongswan and details about StrongSwan in general at http://strongswan.org

2 — 更新來源網站

1.vi /etc/apt/sources.list.d/lzu.list (没有lzu.list这个文件的话，会增加这个文件)

编辑，添加如下内容，保存退出

deb http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse

deb http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse

deb http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse

deb http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse

deb http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse

deb-src http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse

deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse

deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse

deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse

deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse

然後

sudo apt-get update

apt-get install openswan

Ps.我用2

編輯 /etc/pptpd.conf 設定檔

步驟二，設定pptpd —> sudo vim /etc/pptpd.conf 此步驟跟l2tp-ipsec VPN建立

沒什麼關係可略過

步驟三，設定xl2tp. —> sudo vim /etc/ppp/options.xl2tpd

把以下設定貼進去預設的可以全幹掉

name xl2tp

require-mschap-v2

ms-dns 1.1.1.1

ms-dns 8.8.8.8

noccp

auth

mtu 1460

mru 1460

crtscts

hide-password

proxyarp

lcp-echo-interval 30

lcp-echo-failure 4

步驟四，設定ipsec —> sudo vim /etc/ipsec.conf

把以下config全貼並改調left那行，那行要改成你server對外的ip，其餘預設可以幹掉

version 2.0

config setup

dumpdir=/var/run/pluto/

nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:192.168.10.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10

oe=off

protostack=netkey

force_keepalive=yes

keep_alive=60

conn L2TP-PSK-NAT

rightsubnet=vhost:%priv

also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT

authby=secret

pfs=no

auto=add

keyingtries=5

rekey=no

ikelifetime=8h

keylife=1h

type=transport

left=192.168.40.70

leftprotoport=17/1701

right=%any

rightprotoport=17/%any

dpddelay=15

dpdtimeout=30

dpdaction=clear

步驟五，設定ipsec連線密鑰匙 — > sudo vim /etc/ipsec.secrets

裡面新增你的ipsec密鑰由於我們上面使用的是psk式的，所以只用這組

%any %any: PSK "iopIOP"

步驟六，設定l2tpd —> sudo vim /etc/xl2tpd/xl2tpd.conf

把裡面參數貼上，需修改的就是你想要的ip range 跟 local ip而已

[global]

ipsec saref = yes

saref refinfo = 30

;debug avp = yes

;debug network = yes

;debug state = yes

;debug tunnel = yes

;debug ppp = yes

[lns default]

ip range = 192.168.11.1-192.168.11.5

local ip = 192.168.40.70

require chap = yes

refuse pap = yes

require authentication = yes

;ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

步驟七，設定使用者連線的密碼跟帳號 —> sudo vim /etc/ppp/chap-secrets

Sam xl2tpd iopIOP *

步驟八，全部照貼設定轉發規則

echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf

echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf

echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf

echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf

echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf

echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf

然後重吃一次設定

sysctl -p

步驟九，檢查iptable以及設定forward NAT

sudo iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE

步驟十，檢查service l2tp status 跟 service ipsec status 有無報錯

最後，在你本機上設定windows或mac都可以用的簡單L2TP/IPSEC設定

撥你的vpn server驗證

IPSec verify 跑出二個錯誤訊息

1—

[FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects

or NETKEY will accept bogus ICMP redirects!

# Disable send redirects

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects

# Disable accept redirects

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects

https://askubuntu.com/questions/372350/i-got-error-when-i-am-trying-to-install-l2tp-can-any-help-me-solve-this-iss

2—

Hardware RNG detected, testing if used properly [FAILED]

Hardware RNG is present but 'rngd' or 'clrngd' is not running.

No harware random used!

sudo apt-get install rng-tools 裝完無法解決

http://www.cnblogs.com/mafeng/p/6545316.html

service rng-tools start 還是無法解決

////////////////////////////////////////////////////

看到centOS是這樣解決

#每行我用'>'去区分，注意粘贴

> yum install rng-tools

> vim /etc/sysconfig/rngd

> EXTRAOPTIONS="-r /dev/urandom"

> chkconfig rngd on

驗證

> service rngd restart

> ipsec setup restart

> xl2tpd -D

> ipsec verify

////////////////////////////////////////////////////

發現原來rng-tools5.0版有bug，目前還想不到怎麼解決

第三個錯誤訊息是查看ipsec status時候看到的

3—

May 31 02:29:42 sam-ubuntu02 ipsec__plutorun[9845]: 003 "/var/lib/openswan/ipsec.secrets.inc" line 1: error loading RSA private key file

嘗試在/etc/ppp/option.xl2tpd 裡面新增四句

refuse-chap

refuse-eap

refuse-pap

refuse-mschap

require-mschap-v2 跟此bug好像毫無關西-.-

嘗試在/etc/ipsec.d/private 底下執行

openssl rsa -in sam-ubuntu02Key.pem -outform pem -out privateKey.pem

再去以下資料夾把key改成新產生的privateKey.pem

vim /var/lib/openswan/ipsec.secrets.inc

裡面長這樣

service ipsec restart

https://www.wolfssl.com/forums/topic852-solved-unable-to-load-rsa-private-key.html

https://gist.github.com/stengaard/2955132

systemctl status IPSec.service 終於沒有報錯了!!