I. Definition
Layer Two Tunneling Protocol (L2TP) is a data link layer tunneling protocol, commonly used to build virtual private networks. L2TP itself does not encrypt the data it carries, but it can be combined with an encryption protocol so that the tunneled data travels encrypted. The encryption protocol most often paired with L2TP is IPsec; the combination is usually referred to as L2TP/IPsec.
II. Installation
1. Install and configure openswan
apt-get install openswan   # just press Enter at every prompt
apt-get install libgmp3-dev gawk flex bison
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar xf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs
make install
cat >/etc/ipsec.conf<<EOF
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # replace 1.1.1.1 with your VPS IP on the next two lines
    left=1.1.1.1
    leftid=1.1.1.1
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any
EOF
# the address here must be the same VPS IP as left= above
cat >/etc/ipsec.secrets<<EOF
1.1.1.1 %any: PSK "jiaozhudotorg"
EOF
Edit /etc/sysctl.conf and add:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl -p   # apply immediately
Restart ipsec and verify that the configuration works:
/etc/init.d/ipsec restart
ipsec verify
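Before the restart it is worth checking the two files just written for the mistakes this step is prone to: a parameter line that is not indented (openswan then reads it as a new section and the conn loses that setting), a missing transport-mode or PSK parameter, and a short pre-shared key. The script below is an added example, not part of the original post; it checks for the settings the configuration above relies on and does its dry run against constructed sample files with a placeholder PSK.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# /etc/ipsec.conf and /etc/ipsec.secrets written above, to run before
# "/etc/init.d/ipsec restart". Each function takes a file path; 0 means OK.

# openswan attaches a "key=value" line to the preceding config/conn section
# only when it is indented; an unindented line starts a new section, so the
# L2TP conn silently loses its parameters.
ipsec_conf_indented() {
    awk '/^(config|conn)[ \t]/ { in_sec = 1; next }
         /^[ \t]*$/ || /^#/    { next }
         in_sec && /^[^ \t]/   { bad++ }
         END { exit (bad > 0) }' "$1"
}

# Settings the tutorial relies on: NAT traversal, transport mode, UDP 1701
# on the server side, PSK authentication. Spaces around "=" are tolerated.
ipsec_conf_has() {                  # usage: ipsec_conf_has FILE key value
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}
check_ipsec_conf() {
    ipsec_conf_indented "$1" &&
    ipsec_conf_has "$1" nat_traversal yes &&
    ipsec_conf_has "$1" type transport &&
    ipsec_conf_has "$1" leftprotoport 17/1701 &&
    ipsec_conf_has "$1" authby secret
}

# ipsec.secrets: exactly one 'LEFT RIGHT: PSK "..."' line whose key is at
# least 20 characters; with authby=secret the PSK is all that protects IKE.
check_ipsec_secrets() {
    awk '/: PSK "/ { n++; k = $0; sub(/.*PSK "/, "", k); sub(/".*/, "", k)
                     if (length(k) < 20) short++ }
         END { exit !(n == 1 && short == 0) }' "$1"
}

# Constructed sample files for a dry run; the good PSK is a placeholder.
write_sample_configs() {            # usage: write_sample_configs DIR
    printf 'version 2.0\nconfig setup\n  nat_traversal=yes\nconn L2TP-PSK-noNAT\n  authby=secret\n  type=transport\n  leftprotoport=17/1701\n' > "$1/ipsec.conf.good"
    sed 's/^  //' "$1/ipsec.conf.good" > "$1/ipsec.conf.unindented"
    printf '1.1.1.1 %%any: PSK "Replace-With-A-Long-Random-PSK-1234"\n' > "$1/ipsec.secrets.good"
    printf '1.1.1.1 %%any: PSK "jiaozhudotorg"\n' > "$1/ipsec.secrets.short"
}

# Dry run against the constructed samples.
d=$(mktemp -d) && write_sample_configs "$d"
check_ipsec_conf "$d/ipsec.conf.good" && echo "indented ipsec.conf: OK"
check_ipsec_conf "$d/ipsec.conf.unindented" || echo "unindented ipsec.conf: rejected"
check_ipsec_secrets "$d/ipsec.secrets.short" || echo "13-character PSK: rejected"
rm -rf "$d"
```

Against the live system run `check_ipsec_conf /etc/ipsec.conf` and `check_ipsec_secrets /etc/ipsec.secrets`; the 13-character "jiaozhudotorg" from the secrets file above fails the length check, so choose a long random PSK before going live.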
2. Install l2tpd (xl2tpd)
apt-get install xl2tpd
cat >/etc/xl2tpd/xl2tpd.conf<<EOF
[global]
port = 1701
; replace with your VPS IP
listen-addr = 1.1.1.1
ipsec saref = yes
[lns default]
ip range = 10.168.2.5-10.168.2.254
local ip = 10.168.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
cat >/etc/ppp/options.xl2tpd<<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
mtu 1410
mru 1410
nodefaultroute
lcp-echo-interval 30
lcp-echo-failure 6
#idle 1800
connect-delay 10000
EOF
3. Add VPN users
cat >>/etc/ppp/chap-secrets<<EOF
user * 123456 *
EOF
Restart xl2tpd:
/etc/init.d/xl2tpd restart
Note: because of a firewall misconfiguration, nginx started returning 502 after xl2tpd was started; adding the rule below fixed the problem. As before, replace 1.1.1.1 with your VPS IP.
iptables -t nat -A POSTROUTING -s 10.168.2.0/24 -j SNAT --to-source "1.1.1.1"