Build an IPsec/xl2tpd VPN on CentOS 6.5
This article installs everything directly with yum, which saves trouble.
I. Installation (one command)
yum install openswan ppp xl2tpd
Those who prefer installing from source can download the source packages from http://pkgs.org.
II. Configuration
1. Edit /etc/ipsec.conf
vim /etc/ipsec.conf
Replace xx.xxx with the actual fixed public IP address of your VPS. Leave everything else unchanged.
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=xx.xxx
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
2. Edit /etc/ipsec.secrets
vim /etc/ipsec.secrets
192.168.1.100 %any: PSK "YourPsk"
Replace 192.168.1.100 with the actual public IP address of your VPS. Replace YourPsk with a key of your own; you will enter it in the security settings when you connect to the VPN.
3. Modify or add the following in /etc/sysctl.conf
vim /etc/sysctl.conf
Make sure every field below exists with the value shown. To save trouble, paste the following directly at the end of /etc/sysctl.conf.
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Apply the modified sysctl.conf:
sysctl -p
Some IPv6 errors may be reported; ignore them and continue to the next step.
4. Verify that IPsec is running
service ipsec start
ipsec verify
ipsec verify prints output like the following:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
If any check shows FAILED, you cannot proceed; you will need to search Baidu or Google for the fix. I did not run into one when I set this up. Remember to turn SELinux off.
5. Edit /etc/xl2tpd/xl2tpd.conf
vim /etc/xl2tpd/xl2tpd.conf
The content is as follows:
[global]
ipsec saref = yes
; server address
listen-addr = 120.26.115.39
[lns default]
; internal IP address range handed to VPN clients
ip range = 192.168.1.2-192.168.1.100
; internal address of the VPN server
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
6. Edit /etc/ppp/options.xl2tpd
vim /etc/ppp/options.xl2tpd
The content is as follows:
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
7. Edit /etc/ppp/chap-secrets
This configuration file sets the VPN user names and passwords:
vim /etc/ppp/chap-secrets
The format is as follows:
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
admin       *         admin     *
This entry means the VPN account and password are both admin, and this account can log in from any machine that can reach the Internet.
8. Start the xl2tpd service
service xl2tpd start
9. Open ports and enable forwarding
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
Save the rules:
service iptables save
At this point the whole IPsec/xl2tpd VPN configuration is complete, and we can test it.
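As an added example (not part of the original tutorial), a small Python audit of three of the files written above: it parses /etc/ppp/chap-secrets and flags accounts like the admin/admin entry from step 7, flags a placeholder pre-shared key in /etc/ipsec.secrets from step 2, and lists any check that ipsec verify (step 4) reported as FAILED. The sample file contents, the alice account, the 203.0.113.10 address and the 12-character threshold are constructed for the demonstration.

```python
import re, shlex

# Constructed samples in the same shape as the tutorial's files (not taken from a live host).
CHAP_SECRETS = """# Secrets for authentication using CHAP
# client  server  secret              IP addresses
admin     *       admin               *
alice     l2tpd   "c0rrect horse 42"  *
"""
IPSEC_SECRETS = '203.0.113.10 %any: PSK "YourPsk"\n'
IPSEC_VERIFY = """Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [FAILED]
"""
MIN_LEN = 12                      # minimum length accepted for any secret (chosen for the demo)
PLACEHOLDERS = {"yourpsk", "changeme", "password", "secret"}

def parse_chap_secrets(text):
    """Return (client, server, secret, ip) rows; shlex handles quoted secrets and # comments."""
    rows = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields:
            continue                  # blank or comment-only line
        if len(fields) < 3:
            raise ValueError("malformed chap-secrets line: %r" % line)
        rows.append((fields[0], fields[1], fields[2], fields[3] if len(fields) > 3 else "*"))
    return rows

def audit_chap_secrets(text):
    """Flag weak PPP accounts such as the tutorial's admin/admin entry."""
    problems = []
    for client, _server, secret, _ip in parse_chap_secrets(text):
        if secret.lower() == client.lower():
            problems.append("%s: secret equals the user name" % client)
        if len(secret) < MIN_LEN:
            problems.append("%s: secret shorter than %d characters" % (client, MIN_LEN))
    return problems

def audit_ipsec_secrets(text):
    """Flag placeholder or short pre-shared keys (the PSK "..." entries in ipsec.secrets)."""
    problems = []
    for psk in re.findall(r'PSK\s+"([^"]*)"', text):
        if psk.lower() in PLACEHOLDERS or len(psk) < MIN_LEN:
            problems.append('PSK "%s" is a placeholder or shorter than %d characters' % (psk, MIN_LEN))
    return problems

def failed_checks(verify_output):
    """Names of `ipsec verify` checks marked [FAILED]; any of these blocks the setup."""
    return [line.rsplit("[", 1)[0].strip()
            for line in verify_output.splitlines() if line.rstrip().endswith("[FAILED]")]
```

Run it against the real files by reading them into the three variables instead of the constructed samples; an empty result from all three functions means nothing obvious was found.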
10. Test the VPN connection on Windows 7
Open Network and Sharing Center > Set up a new connection or network > Connect to a workplace > create a VPN connection.
Click the network icon in the lower-right corner > the VPN connection > Properties.
1. General: the Internet address is the public IP address of the VPS.
2. VPN type: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
Data encryption: Require encryption (disconnect if server declines)
Advanced settings: Use preshared key for authentication
Key: YourPsk (set earlier)
Click OK, then enter the user name and password to log in.