Build an ipsec/xl2tpd VPN in centos 6.5

Source: Internet
Author: User
Tags vps


In this article the packages are installed with yum, which saves the trouble of building from source.

I. Installation (one command does it)

yum install openswan ppp xl2tpd

Those who prefer a source build can download the packages from http://pkgs.org.

II. Configuration

1. Edit /etc/ipsec.conf

vim /etc/ipsec.conf

Replace xx.xxx with the fixed public IP address of your VPS and leave everything else unchanged. Openswan is sensitive to layout: config setup and the conn lines start in column 1, and every parameter below them must be indented. virtual_private lists the private ranges that clients behind NAT are allowed to arrive from; if one of them overlaps a network the server itself uses, exclude that network with an entry of the form %v4:!a.b.c.d/n.

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=xx.xxx
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any


2. Edit /etc/ipsec.secrets

vim /etc/ipsec.secrets

192.168.1.100 %any: PSK "YourPsk"

Replace 192.168.1.100 with the actual public IP address of your VPS (it is only a placeholder here and has nothing to do with the 192.168.1.x client pool configured later). Replace YourPsk with a long random key; every client enters it under the IPsec settings when connecting. Because the key is shared by all users, treat it as a server credential: keep the file at mode 0600 and rotate the key if a client device is lost.

3. Modify /etc/sysctl.conf

vim /etc/sysctl.conf

Make sure every key below is present with the value shown. The simplest way is to append the block to the end of /etc/sysctl.conf: sysctl -p applies the file top to bottom, so the appended lines override the stock CentOS entries such as net.ipv4.conf.default.rp_filter = 1.

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Apply the modified sysctl.conf:

sysctl -p

If IPv6 is disabled on the VPS, sysctl -p may print errors for the IPv6 keys already in the file; they do not affect this setup, so continue to the next step.
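The keys above are easy to get wrong, because a later line in sysctl.conf silently overrides an earlier one and a typo in a key name is reported by sysctl -p only in passing. The following checker is an added example, not part of the original article: it reads the live values from the sysctl tree (normally /proc/sys) and reports every key that differs from the list. The tree root is a parameter so the check can be run against a fake tree without root; set_fake_sysctl exists only to build such a tree for a dry run. Function names and the "missing" marker are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: confirm that the sysctls the
# VPN relies on actually hold at runtime by reading the live values from the
# sysctl tree (normally /proc/sys) instead of trusting /etc/sysctl.conf, where
# a later line silently overrides an earlier one.

# Expected key=value pairs, copied from the article's sysctl block.
VPN_SYSCTLS="
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.log_martians=0
net.ipv4.conf.default.log_martians=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
"

# read_sysctl ROOT KEY: map the dotted key to its file under ROOT and print
# the value; prints "missing" when the file is absent, which counts as a
# mismatch in the check below.
read_sysctl() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then
        tr -d '[:space:]' < "$path"
    else
        printf 'missing'
    fi
}

# check_vpn_sysctls [ROOT]  (ROOT defaults to /proc/sys)
# Prints one MISMATCH line per wrong key; returns 0 when every key matches,
# otherwise the number of mismatching keys.
check_vpn_sysctls() {
    root="${1:-/proc/sys}"
    bad=0
    for entry in $VPN_SYSCTLS; do
        key="${entry%%=*}"
        want="${entry#*=}"
        have="$(read_sysctl "$root" "$key")"
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# set_fake_sysctl ROOT KEY VALUE: helper for dry runs without root; creates
# ROOT/<key path> holding VALUE, mirroring the /proc/sys layout.
set_fake_sysctl() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    mkdir -p "$(dirname "$path")"
    printf '%s\n' "$3" > "$path"
}
```

Source the file on the server and run check_vpn_sysctls with no argument after sysctl -p; a non-zero return with MISMATCH lines means the value in /etc/sysctl.conf was overridden or mistyped, and ipsec verify will later fail on the send_redirects and accept_redirects checks for the same reason.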

4. Verify that IPsec is running

service ipsec start

ipsec verify

ipsec verify prints output like the following:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                         [OK]
SAref kernel support                                         [N/A]
NETKEY: Testing for disabled ICMP send_redirects             [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                               [OK]
Pluto listening for IKE on udp 500                           [OK]
Pluto listening for NAT-T on udp 4500                        [OK]
Checking for 'ip' command                                    [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]

Anything reported as FAILED has to be fixed before going on; search Baidu or Google for the exact message. I did not hit any failures when setting this up. Remember to turn SELinux off (setenforce 0 for the running system, SELINUX=disabled in /etc/selinux/config to make it permanent). If you would rather keep SELinux, set it to permissive instead and check /var/log/audit/audit.log for denials involving pluto or xl2tpd.

5. Edit /etc/xl2tpd/xl2tpd.conf

vim /etc/xl2tpd/xl2tpd.conf

The content is as follows (lines starting with ; are comments):

[global]
ipsec saref = yes
; public address of the server
listen-addr = 120.26.115.39

[lns default]
; private address pool handed out to VPN clients
ip range = 192.168.1.2-192.168.1.100
; private address of the server end of the tunnel
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Replace listen-addr with your own public IP. ipsec verify reported SAref kernel support as N/A above, so the stock kernel cannot honour ipsec saref = yes; xl2tpd logs that it cannot enable SAref and carries on, and it is cleaner to set the option to no. SAref is what lets the server tell apart several clients behind one NAT address; without it, expect only one client per NAT address to work reliably. refuse pap and refuse chap, together with require-mschap-v2 in the PPP options, force MS-CHAPv2 and reject PAP (plaintext password) and plain CHAP; MS-CHAPv2 on its own is weak against offline cracking, so the IPsec layer, and therefore the strength of the PSK, is what actually protects the login. Set ppp debug = no once the tunnel works, as the debug output is verbose.

6. Edit /etc/ppp/options.xl2tpd

vim /etc/ppp/options.xl2tpd

The content is as follows:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

ms-dns sets the DNS servers pushed to clients; substitute your own resolvers if you do not want client lookups going to Google. name l2tpd is the name pppd presents as the server, and it is what the server column of chap-secrets is matched against. Drop debug once the setup works.

7. Edit /etc/ppp/chap-secrets

This file holds the VPN user names and passwords:

vim /etc/ppp/chap-secrets

The format is client, server, secret, allowed IP addresses, one account per line:

# Secrets for authentication using CHAP
# client    server    secret    IP addresses
admin       *         admin     *

This line defines an account whose user name and password are both admin, and it can log in from any machine that can reach the server. Use it only to prove the tunnel works: the passwords in this file are stored in plaintext, so keep it at mode 0600, give each user a line of their own with a long random password, and remove admin/admin before exposing the VPN.
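Both secrets files above (the PSK in /etc/ipsec.secrets and the per-user passwords here) are plaintext credentials that every tutorial ships with placeholder values. The script below is an added example, not part of the original article: it generates a PSK and user passwords from /dev/urandom, writes both files in exactly the formats shown above with mode 0600, refuses admin/admin-style credentials, and replaces an existing line for the same user instead of duplicating it. File paths are parameters so the functions can be tried against temporary files first; function names, the 16-character minimum and the list of rejected defaults are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: generate the shared IPsec key
# and per-user L2TP passwords from /dev/urandom, write /etc/ipsec.secrets and
# /etc/ppp/chap-secrets in the formats the article shows, at mode 0600, and
# refuse the tutorial-style "admin/admin" credentials. File paths are
# parameters so the functions can be exercised against temporary files.

# gen_secret [LENGTH]: LENGTH random characters (default 32) drawn from
# [A-Za-z0-9], so the value needs no quoting in either file or on Windows.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

# weak_password USER PASS: returns 0 (true) when the password is one a
# reviewer would reject: shorter than 16, equal to the user name, or a
# well-known default.
weak_password() {
    if [ "${#2}" -lt 16 ] || [ "$2" = "$1" ]; then
        return 0
    fi
    case "$2" in
        admin|password|123456|YourPsk) return 0 ;;
    esac
    return 1
}

# write_ipsec_secrets PUBLIC_IP PSK FILE
# Writes the single line  <public ip> %any: PSK "<psk>"  and leaves the file
# readable by root only.
write_ipsec_secrets() {
    if weak_password ipsec "$2"; then
        echo "refusing weak PSK" >&2
        return 1
    fi
    (umask 077 && printf '%s %%any: PSK "%s"\n' "$1" "$2" > "$3") || return 1
    chmod 600 "$3"
}

# add_chap_user USER PASS FILE
# Appends  <user> * <pass> *  (client, server, secret, allowed IPs),
# replacing any existing line for the same user, and keeps mode 0600.
add_chap_user() {
    user="$1" pass="$2" file="$3"
    if weak_password "$user" "$pass"; then
        echo "refusing weak password for $user" >&2
        return 1
    fi
    case "$user$pass" in
        *[[:space:]]*|*\"*|*\#*)
            echo "user and password must not contain whitespace, quotes or #" >&2
            return 1 ;;
    esac
    tmp="$(mktemp "$file.XXXXXX")" || return 1
    if [ -f "$file" ]; then
        # keep comments and every other user's line (field 1 is the client name)
        awk -v u="$user" '$1 != u' "$file" > "$tmp"
    fi
    printf '%s * %s *\n' "$user" "$pass" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# provision_vpn_credentials PUBLIC_IP USER [IPSEC_FILE] [CHAP_FILE]
# Generates both secrets, writes both files and prints the values once so the
# operator can type them into the client; nothing is typed into shell history.
provision_vpn_credentials() {
    psk="$(gen_secret 32)"
    pass="$(gen_secret 24)"
    write_ipsec_secrets "$1" "$psk" "${3:-/etc/ipsec.secrets}" || return 1
    add_chap_user "$2" "$pass" "${4:-/etc/ppp/chap-secrets}" || return 1
    printf 'PSK=%s\nUSER=%s\nPASSWORD=%s\n' "$psk" "$2" "$pass"
}
```

On the server, source the file and run provision_vpn_credentials with the public IP and a user name; run add_chap_user again for each further user. Restart ipsec after changing the PSK (or run ipsec secrets) so pluto rereads /etc/ipsec.secrets; pppd reads chap-secrets on every login, so new users need no restart.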

8. Start the xl2tpd service

service xl2tpd start

Run chkconfig ipsec on and chkconfig xl2tpd on as well so both daemons come back after a reboot.

9. Open ports and enable forwarding

1. iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
2. iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
3. iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
4. iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

eth1 is the public interface of the author's VPS; use whichever interface carries your public address (often eth0). Rule 1 masquerades every outbound packet that is not covered by an IPsec policy, which is broader than this setup needs; rule 4 alone, limited to the client pool and the public interface, is sufficient. Note also that these rules do not accept IKE and NAT-T: if your INPUT chain rejects by default (the stock CentOS 6 ruleset ends INPUT and FORWARD with a REJECT rule), accept udp/500 and udp/4500 as well, and insert the rules ahead of that REJECT rather than appending after it, or they will never match.

Save the rules:

service iptables save
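The four commands above are the minimum for forwarding; a practitioner would also want the server to accept IKE and NAT-T, and to accept L2TP on udp/1701 only from inside an IPsec SA, so that nobody can reach xl2tpd with unencrypted L2TP. The script below is an added example, not part of the original article: vpn_iptables_rules prints the complete rule set as "table chain rule" lines for review, and apply_vpn_iptables_rules appends them (run it once, then service iptables save). The policy match (-m policy --dir in --pol ipsec) is a standard iptables module; the interface and client pool are parameters, and eth0 and 192.168.1.0/24 are assumed defaults. The tighter -o ppp+ on the return-traffic FORWARD rule is this example's choice, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: emit the firewall rules for
# the L2TP/IPsec server as a reviewable list, then apply them. Beyond the
# article's four rules it accepts IKE (udp/500) and NAT-T (udp/4500) in INPUT
# and admits L2TP (udp/1701) only when the packet arrived inside an IPsec SA,
# so nobody can talk plain L2TP to xl2tpd. Interface and client pool are
# parameters; eth0 and 192.168.1.0/24 are assumed defaults.

# vpn_iptables_rules [EXT_IF] [VPN_NET]
# Each output line is: <table> <chain> <rule arguments>
vpn_iptables_rules() {
    ext_if="${1:-eth0}"
    vpn_net="${2:-192.168.1.0/24}"
    cat <<EOF
filter INPUT -p udp --dport 500 -j ACCEPT
filter INPUT -p udp --dport 4500 -j ACCEPT
filter INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
filter INPUT -p udp --dport 1701 -j DROP
filter FORWARD -i ppp+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
nat POSTROUTING -s $vpn_net -o $ext_if -j MASQUERADE
EOF
}

# apply_vpn_iptables_rules [EXT_IF] [VPN_NET]
# Appends every rule in order; needs root, and is meant to be run once on a
# ruleset whose INPUT/FORWARD chains do not already end in a REJECT rule
# (CentOS 6's stock ruleset does; remove that rule first or use -I instead).
apply_vpn_iptables_rules() {
    while read -r table rest; do
        # $rest is deliberately unquoted so it splits into iptables arguments
        iptables -t "$table" -A $rest || return 1
    done <<EOF
$(vpn_iptables_rules "$1" "$2")
EOF
}
```

Review the printed list before applying it; with the DROP on udp/1701 in place, an L2TP client that is not also negotiating IPsec (a misconfigured Windows profile with the wrong PSK, for instance) is refused at the firewall instead of reaching xl2tpd.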

That completes the IPsec/xl2tpd server configuration; now test it from a client.

10. Test the connection from Windows 7

Open Network and Sharing Center, choose Set up a new connection or network, then Connect to a workplace, and create a VPN connection.

Click the network icon in the lower-right corner, right-click the VPN connection and open Properties:

1. General tab: the host name or address is the public IP address of the VPS.
2. Security tab: VPN type is Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
   Data encryption: Require encryption (disconnect if server declines).
   Advanced settings: Use preshared key for authentication.
   Key: YourPsk (the value set in /etc/ipsec.secrets).

Click OK, then enter the user name and password from chap-secrets to log in.
