How to build an L2TP/IPSec VPN on Ubuntu

Source: Internet
Author: User
Tags: iptables

1. L2TP (Layer 2 Tunneling Protocol) is an access method that requires certificates. You need to install a certificate server on the VPN server's intranet, have the VPN server trust that certificate authority, then publish the certificate server so that the certificate can be downloaded. The certificate must be downloaded and installed on the client before it connects to the VPN.

2. IPSec (Internet Protocol Security) is a smart-card access mode.

I have been using Linode for a while, and PPTP had always been my VPN for getting over the wall, although in practice I rarely used it. Recently I wanted to read the news on the iPad while staying in bed, and after looking into the options, everyone recommends using an L2TP/IPSec VPN instead.

After reading the setup guides on many blogs I thought it would be a simple task, but I ended up spending two nights on it. I am recording the steps of this ordeal here, which may save others some missteps.
 
The basic environment I set up is as follows:
Linode VPS
Ubuntu Server 12.04
Logged in as root
1. L2TP/IPSec basics
L2TP/IPSec is L2TP over IPSec: the VPN combines the L2TP protocol, which authenticates users and assigns intranet IP addresses, with the IPSec protocol, which encrypts the communication, to provide a complete point-to-site VPN solution.
If you are interested, see the Hillstone L2TP over IPSec VPN technical solution white paper. Not understanding the details will not affect the setup that follows.
 
2. IPSec deployment
2.1 Install IPSec
Openswan is generally used to implement IPSec. Many guides circulating on the Internet compile it from source, but when I tried that it still had problems, so take the easy route and install the latest release package:
apt-get install openswan
 
2.2 Modify the IPSec configuration file /etc/ipsec.conf
Parameter lines inside a section must be indented, otherwise openswan rejects the file.
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=<your Linode public IP address>
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
 
2.3 Set the PSK (pre-shared key)
Edit /etc/ipsec.secrets and insert the following line, replacing the placeholder with the server's public IPv4 address:
<server public IPv4 address> %any: PSK "wangyuxiong.com"
 
2.4 Adjust the system's network policy
Disable sending and accepting ICMP redirects on every interface:
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done

Copy the above loop in full into /etc/rc.local so that it takes effect every time the system starts.
 
2.5 Restart the IPSec service
service ipsec restart

2.6 Run ipsec verify. The result should look like this:
root@metaboy:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.13.7-x86_64-linode38 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'IP' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptable' command [OK]
Opportunistic Encryption Support [DISABLED]

3. L2TP deployment
3.1 Install L2TP
apt-get install xl2tpd

3.2 Edit the L2TP configuration file /etc/xl2tpd/xl2tpd.conf
Replace the file content with the following:
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 10.1.1.2-10.1.1.255
local ip = 10.1.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

 
4. Configure PPP
4.1 Install PPP
apt-get install ppp

4.2 Configure /etc/ppp/options.xl2tpd
Copy the sample configuration shipped with xl2tpd into our configuration directory:
cp /usr/share/doc/xl2tpd/examples/ppp-options.xl2tpd /etc/ppp/options.xl2tpd
Edit /etc/ppp/options.xl2tpd so that it contains the following:
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
name l2tpd
lock
proxyarp
connect-delay 5000

Note that the name value (l2tpd) is important: pppd uses it as the server name when looking up accounts, and it must be reused in the next step.
 
4.3 Add a user account. Accounts live in /etc/ppp/chap-secrets:
# Secrets for authentication using CHAP
# client    server  secret           IP addresses
user        l2tpd   wangyuxiong.com  *
The server column must match the name configured in step 4.2.

4.4 Restart xl2tpd
service xl2tpd restart
 
5. Forwarding settings
5.1 Enable IP forwarding
Edit /etc/sysctl.conf, find the line net.ipv4.ip_forward=1, remove the leading #, and run sysctl -p to make it take effect.

5.2 NAT for the client pool
Edit /etc/rc.local and add the following line so that it is applied at every boot:
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
Run the same iptables command once in the terminal to make the forwarding take effect immediately.

After completing these steps you can connect a client and enjoy your VPN.
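The steps above spread values that must agree across four files, and a mismatch is the usual reason a client authenticates but gets no traffic, or is rejected outright. As an added consistency check that is not part of the original post, this Python script cross-checks the pppd name against the chap-secrets server column and the xl2tpd address pool and local ip against the MASQUERADE source subnet; the sample strings are constructed from the values used in this post, and on a real server you would feed it the contents of the actual files.

```python
import ipaddress
import re

# Constructed samples (not the author's files) mirroring what steps
# 3.2, 4.2, 4.3 and 5.2 write to xl2tpd.conf, options.xl2tpd,
# chap-secrets and rc.local respectively.
OPTIONS_XL2TPD = "ms-dns 8.8.8.8\nauth\nname l2tpd\nnodefaultroute\n"
CHAP_SECRETS = "# client server secret IP addresses\nuser l2tpd wangyuxiong.com *\n"
XL2TPD_CONF = "[lns default]\nip range = 10.1.1.2-10.1.1.255\nlocal ip = 10.1.1.1\n"
NAT_RULE = "iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE"

def ppp_name(options):
    """The 'name' pppd option (the server column CHAP looks up), or None."""
    m = re.search(r"^name\s+(\S+)", options, re.M)
    return m.group(1) if m else None

def chap_servers(secrets):
    """Server column of every non-comment line in chap-secrets."""
    rows = (line.split("#")[0].split() for line in secrets.splitlines())
    return {row[1] for row in rows if len(row) >= 3}

def xl2tpd_value(conf, key):
    """Value of an xl2tpd.conf 'key = value' line, or None."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+?)\s*$", conf, re.M | re.I)
    return m.group(1) if m else None

def audit(options, secrets, xl2tpd, nat_rule):
    """Return human-readable findings; an empty list means the files agree."""
    findings = []
    name = ppp_name(options)
    if name not in chap_servers(secrets):
        findings.append(f"chap-secrets has no server entry matching name '{name}'")
    lo, hi = (ipaddress.ip_address(a) for a in xl2tpd_value(xl2tpd, "ip range").split("-"))
    local = ipaddress.ip_address(xl2tpd_value(xl2tpd, "local ip"))
    # The MASQUERADE source must cover every address pppd can hand out,
    # otherwise those clients get a tunnel but no route to the Internet.
    net = ipaddress.ip_network(re.search(r"-s\s+(\S+)", nat_rule).group(1))
    for label, ip in (("pool start", lo), ("pool end", hi), ("local ip", local)):
        if ip not in net:
            findings.append(f"{label} {ip} lies outside MASQUERADE source {net}")
    if lo <= local <= hi:
        findings.append(f"local ip {local} overlaps the client pool {lo}-{hi}")
    return findings

if __name__ == "__main__":
    print(audit(OPTIONS_XL2TPD, CHAP_SECRETS, XL2TPD_CONF, NAT_RULE) or "all consistent")
```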
