An earlier article covered setting up a PPTP VPN server on Ubuntu (see http://www.linuxidc.com/Linux/2014-07/104193.htm). PPTP is blocked or degraded on some networks, however, and its MS-CHAPv2 authentication is weak, so an L2TP/IPsec VPN is a better alternative where PPTP cannot be used normally.
Related articles:
- Ubuntu OpenVPN client configuration tutorial http://www.linuxidc.com/Linux/2013-06/86562.htm
- Building OpenVPN on Ubuntu 10.04 http://www.linuxidc.com/Linux/2012-11/74790.htm
- Ubuntu 13.04 VPN (OpenVPN) configuration and the problem of not being able to reach the internal and external networks at the same time http://www.linuxidc.com/Linux/2013-07/86899.htm
- How to build a secure remote network architecture with OpenVPN on Linux http://www.linuxidc.com/Linux/2013-11/92646.htm
Install the packages
- sudo apt-get install xl2tpd openswan ppp
IPsec/Openswan
Open /etc/ipsec.conf and configure it as follows:
```
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
        # These ranges are the private subnets remote clients may sit in
        # behind their NAT routers. The VPN's own client pool (10.152.2.0/24)
        # is excluded with "!" so it is never treated as a client-side network.
        oe=off
        protostack=netkey

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        # Apple iOS does not send a delete notification when it disconnects,
        # so dead peer detection is needed to notice clients that have gone away
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # ikelifetime and keylife match the default values of the Windows client
        ikelifetime=8h
        keylife=1h
        type=transport
        # Replace x.x with the server's own IP address (if the server sits
        # behind NAT, this is its private address, not the public one)
        left=x.x
        # L2TP port on the server side; updated Windows 2000/XP clients use this
        leftprotoport=17/1701
        # To support old clients, set leftprotoport=17/%any instead
        right=%any
        rightprotoport=17/%any
        # Force NAT-T (UDP) encapsulation on every connection, required for iOS
        forceencaps=yes
```
Note the layout of ipsec.conf: the section headers "config setup", "conn L2TP-PSK-NAT" and "conn L2TP-PSK-noNAT" must start at the beginning of the line, while every parameter line below them must be indented (the convention used here is 8 spaces; Openswan only requires that the line begin with whitespace). A parameter line that is not indented is parsed as the start of a new section and the configuration fails to load.
Open /etc/ipsec.secrets and configure:
- x.x %any: PSK "somegoodpassword"
Here x.x is replaced with the server's IP address, and "somegoodpassword" with a long, randomly generated pre-shared key. The PSK is shared by every client, and an attacker who captures the IKE exchange can attempt an offline dictionary attack against it, so a short human-chosen password is not adequate. The file should be readable by root only.
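The following script is an added example (not part of the original article) that generates a random pre-shared key and writes /etc/ipsec.secrets in the one-line form shown above, then checks the result. The function names, the SECRETS_FILE variable and the server address 203.0.113.5 used in the usage example are assumptions of this example; 203.0.113.5 is a documentation address, not the author's server.

```shell
#!/bin/sh
# Added example: generate a strong PSK and write /etc/ipsec.secrets for the
# "x.x %any: PSK "..."" line used in the article. Not from the article itself.
# SECRETS_FILE is an assumed variable so the functions can be pointed at a
# scratch file while testing.

SECRETS_FILE="${SECRETS_FILE:-/etc/ipsec.secrets}"

# 32 bytes from the kernel CSPRNG, base64-encoded (44 characters). The base64
# alphabet contains no quotes, so the key can be placed inside "..." as-is.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets SERVER_IP PSK [FILE]
# Writes the single secrets line; the file is created with umask 077 and then
# forced to mode 0600 in case it already existed with wider permissions.
write_secrets() {
    ip=$1; psk=$2; f=${3:-$SECRETS_FILE}
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$ip" "$psk" > "$f" ) || return 1
    chmod 600 "$f"
}

# check_secrets [FILE]
# Returns 0 if the file is mode 0600, contains exactly one PSK line, and the
# key is at least 32 characters long; otherwise prints why and returns 1.
check_secrets() {
    f=${1:-$SECRETS_FILE}
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f: mode is $mode, want -rw-------"; return 1; }
    n=$(grep -c ': PSK "' "$f" || true)
    [ "$n" -eq 1 ] || { echo "$f: expected one PSK line, found $n"; return 1; }
    key=$(sed -n 's/.*PSK "\([^"]*\)".*/\1/p' "$f")
    [ "${#key}" -ge 32 ] || { echo "$f: PSK is only ${#key} characters long"; return 1; }
}

# Usage (assumed): sh make-psk.sh 203.0.113.5
# Writes $SECRETS_FILE for server 203.0.113.5 and verifies it.
if [ "$#" -eq 1 ]; then
    write_secrets "$1" "$(gen_psk)" && check_secrets && echo "wrote $SECRETS_FILE"
fi
```

Run it once as root after installing Openswan, then restart the IPsec service so pluto re-reads the secrets file; the same PSK must be entered on every client.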
Start the IPsec service:
- sudo /etc/init.d/ipsec start
Run the following command to check whether IPsec is working properly:
- sudo ipsec verify
There should be no errors; the expected output looks like this:
```
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
```
The two ICMP redirect checks fail until send_redirects and accept_redirects are disabled on all interfaces, which the init script below takes care of; "Opportunistic Encryption Support [DISABLED]" is expected because oe=off was set above.
Create a file named ipsec.vpn under /etc/init.d with the following content:
```sh
#!/bin/sh
case "$1" in
    start)
        echo "Starting my IPsec VPN"
        # Masquerade traffic from the VPN client pool out of eth0
        iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
        # Enable IPv4 forwarding and disable ICMP redirects on every interface
        # (ipsec verify reports a failure if redirects are left enabled)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        for each in /proc/sys/net/ipv4/conf/*
        do
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
        done
        /etc/init.d/ipsec start
        /etc/init.d/xl2tpd start
        ;;
    stop)
        echo "Stopping my IPsec VPN"
        # Note: this flushes every rule in the nat table, not just the one added above
        iptables --table nat --flush
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /etc/init.d/ipsec stop
        /etc/init.d/xl2tpd stop
        ;;
    restart)
        echo "Restarting my IPsec VPN"
        # Note: this appends a second copy of the MASQUERADE rule on every restart
        iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_forward
        for each in /proc/sys/net/ipv4/conf/*
        do
            echo 0 > $each/accept_redirects
            echo 0 > $each/send_redirects
        done
        /etc/init.d/ipsec restart
        /etc/init.d/xl2tpd restart
        ;;
    *)
        echo "Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"
        exit 1
        ;;
esac
```
This configures NAT and IP forwarding for the VPN clients. Replace the client address pool 10.152.2.0/24 (and eth0, if your Internet-facing interface is named differently) with your own values; the pool must be the same one excluded in virtual_private above. Two caveats with the script as written: "stop" flushes the entire nat table, which also removes any unrelated NAT rules on the host, and "restart" appends another copy of the MASQUERADE rule each time it runs, so duplicates accumulate until the next "stop".
Make the file executable:
- sudo chmod 755 /etc/init.d/ipsec.vpn
Stop the default ipsec init script from running at boot:
- sudo update-rc.d -f ipsec remove
Then enable the custom one:
- sudo update-rc.d ipsec.vpn defaults
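As an added example (not the article's own script), the following is an idempotent rewrite of the start/stop logic of ipsec.vpn. It adds the MASQUERADE rule only if it is not already present (iptables -C), removes only that rule on stop instead of flushing the whole nat table, and re-checks the forwarding and ICMP redirect sysctls after setting them, which is the same check ipsec verify performs. The variable names VPN_POOL, VPN_OUT_IF and SYSCTL_BASE and the function names are assumptions of this example; the defaults match the values used in the article.

```shell
#!/bin/sh
# Added example: idempotent NAT and sysctl handling for an L2TP/IPsec VPN
# init script. Not from the original article. VPN_POOL, VPN_OUT_IF and
# SYSCTL_BASE are assumed names, overridable from the environment.

VPN_POOL="${VPN_POOL:-10.152.2.0/24}"        # address pool handed out to VPN clients
VPN_OUT_IF="${VPN_OUT_IF:-eth0}"             # interface that reaches the Internet
SYSCTL_BASE="${SYSCTL_BASE:-/proc/sys/net/ipv4}"

# nat_rule ACTION: run iptables on the one rule this script owns.
# ACTION is -A (append), -C (check for existence) or -D (delete).
nat_rule() {
    iptables -t nat "$1" POSTROUTING -o "$VPN_OUT_IF" -s "$VPN_POOL" -j MASQUERADE
}

# Add the MASQUERADE rule only if it is not already in place.
ensure_nat_rule() {
    nat_rule -C 2>/dev/null || nat_rule -A
}

# Delete every copy of the rule (an older script may have left duplicates),
# leaving any other nat rules on the host untouched.
remove_nat_rule() {
    while nat_rule -C 2>/dev/null; do
        nat_rule -D || return 1
    done
}

# Enable forwarding and disable ICMP redirects on all interfaces.
set_sysctls() {
    echo 1 > "$SYSCTL_BASE/ip_forward"
    for each in "$SYSCTL_BASE"/conf/*; do
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

# Return 0 only if forwarding is on and no interface accepts or sends
# ICMP redirects; print each offending setting otherwise.
check_sysctls() {
    rc=0
    [ "$(cat "$SYSCTL_BASE/ip_forward")" = "1" ] || { echo "ip_forward is not 1"; rc=1; }
    for each in "$SYSCTL_BASE"/conf/*; do
        for key in accept_redirects send_redirects; do
            if [ "$(cat "$each/$key")" != "0" ]; then
                echo "$each/$key is not 0"
                rc=1
            fi
        done
    done
    return $rc
}

main() {
    case "$1" in
        start)
            echo "Starting my IPsec VPN"
            set_sysctls && check_sysctls || exit 1
            ensure_nat_rule
            /etc/init.d/ipsec start
            /etc/init.d/xl2tpd start
            ;;
        stop)
            echo "Stopping my IPsec VPN"
            /etc/init.d/xl2tpd stop
            /etc/init.d/ipsec stop
            remove_nat_rule
            echo 0 > "$SYSCTL_BASE/ip_forward"
            ;;
        restart)
            main stop
            main start
            ;;
        *)
            echo "Usage: $0 {start|stop|restart}"
            exit 1
            ;;
    esac
}

# Only act when invoked with an argument (the init system passes start/stop/restart).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because "restart" is implemented as stop followed by start, it can be run repeatedly without leaving extra rules behind, and a failed sysctl check aborts the start before the daemons are launched rather than silently bringing up a VPN whose clients cannot reach anything.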
The remaining steps (xl2tpd and PPP configuration) continue on the next page: http://www.linuxidc.com/Linux/2014-07/104263p2.htm