Install L2TP/IPsec VPN on CentOS 7

Source: Internet
Author: User

1. Install the packages required by L2TP/IPsec

yum install epel-release

yum install openswan xl2tpd ppp lsof

The IKE daemon you end up with on CentOS 7 is Libreswan (the ipsec verify output in step 2.5 reports "Libreswan 3.8"); if yum cannot find an openswan package, install libreswan instead. The ipsec.conf below is accepted by both.

2. Configure IPsec
2.1 Edit /etc/ipsec.conf

vi /etc/ipsec.conf

Replace xxx.xxx.xxx.xxx in the left= line with the fixed public IP address of your host. Leave everything else as it is. The option lines inside each section must stay indented: the parser treats an unindented line as the start of a new section.

config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=xxx.xxx.xxx.xxx
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

virtual_private lists the address ranges a client may sit behind when it connects through NAT. The RFC 1918 ranges, 100.64.0.0/10 (carrier-grade NAT) and the IPv6 ULA and link-local ranges are the ones that matter; 25.0.0.0/8 is public address space that is often copied into these configs by mistake and can be removed. authby=secret selects pre-shared-key authentication, and type=transport is what L2TP/IPsec clients (Windows, macOS, iOS, Android) expect.

2.2 Edit /etc/ipsec.secrets

vi /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets

By default /etc/ipsec.secrets already contains this include line, so you can simply create your own *.secrets file under /etc/ipsec.d/. Alternatively, comment the include out and put the PSK line directly into /etc/ipsec.secrets.

vi /etc/ipsec.d/my.secrets

xxx.xxx.xxx.xxx %any: PSK "YourPsk"

Replace xxx.xxx.xxx.xxx with the fixed public IP address of your VPS and YourPsk with the pre-shared key clients will enter when they connect. Keep the spaces exactly as shown (one between the address and %any, one after the colon). Every client shares this one key and a captured IKE exchange can be brute-forced offline, so use a long random value rather than a short word like "kuaile", and keep the file readable by root only (chmod 600).

2.3 Modify/add settings in /etc/sysctl.conf

vi /etc/sysctl.conf

Make sure that all of the following keys are present with these values. The simplest way is to paste the block at the end of /etc/sysctl.conf. Replace eth0 with the name of your host's public interface if it differs (ip addr shows it); rp_filter must be off on that interface, otherwise the kernel drops the decapsulated packets as spoofed.

net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

2.4 Apply the modified sysctl.conf

sysctl -p

2.5 Start IPsec and verify its status

ipsec setup start

On CentOS 7 the same can be done with systemctl start ipsec.

ipsec verify

If the output looks like the following, with no red [FAILED] entries, you are not far from success:

[root@Centos7 ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.8 (netkey) on 3.10.0-123.9.3.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking NAT and MASQUERADEing                          [test incomplete]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]
[root@Centos7 ~]#

"Checking NAT and MASQUERADEing [test incomplete]" is not a failure: verify could not fully test the NAT setup because the MASQUERADE rule is only added in step 4. If Pluto is reported as not listening on udp 500/4500, the service is not running or another IKE daemon holds the ports.
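Two of the steps above are easy to get subtly wrong: a sysctl key that is missing or overridden later in the file, and a pre-shared key that is too short. The following script is an added example, not code from the original article. It checks a sysctl.conf-style file for the exact keys and values of step 2.3 and writes the one-line PSK entry of step 2.2 with a randomly generated key and root-only permissions. WAN_IF, the function names, the IP 203.0.113.10 and the temporary-directory demo at the bottom are this example's own assumptions; nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the sysctl values
# required in step 2.3 and generate a strong PSK entry for step 2.2.
# WAN_IF, the function names and the demo paths are assumptions.

WAN_IF="${WAN_IF:-eth0}"      # public interface, the article's eth0 line

# key=value pairs from step 2.3, one per line
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.${WAN_IF}.rp_filter=0
net.ipv4.conf.default.rp_filter=0"

# check_sysctl_file FILE
# Prints each required key that is missing from FILE or set to another value
# and returns 1 if any were found, 0 if the file is complete. Comments and
# blank lines are ignored and the last assignment of a key wins, which is
# also how sysctl -p applies the file.
check_sysctl_file() {
    file="$1"; bad=0
    for want in $REQUIRED_SYSCTL; do
        key="${want%%=*}"; val="${want#*=}"
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$file" | tail -n 1)
        if [ "$have" != "$val" ]; then
            printf '%s: want %s, have %s\n' "$key" "$val" "${have:-<unset>}"
            bad=1
        fi
    done
    return "$bad"
}

# gen_psk [BYTES]
# Prints BYTES random bytes as hex (default 32 bytes = 64 hex characters).
# A short word such as the article's "kuaile" can be guessed offline from a
# single captured IKE exchange; 256 bits of randomness cannot.
gen_psk() {
    head -c "${1:-32}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_psk_secret FILE SERVER_IP PSK
# Writes the single PSK line in the format of step 2.2 and makes the file
# root-only. SERVER_IP gets a simple dotted-quad sanity check and the PSK may
# not contain quotes or whitespace, so a stray character cannot change how
# pluto parses the line.
write_psk_secret() {
    file="$1"; ip="$2"; psk="$3"
    case "$ip" in
        ""|*[!0-9.]*) echo "bad server IP: $ip" >&2; return 1 ;;
    esac
    case "$psk" in
        ""|*'"'*|*[[:space:]]*) echo "PSK must be non-empty, no quotes or spaces" >&2; return 1 ;;
    esac
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$ip" "$psk" > "$file" )
    chmod 600 "$file"
}

# Demonstration on constructed input in a temporary directory; nothing under
# /etc is touched. The rp_filter line for the interface is deliberately wrong.
demo=$(mktemp -d)
cat > "$demo/sysctl.conf" <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.${WAN_IF}.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
EOF
check_sysctl_file "$demo/sysctl.conf" || echo "fix the keys listed above, then run sysctl -p"
write_psk_secret "$demo/my.secrets" 203.0.113.10 "$(gen_psk)"
cat "$demo/my.secrets"
```

To use it on a real host, point check_sysctl_file at /etc/sysctl.conf and write_psk_secret at /etc/ipsec.d/my.secrets with your public address; the generated key is what you paste into the clients.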

3. Configure L2TP
3.1 Edit /etc/xl2tpd/xl2tpd.conf

vim /etc/xl2tpd/xl2tpd.conf

In this file a semicolon (;) starts a comment, unlike most configuration files, which use #. Replace xxx.xxx.xxx.xxx in listen-addr with your host's public IP address. ip range is the pool of tunnel addresses handed to VPN clients and local ip is the server's own address on the tunnel; the iptables rules in step 4 refer to the same 10.0.10.0/24 network, so change both places if you pick another range.

[global]
ipsec saref = yes
listen-addr = xxx.xxx.xxx.xxx
;
; use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
;
; saref refinfo = 30
;
force userspace = yes
;
; debug tunnel = yes

[lns default]
; addresses handed to VPN clients
ip range = 10.0.10.2-10.0.10.100
; the VPN server's address on the tunnel
local ip = 10.0.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

3.2 Edit /etc/ppp/options.xl2tpd

vi /etc/ppp/options.xl2tpd

name l2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
ipcp-accept-local
ipcp-accept-remote
# ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

name l2tpd is the server name pppd uses when it looks up an account, so the server column of chap-secrets must be either l2tpd or *. require-mschap-v2 together with refuse chap/refuse pap above means clients must authenticate with MS-CHAPv2, a challenge-response exchange that never carries the password itself. The ms-dns lines are the resolvers pushed to clients and can be replaced with your own; mtu/mru 1410 leave room for the L2TP, UDP and ESP headers added on top of each packet.

3.3 Configure user names and passwords: edit /etc/ppp/chap-secrets

vim /etc/ppp/chap-secrets

Fill in the client name and secret yourself and leave * in the server and IP address columns. The server column may also be l2tpd, the name set in options.xl2tpd; * matches any server name. The four columns are separated by whitespace. The file holds passwords in clear text, so it must be readable by root only (chmod 600).

# Secrets for authentication using CHAP
# client    server    secret      IP addresses
username    *         userpass    *

3.4 Start xl2tpd

service xl2tpd start
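The chap-secrets entry and the name line in options.xl2tpd have to agree, and the file is easy to damage by hand (a duplicated user name, a password with a space in it). The script below is an added example and not code from the original article: it adds accounts to a chap-secrets file in the four-column form shown above, refuses entries that pppd would parse differently, and checks every entry's server column against the name pppd was given. The function names, the user names alice/bob/carol and the temporary-directory demo are this example's own; nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not part of the original article: manage chap-secrets
# entries for the L2TP users and verify them against options.xl2tpd.
# A server column that matches neither "*" nor pppd's "name" is the usual
# cause of an "authentication failed" after IPsec itself came up fine.
# Function names and the demo data below are assumptions.

# chap_server_name OPTIONS_FILE
# Prints the value of the "name" option (the article sets "name l2tpd"),
# or * if the file does not set one.
chap_server_name() {
    n=$(sed -n 's/^[[:space:]]*name[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${n:-*}"
}

# chap_has_user CHAP_FILE USER
# Returns 0 if USER appears in the client column of a non-comment entry.
chap_has_user() {
    awk -v u="$2" '$0 !~ /^[ \t]*#/ && NF >= 3 && $1 == u { found = 1 } END { exit !found }' "$1"
}

# chap_add_user CHAP_FILE USER SECRET [SERVER] [IP]
# Appends one "client server secret ip" line. Duplicate client names are
# refused because pppd takes the first match and the new password would be
# silently ignored; whitespace or quotes are refused because they change
# how pppd tokenises the line.
chap_add_user() {
    f="$1"; u="$2"; s="$3"; srv="${4:-*}"; ip="${5:-*}"
    [ -n "$u" ] && [ -n "$s" ] || { echo "user and secret are required" >&2; return 1; }
    case "$u$s$srv" in
        *[[:space:]]*|*'"'*) echo "no whitespace or quotes in user, secret or server" >&2; return 1 ;;
    esac
    if [ -f "$f" ] && chap_has_user "$f" "$u"; then
        echo "user $u already exists in $f" >&2; return 1
    fi
    ( umask 077; printf '%s\t%s\t%s\t%s\n' "$u" "$srv" "$s" "$ip" >> "$f" )
    chmod 600 "$f"    # passwords are stored in clear text: root-only
}

# chap_check CHAP_FILE OPTIONS_FILE
# Prints every entry whose server column is neither * nor the pppd name and
# returns 1 if any exist; such entries can never match a login.
chap_check() {
    want=$(chap_server_name "$2")
    awk -v want="$want" '
        /^[ \t]*#/ || NF < 3 { next }
        $2 != "*" && $2 != want {
            printf "user %s: server \"%s\" will never match pppd name \"%s\"\n", $1, $2, want
            bad = 1
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Demonstration with constructed data in a temporary directory; nothing under
# /etc is touched. carol's entry carries a server name that does not match.
demo=$(mktemp -d)
printf 'name l2tpd\nrequire-mschap-v2\n' > "$demo/options.xl2tpd"
chap_add_user "$demo/chap-secrets" alice "$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')"
chap_add_user "$demo/chap-secrets" bob   "$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')" l2tpd
chap_add_user "$demo/chap-secrets" carol "$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')" vpnserver
cat "$demo/chap-secrets"
chap_check "$demo/chap-secrets" "$demo/options.xl2tpd" || echo "fix the entries above before connecting"
```

Run chap_check against /etc/ppp/chap-secrets and /etc/ppp/options.xl2tpd after every edit; xl2tpd and pppd read chap-secrets on each connection, so no restart is needed for new users.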

4. Open ports and enable forwarding

Run all of the following commands as they are (replace eth0 with your public interface if it differs):

/sbin/iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A FORWARD -d 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE

udp/500 and udp/4500 carry IKE and NAT-T, esp is the encrypted tunnel traffic, and udp/1701 is L2TP. The first rule accepts L2TP only when the packet arrived inside an IPsec SA (-m policy --pol ipsec); the second accepts udp/1701 from anywhere, which lets a client set up L2TP with no IPsec at all. Keep the second rule only if you deliberately want to allow plain L2TP; otherwise leave it out so that the pre-shared key is always required. The MASQUERADE rule gives the 10.0.10.0/24 clients Internet access through the server's address.

Then save the rules:

service iptables save

service iptables restart

CentOS 7 ships firewalld rather than the iptables service. These two commands need the iptables-services package (yum install iptables-services), and firewalld must be stopped and disabled, otherwise it overwrites the rules at the next reload.

Enable both daemons at boot:

systemctl enable ipsec

systemctl enable xl2tpd

If the connection fails, stop the firewall with service iptables stop and try again. If it connects now, the iptables rules are the problem.

Pay special attention to the order of the rules: the REJECT in INPUT and FORWARD must be written last, because iptables stops at the first matching rule, so every port opened by a rule placed after the REJECT is still rejected.
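The ordering mistake described above is easy to make when rules are added by hand over time. The script below is an added example, not code from the original article: it reads a list of iptables commands in the form used on this page (or the "-A CHAIN ..." lines printed by iptables-save) and reports any ACCEPT rule that sits behind an unconditional REJECT or DROP in the same chain. It also flags an INPUT rule that accepts udp/1701 without the -m policy --pol ipsec match, since that admits L2TP outside the tunnel. The function name and the sample rule set are this example's own; it never calls iptables itself.

```shell
#!/bin/sh
# Added example, not part of the original article: check iptables rules for
# ACCEPT rules that can never match because an unconditional REJECT/DROP
# precedes them in the same chain, and for udp/1701 accepted without IPsec.
# The function name and the sample rules are assumptions.

# check_rule_order RULES_TEXT
# Reads one iptables command or "-A CHAIN ..." line per line, prints each
# problem with its 1-based line number and returns 1 if any was found.
# Lines for the nat table (either "-t nat" or under a "*nat" iptables-save
# header) are skipped, as are -F/-Z/-P and other non -A lines.
check_rule_order() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }            # iptables-save table header
        {
            line = $0
            sub(/^.*iptables[ \t]+/, "", line)            # drop "/sbin/iptables " prefix
            if (line !~ /^-A / || line ~ / -t nat/ || table == "nat") next
            split(line, f, " ")
            chain = f[2]
            # "-A CHAIN -j REJECT ..." or "-A CHAIN -j DROP": no match options at all
            if (f[3] == "-j" && (f[4] == "REJECT" || f[4] == "DROP")) {
                if (!(chain in closed)) { closed[chain] = NR; target[chain] = f[4] }
            } else if ((chain in closed) && line ~ /-j ACCEPT/) {
                printf "line %d: %s ACCEPT rule is unreachable, unconditional %s at line %d\n", NR, chain, target[chain], closed[chain]
                bad = 1
            }
            if (chain == "INPUT" && line ~ /--dport 1701/ && line ~ /-j ACCEPT/ && line !~ /--pol ipsec/) {
                printf "line %d: udp/1701 accepted without -m policy --pol ipsec (plain L2TP allowed)\n", NR
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Demonstration: the article's INPUT rules with the REJECT written too early.
# This is a constructed sample, not a live rule set.
sample='/sbin/iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE'
check_rule_order "$sample" || echo "reorder the rules: the REJECT belongs at the end of the chain"
```

On a live host, feed it the output of iptables-save (check_rule_order "$(iptables-save)") before running service iptables save, or run it over your own rule script.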

The following is my own iptables script for your reference.

#!/bin/bash

# INPUT: flush, zero counters, then allow only what is listed; the final
# REJECT makes the chain default-deny even though the policy is ACCEPT.
/sbin/iptables -F INPUT
/sbin/iptables -Z INPUT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
# tcp/1723 and GRE are for PPTP, not needed for L2TP/IPsec
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1723 -j ACCEPT
/sbin/iptables -A INPUT -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# L2TP/IPsec: L2TP inside IPsec, plain L2TP, IKE, NAT-T, ESP
/sbin/iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

# FORWARD: traffic between the VPN clients (10.0.10.0/24 on ppp+) and the
# Internet; the REJECT again comes last.
/sbin/iptables -F FORWARD
/sbin/iptables -Z FORWARD
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
#/sbin/iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A FORWARD -d 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# OUTPUT: everything allowed except invalid state
/sbin/iptables -F OUTPUT
/sbin/iptables -Z OUTPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

# NAT: masquerade VPN clients behind the public interface
/sbin/iptables -F -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE

The tcp/1723 and gre rules only matter if the same host also runs a PPTP server; for a pure L2TP/IPsec setup they can be removed. The same remark as in step 4 applies to the unconditional udp/1701 ACCEPT: drop it if L2TP should only ever be reachable inside IPsec.
