Install an L2TP VPN server on a Linode VPS

Source: Internet
Author: User
The OpenVPN service I had deployed on Linode stopped working after I migrated the instance to Tokyo. I spent some time reconfiguring it afterwards, but there was still a connection problem and I still could not reach the Internet (Editor's note: once L2TP is configured, not being able to reach the Internet is basically a routing problem; make sure that is what you are fixing). Since the iPad only supports L2TP, I took the time to write this up.
I have to say I was lucky: I found a very good summary article on building an L2TP/IPsec VPN on Linode. It not only covered the problems I had run into, but also linked to other detailed tutorials, which was quite convenient.

1) Install IPsec
On Ubuntu this is a one-liner:
sudo apt-get install openswan

2) Configure the IPsec connection
Edit /etc/ipsec.conf and replace %YOUR.SERVER.IP.ADDRESS% with your server's public address.
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%YOUR.SERVER.IP.ADDRESS%
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

3) Configure the IPsec pre-shared key
Edit /etc/ipsec.secrets and replace %YOUR.SERVER.IP.ADDRESS% with your server address. Foreign forums also mention the second form below, which avoids problems when the server address does not match exactly.
%YOUR.SERVER.IP.ADDRESS% %any: PSK "YourSharedSecret"
: PSK "YourSharedSecret"

4) Change the packet forwarding settings
Run the following commands:
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -p
ipsec verify   # checks the configuration
Then restart the IPsec service:
sudo /etc/init.d/ipsec restart

5) Install and configure xl2tpd
Once again I admire how convenient Ubuntu is:
sudo apt-get install xl2tpd
Edit /etc/xl2tpd/xl2tpd.conf:
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
; require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

6) Install and configure ppp
sudo apt-get install ppp
Edit or create /etc/ppp/options.xl2tpd. Note that Google's public DNS is used here.
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Add a VPN user by editing /etc/ppp/chap-secrets:
# user      server    password        ip
xiuxiu      l2tpd     testpassword    *
Restart xl2tpd:
sudo /etc/init.d/xl2tpd restart

7) Set up iptables packet forwarding
Run the following command:
iptables --table nat --append POSTROUTING --jump MASQUERADE

8) Set up the startup script
The IP routing and forwarding settings are lost when the server reboots, so add them to the startup script. Edit /etc/rc.local:
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done
/etc/init.d/ipsec restart
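Steps 1 to 8 above are one procedure, so here is the whole thing as a single script. It is an added example, not code from the original article: it renders /etc/ipsec.conf, /etc/ipsec.secrets and the chap-secrets line from a few variables, applies the forwarding settings, and adds the NAT rule. It goes a little beyond the article in three places, each a choice of mine: the NAT rule is narrowed to the VPN pool (10.1.2.0/24, matching the xl2tpd.conf range) and the egress interface rather than masquerading everything; the pre-shared key is rejected if it is short or is the placeholder, because the PSK is the only thing protecting IKE from anyone who can reach UDP/500; and the two secrets files get mode 600. It also folds in the leftnexthop and dpd* settings from the problem summary below, reading the gateway and interface from the default route. It assumes the openswan, xl2tpd and ppp packages are already installed and that xl2tpd.conf and options.xl2tpd are already written as in steps 5 and 6; the hypothetical names (check_psk, render_ipsec_conf, nat_rule, apply_all) are mine. Nothing on the system is touched unless the script is run as root with `apply` as the first argument.

```shell
#!/bin/sh
# Added example (not from the original article). Renders and applies the
# L2TP/IPsec server configuration described in steps 1-8.
# Usage: sh l2tp-setup.sh apply <server_ip> <psk> <vpn_user> <vpn_password>

VPN_POOL_NET="10.1.2.0/24"   # covers the xl2tpd "ip range" 10.1.2.2-10.1.2.255

# Reject weak pre-shared keys: anything under 20 characters or containing
# an obvious placeholder word. Returns 0 when the key is acceptable.
check_psk() {
    psk="$1"
    [ "${#psk}" -ge 20 ] || return 1
    case "$psk" in
        *YourSharedSecret*|*password*|*secret*) return 1 ;;
    esac
    return 0
}

# /etc/ipsec.conf, with leftnexthop set to the default gateway (the fix for
# "No route to host") and the dpd* options (the fix for "Maximum retries").
render_ipsec_conf() {
    server_ip="$1"; gateway_ip="$2"
    cat <<EOF
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$server_ip
    leftnexthop=$gateway_ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF
}

# /etc/ipsec.secrets in the "match any peer" form from step 3.
render_ipsec_secrets() {
    printf ': PSK "%s"\n' "$1"
}

# One /etc/ppp/chap-secrets line: user, server name (from options.xl2tpd), password, ip.
render_chap_secret() {
    printf '%s\tl2tpd\t"%s"\t*\n' "$1" "$2"
}

# iptables arguments for a NAT rule limited to the VPN pool and egress interface.
nat_rule() {
    printf -- '--table nat --append POSTROUTING --source %s --out-interface %s --jump MASQUERADE' \
        "$VPN_POOL_NET" "$1"
}

# Gateway and interface of the default route ("default via <gw> dev <iface> ...").
default_gateway() { ip route show default | awk '{print $3; exit}'; }
default_iface()   { ip route show default | awk '{print $5; exit}'; }

apply_all() {
    server_ip="$1"; psk="$2"; user="$3"; pass="$4"
    check_psk "$psk" || { echo "refusing weak pre-shared key" >&2; return 1; }
    gw=$(default_gateway); iface=$(default_iface)
    render_ipsec_conf "$server_ip" "$gw" > /etc/ipsec.conf
    render_ipsec_secrets "$psk" > /etc/ipsec.secrets
    chmod 600 /etc/ipsec.secrets
    render_chap_secret "$user" "$pass" >> /etc/ppp/chap-secrets
    chmod 600 /etc/ppp/chap-secrets
    for each in /proc/sys/net/ipv4/conf/*; do       # step 4
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # shellcheck disable=SC2046  (word splitting of the rule is intended)
    iptables $(nat_rule "$iface")                    # step 7
    /etc/init.d/ipsec restart
    /etc/init.d/xl2tpd restart
}

if [ "${1:-}" = "apply" ]; then
    apply_all "$2" "$3" "$4" "$5"
fi
```

The same `apply_all` body (minus the file rendering) is what belongs in /etc/rc.local for step 8; the rendered files survive a reboot, the sysctl and iptables state does not. To preview the generated ipsec.conf without touching anything, source the script and call `render_ipsec_conf 203.0.113.10 203.0.113.1`.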

Problem summary
Ubuntu openswan: errno 111, origin ICMP type 3 code 3 (not authenticated)
This was my own problem. After being stuck on it for a long time, it turned out that the latest openswan package for Ubuntu has a bug that conflicts with the latest Linux kernel. Download the older openswan_2.6.32-1xelerance1_i386.deb from the openswan website and install it instead.
ERROR: asynchronous network error report on eth0 (sport=4500) for message to your.client.ip.address port 4500, complainant your.server.ip.address: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Add leftnexthop=your.server.gateway.ip to the connection in /etc/ipsec.conf.
The remote system is required to authenticate itself
pppd[4407]: but I couldn't find any suitable secret (password) for it to use to do so.

This is because the password in l2tp-secrets is not used during authentication (as for why, I don't understand it; please explain if you know). The password that is used is the PPP one (L2TP/IPsec, like PPTP, also authenticates through PPP), so you need to set a password in /etc/ppp/chap-secrets (for details, see how to set up a PPTP VPN above).
xl2tpd[4062]: Maximum retries exceeded for tunnel 44651. Closing.
Add the following to the connection in /etc/ipsec.conf:
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear