Deploying an L2TP/IPsec VPN Service on CentOS 7

First install strongswan and xl2tpd:

yum install strongswan xl2tpd

Remember to enable IP forwarding: edit /etc/sysctl.conf as follows:

# enable IP forwarding (required for clients to reach anything beyond the server)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Then reboot for the settings to take effect. (Running sysctl -p should also work, but be sure to verify the result; if all else fails, reboot.)
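The post asks you to verify that the sysctl settings really took effect. The script below is an added example, not part of the original post: it checks a sysctl.conf-style file for the keys listed above and then checks the live values under /proc/sys, so "sysctl -p should also work" becomes a yes/no answer. It assumes net.ipv4.ip_forward=1 is among the required keys, since that is what "enable IP forwarding" means; the file path and the option names (--conf, --live, --all) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the sysctl
# settings for the VPN are present in the config file and active in the
# running kernel. Assumes the keys from the post plus net.ipv4.ip_forward=1.

REQUIRED_SYSCTLS="
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
"

# conf_value FILE KEY: print the last value assigned to KEY in a
# sysctl.conf-style file (comments and whitespace ignored); prints nothing
# when the key is absent.
conf_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# check_sysctl_conf FILE: return 0 when every required key carries the
# required value in FILE, 1 otherwise; each mismatch is reported on stderr.
check_sysctl_conf() {
    rc=0
    for entry in $REQUIRED_SYSCTLS; do
        key=${entry%%=*}
        want=${entry#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '${got:-unset}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_live_sysctl: the same check against /proc/sys, i.e. what the running
# kernel actually uses (run after 'sysctl -p' or after the reboot).
check_live_sysctl() {
    rc=0
    for entry in $REQUIRED_SYSCTLS; do
        key=${entry%%=*}
        want=${entry#*=}
        got=$(cat "/proc/sys/$(echo "$key" | tr . /)" 2>/dev/null || true)
        if [ "$got" != "$want" ]; then
            echo "live: $key is '${got:-unreadable}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use on the VPN host: check the file, the kernel, or both.
case "${1:-}" in
    --conf) check_sysctl_conf "${2:-/etc/sysctl.conf}" ;;
    --live) check_live_sysctl ;;
    --all)  check_sysctl_conf "${2:-/etc/sysctl.conf}" && check_live_sysctl ;;
esac
```

Run it as `sh check-sysctl.sh --all` after `sysctl -p`; a non-zero exit with the mismatches on stderr tells you exactly which key did not take, which is the case where the post suggests falling back to a reboot.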

Next, edit /etc/strongswan/ipsec.conf as follows:

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn l2tp
        # IKE version
        keyexchange=ikev1
        left=<public IP>
        leftsubnet=0.0.0.0/0
        leftprotoport=17/1701
        authby=secret
        leftfirewall=no
        right=%any
        rightprotoport=17/%any
        type=transport
        auto=add

Edit /etc/strongswan/ipsec.secrets (create it if it does not exist):

# ipsec.secrets - strongSwan IPsec secrets file
: PSK "<PSK>"

That completes the IPsec part; next is L2TP.

The [lns default] section of /etc/xl2tpd/xl2tpd.conf is as follows:

[lns default]
ip range = 10.10.0.2-10.10.0.100
local ip = 10.10.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
bps = 1000000

For the PPP part, only CHAP authentication is configured here.

/etc/ppp/options.xl2tpd

ms-dns  8.8.8.8
ms-dns  8.8.4.4
noccp
auth
crtscts
idle 600
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 2500

The credentials file /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
<user>          *       <password>              *

Also remember to open ports 500, 1701 and 4500 and to configure the iptables forwarding rules.
Note: if firewalld is not enabled, the command to add the forwarding rule is:

iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
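The post only gives the MASQUERADE line and leaves "open ports 500, 1701 and 4500" to the reader. The script below is an added example, not part of the original post, and goes a step further than the text: it prints (or applies) the complete rule set for the server. The interface (eth0) and client pool (10.10.0.0/24) are the post's values and are parameters here; all three ports are UDP, plain ESP is accepted for clients not behind NAT, and UDP/1701 is accepted only when the packet arrived inside an IPsec SA (the iptables policy match), so unencrypted L2TP from the internet is dropped rather than handed to xl2tpd. The option names --show and --apply are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: the full iptables rule set
# that the post describes in words. WAN interface and client pool are
# parameters; eth0 and 10.10.0.0/24 are the post's values.

# l2tp_fw_rules WAN_IF POOL_CIDR: print one iptables command per line.
l2tp_fw_rules() {
    wan=$1
    pool=$2
    cat <<EOF
iptables -A INPUT -i $wan -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $wan -p esp -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 1701 -j DROP
iptables -A FORWARD -i ppp+ -s $pool -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -d $pool -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}

# l2tp_fw_apply WAN_IF POOL_CIDR: execute the rules (root on the VPN host).
l2tp_fw_apply() {
    l2tp_fw_rules "$1" "$2" | sh -e
}

# Stand-alone use: review with --show, install with --apply.
case "${1:-}" in
    --show)  l2tp_fw_rules "${2:-eth0}" "${3:-10.10.0.0/24}" ;;
    --apply) l2tp_fw_apply "${2:-eth0}" "${3:-10.10.0.0/24}" ;;
esac
```

Review the output of `sh l2tp-fw.sh --show eth0 10.10.0.0/24` before running `--apply`; on CentOS 7 the rules can be persisted with `service iptables save` from the iptables-services package. Because ipsec.conf above sets leftfirewall=no, strongSwan adds no rules of its own, so this script is the only place the 1701 restriction is enforced.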

Then start the services:

systemctl start strongswan.service
systemctl start xl2tpd.service

When connecting, choose "L2TP/IPSec VPN with pre-shared keys"; the PSK is the <PSK> from the configuration file above, and the username and password are the ones in /etc/ppp/chap-secrets.


References:

http://qiaodahai.com/setup-l2tp-ipsec-vpn-on-centos.html

5 thoughts on “Deploying an L2TP/IPsec VPN Service on CentOS 7”

  1. Hello!
    I followed your method on Linode KVM (CentOS 7) and the setup succeeded; all clients can connect, but once connected to the VPN I cannot reach any website. Windows, Mac and Android all behave the same. Where might the problem be?

    1. Did the connection succeed? Did the client get an IP address? Were the routes pushed? Is the DNS configuration wrong?
      Please check these in order.

  2. Hi, starting the xl2tpd service on Linode fails for me. From what I found, the kernel supposedly does not support loading l2tp via modprobe. Is there any way to fix this other than switching kernels?
    [[email protected] ~]# service xl2tpd restart
    Redirecting to /bin/systemctl restart xl2tpd.service
    Job for xl2tpd.service failed because the control process exited with error code. See "systemctl status xl2tpd.service" and "journalctl -xe" for details.
    [[email protected] ~]# journalctl -xe
    Nov 07 12:40:31 li414-232.members.linode.com systemd[1]: xl2tpd.service holdoff time over, scheduling restart.
    Nov 07 12:40:31 li414-232.members.linode.com systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
    -- Subject: Unit xl2tpd.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    -- Unit xl2tpd.service has begun starting up.
    Nov 07 12:40:31 li414-232.members.linode.com systemd[1]: xl2tpd.service: control process exited, code=exited status=1
    Nov 07 12:40:31 li414-232.members.linode.com systemd[1]: Failed to start Level 2 Tunnel Protocol Daemon (L2TP).

    1. I had the same problem on CentOS 7. After looking it up, the cause is the kernel reloading l2tp_ppp; deleting "ExecStartPre=/sbin/modprobe -q l2tp_ppp" from xl2tpd.service fixes it. Also pay attention to the Restart setting.
      systemctl daemon-reload;systemctl start xl2tpd.
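The fix in the comment above edits the packaged unit file, which the next xl2tpd package update will overwrite. The script below is an added example, not the commenter's code: it applies the same change as a systemd drop-in under /etc/systemd/system, where it survives updates, and then reloads and restarts the service. It assumes the unit contains the ExecStartPre line quoted in the comment; an empty `ExecStartPre=` in a drop-in resets that list. The function names and the --install option are this example's own.

```shell
#!/bin/sh
# Added example, not from the commenter: clear xl2tpd's ExecStartPre via a
# drop-in instead of editing /usr/lib/systemd/system/xl2tpd.service.
# Assumes the unit carries "ExecStartPre=/sbin/modprobe -q l2tp_ppp".

# write_xl2tpd_override [SYSTEMD_DIR]: create the drop-in and print its path.
# SYSTEMD_DIR defaults to /etc/systemd/system; a different directory is only
# useful for inspecting the generated file.
write_xl2tpd_override() {
    base=${1:-/etc/systemd/system}
    dir=$base/xl2tpd.service.d
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
# Local override: this kernel has no l2tp_ppp module, so skip the modprobe
# that otherwise fails the unit. An empty ExecStartPre= resets the list
# inherited from the packaged unit file.
[Service]
ExecStartPre=
EOF
    echo "$dir/override.conf"
}

# override_is_effective FILE: return 0 when FILE clears ExecStartPre.
override_is_effective() {
    grep -qx 'ExecStartPre=' "$1"
}

# Stand-alone use on the host (as root): write, reload, restart, show status.
if [ "${1:-}" = "--install" ]; then
    f=$(write_xl2tpd_override)
    echo "wrote $f"
    systemctl daemon-reload
    systemctl restart xl2tpd.service
    systemctl --no-pager status xl2tpd.service
fi
```

Only use this where the module is genuinely absent, as in the Linode case above: on a host that does have l2tp_ppp, the override also stops the unit from loading it. `systemctl cat xl2tpd.service` shows the packaged unit together with the drop-in, which is the quickest way to confirm the override is being picked up.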
