{"id":1737,"date":"2019-12-27T17:56:33","date_gmt":"2019-12-27T09:56:33","guid":{"rendered":"http:\/\/www.laihp.top\/zqb\/?p=1737"},"modified":"2019-12-27T18:02:13","modified_gmt":"2019-12-27T10:02:13","slug":"ubuntu-16-04-%e9%85%8d%e7%bd%ae-l2tp-over-ipsec-vpn-%e6%9c%8d%e5%8a%a1%e5%99%a8","status":"publish","type":"post","link":"https:\/\/www.laihp.top\/zqb\/?p=1737","title":{"rendered":"Ubuntu 16.04: Configuring an L2TP over IPSec VPN Server"},"content":{"rendered":"<blockquote><p><strong>VPN<\/strong> stands for Virtual Private Network. Simply put, it builds a <strong>virtual<\/strong> <strong>private link<\/strong> over a public network, through which you can join a remote private network environment. It is therefore commonly used to let employees access the corporate intranet securely from outside the office.<br \/>\nCreating the private link relies on <strong>tunneling<\/strong> techniques; the protocols involved include the <strong>Point-to-Point Tunneling Protocol (PPTP)<\/strong>, the <strong>Layer 2 Tunneling Protocol (L2TP)<\/strong> and others. macOS no longer supports PPTP-type VPNs.<\/p><\/blockquote>\n<h5 id=\"\u4e00\u3001\u5b89\u88c5\u8f6f\u4ef6\u5305\">I. Install the packages<\/h5>\n<pre class=\"pure-highlightjs\"><code class=\"null\">sudo apt-get install strongswan xl2tpd ppp lsof<\/code><\/pre>\n<p>IPSec is an encryption and authentication standard used when building a secure VPN, and strongSwan is an IKE daemon with full support for IKEv1 and IKEv2.<\/p>\n<h5 id=\"\u4e8c\u3001\u4fee\u6539\u914d\u7f6e\u6587\u4ef6\">II. Edit the configuration files<\/h5>\n<h6 id=\"1-\u4fee\u6539\u7cfb\u7edf\u8f6c\u53d1\u914d\u7f6e\">1. Change the system forwarding settings<\/h6>\n<p><strong>Append the following to the end of <code>\/etc\/sysctl.conf<\/code><\/strong>:<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.icmp_ignore_bogus_error_responses = 1<\/code><\/pre>\n<\/figure>\n<p><strong>Apply the settings<\/strong>:<\/p>\n<pre class=\"pure-highlightjs\"><code class=\"null\">sudo sysctl -p<\/code><\/pre>\n<h6 id=\"2-\u914d\u7f6e-strongswan-IPSec\">2. Configure strongswan (IPSec)<\/h6>\n<p><strong>Append the following to the end of <code>\/etc\/ipsec.conf<\/code><\/strong>:<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">version 2\n\nconfig setup\nconn L2TP-PSK-noNAT\n    authby=secret\n    # shared secret. Use rsasig for certificates.\n\n    auto=add\n    # the conn is loaded when the ipsec daemon starts; the client initiates the tunnel (auto=start would initiate from this side).\n\n    keyingtries=3\n    # Only negotiate a conn. 3 times.\n\n    ikelifetime=8h\n    keylife=1h\n\n    ike=aes256-sha1,aes128-sha1,3des-sha1\n\n    type=transport\n    # because we use l2tp as tunnel protocol\n\n    left=%any\n    # IP address of the VPN server; '%any' means any address\n\n    leftprotoport=17\/1701\n    right=%any\n    rightprotoport=17\/%any\n\n    dpddelay=10\n    # Dead Peer Detection (RFC 3706) keepalives delay\n    dpdtimeout=20\n    # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.\n    dpdaction=clear\n    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.<\/code><\/pre>\n<\/figure>\n<p><strong>Configure the pre-shared key in <code>\/etc\/ipsec.secrets<\/code><\/strong>:<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">%any : PSK \"PASSWORD\"<\/code><\/pre>\n<\/figure>\n<p><code>%any<\/code> applies to any server address; <code>PASSWORD<\/code> must be replaced with a sufficiently long, secure passphrase.<\/p>\n<h6 id=\"3-\u914d\u7f6e-xl2tpd\">3. Configure xl2tpd<\/h6>\n<p><strong>Append the following to the end of <code>\/etc\/xl2tpd\/xl2tpd.conf<\/code><\/strong>:<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">[global]\nipsec saref = yes\nsaref refinfo = 30\n\n;debug avp = yes\n;debug network = yes\n;debug state = yes\n;debug tunnel = yes\n\n[lns default]\nip range = 192.168.100.100 - 192.168.100.200\nlocal ip = 192.168.100.1\nrefuse pap = yes\nrequire authentication = yes\n;ppp debug = yes\npppoptfile = \/etc\/ppp\/options.xl2tpd\nlength bit = yes<\/code><\/pre>\n<\/figure>\n<p><code>local ip<\/code> is the <strong>gateway<\/strong> of the VPN's virtual network, and <code>ip range<\/code> is the pool of IP addresses clients can be assigned when they connect to the VPN server.<br \/>\n<strong>Add the following to <code>\/etc\/ppp\/options.xl2tpd<\/code><\/strong>:<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">require-mschap-v2\nms-dns 192.168.0.50\nms-dns 114.114.114.114\nauth\nmtu 1200\nmru 1000\ncrtscts\nhide-password\nmodem\nname l2tpd\nproxyarp\nlcp-echo-interval 30\nlcp-echo-failure 4<\/code><\/pre>\n<\/figure>\n<p>Change <strong>ms-dns<\/strong> to the DNS servers the VPN clients should use.<\/p>\n<h6 id=\"4-\u6dfb\u52a0\u7528\u6237\">4. Add users<\/h6>\n<p><strong>Edit <code>\/etc\/ppp\/chap-secrets<\/code><\/strong>:<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">starky l2tpd password1 *\nbob l2tpd password2 *<\/code><\/pre>\n<\/figure>\n<p>The format is: username, service, password, allowed IP.<\/p>\n<blockquote><p>Once the configuration above is complete, restart the services and clients will be able to connect. At this point, however, the VPN cannot yet be used to reach the Internet; IP forwarding still needs to be set up (using iptables).<\/p><\/blockquote>\n<h5 id=\"\u4e09\u3001\u914d\u7f6e\u8f6c\u53d1\">III. Configure forwarding<\/h5>\n<p>Enter the commands below to allow the GRE protocol and open ports 47 and 1723 on the server.<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">sudo iptables -A INPUT -p gre -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT\n# GRE and TCP 1723 are the PPTP ports; L2TP over IPSec needs IKE (UDP 500), NAT-T (UDP 4500), L2TP (UDP 1701) and ESP\nsudo iptables -A INPUT -p udp -m multiport --dports 500,4500,1701 -j ACCEPT\nsudo iptables -A INPUT -p esp -j ACCEPT<\/code><\/pre>\n<\/figure>\n<p>Enable NAT forwarding:<\/p>\n<pre class=\"pure-highlightjs\"><code class=\"null\">sudo iptables -t nat -A POSTROUTING -s 192.168.100.0\/24 -o wlp4s0 -j MASQUERADE<\/code><\/pre>\n<p><code>wlp4s0<\/code> is the name of the network interface the server uses; you can look it up with the <code>ifconfig<\/code> command.<\/p>\n<blockquote><p>With the command above, iptables does the following: for every packet leaving the server with a source address in 192.168.100.1-255, it rewrites the source IP to the server's own IP.<\/p><\/blockquote>\n<h5 id=\"\u56db\u3001\u8fde\u63a5\u6d4b\u8bd5\">IV. Connection test<\/h5>\n<p>First, restart the services:<\/p>\n<figure class=\"highlight plain\">\n<pre class=\"pure-highlightjs\"><code class=\"null\">sudo ipsec restart\nsudo service xl2tpd restart<\/code><\/pre>\n<\/figure>\n<p>Then try connecting with a client!<br \/>\nIf the connection fails, check the following logs:<\/p>\n<pre class=\"pure-highlightjs\"><code class=\"null\">\/var\/log\/syslog\n\/var\/log\/auth.log<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>VPN stands for Virtual Private Network. Simply put, it builds a virtual private link over a public network &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-1737","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=\/wp\/v2\/posts\/1737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1737"}],"version-history":[{"count":4,"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=\/wp\/v2\/posts\/1737\/revisions"}],"predecessor-version":[{"id":1741,"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=\/wp\/v2\/posts\/1737\/revisions\/1741"}],"wp:attachment":[{"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laihp.top\/zqb\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}