@clicube
Last active June 5, 2017 13:07
An L2TP/IPsec VPN server on Debian 7.7 on Sakura VPS

Simply following what came up in searches did not work, so these are my notes.

The setup procedure is already available on the Internet, so this memo is mostly just the contents of the configuration files.

2015/2/1, debian 7.7 @ Sakura VPS

https://gist.github.com/CLCL/5742738

http://www.manabii.info/2012/08/debian-gnu-linux-l2tp-ipsec-vpn-nat.html

This article was very helpful.

Installation

# apt-get install xl2tpd lsof
# apt-get install openswan=1:2.6.37-3

openswan 1:2.6.37-3+deb7u1 does not work. Note that pinning the older 1:2.6.37-3 package means running without the +deb7u1 stable update, and a later apt-get upgrade will pull the newer version back in unless the package is held (apt-mark hold openswan).

Reference: http://superuser.com/questions/740545/l2tp-ipsec-stopped-working-after-openssl-upgrade

Configuration

/etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 49.212.149.122

[lns default]
ip range = 192.168.1.201-192.168.1.220
local ip = 192.168.1.1
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tp
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns

/etc/ppp/options.l2tpd.lns (the file name must match the pppoptfile line in xl2tpd.conf above, or pppd will not get these options)

ms-dns 210.224.163.3
ms-dns 210.224.163.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
noipx
idle 1800
connect-delay 5000
# local name used for CHAP; must match the "server" field in /etc/ppp/chap-secrets ("*" there matches any name)
name l2tpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
mtu 1280
mru 1280
nodefaultroute

I am not sure which of these settings are actually required.

/etc/ipsec.conf

version	2.0	# conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

include /etc/ipsec.d/*.conf

/etc/ipsec.d/l2tp-ipsec.conf

conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no

    ikelifetime=8h
    keylife=1h

    type=transport

    left=%defaultroute
    leftprotoport=17/1701

    right=%any
    rightprotoport=17/%any

/etc/ipsec.secrets (append the following; this one key is shared by every client, so use a long random string, not the placeholder)

%defaultroute %any : PSK "your_psksecrets"

/etc/ppp/chap-secrets

your_id * "your_pass" *

/etc/iptables.up.rules (excerpt)

# Allow L2TP/IPSec
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

*nat

-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

COMMIT

/etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
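As an added example (not part of the gist), here is a small POSIX shell script that audits the points in the configuration above that matter for security: the shared PSK (with right=%any one key is shared by every client, and the "your_psksecrets" placeholder must be replaced), the permissions on the two secrets files, that the pppoptfile path in xl2tpd.conf actually exists, that IP forwarding is on, and that UDP 1701 is only accepted inside the IPsec policy. The last point is a caveat on the iptables excerpt above: `-A INPUT -p udp -m udp --dport 1701 -j ACCEPT` lets anyone on the Internet speak L2TP and PPP CHAP to the server in cleartext, whereas `-A INPUT -p udp -m policy --dir in --pol ipsec --dport 1701 -j ACCEPT` accepts it only when it arrived through ESP. The default file paths are the gist's; the 20-character PSK minimum and the 0600 mode are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original gist: audit the security-relevant
# settings of the L2TP/IPsec configuration. Paths default to the gist's files.
set -u

# Extract the key from an ipsec.secrets line such as
#   %defaultroute %any : PSK "your_psksecrets"
# Prints the key without quotes; prints nothing if no PSK line is present.
psk_from_secrets() {
    sed -n 's/.*: *PSK *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Fail if the PSK is the gist's placeholder or shorter than 20 characters
# (assumed minimum). With right=%any this one key is all that stands between
# an Internet host and a completed IKE phase 1.
check_psk() {
    local psk
    psk=$(psk_from_secrets "$1")
    if [ -z "$psk" ]; then echo "no PSK line in $1"; return 1; fi
    if [ "$psk" = "your_psksecrets" ]; then echo "PSK is still the placeholder"; return 1; fi
    if [ "${#psk}" -lt 20 ]; then echo "PSK is shorter than 20 characters"; return 1; fi
    return 0
}

# ipsec.secrets and chap-secrets hold the PSK and PPP passwords: owner-only.
check_mode_0600() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    [ "$mode" = "600" ] || { echo "$1 is mode $mode, want 600"; return 1; }
}

# The pppoptfile named in xl2tpd.conf must exist; a typo in the path
# (options.l2tp.lsn vs options.l2tpd.lns) fails silently otherwise.
check_pppoptfile() {
    local path
    path=$(sed -n 's/^[[:space:]]*pppoptfile[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$path" ] || { echo "no pppoptfile line in $1"; return 1; }
    [ -f "$path" ] || { echo "pppoptfile $path does not exist"; return 1; }
}

# UDP 1701 must only be reachable through the IPsec tunnel: the rule for it
# has to carry "-m policy --dir in --pol ipsec", otherwise L2TP and the PPP
# CHAP exchange are exposed to the Internet in cleartext.
check_l2tp_rule() {
    local rule
    rule=$(grep -E -- '--dport 1701' "$1" | grep -v '^#' | head -n 1)
    [ -n "$rule" ] || { echo "no rule for udp/1701 in $1"; return 1; }
    case "$rule" in
        *"--pol ipsec"*) return 0 ;;
        *) echo "udp/1701 accepted without IPsec policy match: $rule"; return 1 ;;
    esac
}

# Forwarding must be on for VPN clients to reach anything beyond the server.
check_ip_forward() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ] \
        || { echo "net.ipv4.ip_forward is not 1"; return 1; }
}

# Run every check; arguments: ipsec.secrets chap-secrets xl2tpd.conf iptables-rules.
# Returns non-zero if any check failed.
audit_all() {
    local rc=0
    check_psk "$1"        || rc=1
    check_mode_0600 "$1"  || rc=1
    check_mode_0600 "$2"  || rc=1
    check_pppoptfile "$3" || rc=1
    check_l2tp_rule "$4"  || rc=1
    check_ip_forward      || rc=1
    return $rc
}

# Audit the live system when given the four paths on the command line, e.g.
#   sh vpn-audit.sh /etc/ipsec.secrets /etc/ppp/chap-secrets /etc/xl2tpd/xl2tpd.conf /etc/iptables.up.rules
if [ "$#" -eq 4 ]; then
    audit_all "$@" && echo "all checks passed"
fi
```

Run it as root after editing the files; each failed check prints one line saying what to fix. The checks are deliberately string-based so they also work on copies of the files before they are deployed.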

Reading the logs

Where to look when it does not work:

/var/log/auth.log   # ipsec (pluto) log
/var/log/daemon.log # xl2tpd log

# /usr/sbin/xl2tpd -D # starting xl2tpd in the foreground like this shows the log output where it fails
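As an added example (not from the gist), a shell helper that reads the pluto lines of /var/log/auth.log and reports how far the IPsec negotiation got, which decides which of the two logs above to read next: nothing from pluto means UDP 500/4500 never reached the server (firewall, NAT or listen address), Main Mode starting but never completing is almost always a PSK mismatch, an ISAKMP SA without an IPsec SA points at the phase 2 / transport settings in l2tp-ipsec.conf, and an established IPsec SA means IPsec is fine and the problem is in xl2tpd or pppd (daemon.log, xl2tpd -D, chap-secrets). The sample log lines are constructed approximations of openswan's wording, not captures from this server, and `vpn_diag` assumes the openswan and lsof commands the gist installs.

```shell
#!/bin/sh
# Added example, not part of the original gist: classify pluto (IPsec) log
# lines so you know whether to keep reading auth.log or move on to daemon.log.

# Classify the pluto lines on stdin. Prints exactly one of:
#   ipsec-ok             phase 1 and phase 2 done: look at xl2tpd/pppd next
#   phase1-ok-no-phase2  ISAKMP SA up but no IPsec SA: phase 2 / transport mismatch
#   phase1-failed        peer reached us but Main Mode never completed: usually the PSK
#   no-ike-seen          nothing from pluto: UDP 500/4500 never arrived
ike_summary() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'IPsec SA established'; then
        echo ipsec-ok
    elif printf '%s\n' "$log" | grep -q 'ISAKMP SA established'; then
        echo phase1-ok-no-phase2
    elif printf '%s\n' "$log" | grep -q 'responding to Main Mode'; then
        echo phase1-failed
    else
        echo no-ike-seen
    fi
}

# Same, for one client IP taken from the live auth.log (or a file given as $2).
ike_summary_for_peer() {
    grep 'pluto\[' "${2:-/var/log/auth.log}" | grep -F "$1" | ike_summary
}

# Live checks using the tools the gist installs (run as root).
vpn_diag() {
    ipsec verify                                # kernel/netkey/NAT-T sanity checks
    ipsec auto --status                         # loaded conns and current SAs
    lsof -nP -iUDP:500 -iUDP:4500 -iUDP:1701    # confirm pluto and xl2tpd are bound
}

# Constructed sample lines approximating openswan's wording (not real captures).
SAMPLE_OK='Feb  1 12:00:01 vps pluto[1234]: "L2TP-PSK-NAT"[1] 203.0.113.5 #1: responding to Main Mode from unknown peer 203.0.113.5
Feb  1 12:00:01 vps pluto[1234]: "L2TP-PSK-NAT"[1] 203.0.113.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb  1 12:00:02 vps pluto[1234]: "L2TP-PSK-NAT"[1] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0a0b0c0d <0x01020304 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:4500 DPD=enabled}'

SAMPLE_BAD_PSK='Feb  1 12:05:01 vps pluto[1234]: "L2TP-PSK-NAT"[1] 203.0.113.5 #3: responding to Main Mode from unknown peer 203.0.113.5
Feb  1 12:05:01 vps pluto[1234]: "L2TP-PSK-NAT"[1] 203.0.113.5 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Feb  1 12:05:02 vps pluto[1234]: "L2TP-PSK-NAT"[1] 203.0.113.5 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Feb  1 12:05:03 vps pluto[1234]: "L2TP-PSK-NAT"[1] 203.0.113.5 #3: sending notification INVALID_HASH_INFORMATION to 203.0.113.5:500'

SAMPLE_QUIET='Feb  1 12:10:01 vps sshd[555]: Accepted publickey for admin from 198.51.100.7 port 50000 ssh2'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OK" | ike_summary
```

On the live box, `ike_summary_for_peer 203.0.113.5` (with the client's real address) gives the one-word verdict, and `vpn_diag` shows whether the daemons are bound to the expected ports at all. An INVALID_HASH_INFORMATION notification during Main Mode, as in the second sample, is the typical signature of a PSK that does not match on both sides.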