For well-known reasons, L2TP has also fallen; this article is no longer maintained.
This records my process of installing an L2TP/IPsec VPN on an Ubuntu server, for later reference. IPsec authenticates and encrypts the packets and is provided by openswan; L2TP, the Layer 2 Tunneling Protocol, is provided by xl2tpd.
The packages' default configuration is fine to start with; the details are covered below.
sudo apt-get install openswan xl2tpd ppp
Three things to note:
- Replace YOUR_SERVER_IP_ADDRESS with your server's IP address.
- Replace YOUR_IPSEC_SHARED_KEY with your IPsec pre-shared key.
- Keep the indentation of the configuration file: openswan expects the section headers (config setup, conn ...) in column 1 and every parameter under them indented.
# sudo applies to cat only, not to the shell's > redirection, so "sudo cat > file" fails
# with "Permission denied"; tee runs under sudo and does the writing itself.
sudo tee /etc/ipsec.conf >/dev/null <<'EOF'
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR_SERVER_IP_ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
sudo tee /etc/ipsec.secrets >/dev/null <<'EOF'
YOUR_SERVER_IP_ADDRESS %any: PSK "YOUR_IPSEC_SHARED_KEY"
EOF
# The PSK is a credential shared by every client: keep the file unreadable to other users.
sudo chmod 600 /etc/ipsec.secrets
sudo service ipsec restart
sudo ipsec verify
The output should contain no FAILED items; WARNING items can be ignored.
sudo tee /etc/xl2tpd/xl2tpd.conf >/dev/null <<'EOF'
[global]
ipsec saref = yes
[lns default]
local ip = 10.10.11.1
ip range = 10.10.11.2-10.10.11.245
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF
sudo tee /etc/ppp/xl2tpd-options >/dev/null <<'EOF'
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF
Replace USER and PASSWORD with your username and password (the line format is: client, server, secret, allowed IP).
sudo tee -a /etc/ppp/chap-secrets >/dev/null <<'EOF'
USER * PASSWORD *
EOF
sudo chmod 600 /etc/ppp/chap-secrets
# Run the following as root (e.g. after sudo -i): the redirects into /proc and the sed need it.
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sysctl -p
# NAT only the L2TP address pool (10.10.11.0/24, from xl2tpd.conf), not everything the box forwards.
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j MASQUERADE
# Clamp the TCP MSS on the ppp interfaces so the ESP+L2TP+PPP overhead does not break large packets.
iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
service xl2tpd restart
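Before opening UDP 500/4500 to the world it pays to lint what the heredocs above produced: openswan only reads a parameter if it is indented under its section header, the placeholders must be gone, the PSK should not be short, and ipsec.secrets must not be readable by other users. The following Python script is an added example, not code from the original post or from openswan; the SAMPLE_* strings are constructed (with the setup section's indentation deliberately lost), and the 20-character PSK floor is an assumption.

```python
"""Lint the ipsec.conf and ipsec.secrets written above before opening UDP 500/4500.

Added example, not part of the original post. It catches what a mis-typed heredoc
gets wrong: parameters not indented (openswan wants 'config'/'conn' headers in
column 1 and every parameter under them indented), placeholders never replaced,
a short pre-shared key, and a secrets file other users can read. SAMPLE_* are constructed.
"""
import re
import stat

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
PSK_RE = re.compile(r'^(?:(\S+)\s+(\S+)\s*)?:\s*PSK\s+"([^"]*)"\s*$')
PLACEHOLDERS = {"YOUR_SERVER_IP_ADDRESS", "YOUR_IPSEC_SHARED_KEY"}

# Constructed: the post's heredoc with the setup section's indentation lost and a placeholder left in.
SAMPLE_CONF = """version 2.0
config setup
nat_traversal=yes
oe=off
conn L2TP-PSK-noNAT
    type=transport
    left=YOUR_SERVER_IP_ADDRESS
"""
SAMPLE_SECRETS = '203.0.113.5 %any: PSK "YOUR_IPSEC_SHARED_KEY"\n'


def parse_ipsec_conf(text):
    """Return ({section: {key: value}}, problems) for an openswan ipsec.conf."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith(("version", "include")):
            continue
        m = SECTION_RE.match(line)
        if m:  # 'config setup' or 'conn NAME' opens a new section
            current = "setup" if m.group(1) == "config" else m.group(2)
            sections[current] = {}
        elif not line[0].isspace():  # a parameter in column 1 is not read as one
            problems.append(f"line {lineno}: unindented parameter {line.strip()!r}")
        elif current is None or "=" not in line:
            problems.append(f"line {lineno}: unexpected {line.strip()!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections, problems


def check_ipsec_conf(text):
    """Problems with ipsec.conf as a whole; an empty list means it looks right."""
    sections, problems = parse_ipsec_conf(text)
    setup = sections.get("setup", {})
    if setup.get("oe") != "off":
        problems.append("config setup: oe=off missing (opportunistic encryption stays on)")
    if setup.get("nat_traversal") != "yes":
        problems.append("config setup: nat_traversal=yes missing (clients behind NAT fail)")
    # Judge only the keys a conn carries itself; also= pulls the rest from another conn.
    for name, conn in ((n, c) for n, c in sections.items() if n != "setup"):
        if conn.get("left") in PLACEHOLDERS:
            problems.append(f"conn {name}: left= still set to the placeholder")
        if conn.get("type", "transport") != "transport":
            problems.append(f"conn {name}: L2TP/IPsec needs type=transport")
        if conn.get("leftprotoport", "17/1701") != "17/1701":
            problems.append(f"conn {name}: leftprotoport must be 17/1701 (UDP 1701)")
    return problems


def check_ipsec_secrets(text, min_len=20):
    """Problems with the PSK line(s) in ipsec.secrets; min_len is an assumed floor."""
    problems, found = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PSK_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not of the form 'SERVER %any: PSK \"key\"'")
            continue
        found, left, psk = True, m.group(1), m.group(3)
        if left in PLACEHOLDERS:
            problems.append(f"line {lineno}: server address still the placeholder")
        if psk in PLACEHOLDERS:
            problems.append(f"line {lineno}: PSK still the placeholder")
        elif len(psk) < min_len:
            problems.append(f"line {lineno}: PSK is only {len(psk)} chars; use {min_len}+ random ones")
    return problems if found else problems + ["no PSK entry found"]


def mode_is_private(mode):
    """True if st_mode grants nothing to group/other, i.e. 0600 or stricter."""
    return stat.S_IMODE(mode) & 0o077 == 0


if __name__ == "__main__":
    # For the live files: read /etc/ipsec.conf and /etc/ipsec.secrets as root and pass their text here.
    for name, problems in (("ipsec.conf", check_ipsec_conf(SAMPLE_CONF)),
                           ("ipsec.secrets", check_ipsec_secrets(SAMPLE_SECRETS))):
        print(name + ":", "OK" if not problems else "\n  - " + "\n  - ".join(problems))
```

Run without arguments it lints the constructed samples and reports the two unindented setup parameters, the two settings that therefore went missing, the left= placeholder and the placeholder PSK; pass os.stat("/etc/ipsec.secrets").st_mode to mode_is_private() to confirm the chmod 600 above took effect.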
If /etc/rc.local does not run automatically at boot, try changing its shebang to #!/bin/bash. Its contents:
#!/bin/bash
# for xl2tpd
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j MASQUERADE
iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
exit 0
Add the following configuration as /etc/rsyslog.d/20-xl2tpd.conf so that xl2tpd's log no longer goes to /var/log/syslog but to /var/log/xl2tpd.log:
if $programname == 'xl2tpd' then /var/log/xl2tpd.log
# "&~" discards the message after the action above; rsyslog 7 and newer spell this "& stop".
&~
Then restart rsyslogd:
sudo service rsyslog restart
Ubuntu's NetworkManager ships without an L2TP VPN plugin; it has to be installed from a PPA.
sudo apt-add-repository ppa:seriy-pr/network-manager-l2tp
sudo apt-get update
sudo apt-get install network-manager-l2tp
Then stop and disable the system xl2tpd service: the NetworkManager plugin starts its own xl2tpd, and a second instance already bound to UDP 1701 gets in its way.
sudo service xl2tpd stop
sudo update-rc.d xl2tpd disable
If the installation fails, download a suitable deb package from here and install it by hand. Finally, reboot, and an L2TP VPN can be added in NetworkManager.
- openswan's IKE negotiation is logged to /var/log/auth.log by default. Seeing "IPsec SA established transport mode" after connecting means the IPsec side, and therefore the pre-shared key, authenticated successfully.
- xl2tpd logs to /var/log/syslog by default. For more detail, add debug to /etc/ppp/xl2tpd-options (it is a pppd option, so it makes the PPP negotiation verbose) and restart xl2tpd, or stop the service and run the daemon in the foreground, where it prints its messages directly:
xl2tpd -D
If the tunnel comes up but no traffic flows through it, the cause is usually the MTU; run the following commands (the same two iptables rules as in the setup above):
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j MASQUERADE
iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
Looking in /var/log/auth.log, ipsec reports the following error:
probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
The cause is that the pre-shared key (PSK) in /etc/ipsec.secrets does not match the shared key entered on the client.
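The indicators described above (the "IPsec SA established transport mode" success line and the "probable authentication failure" PSK-mismatch line) can be pulled out of auth.log automatically. The following is an added example, not code from the original post or from openswan; it assumes the line format that openswan's pluto writes (the same format as the excerpt further down), SAMPLE_LOG is constructed rather than a real capture, and the list of algorithms treated as weak is this example's own choice.

```python
"""Triage pluto (openswan IKE daemon) lines from /var/log/auth.log.

Added example, not part of the original post. It groups pluto messages by
peer address and reports, per peer, whether IKE (ISAKMP SA) and the
transport-mode IPsec SA came up, whether the PSK was rejected, which IKE
algorithms were negotiated and whether any are below current minimums.
SAMPLE_LOG is constructed in pluto's format; it is not a real capture.
"""
import re
from collections import OrderedDict

# '... pluto[PID]: "CONN"[N] PEER #STATE: message'  (the [N] and #STATE parts are optional)
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? '
                      r'(?P<peer>\d+\.\d+\.\d+\.\d+)(?: #\d+)?: (?P<msg>.*)$')
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{[^}]*xfrm=(?P<xfrm>\S+)")
# Substrings of openswan's algorithm names that should not be accepted any more (this example's choice).
WEAK = {"cipher": ("des",), "prf": ("md5",), "group": ("modp768", "modp1024")}

SAMPLE_LOG = """\
Oct 22 09:22:52 vpn pluto[1728]: "L2TP-PSK-NAT"[3] 203.0.113.10 #3: responding to Main Mode from unknown peer 203.0.113.10
Oct 22 09:22:52 vpn pluto[1728]: "L2TP-PSK-NAT"[3] 203.0.113.10 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Oct 22 09:22:53 vpn pluto[1728]: "L2TP-PSK-NAT"[3] 203.0.113.10 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp2048}
Oct 22 09:22:53 vpn pluto[1728]: "L2TP-PSK-NAT"[3] 203.0.113.10 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0a1b2c3d <0x04050607 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.20 NATD=203.0.113.10:4500 DPD=enabled}
Oct 22 09:23:14 vpn pluto[1728]: "L2TP-PSK-NAT"[3] 203.0.113.10 #3: received Delete SA(0x0a1b2c3d) payload: deleting IPSEC State #4
Oct 22 09:23:14 vpn pluto[1728]: "L2TP-PSK-NAT"[3] 203.0.113.10 #3: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Oct 22 09:30:01 vpn pluto[1728]: "L2TP-PSK-NAT"[5] 198.51.100.7 #7: responding to Main Mode from unknown peer 198.51.100.7
Oct 22 09:30:01 vpn pluto[1728]: "L2TP-PSK-NAT"[5] 198.51.100.7 #7: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 22 09:31:10 vpn pluto[1728]: "L2TP-PSK-NAT"[6] 192.0.2.44 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc prf=OAKLEY_SHA1 group=modp1024}
"""


def triage(lines):
    """Return an OrderedDict {peer_ip: summary} in first-seen order."""
    peers = OrderedDict()
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue  # not a pluto line (xl2tpd, pppd, sshd, ...)
        p = peers.setdefault(m.group("peer"), {
            "conn": m.group("conn"), "nat": False, "ike": False, "algs": None,
            "ipsec": False, "mode": None, "xfrm": None, "psk_mismatch": False, "errors": []})
        msg = m.group("msg")
        p["nat"] |= "peer is NATed" in msg
        p["psk_mismatch"] |= "probable authentication failure" in msg
        im = ISAKMP_RE.search(msg)
        if im:  # Main Mode finished: the PSK was accepted and these algorithms were agreed
            p["ike"] = True
            p["algs"] = dict(kv.split("=", 1) for kv in im.group("params").split())
        sm = IPSEC_RE.search(msg)
        if sm:  # Quick Mode finished: ESP is up; L2TP can now start over UDP 1701
            p["ipsec"], p["mode"], p["xfrm"] = True, sm.group("mode"), sm.group("xfrm")
        if msg.startswith("ERROR:"):
            p["errors"].append(msg)
    return peers


def weak_ike(algs):
    """Names of negotiated IKE parameters that fall in WEAK (e.g. 3DES, MD5, 1024-bit DH)."""
    if not algs:
        return []
    return [k for k, bad in WEAK.items() if any(b in algs.get(k, "").lower() for b in bad)]


def verdict(p):
    """One-line diagnosis, checked in the order the troubleshooting notes above use."""
    if p["psk_mismatch"]:
        return "PSK mismatch: ipsec.secrets and the client's shared key differ"
    if not p["ike"]:
        return "no ISAKMP SA: IKE never completed (UDP 500/4500 reachable? proposal mismatch?)"
    if not p["ipsec"]:
        return "IKE ok but no IPsec SA: check the Quick Mode proposal and leftprotoport=17/1701"
    if p["mode"] != "transport":
        return f"IPsec SA is in {p['mode']} mode; L2TP/IPsec needs transport mode"
    return "IPsec SA established in transport mode; if L2TP still fails read the xl2tpd/pppd log"


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("/var/log/auth.log") to triage the live log.
    for peer, p in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {verdict(p)}")
        if p["algs"]:
            print("   IKE:", " ".join(f"{k}={v}" for k, v in p["algs"].items()), "weak:", weak_ike(p["algs"]) or "-")
        for err in p["errors"]:
            print("   ", err)
```

The sample deliberately includes a netlink XFRM_MSG_DELPOLICY ERROR line: it is logged after the peer's own Delete SA payload, during teardown, so the script lists it under the peer but does not let it override a verdict that the SA had been established. The third peer shows why the negotiated algorithms are worth printing: IKE completed with 3DES and 1024-bit DH, which the script flags.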
Oct 22 09:22:52 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: responding to Main Mode from unknown peer 221.220.255.45
Oct 22 09:22:52 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 22 09:22:52 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 22 09:22:52 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Oct 22 09:22:52 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 22 09:22:52 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.225'
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[15] 221.220.255.45 #15: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: deleting connection "L2TP-PSK-NAT" instance with peer 221.220.255.45 {isakmp=#0/ipsec=#0}
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: new NAT mapping for #15, was 221.220.255.45:500, now 221.220.255.45:4500
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp2048}
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: Dead Peer Detection (RFC 3706): enabled
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: the peer proposed: 188.166.255.207/32:17/1701 -> 192.168.1.225/32:17/0
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: responding to Quick Mode proposal {msgid:a022b2a2}
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: us: 188.166.255.207<188.166.255.207>:17/1701
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: them: 221.220.255.45[192.168.1.225]:17/51661===192.168.1.225/32
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: Dead Peer Detection (RFC 3706): enabled
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 22 09:22:53 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #16: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x066a27c5 <0x0b36e22c xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.225 NATD=221.220.255.45:4500 DPD=enabled}
Oct 22 09:23:14 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: received Delete SA(0x066a27c5) payload: deleting IPSEC State #16
Oct 22 09:23:14 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Oct 22 09:23:14 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: received and ignored informational message
Oct 22 09:23:14 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45 #15: received Delete SA payload: deleting ISAKMP State #15
Oct 22 09:23:14 Skyler pluto[1728]: "L2TP-PSK-NAT"[16] 221.220.255.45: deleting connection "L2TP-PSK-NAT" instance with peer 221.220.255.45 {isakmp=#0/ipsec=#0}
It reports an ERROR; can you help solve it?