Remote access of l2tp/ipsec server in vpn

Keywords: VPN vim DNS iptables

Brief introduction

PPTP and L2TP are the VPN types we use most often. We used PPTP before, but found that the new iOS versions no longer support the PPTP protocol, and that a client cannot connect to the VPN after joining an iPhone hotspot. To keep office work going, we need to build an L2TP/IPsec VPN.

Implementation

I. Installation of software packages

yum install xl2tpd openswan ppp

II. Configuration of ipsec

1. Configuring ipsec
openswan implements IPsec, which encrypts the whole path between client and server to maximize the security of the data transmission.

vim /etc/ipsec.conf
config setup
        protostack=netkey
        logfile=/var/log/pluto.log
        nat_traversal=yes
        oe=off
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        type=transport
        left=10.99.99.6
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        forceencaps=yes
include /etc/ipsec.d/*.conf

Among them:
left=10.99.99.6: 10.99.99.6 is the IP address of your L2TP server.
2. Configure the pre-shared key
Compared with PPTP, L2TP/IPsec has one extra secret, which is one of the reasons it is more secure. This secret is also a password, but unlike the user's login password it is a key shared between the two devices for their communication. It is configured in /etc/ipsec.secrets.

vim /etc/ipsec.secrets
10.99.99.6  %any:  PSK "l2tp-test"

The leading 10.99.99.6 is the IP of the server, and "l2tp-test" at the end is the pre-shared key.

3. Verify ipsec

[test@vpn /]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.15 (netkey) on 2.6.32-431.el6.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Checking rp_filter                                  [OK]
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options             [OK]
Opportunistic Encryption                            [DISABLED]

4. Start up the service

chkconfig ipsec on
service ipsec start

III. Configuration of ppp

PPP is the dial-up software that authenticates the user's login name and password. As in the earlier article "Remote access of pptp server in vpn", PPTP and L2TP can coexist on one server and share user login accounts, because both use PPP for the user login connection.
1. Configure the password file

vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
test     *       test                   *

The first asterisk (the server field) means this user name and password are valid for every service on this host that authenticates through PPP, including PPTP and L2TP. The second asterisk (the IP addresses field) means the user may log in from any IP address.
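Both /etc/ipsec.secrets and /etc/ppp/chap-secrets hold plain-text credentials, and the values above (PSK "l2tp-test", user test with password test) are test values. The following Python script is an added example, not code from the original post: it parses both file formats and reports secrets that are too short or equal to the user name, plus which accounts the server wildcard shares across PPP services. The thresholds MIN_PSK_LEN and MIN_PW_LEN are assumed local policy, and the samples are constructed.

```python
import re
import shlex

# Constructed samples mirroring the page's two secret files (not read from /etc).
IPSEC_SECRETS = '10.99.99.6  %any:  PSK "l2tp-test"\n'
CHAP_SECRETS = """# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
test     *       test                   *
"""

MIN_PSK_LEN = 20  # assumption: local policy for pre-shared key length
MIN_PW_LEN = 12   # assumption: local policy for PPP user passwords

def parse_chap_secrets(text):
    """Yield (client, server, secret, addresses) from chap-secrets; comments are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)  # secrets may be quoted if they contain spaces
        if len(fields) >= 3:
            addresses = fields[3] if len(fields) > 3 else "*"
            yield fields[0], fields[1], fields[2], addresses

def parse_psks(text):
    """Yield (hosts, psk) from ipsec.secrets lines shaped '<hosts>: PSK "<key>"'."""
    for line in text.splitlines():
        m = re.match(r'\s*(.*?):\s*PSK\s+"([^"]*)"', line)
        if m:
            yield m.group(1).split(), m.group(2)

def audit_secrets(ipsec_secrets, chap_secrets):
    """Return findings to resolve before exposing the VPN to the internet."""
    findings = []
    for hosts, psk in parse_psks(ipsec_secrets):
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"PSK for {' '.join(hosts)} is only {len(psk)} chars (min {MIN_PSK_LEN})")
    for client, server, secret, _addresses in parse_chap_secrets(chap_secrets):
        if secret.lower() == client.lower():
            findings.append(f"user {client}: password equals the user name")
        elif len(secret) < MIN_PW_LEN:
            findings.append(f"user {client}: password is only {len(secret)} chars (min {MIN_PW_LEN})")
        if server == "*":
            findings.append(f"note: user {client} is valid for every PPP service on this host (server '*')")
    return findings
```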

IV. Configuring xl2tp

1. installation

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/xl2tpd-1.3.8-1.el6.x86_64.rpm
yum install xl2tpd-1.3.8-1.el6.x86_64.rpm

2. configuration

vim /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 10.99.99.6
auth file = /etc/ppp/chap-secrets

[lns default]
ip range = 10.10.8.3-10.10.8.254
local ip = 10.10.8.2
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Among them:
listen-addr = 10.99.99.6: 10.99.99.6 is the VPN server IP
ip range = 10.10.8.3-10.10.8.254: the address pool from which dial-in VPN clients are assigned addresses
local ip = 10.10.8.2: the virtual IP of the VPN server on the tunnel
pppoptfile = /etc/ppp/options.xl2tpd: the pppd options file used for xl2tpd dial-in
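Several values must agree across the three files (left in ipsec.conf, the host in ipsec.secrets and listen-addr in xl2tpd.conf), and local ip must not fall inside the client ip range. This Python check is an added example, not part of the original post or of the xl2tpd and openswan projects; it embeds constructed fragments mirroring the page's configuration and reports any mismatch.

```python
import configparser
import ipaddress
import re

# Constructed fragments mirroring the page's three files (not read from /etc).
IPSEC_CONF = """conn L2TP-PSK-noNAT
        left=10.99.99.6
        leftprotoport=17/1701
"""
IPSEC_SECRETS = '10.99.99.6  %any:  PSK "l2tp-test"\n'
XL2TPD_CONF = """[global]
listen-addr = 10.99.99.6
[lns default]
ip range = 10.10.8.3-10.10.8.254
local ip = 10.10.8.2
"""

def parse_conn(text, name):
    """Return the key=value settings of one 'conn <name>' section of ipsec.conf."""
    settings, active = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            active = line.split(None, 1)[1] == name
        elif active and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings

def check_consistency(ipsec_conf, ipsec_secrets, xl2tpd_conf):
    """Cross-check the three files; an empty list means they agree."""
    problems = []
    conn = parse_conn(ipsec_conf, "L2TP-PSK-noNAT")
    left = conn.get("left")
    cp = configparser.ConfigParser()
    cp.read_string(xl2tpd_conf)  # xl2tpd.conf is INI-style, keys may contain spaces
    listen = cp["global"]["listen-addr"]
    m = re.match(r'(\S+)\s+%any:', ipsec_secrets.strip())  # '<server-ip>  %any:  PSK "..."'
    secret_host = m.group(1) if m else None
    if left != listen:
        problems.append(f"ipsec.conf left={left} but xl2tpd listen-addr={listen}")
    if secret_host != left:
        problems.append(f"ipsec.secrets host {secret_host} does not match left={left}")
    if conn.get("leftprotoport") != "17/1701":
        problems.append("leftprotoport must be 17/1701 (UDP 1701 is the L2TP port)")
    lns = cp["lns default"]
    low, high = (ipaddress.ip_address(a) for a in lns["ip range"].split("-"))
    local = ipaddress.ip_address(lns["local ip"])
    if low <= local <= high:
        problems.append(f"local ip {local} lies inside the client pool {low}-{high}")
    return problems
```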

3. Configure xl2tp dialing

vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
ms-dns  8.8.4.4
#ms-dns  223.5.5.5
#ms-dns  223.6.6.6
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

4. Start up the service

service xl2tpd start
chkconfig xl2tpd on

V. Setting sysctl

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Apply the configuration
sysctl -p

VI. Setting up the firewall

Since our server is on the intranet, the network device in front of it must map the ports UDP 500, 4500 and 1701 to it. The server firewall also needs the following rules:
iptables -A INPUT -i eth0 -p udp -m multiport --dports 500,4500,1701 -m comment --comment "ipsec" -j ACCEPT
iptables -A FORWARD -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356

VII. Client connection configuration

Clients such as mobile phones and notebooks need the following settings when adding the VPN profile:
1. Server address
Set the external IP address of the network device that has the port mapping for L2TP.
2. User name and password
The account information in /etc/ppp/chap-secrets.
3. IPsec pre-shared key
The PSK in /etc/ipsec.secrets, in this case "l2tp-test".

Note: the other settings under "L2TP" in the VPN profile do not need to be set; leave them blank.
Once the configuration is complete, we can connect. The ipsec logs can be viewed in /var/log/pluto.log and the xl2tpd logs in /var/log/messages.

Summary

1. An L2TP VPN involves several pieces of software, which seems more complex than PPTP. In fact it is easy to understand once you know the function of each:
openswan: provides the ipsec service and holds the pre-shared key
ppp: dial-up software that authenticates user names and passwords
xl2tpd: provides the l2tp service
2. Through testing, we found that:
a. After the client connects to an iPhone hotspot, it can connect to the VPN with L2TP.
b. Some Android models cannot connect to the VPN with L2TP, such as the Xiaomi Mi 5s and the LeTV Le 1s, but Huawei phones can.

Posted by Valdhor on Mon, 03 Jun 2019 20:55:51 -0700