The following steps apply in full to Ubuntu 14.04; the one difference on Ubuntu 15.10 (the missing openswan package) is noted below.

First install the required packages

sudo apt-get install openswan xl2tpd ppp lsof

Note: on Ubuntu 15.10 apt reports that the openswan package cannot be found, because openswan is no longer in that release's archive. The workaround used here is to pull it from the precise (12.04) archive: open the following file with your preferred editor (vim in this example)

sudo vim /etc/apt/sources.list

append this line at the end of the file

deb http://us.archive.ubuntu.com/ubuntu precise main universe

save, then run

sudo apt-get update
sudo apt-get install openswan

Caveat: leaving an older release's archive in sources.list can pull outdated libraries into later upgrades. Once openswan is installed, comment the line out again and re-run apt-get update. The precise package is also old and no longer maintained upstream; strongSwan or libreswan are the maintained IKE daemons on newer releases, but the rest of this page assumes openswan.

Firewall and forwarding

Allow forwarded packets to be source-NATed to the server's address

iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+

Replace %SERVERIP% above with the server's IP and eth+ with the name of the server's network interface. Note that not every interface name starts with eth. As written, the rule translates everything that leaves the box, not only VPN client traffic; adding -s 172.16.1.0/24 (the client pool assigned in xl2tpd.conf below) limits it to the VPN.

Run the following commands to enable kernel forwarding and to disable ICMP redirects. The tee -a lines append to sysctl.conf, so run them once, as root; running them again leaves duplicate entries behind.

echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf

Note that rp_filter = 0 turns off reverse-path source validation, an anti-spoofing check; it is relaxed here so that replies for VPN clients are not dropped, so do not widen it beyond the interfaces that carry VPN traffic.

If there are other network interfaces, apply the same settings to each of them

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

Apply the above settings

sysctl -p

To make these settings take effect on every boot: the sysctl.conf entries are loaded automatically, but the per-interface loop and the iptables rule are not persistent, so add the two lines below to a script that runs at boot (for example /etc/rc.local, before its final exit 0)

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
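The following script is an added example, not code from the original page: it applies the same sysctl settings idempotently (a key is replaced if present, appended otherwise, so the script can be re-run without duplicating lines) and restricts the SNAT rule to the client pool. It assumes a drop-in file under /etc/sysctl.d rather than appending to sysctl.conf, and the pool 172.16.1.0/24 that xl2tpd.conf assigns further down; the server IP and interface name are parameters. Without --apply it only touches the file it is given, so it can be tried in a temporary directory as a non-root user.

```shell
#!/bin/bash
# Added example (not from the original page): idempotent forwarding sysctls
# and a SNAT rule limited to the L2TP client pool.
# Assumptions: drop-in /etc/sysctl.d/60-vpn-forward.conf, pool 172.16.1.0/24.
set -u

# set_sysctl FILE KEY VALUE: replace an existing "KEY = ..." line or append
# one, so running this twice never leaves duplicate entries behind.
set_sysctl() {
    local file=$1 key=$2 value=$3
    touch "$file"
    if grep -q "^${key} *=" "$file"; then
        # '|' as sed delimiter; sysctl keys contain only [a-z0-9_.]
        sed -i "s|^${key} *=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# apply_forwarding_sysctls FILE: the same settings the page appends with tee -a
apply_forwarding_sysctls() {
    local file=$1
    set_sysctl "$file" net.ipv4.ip_forward 1
    set_sysctl "$file" net.ipv4.conf.all.accept_redirects 0
    set_sysctl "$file" net.ipv4.conf.all.send_redirects 0
    set_sysctl "$file" net.ipv4.conf.default.rp_filter 0
    set_sysctl "$file" net.ipv4.conf.default.accept_source_route 0
    set_sysctl "$file" net.ipv4.conf.default.send_redirects 0
    set_sysctl "$file" net.ipv4.icmp_ignore_bogus_error_responses 1
}

# nat_rule SERVERIP IFACE POOL: print the SNAT rule for review. Unlike the
# page's rule it matches on the client pool, so only VPN traffic is translated.
nat_rule() {
    local server_ip=$1 iface=$2 pool=$3
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$pool" "$iface" "$server_ip"
}

# sysctl_count FILE KEY: how many lines set KEY (1 after any number of runs)
sysctl_count() {
    grep -c "^$2 *=" "$1"
}

if [ "${1:-}" = "--apply" ]; then
    # Real run (root): ./vpn-forward.sh --apply <server ip> <iface>
    server_ip=$2 iface=$3 pool=172.16.1.0/24
    apply_forwarding_sysctls /etc/sysctl.d/60-vpn-forward.conf
    sysctl -p /etc/sysctl.d/60-vpn-forward.conf
    # -C checks whether the rule already exists, so this is re-runnable too
    iptables -t nat -C POSTROUTING -s "$pool" -o "$iface" -j SNAT --to-source "$server_ip" 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$pool" -o "$iface" -j SNAT --to-source "$server_ip"
fi
```

Calling the script from /etc/rc.local with --apply replaces both persistent lines above; the -C check means a second boot-time run does not stack a second SNAT rule.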

Configure OpenSwan (IPsec)

Open the following file in an editor

/etc/ipsec.conf

and replace its contents with the following. The page's copy of this file had lost its line breaks and several numbers; the prefix lengths and the UDP protocol number below are standard, and the DPD timers and keyingtries value are marked where they are assumed.

# /etc/ipsec.conf - Openswan IPsec configuration file
# Sample: /usr/share/doc/openswan/ipsec.conf-sample
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # directory in which things started by setup (notably the Pluto daemon) may dump core
    dumpdir=/var/run/pluto/
    # accept/offer the NAT (NAPT, also known as "IP Masquerade") workaround for IPsec
    nat_traversal=yes
    # networks allowed as subnet= for the remote client, i.e. the address
    # ranges that may live behind a NAT router through which a client connects
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    # which protocol stack is going to be used
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # shared secret; use rsasig for certificates
    authby=secret
    # disable PFS
    pfs=no
    rekey=no
    # dead peer detection; 40 s / 130 s are assumed values, the page's copy lost them
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    # load at boot and wait for the client to initiate
    auto=add
    # only negotiate a conn. 3 times (assumed value)
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    # transport mode, because L2TP is the tunnel protocol
    type=transport
    left=%SERVERIP%
    # UDP (protocol 17), any port
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    # force UDP encapsulation even when no NAT is detected, because of iOS
    forceencaps=yes

Replace %SERVERIP% above with the server's IP.

Shared secret

Open the following file in an editor

/etc/ipsec.secrets

and add an entry in the following format

%SERVERIP%  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

%SERVERIP% is the server's IP address and PSK is the pre-shared key. A random key can be generated with the command below (the byte count was lost from the page's copy; 20 bytes gives a 40-character hex string like the sample above)

openssl rand -hex 20

The file holds the key in plaintext, so make sure only root can read it (chmod 600 /etc/ipsec.secrets). Note also that with %any every client shares this one PSK and it is handed to every user; anyone holding it can impersonate the server to other clients, so per-user security in this setup rests on the CHAP credentials configured later, not on the PSK.

Verify the OpenSwan (IPsec) setup

ipsec verify

Sample output on my machine:

Linux Openswan U2.6.37/K4.2.0--generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Hardware RNG detected, testing if used properly [FAILED]
Hardware RNG is present but 'rngd' or 'clrngd' is not running.
No harware random used!
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Neither non-OK line blocks this setup. The RNG line means the kernel has a hardware random source that nothing feeds into the entropy pool; installing rng-tools starts rngd and clears it. The dash warning concerns openswan's helper scripts, which were written for bash.

Configure xl2tpd

Edit the following file

/etc/xl2tpd/xl2tpd.conf

and replace its contents with the following. In the page's copy the [lns default] header had been merged into the line before it; the saref refinfo value of 30 is assumed, the number was lost.

[global]
ipsec saref = yes
saref refinfo = 30

[lns default]
ip range = 172.16.1.2-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

ipsec verify above reported SAref kernel support as N/A; xl2tpd then logs at start-up that the recvref socket option is unavailable and carries on without it, which is expected on a stock kernel.

Configure PPP

Edit the following file

/etc/ppp/options.xl2tpd

and replace its contents with the following. The numeric arguments of mtu, mru, lcp-echo-interval and lcp-echo-failure were lost from the page's copy; the values shown are assumed.

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

MS-CHAPv2 on its own is not a strong authentication protocol; it is acceptable here only because the L2TP session runs inside the IPsec transport SA, so make sure the firewall does not accept plain UDP 1701 from outside (see the firewall section below).

Add users (user authentication)

Edit the following file to add users

/etc/ppp/chap-secrets

The format is as follows (the second column must match the name l2tpd option set in options.xl2tpd above; the file stores passwords in plaintext, so keep it at mode 600)

# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *

The script below adds, deletes and queries users automatically. Copy it into a local file named addvpnuser.sh. The page's copy had lost its line breaks and several numbers; they are restored here, and three defects are fixed: the password was derived from md5sum of the user name plus $RANDOM (at most 15 bits of entropy) and now comes from openssl rand; the user name is interpolated into grep patterns and is now restricted to a safe character set; and deleting a user rewrote the file through mv, which left chap-secrets with the default 0644 mode, so the mode is now restored. The -q branch also discarded its own output into /dev/null.

#!/bin/bash
# this script adds, deletes or queries VPN users in /etc/ppp/chap-secrets
# you must be root to run this script
SECRETS=/etc/ppp/chap-secrets

if [ "$EUID" -ne 0 ]
then
    echo "You must be root to run this script."
    exit 1
fi

if ! getopts ":a:d:q:" opt
then
    echo "Usage: ./addvpnuser.sh -a username | -d username | -q username"
    echo "-a for add, -d for delete and -q for query user's password."
    exit 1
fi

# user names end up inside grep patterns and in the secrets file,
# so only letters, digits, '_', '.' and '-' are accepted
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

OPTIND=1
while getopts ":a:d:q:" opt
do
    case $opt in
    a)
        # add user switch is triggered; check the username parameter is correct
        if [[ $OPTARG = -* ]]
        then
            echo "Option -a needs a username as a parameter."
            ((OPTIND--))
            continue
        fi
        if ! valid_name "$OPTARG"
        then
            echo "invalid username '$OPTARG' (use letters, digits, _ . -)."
            continue
        fi
        # check whether the user to be added already exists
        if grep -qE "^$OPTARG[[:space:]]" "$SECRETS"
        then
            echo "cannot add user '$OPTARG' because the user already exists."
            continue
        fi
        # VPN server type; must match "name l2tpd" in options.xl2tpd
        TYPE="l2tpd"
        # get the server external IP
        IP=$(wget http://ipinfo.io/ip -qO -)
        # get the PSK of the VPN from the last line of ipsec.secrets
        PREKEY=$(tail -n 1 /etc/ipsec.secrets | awk '{print $4}' | cut -d\" -f2)
        # generate the user's password: 16 hex characters from the OpenSSL CSPRNG
        PW=$(openssl rand -hex 8)
        # append the entry; on success print the user information, copy and send it to the user
        if echo -e "$OPTARG\t$TYPE\t$PW\t*" >> "$SECRETS"
        then
            echo "Type: $TYPE"
            echo "VPN Server IP: $IP"
            echo "User: $OPTARG Password: $PW"
            echo "PRE PSK KEY: $PREKEY"
            echo "Done."
        else
            # failed to write the file
            echo "cannot write to configure file."
        fi
        ;;
    d)
        # check the username parameter is correct
        if [[ $OPTARG = -* ]]
        then
            echo "Option -d requires a username as a parameter."
            ((OPTIND--))
            continue
        fi
        if ! valid_name "$OPTARG"
        then
            echo "invalid username '$OPTARG' (use letters, digits, _ . -)."
            continue
        fi
        # check whether the user to be deleted exists
        if ! grep -qE "^$OPTARG[[:space:]]" "$SECRETS"
        then
            echo "user '$OPTARG' does not exist."
            continue
        fi
        # delete by rewriting the file through a temp file in the same directory;
        # mktemp creates it 0600, and chmod keeps the secrets file that way after mv
        TMP=$(mktemp /etc/ppp/chap-secrets.XXXXXX)
        grep -vE "^$OPTARG[[:space:]]" "$SECRETS" > "$TMP"
        if mv "$TMP" "$SECRETS" && chmod 600 "$SECRETS"
        then
            echo "user '$OPTARG' has been successfully deleted."
        else
            echo "cannot write to file. Please check it."
        fi
        ;;
    q)
        # check the username parameter is correct
        if [[ $OPTARG = -* ]]
        then
            echo "Option -q requires a username as a parameter."
            ((OPTIND--))
            continue
        fi
        if ! valid_name "$OPTARG"
        then
            echo "invalid username '$OPTARG' (use letters, digits, _ . -)."
            continue
        fi
        # print the user name and password
        grep -E "^$OPTARG[[:space:]]" "$SECRETS" | awk '{print $1, $3}'
        ;;
    \?)
        echo "Invalid option -$OPTARG"
        ;;
    :)
        echo "Option -$OPTARG requires a username as a parameter."
        ;;
    esac
done

After saving, make the file executable

chmod +x addvpnuser.sh

Usage examples

# add a VPN user
./addvpnuser.sh -a [username]
# delete a VPN user
./addvpnuser.sh -d [username]
# query a VPN user's password
./addvpnuser.sh -q [username]
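The audit function below is an added example, not part of the original page or its script: it checks a chap-secrets file before xl2tpd is restarted, reporting a file mode other than 600, duplicate client names (pppd takes the first match, so the later line is dead), entries whose server column does not match the pppd name option, and passwords shorter than a minimum length. The sample file it writes is constructed for the dry run; the server name l2tpd comes from options.xl2tpd above, the 12-character minimum is an assumption.

```shell
#!/bin/bash
# Added example (not from the original page): sanity-check a chap-secrets
# file. Assumptions: pppd "name l2tpd", minimum password length 12,
# GNU stat for the mode check. The sample file below is constructed.
set -u

# audit_chap_secrets FILE [SERVER] [MINLEN]: prints one finding per line
# and returns the number of findings (0 = clean).
audit_chap_secrets() {
    local file=$1 server=${2:-l2tpd} minlen=${3:-12} findings=0 mode dups u
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "600" ]; then
        echo "mode: $file is $mode, expected 600 (it holds plaintext passwords)"
        findings=$((findings + 1))
    fi
    # duplicate client names: pppd uses the first match, later lines are dead
    dups=$(grep -v '^[[:space:]]*#' "$file" | awk 'NF >= 3 {print $1}' | sort | uniq -d)
    for u in $dups; do
        echo "duplicate: user '$u' appears more than once"
        findings=$((findings + 1))
    done
    # per-entry checks on the server column and the password length
    while read -r client srv secret ipaddr; do
        case $client in ''|\#*) continue ;; esac
        if [ "$srv" != "$server" ]; then
            echo "server: user '$client' is bound to '$srv', pppd is named '$server'"
            findings=$((findings + 1))
        fi
        if [ "${#secret}" -lt "$minlen" ]; then
            echo "weak: user '$client' has a ${#secret}-char password (< $minlen)"
            findings=$((findings + 1))
        fi
    done < "$file"
    return "$findings"
}

# write_sample FILE: constructed sample (not a real secrets file) showing
# one clean entry, a duplicate with a short password, and a wrong server
write_sample() {
    cat > "$1" <<'EOF'
# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *
bob l2tpd short *
carol pptpd 4C1D7E0A9B2F6E8D1A3C *
EOF
}
```

Run audit_chap_secrets /etc/ppp/chap-secrets as root; a non-zero exit code makes it usable as a pre-restart gate in the script above.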

Test

Restart the IPsec and xl2tpd services with the following commands

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

Firewall

If the ufw firewall is enabled, open the three UDP ports: 500 (IKE), 4500 (NAT-T) and 1701 (L2TP)

ufw allow 500/udp
ufw allow 4500/udp
ufw allow 1701/udp

Opening 1701 to the world also admits L2TP that is not wrapped in IPsec, and xl2tpd does not check that on its own. To enforce the tunnel, accept UDP 1701 only for packets that were decapsulated from IPsec (iptables -m policy --dir in --pol ipsec) and drop the rest.

Note

During configuration it turned out that, after following the steps above, Android and iOS devices could connect to the VPN server but could not reach the Internet. Debugging showed that Ubuntu had ufw (the firewall) enabled and the forwarded packets were being dropped by it. The fix is as follows

Open the following file

/etc/default/ufw

and change DROP to ACCEPT in the line below

DEFAULT_FORWARD_POLICY="DROP"
becomes
DEFAULT_FORWARD_POLICY="ACCEPT"

This makes the host forward traffic between any of its interfaces, not only for VPN clients. A narrower fix keeps the DROP default and adds explicit forward rules for the client pool (172.16.1.0/24) to /etc/ufw/before.rules.
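As an added example (not configuration from the original page), the function below prints the rules for that narrower fix: SNAT and forwarding only for the client pool, IKE and NAT-T from anywhere, and UDP 1701 accepted only when the packet came out of IPsec, so the ufw forward policy can stay at DROP. The output is meant to be pasted into /etc/ufw/before.rules; the chain names ufw-before-input and ufw-before-forward are ufw's own, the *nat block is the one ufw does not create by default. Pool, interface and server IP are parameters, and the pool is validated because it ends up verbatim in a firewall rule.

```shell
#!/bin/bash
# Added example (not from the original page): ufw before.rules fragment for
# IPsec/L2TP that forwards only the client pool and only accepts L2TP
# that arrived inside IPsec. Assumptions: pool 172.16.1.0/24, the ppp+
# interfaces pppd creates, and ufw's ufw-before-* chains.
set -u

# valid_cidr A.B.C.D/N: 0 if the argument is a plausible IPv4 prefix
valid_cidr() {
    local cidr=$1 ip len n=0 o
    case $cidr in */*) ;; *) return 1 ;; esac
    ip=${cidr%/*}; len=${cidr#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    local IFS=.
    for o in $ip; do
        n=$((n + 1))
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# vpn_ufw_rules POOL IFACE SERVERIP: print the lines to add to before.rules
vpn_ufw_rules() {
    local pool=$1 iface=$2 server_ip=$3
    valid_cidr "$pool" || { echo "bad pool: $pool" >&2; return 1; }
    cat <<EOF
# --- IPsec/L2TP: put this whole block at the top of before.rules ---
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $pool -o $iface -j SNAT --to-source $server_ip
COMMIT

# --- IPsec/L2TP: put these inside the existing *filter section ---
# IKE, NAT-T and ESP from anywhere
-A ufw-before-input -p udp --dport 500 -j ACCEPT
-A ufw-before-input -p udp --dport 4500 -j ACCEPT
-A ufw-before-input -p esp -j ACCEPT
# L2TP only when the packet was decapsulated from IPsec; plain UDP 1701 is dropped
-A ufw-before-input -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A ufw-before-input -p udp --dport 1701 -j DROP
# forward only the client pool out, and replies back in
-A ufw-before-forward -s $pool -i ppp+ -o $iface -j ACCEPT
-A ufw-before-forward -d $pool -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}
```

After editing before.rules, ufw reload applies the rules; with this in place DEFAULT_FORWARD_POLICY="DROP" can stay, and the ufw allow 1701/udp line from the previous section should be removed so the policy match is what admits L2TP.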

Debugging

If clients cannot connect or cannot reach the network, the following commands help. pluto logs the IKE negotiation to auth.log; xl2tpd and pppd log to syslog; tcpdump on ppp0 shows whether client traffic arrives after the tunnel is up, and tcpdump -n -i <WAN interface> udp port 500 or udp port 4500 shows whether IKE traffic reaches the host at all.

sudo tcpdump -i ppp0
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog
