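; /etc/xl2tpd/xl2tpd.conf - read by xl2tpd (the L2TP daemon) for the server
; (LNS) side of L2TP over IPsec. Restored to one directive per line: collapsed
; onto one line everything after the first ";" is a comment, and the stock
; sample only knows ";" comments, so every annotation is kept on its own
; ";" line rather than trailing a value.
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
;
; NOTE(review): the header above is the stock sample text; the values in
; [lns default] below use 192.168.100.0/24, not 192.168.1.0/24.

[global]
; listen-addr = 172.16.0.12
; Left at the default on purpose, i.e. UDP/1701 is bound on 0.0.0.0.
; Reachable on all interfaces, the daemon also accepts plain (non-IPsec)
; L2TP from anywhere; set listen-addr, or restrict UDP/1701 at the host
; firewall to traffic that arrived through IPsec, so that only
; IPsec-protected clients can complete an L2TP tunnel.
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; NOTE(review): saref needs SAref support in the IPsec stack; the commands
; later on this page run strongswan - confirm the installed stack supports
; it, otherwise the comment above applies and "force userspace = yes"
; (commented out below) is the in-file switch for that case.
ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
; PPP CHAP secrets (user / server / password); keep this file root-only.
auth file = /etc/ppp/chap-secrets
port = 1701

[lns default]
; Address pool handed out to the VPN clients.
ip range = 192.168.100.128-192.168.100.254
; xl2tpd's own address on the pppX interfaces; keep it in the same subnet
; as the pool.
local ip = 192.168.100.1
require chap = yes
refuse pap = yes
require authentication = yes
; Must match the server field of the entries in the auth file.
name = LinuxVPNserver
; Verbose pppd logging; the pppd options file also sets "debug" - turn
; both off once the setup works.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes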
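# /etc/ppp/options.xl2tpd - pppd options applied to every L2TP session
# (named by "pppoptfile" in xl2tpd.conf). Restored to one option per line:
# collapsed onto one line, the first "#" turned every following option into
# comment text.
ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to Windows clients; these are public resolvers, so
# client name lookups leave the protected network. Use the commented
# internal entries instead if lookups must stay inside.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# Local name used for authentication; pairs with the server field in
# /etc/ppp/chap-secrets.
name l2tpd
noccp
# "auth" requires the peer to authenticate but lets pppd negotiate whichever
# protocol the client offers; "require-mschap-v2" (commented out further
# below, under the winbind example) is the option that limits it to
# MS-CHAPv2 and can be enabled on its own.
auth
#obsolete: crtscts
crtscts
# seconds of inactivity before the link is dropped
idle 1800
mtu 1410
mru 1410
nodefaultroute
# Logs negotiation details; disable once the setup works.
debug
#obsolete: lock
lock
proxyarp
# milliseconds
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html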
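# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/
#
# Restored layout: "config setup" starts in column 0 and every parameter
# under it is indented (a tab here); collapsed onto one line the first "#"
# commented out the whole file.
#
# NOTE(review): protostack and virtual_private are libreswan/openswan
# (pluto) keywords; the service commands later on this page restart
# strongswan, whose ipsec.conf does not define them - confirm which IKE
# daemon actually reads this file.

config setup
	protostack=netkey
	dumpdir=/var/run/pluto/
	# Normally, pluto logs via syslog.
	#logfile=/var/log/pluto.log
	#
	# Do not enable debug options to debug configuration issues!
	#
	# plutodebug="control parsing"
	# plutodebug="all crypt"
	# plutodebug=none
	#
	# NAT-TRAVERSAL support
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their wireless networks.
	# This range has never been announced via BGP (at least up to 2015)
	# NOTE(review): the client pool used in xl2tpd.conf (192.168.100.0/24)
	# lies inside 192.168.0.0/16 below and is not excluded; per the note
	# above that would be %v4:!192.168.100.0/24 - confirm the intended
	# server-side networks and add the exclusion.
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf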
:::info
第一行config setup必须左对齐,即前面不能有空格,否则会报错
其他每一行都必须以Tab开头,否则会报错
如果安装的是 openswan,可能需要在 config setup 之前添加 version 2.0
:::
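# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Use '/sbin/sysctl -a' to list all possible parameters.
#
# Comments are full lines only: sysctl.conf has no trailing-comment syntax,
# so text after a value is passed to the kernel as part of the value.

# Controls IP packet forwarding
# Set to 1: the VPN server forwards client traffic into the protected network.
net.ipv4.ip_forward = 1

# Controls source route verification
# NOTE(review): no value is set under this heading in this copy (the stock
# file presumably sets rp_filter here); confirm whether the kernel default
# reverse-path filter is wanted on the VPN interfaces.

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
# NOTE(review): no value is set under this heading in this copy - confirm.

# NOTE(review): a forwarding VPN gateway usually also disables ICMP redirects
# (net.ipv4.conf.all.send_redirects / net.ipv4.conf.all.accept_redirects = 0);
# not set here.

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296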
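# Prepare xl2tpd's runtime directory and (re)start both daemons.
mkdir -p /var/run/xl2tpd
# xl2tpd creates its own control file under this directory; pre-creating it
# with touch is carried over from older guides - presumably harmless, confirm
# against the installed version.
touch /var/run/xl2tpd/l2tp-control
# NOTE(review): this restarts strongswan, while the ipsec.conf shown on this
# page uses libreswan keywords (protostack, virtual_private); confirm which
# IKE daemon is installed.
service strongswan restart
service xl2tpd restart

## Connect the VPN
# Bring up the IPsec SA first, then ask xl2tpd to connect the L2TP tunnel.
# The original had no space after "echo", which runs a non-existent command
# instead of writing to the control file.
# "c myvpn" refers to a [lac myvpn] section in xl2tpd.conf; the xl2tpd.conf
# on this page defines only an LNS, so that client section is still needed -
# confirm.
strongswan up myvpn
echo "c myvpn" > /var/run/xl2tpd/l2tp-control

## Disconnect the VPN
# Tear down L2TP first, then the IPsec SA.
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn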
扩展知识
比较一下现在主流VPN协议的优缺点
PPTP
点对点隧道协议(英语:Point to Point Tunneling Protocol,缩写为PPTP)是实现虚拟专用网(VPN)的方式之一。PPTP使用传输控制协议(TCP)创建控制通道来发送控制命令,以及利用通用路由封装(GRE)通道来封装点对点协议(PPP)数据包以发送资料。这个协议最早由微软等厂商主导开发,但因为它的加密方式容易被破解,微软已经不再建议使用这个协议。