CentOSにL2TP/IPSECサーバを構築する

CentOSにL2TP/IPSECサーバを立てて、PCやスマートフォンを接続する

IPSECにはOpenswan(https://www.openswan.org)を使う
L2TPにはxl2tpd(https://www.xelerance.com/services/software/xl2tpd/)を使う

Openswanインストール

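# yum install gcc.x86_64 nss.x86_64 nss-devel.x86_64 nss-tools.x86_64 ppp.x86_64 gmp-devel.x86_64 flex.x86_64 bison.x86_64 libpcap-devel.x86_64
# NOTE: download with TLS verification left on. "--no-check-certificate" makes wget accept any
# certificate, so a tampered tarball served on the way would go unnoticed. If this host cannot
# validate the site's certificate, fix the CA bundle (yum install ca-certificates) rather than
# disabling the check, and compare the tarball with the checksum/signature the project publishes
# before building it.
# wget https://download.openswan.org/openswan/openswan-2.6.38.tar.gz
# tar xf openswan-2.6.38.tar.gz
# cd openswan-2.6.38/
# cp -ip Makefile.inc Makefile.inc.org
# vi Makefile.inc
# diff Makefile.inc.org Makefile.inc
372c372
< USE_LIBNSS?=false
---
> USE_LIBNSS?=true
# make programs
# make install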

ipsecの設定

# vi /etc/ipsec.secrets
# Pre-shared keys for Openswan. Anyone who can read this file can impersonate the
# server or a client, so keep it owned by root and not readable by other users.
include /etc/ipsec.d/*.secrets
# An empty selector before ":" means this PSK is used for every peer. Replace the
# placeholder with a long, randomly generated secret, not a dictionary word.
: PSK "xxxxxxxxxxxxxxxx"

# vi /etc/ipsec.conf
# Global Openswan setup; the connection definitions are pulled in from
# /etc/ipsec.d/*.conf by the include at the end.
version 2.0
config setup
# NOTE(review): ipsec.conf(5) lays out section parameters indented under their
# header; confirm this parser version accepts them at column 0 as written here.
dumpdir=/var/run/pluto/
# NAT traversal so clients behind home or mobile NAT can reach the server.
nat_traversal=yes
# Address ranges a NATed client may present as its private address.
# 25.0.0.0/8 is not an RFC 1918 range -- confirm it is intended before keeping it.
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# Opportunistic encryption off: only the explicitly configured connections are negotiated.
oe=off
protostack=auto
include /etc/ipsec.d/*.conf

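# vi /etc/ipsec.d/l2tp.conf
# Transport-mode IPsec for L2TP (UDP 1701) authenticated with the PSK from
# /etc/ipsec.secrets. Clients behind NAT match L2TP-PSK-NAT, which pulls the
# shared settings from L2TP-PSK-noNAT through "also".
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
# Dead-peer detection for iOS clients: probe every 10 s, give up after 20 s,
# then clear the stale SA.
dpddelay=10
dpdtimeout=20
dpdaction=clear
# end of the iOS-specific settings
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
# PFS disabled for client compatibility. Without it a later compromise of the
# IKE keys can expose recorded sessions, so keep the PSK strong and rotate it.
pfs=no
# Load the connection at startup but only respond to incoming negotiations.
auto=add
keyingtries=3
ikelifetime=8h
# The original had "keylife=h", which is not a valid duration; 1h is assumed to
# be the intended value -- adjust to local policy.
keylife=1h
type=transport
# Replace the whole placeholder with the server's public IP address.
left=#ここに鯖のIP.各自置換すること#
leftprotoport=17/1701
right=%any
rightprotoport=17/%any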

xl2tpdインストール

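# NOTE: keep TLS verification on for the download instead of passing "--no-check-certificate";
# with the check disabled any certificate is accepted and a substituted tarball would not be
# noticed. Fix the CA bundle (yum install ca-certificates) if validation fails, and check the
# tarball against the checksum/signature published by the project before building.
# wget https://download.openswan.org/xl2tpd/xl2tpd-1.3.1.tar.gz
# tar xf xl2tpd-1.3.1.tar.gz
# cd xl2tpd-1.3.1
# make
# make install
# cp packaging/fedora/xl2tpd.init /etc/init.d/xl2tpd
# chmod +x /etc/init.d/xl2tpd
# ln -s /usr/local/sbin/xl2tpd /usr/sbin/xl2tpd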

l2tpの設定

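; /etc/xl2tpd/xl2tpd.conf
; xl2tpd listens on UDP 1701 and will also accept plain (non-IPsec) L2TP there,
; so the firewall must only admit 1701 from IPsec-protected traffic; otherwise
; the IPsec layer can be bypassed entirely.

[global]
; bind only to the server's IP; replace the placeholder with the address.
; (the original line had no "=", which the key = value format of this file needs)
listen-addr = #鯖のIP.#

[lns default]
; addresses handed out to clients, and the server's own address on the link
ip range = 192.168.100.2-192.168.100.254
local ip = 192.168.100.1
; every client must authenticate at the PPP layer, and cleartext PAP is refused
require authentication = yes
refuse pap = yes
name = linux-vpn
; verbose PPP logging; turn it off once the setup works
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tp.lns
length bit = yes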

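# vi /etc/ppp/options.l2tp.lns
# pppd options for the L2TP server side (referenced from xl2tpd.conf via pppoptfile).

# local name used when looking up entries in /etc/ppp/chap-secrets
name linux-vpn
ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to clients (Google public DNS); use internal resolvers if
# clients need to resolve internal names
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# no CCP (compression/MPPE negotiation); the link is already protected by IPsec
noccp
# the peer must authenticate
auth
# serial flow-control option; appears to have no effect on an L2TP link
crtscts
# the original had "idel 1800", which pppd does not know; the option is "idle":
# drop the link after 1800 s without traffic
idle 1800
mtu 1454
mru 1454
nodefaultroute
# verbose negotiation logging to the logfile below; disable once the setup works
debug
lock
proxyarp
connect-delay 5000
# only MS-CHAPv2 is accepted; PAP, CHAP and MS-CHAPv1 are refused. MS-CHAPv2 is
# weak on its own and is acceptable here only because IPsec protects the exchange.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
logfile /var/log/xl2tpd.log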

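# vi /etc/ppp/chap-secrets
# pppd reads /etc/ppp/chap-secrets (plural); the original named "chap-secret",
# which pppd does not read. Secrets are stored in cleartext, so keep this file
# owned by root with mode 600.

# name server-name password(secret) IP address
# "*" as server-name accepts this client for any server name; "*" as IP address
# lets the client take any address from the pool.
hoge * huga *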

iptables設定

# vi iptables