CentOSにL2TP/IPSECサーバを構築する
CentOSにL2TP/IPSECサーバを立てて、PCやスマートフォンを接続する
IPSECにはOpenswan(https://www.openswan.org)を使う
L2TPにはxl2tpd(https://www.xelerance.com/services/software/xl2tpd/)を使う
Openswanインストール
# yum install gcc.x86_64 nss.x86_64 nss-devel.x86_64 nss-tools.x86_64 ppp.x86_64 gmp-devel.x86_64 flex.x86_64 bison.x86_64 libpcap-devel.x86_64
# wget --no-check-certificate https://download.openswan.org/openswan/openswan-2.6.38.tar.gz
（--no-check-certificate はTLS証明書の検証を無効にするため、取得したtarballは配布元が公開しているハッシュ値や署名があればそれで検証してから展開すること。後述のxl2tpdのwgetも同様）
# tar xf openswan-2.6.38.tar.gz
# cd openswan-2.6.38/
# cp -ip Makefile.inc Makefile.inc.org
# vi Makefile.inc
# diff Makefile.inc.org Makefile.inc
372c372
< USE_LIBNSS?=false
---
> USE_LIBNSS?=true
# make programs
# make install
ipsecの設定
# vi /etc/ipsec.secrets
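include /etc/ipsec.d/*.secrets
# An entry with nothing before the ':' is the default key for every peer, so
# all L2TP clients share this one PSK. Replace the placeholder with a long,
# randomly generated value, and keep this file readable by root only -- the
# key is stored in clear text.
: PSK "xxxxxxxxxxxxxxxx"
# vi /etc/ipsec.conf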
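version 2.0
config setup
        # Openswan expects a section's parameters to be indented; only the
        # section keyword ('config setup', 'conn ...') starts in column 0.
        dumpdir=/var/run/pluto/
        # clients will usually sit behind NAT, so UDP encapsulation (NAT-T) is needed
        nat_traversal=yes
        # inner address ranges a NAT'ed client may use; referenced from the
        # conn definitions as vhost:%priv.
        # NOTE(review): 25.0.0.0/8 is not an RFC 1918 range -- confirm it is intended.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # opportunistic encryption is not used in a road-warrior L2TP setup
        oe=off
        protostack=auto
include /etc/ipsec.d/*.conf
# vi /etc/ipsec.d/l2tp.conf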
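# Connection for clients behind NAT: the client's inner address may be any host
# from the virtual_private ranges declared in ipsec.conf (vhost:%priv).
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        # Dead Peer Detection; the original note marks these three settings as
        # being for iOS devices. Probe every 10 s, declare the peer dead after
        # 20 s and clear its SA.
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear
        # everything else is inherited from L2TP-PSK-noNAT
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        # peers authenticate with the pre-shared key from ipsec.secrets
        authby=secret
        # no Perfect Forward Secrecy in phase 2 -- presumably for client
        # compatibility; confirm before relaxing or tightening
        pfs=no
        # load the conn at startup and wait for clients to initiate
        auto=add
        keyingtries=3
        ikelifetime=8h
        # The original read 'keylife=h', which is not a valid duration; 1h is
        # Openswan's documented default. Adjust if another lifetime was intended.
        keylife=1h
        # L2TP/IPsec protects the L2TP UDP traffic in transport mode
        type=transport
        # server's own address -- replace the placeholder
        left=#ここに鯖のIP.各自置換すること#
        # UDP (17) port 1701 on the server, any source port on the client
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any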
xl2tpdインストール
# wget --no-check-certificate https://download.openswan.org/xl2tpd/xl2tpd-1.3.1.tar.gz
# tar xf xl2tpd-1.3.1.tar.gz
# cd xl2tpd-1.3.1
# make
# make install
# cp packaging/fedora/xl2tpd.init /etc/init.d/xl2tpd
# chmod +x /etc/init.d/xl2tpd
# ln -s /usr/local/sbin/xl2tpd /usr/sbin/xl2tpd
l2tpの設定
# /etc/xl2tpd/xl2tpd.conf
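[global]
; address the daemon listens on; replace the placeholder with the server's own IP
listen-addr = #鯖のIP.#

[lns default]
; address pool handed out to clients, and the server-side tunnel address
ip range = 192.168.100.2-192.168.100.254
local ip = 192.168.100.1
; clients must authenticate; PAP (clear-text passwords) is refused
require authentication = yes
refuse pap = yes
; local name; the same value is used for pppd's 'name' option
name = linux-vpn
; verbose PPP logging -- useful while setting up, noisy afterwards
ppp debug = yes
; pppd options file applied to every L2TP session
pppoptfile = /etc/ppp/options.l2tp.lns
; include the length field in L2TP packets
length bit = yes
# vi /etc/ppp/options.l2tp.lns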
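# pppd options for xl2tpd sessions (referenced by pppoptfile in xl2tpd.conf)
# local name used when looking up secrets; same value as 'name' in xl2tpd.conf
name linux-vpn
# accept the peer's proposal for our local / its remote address during IPCP
ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to the client
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# do not negotiate the Compression Control Protocol
noccp
# the peer must authenticate before network protocols are started
auth
# serial hardware flow control; presumably a no-op on xl2tpd's pseudo-terminal
crtscts
# drop the link after 1800 s without traffic ('idel' in the original is not
# an option pppd recognises)
idle 1800
# presumably sized for the server's uplink; verify against the path MTU
mtu 1454
mru 1454
# keep the server's own default route
nodefaultroute
# verbose negotiation logging to the logfile below; consider removing once
# the setup works
debug
# UUCP-style lock file for the tty
lock
# publish an ARP entry for the client so LAN hosts can reach it
proxyarp
# wait up to 5000 ms for the first valid PPP packet from the peer
connect-delay 5000
# only MS-CHAPv2 is accepted for client authentication
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
logfile /var/log/xl2tpd.log
# vi /etc/ppp/chap-secrets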
# name server-name password(secret) IP address
# pppd reads this table from /etc/ppp/chap-secrets; each line is
# client-name, server-name, secret, allowed-IP, and '*' matches anything.
# The entry below is a placeholder (user 'hoge', password 'huga'). Secrets
# are stored in clear text, so keep the file readable by root only.
hoge * huga *
iptables設定
# vi iptables