Ubuntu 16.04: L2TP/IPsec VPN server with strongSwan and xl2tpd (PSK authentication)

Submitted by lepton on Wed, 05/23/2018 - 08:38

# Install the IKE/IPsec daemon (strongSwan), the L2TP daemon (xl2tpd) and pppd,
# which together provide the L2TP/IPsec server configured in the files below.
sudo apt-get install strongswan xl2tpd ppp

/etc/ipsec.conf

# Parameters inside a conn section must be indented, otherwise strongSwan will
# not parse the file. No ike=/esp= lines are given here, so strongSwan's default
# proposals apply; set them explicitly if you need to control the algorithms.
conn L2TP-PSK
    type=transport        # L2TP/IPsec protects the L2TP packets in transport mode
    authby=psk            # pre-shared key, defined in /etc/ipsec.secrets
    keyexchange=ikev1     # L2TP/IPsec clients (Windows, macOS/iOS, Android) use IKEv1
    keyingtries=3
    rekey=no
    left=192.168.5.105    # this server's own local IP address -- replace with yours
    right=%any            # accept connections from any client address
    auto=add              # load the conn and wait for clients to initiate

/etc/ipsec.secrets

# Example value only. Use a long random secret (e.g. from `openssl rand -base64 32`)
# and keep this file readable by root only. The empty left-hand side before ":"
# means this single PSK is shared by every client that connects.
: PSK "12345678"

/etc/xl2tpd/xl2tpd.conf

[lns default] ; Our fallthrough LNS definition

ip range = 192.168.2.2-192.168.2.20 ; * Allocate client addresses from this range (the NAT rule below must cover this network)

local ip = 192.168.2.1 ; * Our local IP on the PPP links

length bit = yes ; * Use length bit in payload?

name = l2tpd ; * Report this as our hostname

ppp debug = yes ; * Turn on PPP debugging

pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file

 

/etc/ppp/options.l2tpd

require-mschap-v2

ms-dns 8.8.4.4

lcp-echo-interval 10

lcp-echo-failure 3

noauth          # NOTE: turns off the peer-authentication requirement that
                # require-mschap-v2 above turns on. Which setting wins depends on
                # pppd's option handling -- confirm on your build, and remove
                # noauth if clients must present credentials (/etc/ppp/chap-secrets).

refuse-pap

refuse-eap

refuse-chap

refuse-mschap

debug                          # verbose PPP negotiation logging; turn off once the link works

logfile /var/log/xl2tpd.log

 

 

iptables rules for xl2tpd: accept L2TP (UDP/1701) only inside IPsec, reject plaintext L2TP

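# Accept L2TP (UDP/1701) only when the packet arrived inside an IPsec SA
# (-m policy --pol ipsec) and reject anything else on that port, so a client
# can never bring up an unencrypted L2TP tunnel. The OUTPUT rules apply the
# same policy to the server's replies.
# If your INPUT chain defaults to DROP, IKE (udp/500), NAT-T (udp/4500) and
# ESP (IP protocol 50) must be allowed as well or the IPsec SA never comes up.
iptables -t filter -A INPUT  -p udp -m policy --dir in  --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables -t filter -A INPUT  -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable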

 

 

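# Enable IPv4 forwarding now so VPN clients can reach networks beyond the server.
echo 1 > /proc/sys/net/ipv4/ip_forward

# To keep forwarding enabled across reboots, add the following to
# /etc/sysctl.conf (then apply it with `sysctl -p`):
#
#   # Controls IP packet forwarding
#   net.ipv4.ip_forward = 1

# NAT client traffic out of eth0. The source network must match the pool
# handed out in xl2tpd.conf (192.168.2.2-192.168.2.20, local ip 192.168.2.1),
# i.e. 192.168.2.0/24. The original rule used 192.168.19.1/24, which matches
# none of those clients, so their traffic would leave un-NATed.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE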

 
