Set up L2TP/IPsec VPN on Debian

Set up IPsec
Set up networking

cat <>/etc/sysctl.conf
 net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0

EOF

NOTE: On DigitalOcean, also:
cat <>/etc/sysctl.conf

net.ipv4.conf.ip_vti0.rp_filter=0

EOF
Reload config:

sysctl -p

Install Libreswan

Install dependencies:

apt-get install -y libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev libnss3-tools

Build and install Libreswan:

wget https://download.libreswan.org/libreswan-3.12.tar.gz
tar zxvf libreswan-3.12.tar.gz
cd libreswan-3.12
make programs
make install

Set up Libreswan

Set up pre-shared key authentication:

cat </etc/ipsec.d/l2tp-psk.conf

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
# Use a Preshared Key. Disable Perfect Forward Secrecy.
authby=secret
pfs=no
auto=add
keyingtries=3
# we cannot rekey for %any, let client rekey
rekey=no
# Apple iOS doesn't send delete notify so we need dead peer detection
# to detect vanishing clients
dpddelay=10
dpdtimeout=90
dpdaction=clear
# Set ikelifetime and keylife to same defaults windows has
ikelifetime=8h
keylife=1h
# l2tp-over-ipsec is transport mode
type=transport
#
# left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
left=%defaultroute
#
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
#
# The remote user.
#
right=%any
# Using the magic port of "%any" means "any one single port". This is
# a work around required for Apple OSX clients that use a randomly
# high port.
rightprotoport=17/%any

EOF

cat <>/etc/ipsec.conf

include /etc/ipsec.d/l2tp-psk.conf

EOF

cat </etc/ipsec.secrets

%any: PSK "__PRE_SHARED_KEY__"

EOF
chmod 600 /etc/ipsec.secrets

NOTE: On Ubuntu 14.04, also:

ipsec initnss

Start IPSec

NOTE: On Debian jessie, first:

systemctl enable xl2tpd.service

ipsec setup start
ipsec verify

Set up PPP
Install PPP

apt-get install -y xl2tpd

Set up PPP

cat </etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 10.1.10.2-10.1.10.255
local ip = 10.1.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes

EOF

cp /etc/ppp/options /etc/ppp/xl2tpd-options
cat <>/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4

EOF

cat </etc/ppp/chap-secrets
__USERNAME__ * __PASSWORD__ *

EOF
chmod 600 /etc/ppp/chap-secrets

NOTE: May have to use local DNS servers.
Start PPP

On Ubuntu 14.04:

/etc/init.d/xl2tpd start

On Debian jessie:

systemctl enable xl2tpd.service
systemctl start xl2tpd.service

Set up firewall

For now:

iptables --table nat --append POSTROUTING --jump MASQUERADE

For later:

cat <>/etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE

EOF

 

Источник

Запись опубликована в рубрике *Unix,*Linux, *Сети. Добавьте в закладки постоянную ссылку.

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *

Я не спамер This plugin created by Alexei91