Setting up an L2TP/IPsec server on CentOS 7


1. Deployment overview

1.1 System environment

  • Deployment host: 192.168.1.72
  • Operating system: CentOS 7
  • ppp 2.4.5 (ships with the system, no install needed)
  • libreswan 3.25
  • xl2tpd 1.3.15

2. Deployment steps

2.1 Install dependencies

Install the EPEL repository, then libreswan and xl2tpd:

yum install -y epel-release
yum remove -y libreswan
yum install -y libreswan
yum remove -y xl2tpd
yum install -y xl2tpd

2.2 Configuration

2.2.1 xl2tpd configuration

  • Edit /etc/xl2tpd/xl2tpd.conf:
[global]

[lns default]
# client address range
ip range = 192.168.18.128-192.168.18.254
local ip = 192.168.18.99
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
  • Edit /etc/ppp/options.xl2tpd:
+mschap-v2
ipcp-accept-local
ipcp-accept-remote
noccp
auth
mtu 1280
mru 1280
proxyarp
lcp-echo-failure 4
lcp-echo-interval 30
connect-delay 5000
ms-dns 8.8.8.8
ms-dns 8.8.4.4
  • Set the VPN username and password in /etc/ppp/chap-secrets:
# Secrets for authentication using CHAP
# username  server  password   IP addresses
"admin"     l2tpd   "test123"  *

The server field can also be set to *.

2.2.2 IPsec configuration

  • Edit the IPsec configuration file /etc/ipsec.conf so that it contains the following:
config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  interfaces=%defaultroute
  uniqueids=no

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.19.10-192.168.19.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  fragmentation=yes
  cisco-unity=yes
  also=shared

include /etc/ipsec.d/*.conf
  • Set the IPsec pre-shared key (PSK) by creating /etc/ipsec.d/default.secrets with the following content:
%any  %any  : PSK "psk123"

The configuration above sets the pre-shared key to psk123.
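Both conn sections in the ipsec.conf above carry also=shared, but no conn shared section appears in the listing. The following POSIX sh/awk check is an added example (not part of the original post) that reports every also=NAME reference whose conn NAME section is missing from the file; it assumes section headers ("config setup", "conn NAME") start in column 0, as they do in the listing.

```shell
#!/bin/sh
# Added example, not from the original post: report "also=NAME" references in
# an ipsec.conf whose "conn NAME" section is not defined anywhere in the file.
# Assumes section headers start in column 0 and option lines are indented.
ipsec_conf_dangling_also() {
  # $1: path to the ipsec.conf-style file to check
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                     # comments, blank lines
    /^conn[ \t]+/   { defined[$2] = 1; cur = $2; next }   # conn NAME header
    /^config[ \t]+/ { cur = ""; next }                    # config setup header
    /^[ \t]*also[ \t]*=/ {                                # also=NAME inside a conn
      v = $0
      sub(/^[ \t]*also[ \t]*=[ \t]*/, "", v)
      sub(/[ \t]+$/, "", v)
      refconn[++n] = cur; refname[n] = v
      next
    }
    END {
      # also= may point forward, so resolve only after the whole file is read
      for (i = 1; i <= n; i++)
        if (!(refname[i] in defined))
          print "conn " refconn[i] ": also=" refname[i] " is not defined"
    }
  ' "$1"
}

# Usage: ./check_also.sh /etc/ipsec.conf   (prints nothing when all references resolve)
if [ -n "${1:-}" ]; then
  ipsec_conf_dangling_also "$1"
fi
```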

2.2.3 Firewall configuration

Run the following commands to open the required ports and services:

firewall-cmd --permanent --add-service=ipsec      # allow the ipsec service (created automatically at install time)
firewall-cmd --permanent --add-port=1701/udp      # xl2tpd port, default 1701
firewall-cmd --permanent --add-port=4500/udp      # IKE NAT-T, 4500/udp
firewall-cmd --permanent --add-port=500/udp       # IKE, 500/udp
firewall-cmd --permanent --add-masquerade         # enable NAT (masquerading) for forwarded traffic

# reload the firewall configuration
firewall-cmd --reload

2.2.4 Kernel forwarding configuration

Edit /etc/sysctl.conf and add the following:

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.eth1.rp_filter=0
net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

Run sysctl -p to load the kernel parameters.

2.3 Start the services

2.3.1 Start ipsec

Enable the service at boot and start it:

systemctl enable ipsec && systemctl start ipsec

Check the IPsec configuration with ipsec verify; as long as the output (shown below) contains no [NOT DISABLED] entries it is acceptable:

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.25 (netkey) on 3.10.0-1160.15.2.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/br-6759599cc678/rp_filter      [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/docker0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ens160/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/veth15604e6/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/veth18777df/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/veth36cb8fa/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/veth622b943/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/veth6ac2c32/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/veth9225618/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/vetha4ec649/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/vethca4325e/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/vethd3bf2c9/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/vethf74223d/rp_filter          [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OBSOLETE]
  003 WARNING: using a weak secret (PSK)
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OBSOLETE KEYWORD]
warning: could not open include filename: '/etc/ipsec.d/*.conf'

ipsec verify: encountered 31 errors - see 'man ipsec_verify' for help
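The verify output above still reports rp_filter [ENABLED] on ens160, docker0 and every veth interface: the sysctl lines in 2.2.4 only cover all, eth0 and eth1, and the kernel applies the maximum of conf/all/rp_filter and conf/<iface>/rp_filter, so the per-interface values still win. The following POSIX sh script is an added example (not from the original post) that lists every interface whose rp_filter is still on and emits the sysctl lines that would turn it off; it reads /proc/sys/net/ipv4/conf by default, and the optional directory argument exists only so it can be tested offline.

```shell
#!/bin/sh
# Added example, not from the original post: find interfaces whose rp_filter
# is still enabled and print the sysctl.conf lines that disable it.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter), so
# net.ipv4.conf.all.rp_filter=0 alone does not help while docker0, veth*
# or ens160 still have rp_filter=1, which is what "ipsec verify" reported.

# Print "<iface>=<value>" for every interface whose rp_filter is not 0.
# $1: base directory, default /proc/sys/net/ipv4/conf (a temp dir in tests).
rp_filter_enabled() {
  base="${1:-/proc/sys/net/ipv4/conf}"
  for f in "$base"/*/rp_filter; do
    [ -r "$f" ] || continue          # unmatched glob or unreadable entry
    v=$(cat "$f")
    if [ "$v" != "0" ]; then
      echo "$(basename "$(dirname "$f")")=$v"
    fi
  done
  return 0
}

# Turn that list into sysctl.conf lines, one per offending interface.
rp_filter_sysctl_lines() {
  rp_filter_enabled "${1:-}" | while IFS='=' read -r iface v; do
    echo "net.ipv4.conf.$iface.rp_filter=0"
  done
}

# Usage: ./rp_filter_check.sh [conf-dir]   then append the output to /etc/sysctl.conf
rp_filter_sysctl_lines "${1:-}"
```

Re-run ipsec verify after sysctl -p; interfaces created later (new docker veth pairs) inherit net.ipv4.conf.default.rp_filter, which the page's sysctl list does not set.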

2.3.2 Start xl2tpd

Enable the service at boot and start it:

systemctl enable xl2tpd && systemctl start xl2tpd

3. Client connection

4. FAQ

4.1 The L2TP-VPN server did not respond

When connecting from a Mac, the client reports "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your administrator." Solution: edit the /etc/ppp/options file and add l2tpnoipsec (this makes the Mac client use plain L2TP without the IPsec layer, so the tunnel is then unencrypted):

plugin L2TP.ppp
l2tpnoipsec