Configuring an L2TP VPN client on Debian
2014-06-21 22:06:17 阿炯

xl2tpd is an L2TP client for Linux. Its configuration is fairly simple, and the configuration can be found at this link

xl2tpd - Layer 2 Tunnelling Protocol Daemon

A Layer 2 Tunneling Protocol VPN client/daemon for Linux and other POSIX-based OSs. Based off of L2TPd.

You will need the local IP address (ifconfig) and the default route (ip ro).

Networking options
IPsec user configuration interface
PF_KEY sockets
TCP/IP networking
 IP: AH transformation
 IP: ESP transformation
 IP: IPComp transformation
 IP: tunnel transformation
Cryptographic options
 HMAC support
 MD5 digest algorithm
 SHA1 digest algorithm
 DES and Triple DES EDE cipher algorithms

You also need the VPN server's IP address. The configuration must be done as root.

Install the required packages:
apt-get -y install openswan xl2tpd

Edit the '/etc/ipsec.conf' configuration file:
config setup
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
 nat_traversal=yes
 protostack=netkey
 oe=no

# Replace wlan0 with your network interface
 plutoopts="--interface=wlan0"
conn L2TP-PSK
 authby=secret
 pfs=no
 auto=add
 keyingtries=3
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
 rekey=yes
 ikelifetime=8h
 keylife=1h
 type=transport
# Replace IP address with your local IP
 left=172.16.17.3
 leftnexthop=%defaultroute
 leftprotoport=17/1701
# Replace IP address with your VPN server's IP
 right=68.68.132.45
 rightprotoport=17/1701

Edit /etc/ipsec.secrets: you need to add one line there, replacing the first IP with your local IP, the second with your VPN server's IP, and putting the appropriate pre-shared key between the quotes (listed in the customer area).
In practice it is a single line: the first column is the local IP address, the second is the VPN server address, then a ":", followed by the PSK (pre_shared_key).
172.16.17.3 68.68.132.45 : PSK "your_pre_shared_key"

Edit the '/etc/xl2tpd/xl2tpd.conf' configuration file and add a server definition:
[lac freeoa]
lns = 68.68.132.45
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

The first thing to do before editing a configuration file is to back up the original. The stock xl2tpd.conf contains an [lns default] section, which appears to be the key statement for running xl2tpd as an L2TP server. The approach below also works.

To use xl2tpd as an L2TP client, you can also delete everything in xl2tpd.conf and add the following lines:
[lac freeoa]
name = l2tp_user_name ; L2TP account name
lns = 192.168.11.1 ; IP of the L2TP server
pppoptfile = /etc/ppp/peers/freeoa.l2tpd  ; configuration file used by pppd when dialling (my own guess at this meaning, not sure it is right)
ppp debug = yes

The pppoptfile holds the connection details for the specific VPN server; its contents are as follows:

Create the '/etc/ppp/options.l2tpd.client' file; it mainly defines the login username and password.
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
replacedefaultroute
usepeerdns
debug
lock
connect-delay 5000
name your_vpn_username
password your_password

Restart openswan and xl2tpd:
invoke-rc.d ipsec restart
invoke-rc.d xl2tpd restart

Now you can dial the VPN. Started this way, xl2tpd automatically looks for the configuration file /etc/xl2tpd/xl2tpd.conf; if the configuration file has another name, it has to be run by hand:
# xl2tpd -c "/path/config_file"
If you use this method, make sure the directory /var/run/xl2tpd/ exists. You can see why by looking at /etc/init.d/xl2tpd: if the directory does not exist, the script creates it. Running it by hand this way is how you can debug the configuration file.

ipsec auto --up L2TP-PSK
echo "c freeoa" > /var/run/xl2tpd/l2tp-control

Close the connection:
echo "d freeoa" > /var/run/xl2tpd/l2tp-control
ipsec auto --down L2TP-PSK

Note that 'freeoa' and 'L2TP-PSK' are identifiers used in appropriate config files.
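The dial-up and tear-down commands above, wrapped in a script with the checks a practitioner would run before dialling. This is an added example for this post, not code from xl2tpd, openswan or the original author. It assumes the identifiers used above (connection L2TP-PSK, LAC freeoa, /etc/ipsec.secrets, /etc/ppp/options.l2tpd.client, /var/run/xl2tpd) and the placeholder strings your_pre_shared_key and your_password from the sample files; the permission check and the file-format patterns are my own, and the environment overrides exist so the checks can be exercised on copies of the files.

```shell
#!/bin/sh
# l2tp-vpn.sh: bring the L2TP/IPsec connection described above up or down.
# Added example for this post; it is not part of xl2tpd or openswan.
# Assumed from the post: IPsec conn "L2TP-PSK", xl2tpd LAC "freeoa", and the
# credential files /etc/ipsec.secrets and /etc/ppp/options.l2tpd.client.
# Every path is overridable through the environment so the checks can be
# run against copies of the files without touching the live system.

IPSEC_CONN="${IPSEC_CONN:-L2TP-PSK}"
LAC_NAME="${LAC_NAME:-freeoa}"
SECRETS="${SECRETS:-/etc/ipsec.secrets}"
PPP_OPTS="${PPP_OPTS:-/etc/ppp/options.l2tpd.client}"
RUN_DIR="${RUN_DIR:-/var/run/xl2tpd}"

# file_is_private FILE: true if FILE exists and has no group/other permission
# bits. Both the PSK and the PPP password sit in clear text in these files,
# so anything looser than 0600 hands them to every local account.
file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# secrets_file_ok FILE: true if FILE carries a line in the shape the post
# uses (local-ip server-ip : PSK "key") and the key is not the placeholder.
secrets_file_ok() {
    grep -Eq '^[0-9]+(\.[0-9]+){3} +[0-9]+(\.[0-9]+){3} +: +PSK +"[^"]+"' "$1" || return 1
    ! grep -q 'your_pre_shared_key' "$1"
}

# pppopts_ok FILE: true if the pppd options file still requires MS-CHAPv2
# and the password placeholder from the post was replaced with a real one.
pppopts_ok() {
    grep -q '^require-mschap-v2' "$1" || return 1
    grep -q '^password ' "$1" || return 1
    ! grep -q '^password your_password' "$1"
}

# preflight: run every check and name the first failing one, so a bad config
# does not turn into a silent hang at dial time. The run directory is created
# because xl2tpd started with -c (outside the init script) does not create it.
preflight() {
    for f in "$SECRETS" "$PPP_OPTS"; do
        file_is_private "$f" || { echo "preflight: $f must exist and be mode 0600" >&2; return 1; }
    done
    secrets_file_ok "$SECRETS" || { echo "preflight: $SECRETS has no usable PSK line" >&2; return 1; }
    pppopts_ok "$PPP_OPTS" || { echo "preflight: $PPP_OPTS still has placeholder credentials" >&2; return 1; }
    mkdir -p "$RUN_DIR"
}

vpn_up() {
    preflight || return 1
    ipsec auto --up "$IPSEC_CONN" || return 1      # IPsec SA first ...
    echo "c $LAC_NAME" > "$RUN_DIR/l2tp-control"   # ... then the L2TP call
}

vpn_down() {
    echo "d $LAC_NAME" > "$RUN_DIR/l2tp-control"
    ipsec auto --down "$IPSEC_CONN"
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    "")   : ;;                                   # sourced or run bare: define only
    *)    echo "usage: $0 up|down" >&2 ;;
esac
```

Run it as `sh l2tp-vpn.sh up` and `sh l2tp-vpn.sh down`; the ordering inside vpn_up and vpn_down is the same as the commands above (IPsec up before the L2TP call, L2TP down before IPsec down).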

The commands above can be added to '/etc/rc.local' so that the connection is brought up automatically at boot.

From starting xl2tpd through to dialling, the whole process can be followed in the log:
tail -f /var/log/messages ## this may be /var/log/syslog instead
Here is the log output:
Jun 28 09:32:18 localhost xl2tpd[10578]: setsockopt recvref[22]: Protocol not available
Jun 28 09:32:18 localhost xl2tpd[10578]: This binary does not support kernel L2TP.
Jun 28 09:32:18 localhost xl2tpd[10579]: xl2tpd version xl2tpd-1.2.6 started on localhost.localdomain PID:10579
Jun 28 09:32:18 localhost xl2tpd[10579]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jun 28 09:32:18 localhost xl2tpd[10579]: Forked by Scott Balmos and David Stipp, (C) 2001
Jun 28 09:32:18 localhost xl2tpd[10579]: Inherited by Jeff McAdams, (C) 2002
Jun 28 09:32:18 localhost xl2tpd[10579]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jun 28 09:32:18 localhost xl2tpd[10579]: Listening on IP address 0.0.0.0, port 1701
Jun 28 09:32:41 localhost xl2tpd[10579]: Connecting to host 192.168.11.2, port 1701
Jun 28 09:32:41 localhost xl2tpd[10579]: Connection established to 192.168.11.2, 1701.  Local: 6187, Remote: 3 (ref=0/0).
Jun 28 09:32:41 localhost xl2tpd[10579]: Calling on tunnel 6187
Jun 28 09:32:41 localhost xl2tpd[10579]: Call established with 192.168.11.2, Local: 63360, Remote: 3, Serial: 1 (ref=0/0)
########### above: xl2tpd startup ###################
Jun 28 09:32:41 localhost pppd[10580]: pppd 2.4.4 started by root, uid 0
Jun 28 09:32:41 localhost pppd[10580]: Using interface ppp0
Jun 28 09:32:41 localhost pppd[10580]: Connect: ppp0 <--> /dev/pts/5
Jun 28 09:32:45 localhost pppd[10580]: CHAP authentication succeeded: Login OK, welcom!
Jun 28 09:32:45 localhost pppd[10580]: CHAP authentication succeeded
Jun 28 09:32:45 localhost pppd[10580]: local  IP address 172.16.101.100
Jun 28 09:32:45 localhost pppd[10580]: remote IP address 172.16.101.1
########### above: dialling, obtained the IP assigned by the server #################
Jun 28 09:34:14 localhost xl2tpd[10579]: Disconnecting from 192.168.11.2, Local: 6187, Remote: 3
Jun 28 09:34:14 localhost pppd[10580]: Modem hangup
Jun 28 09:34:14 localhost pppd[10580]: Connect time 1.5 minutes.
Jun 28 09:34:14 localhost pppd[10580]: Sent 0 bytes, received 0 bytes.
Jun 28 09:34:14 localhost xl2tpd[10579]: Connection 3 closed to 192.168.11.2, port 1701 (Goodbye!)
Jun 28 09:34:14 localhost xl2tpd[10579]: Can not find tunnel 6187 (refhim=0)
Jun 28 09:34:39 localhost xl2tpd[10579]: death_handler: Fatal signal 15 received 


[Troubleshooting]

The problem was with my ipsec.conf file (not shown) in which I had the lines:

left=10.0.50.20 # my local IP address
leftnexthop=%defaultroute

The problem appeared to be that after I set my VPN as the default route, it would attempt to send packets destined for the VPN server through the VPN, causing a nice feedback loop. Modifying these lines to read

left=10.0.50.20          # my local IP address
leftnexthop=10.0.50.1    # my local gateway

and adding static routes to the routing table pointing traffic to the VPN server through eth0 instead of ppp0 appears to have solved the problem.


Once the L2TP connection is up, if traffic is to leave through the ppp0 interface, a route needs to be configured:

route add -net default dev ppp0
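The routing step above is exactly where the feedback loop from the troubleshooting note comes from: once the default route points into the tunnel, the encapsulated packets to the VPN server itself would follow it too. The script below, an added example for this post and not part of xl2tpd, openswan or pppd, does the switch in three guarded steps: pin a host route to the server through the physical gateway, move the default route onto ppp0 only once that pin exists, and restore the original default route afterwards. It assumes the server address 68.68.132.45 and interface ppp0 from this post, reads the live table with `ip route` from iproute2, and keeps the plan_* functions free of side effects so they can be reviewed or tested on a captured table.

```shell
#!/bin/sh
# vpn-routes.sh: move the default route onto ppp0 without the loop described
# in the troubleshooting note. Added example for this post, not part of
# xl2tpd, openswan or pppd. Assumed from the post: VPN server 68.68.132.45,
# tunnel interface ppp0. The plan_* functions only print ip(8) commands;
# apply runs them against the live table.

VPN_SERVER="${VPN_SERVER:-68.68.132.45}"
PPP_IF="${PPP_IF:-ppp0}"

# gateway_for DEST ROUTES: print "gateway device" for the route in ROUTES
# (text in `ip route` output format) whose destination is DEST and that goes
# via a gateway; prints nothing if there is no such route.
gateway_for() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d && $2 == "via" { print $3, $5; exit }'
}

# plan_pin ROUTES: host route to the server through the current physical
# gateway. Refuses if the default route is already on ppp0, because the pin
# would then point into the tunnel itself, which is the loop the note describes.
plan_pin() {
    set -- "$(gateway_for default "$1")"
    [ -n "$1" ] || { echo "plan_pin: no default route via a gateway" >&2; return 1; }
    [ "${1##* }" != "$PPP_IF" ] || { echo "plan_pin: default route already on $PPP_IF; pin before dialling" >&2; return 1; }
    printf 'ip route add %s/32 via %s dev %s\n' "$VPN_SERVER" "${1%% *}" "${1##* }"
}

# plan_switch ROUTES: move the default route onto ppp0, but only once the
# server is pinned, so the outer L2TP/IPsec packets keep leaving via eth0.
plan_switch() {
    [ -n "$(gateway_for "$VPN_SERVER" "$1")" ] || { echo "plan_switch: $VPN_SERVER is not pinned" >&2; return 1; }
    printf 'ip route replace default dev %s\n' "$PPP_IF"
}

# plan_restore ROUTES: put the default route back through the gateway that the
# pin recorded, then drop the pin. For use after the tunnel is torn down.
plan_restore() {
    set -- "$(gateway_for "$VPN_SERVER" "$1")"
    [ -n "$1" ] || { echo "plan_restore: $VPN_SERVER is not pinned" >&2; return 1; }
    printf 'ip route replace default via %s dev %s\n' "${1%% *}" "${1##* }"
    printf 'ip route del %s/32\n' "$VPN_SERVER"
}

# apply pin|switch|restore: compute the plan from the live routing table,
# echo each command and run it; stops at the first failure.
apply() {
    plan=$("plan_$1" "$(ip route)") || return 1
    printf '%s\n' "$plan" | while read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

case "${1:-}" in
    pin|switch|restore) apply "$1" ;;
    "") : ;;                               # sourced or run bare: define only
    *) echo "usage: $0 pin|switch|restore" >&2 ;;
esac
```

Run `sh vpn-routes.sh pin` while the default route still points at the physical gateway. Because the pppd options above contain defaultroute and replacedefaultroute, pppd may already have moved the default route by the time the tunnel is up; plan_pin then refuses, so in that setup the pin goes in before `ipsec auto --up` and `switch` is only needed if pppd did not already do it. `restore` runs after the connection has been closed.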

Below is what tcpdump shows for a ping once the VPN connection is up. Note that tcpdump can decode the inner ICMP packet here, so this capture is of plain L2TP without IPsec; with the IPsec transport SA from the ipsec.conf above in place, a capture on the physical interface shows only ESP (or UDP 4500 with NAT traversal) and the inner packet is not visible.
09:26:14.567688 IP 192.168.11.1.1701 > 192.168.11.2.1701:  l2tp:[](2/2) {IP 172.16.101.100 > 172.16.1.1: ICMP echo request, id 10537, seq 1, length 64}
09:26:14.568528 IP 192.168.11.2.1701 > 192.168.11.1.1701:  l2tp:[L](47469/37211) {IP 172.16.1.1 > 172.16.101.100: ICMP echo reply, id 10537, seq 1, length 64}


References
Simple use of a Linux L2TP client: xl2tpd