Deploy L2TP in VPN (Part 1)

One . brief introduction

L2TP（Layer 2 Tunneling Protocol） VPN It is used to carry PPP Message tunneling technology , This technology is mainly used in the remote office scenario to provide access services for travel employees to remotely access enterprise intranet resources .

Software required

openswan(ipsec) :  Provide a key 
ppp ： Provide user name and password 
xl2tpd ：  Provide L2TP service 
sysctl ：  Provide server internal forwarding 
iptables ：  Provide requests from inside the server to outside , The external response turns to the internal dependent environment of the server 

Two . Deploy

ipsec

1. Installation dependency yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man

2.openswan（ipsec） install OpenSWan,Linux Next IPsec The best way to implement , It's powerful , It ensures the security of data transmission to the greatest extent 、 Integrity issues . yum install openswan

3. Next configure ipsec.ipsec The configuration file is /etc/ipsec.conf, Install well openswan after , The configuration file is the default . Make a backup before changing the file . mkdir ~/~etcmv /etc/ipsec.conf ~/~etc/ipsec.conf

vim ~/~etc/ipsec.conf

version 2.0
config setup
    protostack=netkey
    nhelpers=0
    uniqueids=no
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24
conn l2tp-psk
    rightsubnet=vhost:%priv
    also=l2tp-psk-nonat
conn l2tp-psk-nonat
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftid=xxx.xx.xx.xx
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    sha2-truncbug=yes

There is a line on it leftid=xxx.xx.xx.xx, Here we have to put leftid The value of is changed to that of the server ip Address , Internet accessible IP Address .

4. Next, configure the key .L2TP Than PPTP One more key entry , It's also better than that PPTP One of the safer reasons . This key is actually a password , Different from the user's login password , It is equivalent to a key for communication between devices . Its configuration file is /etc/ipsec.secrets, In the same way , Let's back it up first , Then create a new one of our own ： mv /etc/ipsec.secrets ~/~etc/ipsec.secretsvim /etc/ipsec.secrets

%any %any : PSK "RZSJ.COM"

Empathy ,%any Is all addresses , It can also be specified individually , And then there's ”YourPsk” Medium YourPsk Is the content of the key . You can change it to any string of your own . Anyway, when you connect to log in VPN When , I need this PSK Of .

5. function ipsec： systemctl restart ipsecsystemctl enable ipsec