CentOS 7 / RHEL 7: L2TP over IPsec VPN with Libreswan and xl2tpd

Linux offers several VPN options (PPTP, L2TP/IPsec, OpenVPN). This article sets up L2TP over IPsec on CentOS 7 / RHEL 7, using xl2tpd as the L2TP daemon and Libreswan (the successor of Openswan) for IPsec. Keep in mind what this design gives you: every client shares one IPsec pre-shared key (PSK), and users are then authenticated inside the tunnel with PPP CHAP/MS-CHAPv2. That is adequate for compatibility with the built-in clients of Windows, macOS and iOS, but the PSK must be long, random and treated as a secret: anyone who holds it can impersonate the server to every client.

Install the packages (on CentOS 7 xl2tpd is usually provided by EPEL; enable that repository if yum cannot find the package):

[root@linuxcc.com]# yum install xl2tpd
[root@linuxcc.com]# yum install libreswan

1. IPsec main configuration

[root@linuxcc.com]# vi /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    #       an unusual location.
    #logfile=/var/log/pluto.log
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    #  private".
    # Note: "crypt" is not included with "all", as it can show confidential
    #       information.
    #       It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    #       unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least upto 2015)
    #
    # NAT-T: almost all L2TP clients sit behind NAT, so keep it on.
    # nat_traversal= is an Openswan-era option; Libreswan always has NAT-T
    # enabled and ignores (or, in newer releases, rejects) this keyword, so
    # drop it if "ipsec verify" ever flags it as obsolete.
    # virtual_private= lists the private ranges clients may present as their
    # inner address. The original page had a typo here (100..0.0/10); the
    # CGNAT range is 100.64.0.0/10. If the server's own LAN (192.168.1.0/24
    # in the xl2tpd example below) must not be claimed by a client, exclude
    # it explicitly: %v4:!192.168.1.0/24.
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

2. IPsec connection definition for L2TP

[root@linuxcc.com]# cd /etc/ipsec.d/
[root@linuxcc.com]# vi l2tp_psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # PSK authentication: the key is shared by all clients (see step 3).
    authby=secret
    # pfs=no is required by some Windows clients, but it disables Perfect
    # Forward Secrecy: whoever obtains the PSK and a packet capture can
    # decrypt past sessions. Use pfs=yes if every client you support
    # negotiates it. For the same reason consider pinning the algorithms
    # (ike= / phase2alg=) to AES and SHA-2 once all clients support them.
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # left= is the server's public IP address
    left=123.57.255.228
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

3. Pre-shared key

[root@linuxcc.com]# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

Because right=%any, every roaming client is matched by the same entry and therefore uses the same PSK. Treat it like a password for the whole VPN: generate it randomly (for example `openssl rand -base64 32`), never reuse a dictionary word, and keep the file readable by root only. The value "l2tppass" below is only a placeholder from the original page and must be replaced.

[root@linuxcc.com]# cd /etc/ipsec.d/
[root@linuxcc.com]# touch linuxcc_l2tp.secrets
[root@linuxcc.com]# chmod 600 linuxcc_l2tp.secrets
[root@linuxcc.com]# vi linuxcc_l2tp.secrets
# <server public IP> %any: PSK "<long random pre-shared key>"
123.57.255.228 %any: PSK "l2tppass"

4. Kernel parameters (sysctl)

Edit /etc/sysctl.conf and apply the settings with `sysctl -p`.

[root@linuxcc.com]# vi /etc/sysctl.conf
# System default settings live in
#   /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
# Libreswan requires reverse-path filtering to be off (see "ipsec verify"
# below). The effective value for an interface is the larger of
# net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so an
# interface that already has rp_filter=1 keeps it; add the per-interface keys
# for your NICs (e.g. net.ipv4.conf.enp2s0.rp_filter = 0) if verify complains.
# Disabling rp_filter removes an anti-spoofing check, so restrict what the
# firewall accepts on the VPN ports (see the end of this article).
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
# Forwarding is required to route VPN clients to the LAN / Internet.
net.ipv4.ip_forward = 1
# ICMP redirects must be off for Libreswan (checked by "ipsec verify");
# consider setting the net.ipv4.conf.all.* variants as well.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable IPv6 (the tunnel is IPv4-only here). The original page showed "= 5"
# on the last line; that "5" is the next section number, the value is 1.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

[root@linuxcc.com]# sysctl -p

5. Start IPsec and verify the setup

`ipsec setup start` is the legacy wrapper; on CentOS 7 prefer `systemctl start ipsec` (step 6) so that status, logs and enabling at boot are handled by systemd. Either way, run `ipsec verify` afterwards and fix every line that is not [OK] or [N/A]/[DISABLED].

[root@linuxcc.com]# ipsec setup start
[root@linuxcc.com]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.9.3.el7.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Hardware random device                                [N/A]
Two or more interfaces found, checking IP forwarding  [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options              [OK]
Opportunistic Encryption                              [DISABLED]

Example of a failing check. On a host where the per-interface rp_filter values were still 1, the same command reported:

[root@linuxcc.com]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.15 (netkey) on 3.10.0-229.el7.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Hardware random device                                [N/A]
Two or more interfaces found, checking IP forwarding  [OK]
Checking rp_filter                                    [ENABLED]
 /proc/sys/net/ipv4/conf/enp2s0/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/enp3s7/rp_filter             [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options              [OK]
Opportunistic Encryption                              [DISABLED]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help

The "all"/"default" keys in sysctl.conf do not override an interface whose rp_filter is already 1 (the kernel uses the larger of the two), so clear the per-interface values as well, and add matching `net.ipv4.conf.<iface>.rp_filter = 0` lines to /etc/sysctl.conf so the change survives a reboot:

[root@linuxcc.com]# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
[root@linuxcc.com]# ipsec verify

6. Start IPsec with systemd and enable it at boot

[root@linuxcc.com]# systemctl start ipsec
[root@linuxcc.com]# systemctl enable ipsec
ln -s '/usr/lib/systemd/system/ipsec.service' '/etc/systemd/system/multi-user.target.wants/ipsec.service'

Part 2: xl2tpd (the L2TP daemon)

1. Install xl2tpd and edit its configuration

[root@linuxcc.com]# yum install xl2tpd
[root@linuxcc.com]# vi /etc/xl2tpd/xl2tpd.conf
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
;
; "ipsec saref = yes" was enabled by the original page so that xl2tpd can tell
; IPsec-protected packets apart. SAref needs a kernel patched for it and, as
; the stock comment below says, does not work with the in-kernel L2TP driver
; (l2tp_ppp) that CentOS 7 loads. The xl2tpd startup log later on this page
; reports "Not looking for kernel SAref support" / "Using l2tp kernel
; support", i.e. that run did not use SAref at all. Leave it off unless you
; run an SAref-patched kernel; rely on the firewall (end of this article) to
; make sure only IPsec-protected L2TP reaches the daemon.
[global]
ipsec saref = yes
; Bind to the server's public IP, the address IPsec terminates on.
listen-addr = 123.57.255.228
;listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
; Addresses handed out to VPN clients (inside the 192.168.1.0/24 LAN)
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
; This name is what pppd matches against the "server" column of
; /etc/ppp/chap-secrets.
name = linuxcc_l2tp_server
; Logs the PPP/CHAP exchange to syslog; switch off once the tunnel works.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

2. PPP options used by xl2tpd

[root@linuxcc.com]# vi /etc/ppp/options.xl2tpd
# Require MS-CHAPv2; the built-in Windows 7 / Windows 8 clients use it.
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients (8.8.8.8 here). Use an internal resolver if
# VPN users must resolve LAN names or if DNS queries should not leave the
# tunnel to a third party.
ms-dns 8.8.8.8
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# The original page had "noauth" here, which tells pppd NOT to demand that
# the peer authenticates; authentication then depended entirely on the
# "auth" that xl2tpd adds for "require authentication = yes" and on pppd's
# option precedence. "auth" makes the PPP layer itself require peer
# authentication, so a later edit of xl2tpd.conf cannot silently open an
# unauthenticated tunnel.
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
# pppd debug logging; remove in production.
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users".
# Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

3. VPN user accounts (chap-secrets)

The username/password pairs used by L2TP clients live in /etc/ppp/chap-secrets. CHAP needs the clear-text password to verify the client's response, so the file stores passwords unencrypted: it must be owned by root with mode 0600, and the passwords must be strong. MS-CHAPv2 is only as strong as the password behind it, and a captured exchange can be attacked offline, so it must only ever run inside the IPsec tunnel (see the firewall note at the end). The values below are examples from the original page; replace them.

[root@linuxcc.com]# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client		server			secret			IP addresses
# Fields are separated by tabs. "server" is matched against the "name ="
# configured in xl2tpd.conf (linuxcc_l2tp_server); "*" accepts any server
# name. The last "*" lets the server assign any address from its pool.
linuxcc_l2tpuser	*	linuxcc_l2tp123	*
[root@linuxcc.com]# chmod 600 /etc/ppp/chap-secrets

4. Start xl2tpd

[root@linuxcc.com]# systemctl start xl2tpd
[root@linuxcc.com]# systemctl status xl2tpd
xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
   Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; disabled)
   Active: active (running) since Thu 2015-12-31 23:36:24 CST; 9s ago
  Process: 1322 ExecStartPre=/sbin/modprobe -q l2tp_ppp (code=exited, status=0/SUCCESS)
 Main PID: 1324 (xl2tpd)
   CGroup: /system.slice/xl2tpd.service
           1324 /usr/sbin/xl2tpd -D

Dec 31 23:36:24 Linuxdc_USA systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
Dec 31 23:36:24 Linuxdc_USA systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Not looking for kernel SAref support.
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Using l2tp kernel support.
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: xl2tpd version xl2tpd-1.3.6 started on Linuxdc_USA PID:1324
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Forked by Scott Balmos and David Stipp, (C) 2001
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Inherited by Jeff McAdams, (C) 2002
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Listening on IP address 0.0.0.0, port 1701

Two things in this output deserve attention.

First, the "Loaded" line says "disabled": unlike ipsec (step 6 of part 1), xl2tpd was started but never enabled, so it will not come back after a reboot. Enable it:

[root@linuxcc.com]# systemctl enable xl2tpd

Second, "Listening on IP address 0.0.0.0, port 1701" shows xl2tpd accepting L2TP on every address (even though xl2tpd.conf sets listen-addr; the run that produced this log evidently did not have it - check with `ss -ulnp | grep 1701` after restarting). Nothing in L2TP itself requires the IPsec layer: unless the firewall restricts UDP/1701 to packets that arrived through IPsec, a client, or an attacker posing as one, can talk plain, unencrypted L2TP to the server and run the CHAP/MS-CHAPv2 exchange in the clear, where it can be captured and cracked offline. Expose only UDP 500 and 4500 to the Internet and accept 1701 only from IPsec-protected traffic, for example with iptables:

[root@linuxcc.com]# iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
[root@linuxcc.com]# iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
[root@linuxcc.com]# iptables -A INPUT -p udp --dport 1701 -j DROP

Make these rules persistent (or express them as firewalld direct rules), and add a NAT/MASQUERADE rule for the client pool 192.168.1.128/25 if VPN users are supposed to reach the Internet through the server. The article does not cover the firewall, but without it the IPsec layer can be bypassed.

Original article: CentOS 7 / RHEL 7 L2TP/IPsec VPN, http://www.linuxcc.com/archives/56.html