Installation

```
yum install make gcc gmp-devel bison flex lsof
rpm -ivH http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest
yum -y install http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
yum install xl2tpd ppp
yum install openswan -y
```
vim /etc/sysctl.conf
```
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
```
vim /etc/rc.d/rc.local and add the lines below:

```
# AGIX IPSEC VPN
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
```
vim /etc/ipsec.secrets
```
include /etc/ipsec.d/*.secrets
# "VPN서버아이피" is this server's public IP; "1234" is only a placeholder,
# use a long random PSK in production
"VPN서버아이피" %any: PSK "1234"
```
vim /etc/ppp/options.xl2tpd
```
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
ms-dns 168.126.63.1
ms-dns 8.8.8.8
require-mschap-v2
asyncmap 0
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 10
lcp-echo-failure 100
```
vim /etc/ipsec.conf
```
version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:25.0.0.0/8,!%v4:10.0.1.0/24,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    # replace with this server's public IP
    left="VPN 서버 아이피"
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
```
```
[root@localhost etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.6.32/K2.6.32-504.3.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel                         [OK]
 SAref kernel support                                        [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects           [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                          [OK]
 Pluto listening for NAT-T on udp 4500                       [OK]
Checking for 'ip' command                                    [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]
```
Starting the services

```
chkconfig ipsec on
chkconfig xl2tpd on
service xl2tpd restart
service ipsec restart
```
As with PPTP, user accounts are taken from /etc/ppp/chap-secrets.
For more detailed settings, see man ipsec.conf.
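Before starting the services, it is worth checking the three things the steps above depend on: the sysctl keys are actually set, the PSK in /etc/ipsec.secrets is not a placeholder like "1234", and the secrets file is not readable by other users. The script below is an added example written for this page, not code from the post; the sample file contents, the address 192.0.2.10 and the MIN_PSK_LEN threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# L2TP/IPsec server set up above. Sample file contents, the IP 192.0.2.10
# and the MIN_PSK_LEN threshold are constructed assumptions.

# sysctl keys the post sets in /etc/sysctl.conf, as key=value pairs.
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1"

# sysctl_value FILE KEY: print the last value assigned to KEY in a
# sysctl.conf-style file ("key = value"), or nothing if KEY is absent.
sysctl_value() {
    ekey=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^[[:space:]]*${ekey}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_sysctl_conf FILE: succeed only if every required key has the
# expected value; each deviation is reported on stdout.
check_sysctl_conf() {
    rc=0
    for kv in $REQUIRED_SYSCTL; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(sysctl_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "sysctl: $key is '${got:-unset}', expected $want"
            rc=1
        fi
    done
    return $rc
}

# psk_from_secrets FILE: print the PSK from an ipsec.secrets line of the
# form   "server-ip" %any: PSK "secret"
psk_from_secrets() {
    sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# psk_is_strong PSK: succeed if the key has at least MIN_PSK_LEN characters
# and is not purely numeric (a four-digit PSK like the post's "1234" fails).
MIN_PSK_LEN=20   # assumed threshold
psk_is_strong() {
    [ "${#1}" -ge "$MIN_PSK_LEN" ] || return 1
    case $1 in
        *[!0-9]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# secrets_world_readable FILE: succeed if "others" may read the file
# (the 8th character of the ls -l mode string is the others-read bit).
secrets_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# --- constructed sample inputs, standing in for the real /etc files ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
# net.ipv4.conf.default.send_redirects is deliberately missing
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
cat > "$tmpdir/ipsec.secrets" <<'EOF'
include /etc/ipsec.d/*.secrets
"192.0.2.10" %any: PSK "1234"
EOF
chmod 644 "$tmpdir/ipsec.secrets"

check_sysctl_conf "$tmpdir/sysctl.conf" || echo "=> fix sysctl.conf and run sysctl -p"
psk=$(psk_from_secrets "$tmpdir/ipsec.secrets")
psk_is_strong "$psk" || echo "=> PSK is weak (${#psk} chars); generate a long random one"
secrets_world_readable "$tmpdir/ipsec.secrets" && echo "=> ipsec.secrets is world-readable; chmod 600 it"
rm -rf "$tmpdir"
```

To run it against the real host, point the three functions at /etc/sysctl.conf and /etc/ipsec.secrets instead of the temporary files; the sample run above reports the missing send_redirects key, the four-digit PSK and the 0644 mode, which are exactly the mistakes this setup is most often left with.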
Symptom when an iPhone cannot connect

Pluto log ("클라이언트아이피" stands for the client's IP address):

```
"L2TP-PSK-NAT"[1] "클라이언트아이피" #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
"L2TP-PSK-NAT"[1] "클라이언트아이피" #1: sending notification INVALID_PAYLOAD_TYPE to "클라이언트아이피":500
ERROR: asynchronous network error report on eth0 (sport=500) for message to "클라이언트아이피" port 500, complainant "클라이언트아이피": Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
```
iPhone VPN access on CentOS 6 64-bit

- openswan-2.6.32-37.el6.x86_64.rpm : iPhone (iOS) cannot connect
- openswan-2.6.32-27.4.el6_5.x86_64.rpm : iPhone (iOS) cannot connect
- openswan-2.6.32-27.2.el6_5.x86_64 : the latest RPM version with which an iPhone (iOS) can connect
References
https://help.ubuntu.com/community/L2TPServer
http://louwrentius.com/setting-up-a-vpn-with-your-iphone-using-l2tp-ipsec-and-linux.html