Reposted from: https://blog.imdst.com/centosan-zhuang-l2tp-ipsecwan-zheng-jiao-cheng/
1. Apple devices can no longer use PPTP after upgrading to iOS 10
L2TP is a different tunnelling protocol from PPTP. On some networks PPTP cannot connect at all, in which case L2TP (carried over IPsec, as set up below) is the alternative; in day-to-day use on a PC the two feel the same, and for the technical differences see here. The original advice was to prefer PPTP on PCs, fall back to L2TP when PPTP fails, and use L2TP on mobile. Note, however, that PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically broken, which is why Apple removed PPTP in iOS 10 and macOS Sierra; L2TP/IPsec should be preferred on every platform, with PPTP kept only for legacy clients that support nothing else.
2. Deploy IPsec
Install the required build dependencies:
yum install make gcc gmp-devel bison flex lsof
Install Openswan. Openswan 2.6.38 is an old release of an unmaintained project; CentOS 7 ships Libreswan (yum install libreswan), the maintained fork, which uses the same ipsec.conf and ipsec.secrets syntax and is the better choice on a current system. To build Openswan from source as the original post does:
wget https://download.openswan.org/openswan/old/openswan-2.6/openswan-2.6.38.tar.gz
tar -zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install
Edit /etc/ipsec.conf: change protostack=auto to protostack=netkey, and append the following at the end. The parameter lines inside each conn section must be indented; ipsec.conf treats an unindented line as the start of a new section.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # left= is this server's own (internal) IP address; change it to yours
    left=10.144.67.116
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
Set the pre-shared key (PSK) in /etc/ipsec.secrets. "redhat" is only a placeholder: with right=%any this single secret is shared by every client and anyone who learns it can impersonate the server, so use a long random string and keep the file readable by root only (mode 600).
10.144.67.116 %any: PSK "redhat"
Enable packet forwarding and disable ICMP redirects (run in a shell). Note two caveats: the sed only changes anything if /etc/sysctl.conf already contains the line net.ipv4.ip_forward = 0, which is true on CentOS 6 (the ipsec verify output below shows the author's kernel is an el6 one) but not on a stock CentOS 7, where the file is empty; verify afterwards with sysctl that ip_forward reads 1, and add the line yourself if it does not. The redirect settings written to /proc are not persistent across a reboot.
for a in /proc/sys/net/ipv4/conf/*; do echo 0 > $a/accept_redirects; echo 0 > $a/send_redirects; done
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
Restart IPsec:
service ipsec restart
Check that IPsec was installed and started correctly:
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.38/K2.6.32-504.30.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing XFRM related proc values                  [OK]
                                                            [OK]
                                                            [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
Normally, as long as nothing reports [FAILED], you are fine. But if forwarding has already been confirmed as configured.
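The PSK and sysctl steps of this section, as an added shell example that is not part of the original post: it generates a random PSK instead of the placeholder "redhat", writes /etc/ipsec.secrets readable by root only, and persists the forwarding and ICMP-redirect settings in /etc/sysctl.d instead of editing /etc/sysctl.conf with sed (which does nothing on a stock CentOS 7). The server address 10.144.67.116 is the one used above; the fragment file name 60-l2tp-ipsec.conf and the 20-character minimum PSK length are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): strong PSK, root-only secrets
# file and persistent sysctl settings for the IPsec half of the setup.
# Assumptions: /dev/urandom, GNU coreutils (head, od) and procps-ng's
# "sysctl --system", as on CentOS 7; the sysctl.d file name is arbitrary.

# 32 random bytes as 64 hex characters: ASCII only, so the secret pastes
# into any VPN client without quoting problems.
make_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reject short secrets (assumed floor: 20 characters). With right=%any one
# PSK is shared by every client, so it must not be guessable.
check_psk_strength() {
    [ "${#1}" -ge 20 ]
}

# One ipsec.secrets entry:  <server ip> %any: PSK "<secret>"
ipsec_secrets_line() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# Create the secrets file with mode 0600 from the start (umask inside a
# subshell so the caller's umask is untouched), and enforce 0600 on a file
# that already existed with looser permissions.
write_ipsec_secrets() {
    file=$1; left_ip=$2; psk=$3
    ( umask 077; ipsec_secrets_line "$left_ip" "$psk" > "$file" )
    chmod 600 "$file"
}

# The settings the post applies with sed and echoes into /proc, in a form
# that survives a reboot. conf.all covers every existing interface,
# conf.default is inherited by interfaces created later (the ppp devices
# that xl2tpd brings up for each client).
sysctl_fragment() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

apply_sysctl() {
    sysctl_fragment > /etc/sysctl.d/60-l2tp-ipsec.conf
    sysctl --system
}

# Usage (as root):  sh harden-ipsec.sh 10.144.67.116
if [ -n "${1:-}" ]; then
    psk=$(make_psk)
    check_psk_strength "$psk" || exit 1
    write_ipsec_secrets /etc/ipsec.secrets "$1" "$psk"
    apply_sysctl
    echo "PSK for $1 written to /etc/ipsec.secrets: $psk"
fi
```

After running it, restart IPsec so pluto re-reads ipsec.secrets, and give the printed PSK to the clients out of band.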
3. Deploy L2TP (using xl2tpd and rp-l2tp). Recent xl2tpd releases already include l2tp-control, so rp-l2tp no longer needs to be installed.
Install dependencies:
yum install libpcap-devel ppp policycoreutils
Install rp-l2tp (only needed with old xl2tpd versions, as noted above; xl2tpd creates its own control pipe at /var/run/xl2tpd/l2tp-control, so with a current xl2tpd skip this whole step):
wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar -zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
Install xl2tpd. On CentOS 7 the EPEL repository provides a packaged xl2tpd with a systemd unit (yum install xl2tpd after enabling EPEL), which is easier to keep updated than the 1.3.0 source build below:
wget https://download.openswan.org/xl2tpd/xl2tpd-1.3.0.tar.gz
tar zxf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
make && make install
Create the xl2tpd configuration file. Two notes: ip range is the pool of addresses handed to VPN clients and local ip is the server-side address of the PPP link, so pick local ip from the same private range as the pool but outside it (it is not the server's LAN address). ipsec saref = yes only works on a kernel with the SAref patch; ipsec verify above reported SAref kernel support [N/A], so on a stock CentOS kernel set it to no (with yes, xl2tpd logs a setsockopt error at startup and runs without it).
mkdir /etc/xl2tpd
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
ipsec saref = yes

[lns default]
ip range = 10.82.88.2-10.82.88.254
local ip = 10.82.88.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
Configure ppp: create /etc/ppp/options.xl2tpd. name l2tpd is the server name pppd matches against the second column of chap-secrets. Because chap and pap are refused in xl2tpd.conf, pppd authenticates clients with MS-CHAP; add require-mschap-v2 if MS-CHAPv1 must be excluded.
cat > /etc/ppp/options.xl2tpd <<EOF
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF
Set the dial-in username and password. Each chap-secrets line is "client server secret IP-addresses": * for the server matches any server name (including the name l2tpd set above) and * for the address lets the pool assign one. Use >> so an existing file is appended to rather than overwritten, and keep the file readable by root only (mode 600), since it holds cleartext passwords.
echo "yourusername * yourpassword *" >> /etc/ppp/chap-secrets
Finally add the iptables NAT rule, save it and restart. As written the rule masquerades every forwarded packet regardless of source or egress interface; in practice restrict it to the VPN pool (the ip range above) and the outbound interface. On CentOS 7, service iptables save needs the iptables-services package (yum -y install iptables-services), which replaces firewalld; stop and disable firewalld first.
iptables --table nat --append POSTROUTING --jump MASQUERADE
service iptables save
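The firewall step above, as an added shell example that is not part of the original post. It emits rules that accept IKE (UDP 500 and 4500) and ESP, accept L2TP on UDP 1701 only when the packet arrived inside an IPsec security association (the iptables policy match), drop plaintext L2TP, and restrict MASQUERADE to the VPN pool on the outbound interface instead of NATing every forwarded packet. It also includes an audit function that reads iptables-save output and flags both weaknesses. The interface name eth0, the pool 10.82.88.0/24 (the ip range from xl2tpd.conf) and the availability of the xt_policy match module are assumptions of this example; the two iptables-save excerpts are constructed for it.

```shell
#!/bin/sh
# Added example (not from the original post): IPsec-gated L2TP firewall
# rules and an audit of iptables-save output for two common mistakes.
# Assumptions: the iptables "policy" match (xt_policy) is available, the
# WAN interface is eth0 and the PPP pool is 10.82.88.0/24.

# Print the rules rather than applying them, so they can be reviewed;
# apply with:  l2tp_firewall_rules eth0 10.82.88.0/24 | sh
l2tp_firewall_rules() {
    wan_if=$1
    pool=$2
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -A FORWARD -s $pool -o $wan_if -j ACCEPT
iptables -A FORWARD -d $pool -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $pool -o $wan_if -j MASQUERADE
EOF
}

# Read iptables-save output on stdin and flag:
#  - MASQUERADE rules without both a source (-s) and an out-interface (-o)
#  - rules accepting UDP 1701 without "--pol ipsec", i.e. L2TP reachable in
#    the clear, which lets a client bring up a tunnel with no IPsec at all
#    (an INPUT chain with default policy ACCEPT and no rule for 1701 is
#    just as exposed; this audit only inspects explicit rules)
# Prints one line per finding; returns 1 if anything was found.
audit_l2tp_rules() {
    findings=0
    while IFS= read -r line; do
        case $line in
            "-A POSTROUTING "*MASQUERADE*)
                case $line in
                    *" -s "*" -o "*|*" -o "*" -s "*) ;;
                    *) echo "unscoped MASQUERADE: $line"; findings=1 ;;
                esac
                ;;
            "-A INPUT "*"--dport 1701"*ACCEPT*)
                case $line in
                    *"--pol ipsec"*) ;;
                    *) echo "L2TP accepted without IPsec: $line"; findings=1 ;;
                esac
                ;;
        esac
    done
    return $findings
}

# Constructed iptables-save excerpts: the unscoped MASQUERADE rule from the
# post plus an explicit plaintext L2TP accept, and the hardened equivalent.
WEAK_RULES='*nat
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
COMMIT'

HARDENED_RULES='*nat
-A POSTROUTING -s 10.82.88.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
COMMIT'

# Usage:  iptables-save | sh l2tp-fw.sh audit
#         sh l2tp-fw.sh rules eth0 10.82.88.0/24 | sh
if [ "${1:-}" = audit ]; then
    audit_l2tp_rules
elif [ "${1:-}" = rules ]; then
    l2tp_firewall_rules "${2:-eth0}" "${3:-10.82.88.0/24}"
fi
```

Run the audit against the live ruleset after service iptables save; the rules the post adds produce an "unscoped MASQUERADE" finding, and an INPUT chain that accepts 1701 without the policy match produces the second one.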
Start xl2tpd in debug mode and check for errors:
xl2tpd -D
If clients connect normally, press Ctrl+C to stop it and start it in the background directly:
xl2tpd
xl2tpd does not install a service script, so start/restart via service is not available by default; if you want it, add the following sysvinit script as /etc/init.d/xl2tpd (on CentOS 7 systemd runs it through its sysvinit compatibility):
#!/bin/sh
#
# xl2tpd   This shell script takes care of starting and stopping l2tpd.
#
# chkconfig: - 80 30
# description: Layer 2 Tunnelling Protocol Daemon (RFC 2661)
#
# processname: xl2tpd
# config: /etc/xl2tpd/xl2tpd.conf
# pidfile: /var/run/xl2tpd.pid

# Service name
SERVICE=xl2tpd

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi

[ -x /usr/local/sbin/$SERVICE ] || exit 0

RETVAL=0

start() {
    echo -n "Starting $SERVICE: "
    # /var/run is a tmpfs on CentOS 7, so the control-pipe directory
    # has to be recreated on every boot
    if [ ! -d /var/run/xl2tpd ]
    then
        mkdir /var/run/xl2tpd
    fi
    daemon /usr/local/sbin/$SERVICE
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE
    echo ""
    return $RETVAL
}

stop() {
    echo -n "Stopping $SERVICE: "
    killproc $SERVICE
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$SERVICE
    return $RETVAL
}

restart() {
    stop
    start
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status $SERVICE
    RETVAL=$?
    ;;
  restart|reload)
    restart
    ;;
  condrestart)
    [ -f /var/lock/subsys/$SERVICE ] && restart || :
    ;;
  *)
    echo "Usage: $SERVICE {start|stop|status|restart|reload|condrestart}"
    exit 1
esac

exit $RETVAL
Register it with the system and enable it at boot:
chmod +x /etc/init.d/xl2tpd
chkconfig --add /etc/init.d/xl2tpd
chkconfig xl2tpd on
service xl2tpd start|stop|restart|status
Check that the port is listening (netstat comes from net-tools, which a minimal CentOS 7 install lacks; ss -lun shows the same information):
netstat -an | grep 1701
udp        0      0 0.0.0.0:1701            0.0.0.0:*
0.0.0.0:1701 means L2TP is reachable from every address, so the firewall must only accept it inside IPsec; otherwise a client can negotiate L2TP and PPP authentication with no encryption at all.
Please credit when reposting: MitNick » Complete tutorial: installing L2TP+IPsec on CentOS 7