Created
December 6, 2016 08:28
-
-
Save jonathanablanida/3ec35e6c6985985c7ac7f998b4059bfe to your computer and use it in GitHub Desktop.
L2tp over IPsec VPN On Debian
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## --- Install Openswan --- | |
| apt-get install openswan=1:2.6.37-3 | |
| ## --- If you ever see in your syslog --- | |
| ipsec__plutorun: 003 "/var/lib/openswan/ipsec.secrets.inc" line 1: error loading RSA private key file | |
| root@:/etc/ipsec.d/private# openssl rsa -in vpn.example.com.key -outform pem -out vpn.example.com.key.new | |
| ## --- Modify the /etc/ipsec.conf --- | |
| ## --- Change SERVER.IP --- | |
| vi /etc/ipsec.conf | |
| version 2.0 | |
| config setup | |
| nat_traversal=yes | |
| virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 | |
| oe=off | |
| protostack=netkey | |
| conn %default | |
| forceencaps=yes | |
| conn L2TP-PSK-NAT | |
| rightsubnet=vhost:%priv | |
| also=L2TP-PSK-noNAT | |
| conn L2TP-PSK-noNAT | |
| authby=secret | |
| pfs=no | |
| auto=add | |
| keyingtries=3 | |
| rekey=no | |
| ikelifetime=8h | |
| keylife=1h | |
| type=transport | |
| left=SERVER.IP | |
| leftprotoport=17/1701 | |
| right=%any | |
| rightprotoport=17/%any | |
| ## --- then enter the following content --- | |
| vi /etc/ipsec.secrets | |
| YOUR.VPS.IP.ADDRESS %any: PSK "YourSharedSecret" | |
| ## --- Enter the following commands one by one --- | |
| for each in /proc/sys/net/ipv4/conf/* | |
| do | |
| echo 0 > $each/accept_redirects | |
| echo 0 > $each/send_redirects | |
| done | |
| ## --- Restart the ipsec and Verify the ipsec --- | |
| service ipsec restart | |
| ipsec verify | |
| ## --- install xl2tpd --- | |
| apt-get install xl2tpd | |
| ## --- Modify the xl2tpd.conf --- | |
| vi /etc/xl2tpd/xl2tpd.conf | |
| [global] | |
| ; listen-addr = 192.168.1.98 | |
| [lns default] | |
| ip range = 10.1.170.2-10.1.170.255 | |
| local ip = 10.1.170.1 | |
| require chap = yes | |
| refuse pap = yes | |
| require authentication = yes | |
| name = L2TPVPNserver | |
| ppp debug = yes | |
| pppoptfile = /etc/ppp/options.xl2tpd | |
| length bit = yes | |
| ## --- Modify /etc/ppp/options.xl2tpd --- | |
| vi /etc/ppp/options.xl2tpd | |
| require-mschap-v2 | |
| ms-dns 8.8.8.8 | |
| ms-dns 8.8.4.4 | |
| asyncmap 0 | |
| auth | |
| crtscts | |
| lock | |
| hide-password | |
| modem | |
| debug | |
| name l2tpd | |
| proxyarp | |
| lcp-echo-interval 30 | |
| lcp-echo-failure 4 | |
| ## --- Modify the chap-secrets file at /etc/ppp/chap-secrets --- | |
| vi /etc/ppp/chap-secrets | |
| test l2tpd 1234 * | |
| ## --- restart the xl2tpd service --- | |
| service xl2tpd restart | |
| ## --- Nat --- | |
| ## --- eth0 interface is ethernet --- | |
| iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
| ## EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment