目次

01 Linux ipsec Server

IPsec Server側

環境

CentOS release 6.8
libreswan-3.15-7.3
xl2tpd-1.3.8-1

インストール

# NOTE(review): the environment list above names libreswan-3.15, but this installs the
# "openswan" package name; presumably yum resolves it to libreswan on this release —
# confirm with "rpm -q libreswan openswan" after the install.
# yum -y --enablerepo=epel install openswan xl2tpd

xl2tpd

一番下に下記を追加

/etc/xl2tpd/xl2tpd.conf

; Appended to the end of /etc/xl2tpd/xl2tpd.conf: the L2TP Network Server (LNS) section.
[lns default]
; Addresses handed out to VPN clients; they sit in the same /24 as "local ip" below
; (see netmask 255.255.255.0 in /etc/ppp/options.xl2tpd).
ip range = 192.168.1.128-192.168.1.254
; Address used for the server end of each ppp link.
local ip = 192.168.1.99
; Only CHAP is accepted for PPP authentication; PAP (password sent in the clear) is
; refused and unauthenticated sessions are rejected.
require chap = yes
refuse pap = yes
require authentication = yes
; Server name; the "*" in the server column of /etc/ppp/chap-secrets matches it.
name = LinuxVPNserver
; Verbose pppd debugging. NOTE(review): debug output can expose session details in the
; pppd log — confirm what gets written and consider turning this off once the setup works.
ppp debug = yes
; pppd options for these sessions (the file configured in the next section).
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

ppp

一番下に下記を追加

/etc/ppp/options.xl2tpd

# Appended to /etc/ppp/options.xl2tpd (referenced by "pppoptfile" in xl2tpd.conf).
netmask 255.255.255.0
persist
# Peers must authenticate with MS-CHAPv2; the credentials are taken from
# /etc/ppp/chap-secrets (next file).
require-mschap-v2
# pppd log for the VPN sessions. NOTE(review): with "ppp debug = yes" in xl2tpd.conf this
# file may contain session details — keep it readable by root only.
logfile /var/log/xl2tpd.log

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
# One line per VPN user; replace the bracketed placeholders. "*" in the server column
# matches any server name and "*" in the last column places no restriction on the
# client's address. NOTE(review): the passwords in this file are stored in the clear —
# keep it owned by root with mode 0600.
"[username]" * "[password]" *

IPsec用の事前共有鍵

/etc/ipsec.d/default.secrets

# /etc/ipsec.d/default.secrets — the pre-shared key for L2TP/IPsec.
# The empty selector before ":" means this PSK is used for any peer, i.e. every client
# shares the same key. Replace the placeholder with a long random value (for example
# the output of "openssl rand -base64 32"), keep the file owned by root with mode 0600,
# and restart ipsec after editing it.
: PSK "[共有鍵]"

iptablesを使っている場合は下記のポートを開放

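# L2TP/IPsec
# Routed traffic to and from the ppp links that xl2tpd/pppd create for VPN clients.
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
# IPsec itself: ESP plus IKE (500) and NAT-T (4500).
iptables -A INPUT -p esp -j ACCEPT
# L2TP (1701) is accepted only when the packet arrived inside an IPsec SA (xt_policy
# match), so plain, unencrypted L2TP from the Internet is not reachable.
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
# NOTE(review): -A appends. If the INPUT/FORWARD chains already end with a REJECT/DROP
# rule (as a stock CentOS 6 ruleset does), these lines land after it and never match —
# insert them ahead of it (iptables -I) instead, then persist with "service iptables save".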

sysctl.conf

一番下に下記を追加

/etc/sysctl.conf

# Appended to /etc/sysctl.conf; loaded by "sysctl -p" in the start-up step below.
# Packets that would wait on an IPsec SA still being negotiated are dropped rather than
# queued (libreswan's recommended setting).
net.core.xfrm_larval_drop = 1
# ICMP redirects are neither sent nor accepted on any interface, as libreswan requires;
# otherwise the kernel may emit or honour redirects for tunnelled traffic.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
# Reverse-path filtering is disabled because it can drop IPsec-decapsulated packets.
# NOTE(review): "eth0" is this host's interface name — adjust if yours differs.
# NOTE(review): the FORWARD rules in the iptables section only take effect when routing
# is enabled; net.ipv4.ip_forward = 1 is not in this list — confirm it is set elsewhere.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

起動

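# Apply the sysctl settings (rp_filter, redirects, xfrm_larval_drop) before the daemons
# start, so ipsec comes up with the kernel already configured as it expects.
/sbin/sysctl -p
/sbin/service xl2tpd start
/sbin/service ipsec start
# Start both services on boot.
/sbin/chkconfig xl2tpd on
/sbin/chkconfig ipsec on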