1. Check whether ppp is supported

First check whether your host supports ppp; if the command prints yes, the check passes.

modprobe ppp-compress-18 && echo yes

yes

 

2. Check whether TUN is enabled

Some virtual-machine hosts need it enabled. If the output is cat: /dev/net/tun: File descriptor in bad state, the check passes.

cat /dev/net/tun

cat: /dev/net/tun: File descriptor in bad state

 

3. Update and install

yum check-update
yum update -y

Note:

Some hosts have hardware that does not support the latest kernel, so if you are not sure, do not upgrade the kernel; use the following command instead:

yum --exclude=kernel* update -y

The update takes a while; please be patient.

 

4. Install packages

strongSwan is an IPsec and IKEv1 implementation that runs on Linux 2.6, 3.x and 4.x kernels. It also fully supports the newer IKEv2 protocol and interoperates, in both IKEv1 and IKEv2 mode, with most other IPsec-based VPN products.

strongSwan is an open-source IPsec-based VPN solution for Linux/Unix. It supports IKEv1 and IKEv2 and works seamlessly with the kernel-space NETKEY IPsec stack. Its greatest strengths are a high security level and good compatibility: the built-in IPsec clients of current mainstream operating systems, such as Android, iOS, Mac OS X and Windows 7/8, can connect directly to a strongSwan VPN.

the OpenSource IPsec-based VPN Solution

  • runs on Linux 2.6, 3.x and 4.x kernels, Android, FreeBSD, OS X and Windows
  • implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
  • Fully tested support of IPv6 IPsec tunnel and transport connections
  • Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
  • Automatic insertion and deletion of IPsec-policy-based firewall rules
  • NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
  • Support of IKEv2 message fragmentation (RFC 7383) to avoid issues with IP fragmentation
  • Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
  • Static virtual IPs and IKEv1 ModeConfig pull and push modes
  • XAUTH server and client functionality on top of IKEv1 Main Mode authentication
  • Virtual IP address pool managed by IKE daemon or SQL database
  • Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-TLS, EAP-MSCHAPv2, etc.)
  • Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
  • Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
  • Authentication based on X.509 certificates or preshared keys
  • Use of strong signature algorithms with Signature Authentication in IKEv2 (RFC 7427)
  • Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
  • Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
  • CA management (OCSP and CRL URIs, default LDAP server)
  • Powerful IPsec policies based on wildcards or intermediate CAs
  • Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
  • Modular plugins for crypto algorithms and relational database interfaces
  • Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
  • Optional built-in integrity and crypto tests for plugins and libraries
  • Smooth Linux desktop integration via the strongSwan NetworkManager applet
  • Trusted Network Connect compliant to PB-TNC (RFC 5793) and PA-TNC (RFC 5792)

CentOS server version (the server used to host the VPN)

# uname -a          
Linux mimvp_hk 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
#
# cat /etc/issue
\S
Kernel \r on an \m

# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core)    // distribution name and version
#
# cat /proc/version
Linux version 3.10.0-514.16.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Wed Apr 12 15:04:24 UTC 2017
#
# getconf LONG_BIT
64    // 32bit or 64bit

1) Install the packages

yum -y install epel-release wget
yum -y install strongswan ppp xl2tpd lsof openssl

Installed versions:

Package strongswan-5.4.0-2.el7.x86_64 already installed and latest version
Package ppp-2.4.5-33.el7.x86_64 already installed and latest version
Package xl2tpd-1.3.8-2.el7.x86_64 already installed and latest version
Package lsof-4.87-4.el7.x86_64 already installed and latest version
Package 1:openssl-1.0.1e-60.el7_3.1.x86_64 already installed and latest version

 

2) Create certificates with strongswan

Method 1 (recommended)

Every complete SSL certificate consists of a public key and a private key. The public key is what gets transmitted over the network; the private key is kept secret and pairs with the public key the other side receives (so the private key also embeds the whole public key, for that pairing).

a) Generate the CA private key and use it to self-sign the CA certificate

First, enter /etc/strongswan/ and create a new directory named key.pem to hold the key files:

cd /etc/strongswan/
mkdir key.pem
cd key.pem/
strongswan pki --gen --outform pem > ca.key.pem
strongswan pki --self --in ca.key.pem --dn "C=CN, O=VPN, CN=StrongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem

As above, C is the country name; similarly ST is the state/province, L the locality and STREET (all capitals) the street name; O is the organization name, e.g. VPN; CN is the common name; --ca marks the certificate as a CA.

 

b) Generate the server private key and issue the server certificate with the CA

strongswan pki --gen --outform pem > server.key.pem
strongswan pki --pub --in server.key.pem | strongswan pki --issue --lifetime 1200 --cacert ca.cert.pem \
    --cakey ca.key.pem --dn "C=CN, O=VPN, CN=vpn.linsir.org" \
    --san="1.2.3.4" --san="vpn.linsir.org" --flag serverAuth --flag ikeIntermediate \
    --outform pem > server.cert.pem

Here the second command extracts the public key from the private key just generated and feeds it into the server certificate issuance that follows.

- iOS clients require the CN (common name) to be your server's URL or IP address;
- Windows 7 requires the above and additionally that the certificate's purpose (server authentication) be stated explicitly: --flag serverAuth;
- Mac OS X (not iOS) requires the "IP Security IKE Intermediate" extended key usage (EKU): --flag ikeIntermediate;
- Android and iOS both require the subjectAltName to be the server's URL or IP address: --san.

So the C and O values here must match step a); the CN and --san values are the server's public address or URL, and several --san values can be given. Otherwise you get error 13801: IKE authentication credentials are unacceptable.

 

c) Generate the client certificate

strongswan pki --gen --outform pem > client.pem
strongswan pki --pub --in client.pem | strongswan pki --issue --cacert ca.cert.pem \
    --cakey ca.key.pem --dn "C=CN, O=VPN, CN=VPN Client" \
    --outform pem > client.cert.pem

List all the generated certificates:

# ll
-rw-r--r-- 1 homer mimvp 1159 May 20 20:58 ca.cert.pem
-rw-r--r-- 1 homer mimvp 1675 May 20 20:57 ca.key.pem
-rw-r--r-- 1 homer mimvp 1111 May 20 21:23 client.cert.pem
-rw-r--r-- 1 homer mimvp 1679 May 20 21:13 client.pem
-rw-r--r-- 1 homer mimvp 1204 May 20 21:12 server.cert.pem
-rw-r--r-- 1 homer mimvp 1671 May 20 21:04 server.key.pem

 

d) Install the certificates: copy them into the strongswan directories

cp ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
cp server.cert.pem /etc/strongswan/ipsec.d/certs/
cp server.key.pem /etc/strongswan/ipsec.d/private/

 

e) Configure strongSwan: IKE versions used by each device/operating system

Linux: the command-line client is strongSwan itself, so it is fully compatible and supports IKEv1/IKEv2 connections with every cipher suite.
Android: only IKEv1 (I do not have the newest Android phones; they may already support IKEv2).
iOS/Mac OS X: the IPsec client is Apple's own modified racoon, which only supports IKEv1; the newest iOS 9 and Mac OS X support IKEv2.
Windows: IKEv2 is only supported from Windows 7 on; Windows XP has to use L2TP.

 

 

Method 2 (not recommended; skip it)

a) Replace YOUR_SERVER_IP with the public IP of your VPN server

Replace yourname yourname@mimvp.com with your username and your email address

cd /etc/strongswan/ipsec.d/
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/8c6721a4a49ac0382ee9d48ed99abce676bde1c0/server_key.sh
wget https://github.com/michael-loo/strongswan_config/raw/8c6721a4a49ac0382ee9d48ed99abce676bde1c0/client_key.sh

chmod a+x server_key.sh client_key.sh
./server_key.sh 147.190.159.125               # 147.190.159.125 is YOUR_SERVER_IP  
./client_key.sh yourname yourname@mimvp.com   # your_name  your_email

Output:

./client_key.sh yourname yourname@mimvp.com
generating keys for yourname yourname@mimvp.com ...
  subject:  "C=CH, O=Expats-in-China, CN=yourname@mimvp.com"
  issuer:   "C=CH, O=Expats-in-China, CN=147.190.159.125"
  validity:  not before May 13 08:44:37 2017, ok
             not after  May 13 08:44:37 2019, ok (expires in 730 days)
  serial:    04:0a:0d:86:21:d3:f6:ef
  altNames:  yourname@mimvp.com
  authkeyId: 0b:c0:9e:1c:a8:5c:bc:15:ba:2e:44:30:9e:ff:51:03:9e:dd:a4:78
  subjkeyId: 39:de:c8:22:ff:2c:61:79:fb:73:b7:85:ed:5e:17:57:1c:4c:35:30
  pubkey:    RSA 2048 bits
  keyid:     fc:cf:ec:9a:ed:89:8b:7c:91:69:42:ba:ea:b4:4d:98:d5:58:e8:74
  subjkey:   39:de:c8:22:ff:2c:61:79:fb:73:b7:85:ed:5e:17:57:1c:4c:35:30
\nEnter password to protect p12 cert for yourname
Enter Export Password:                # enter any password
Verifying - Enter Export Password:    # enter it again
cert for yourname at yourname.p12

b) Download the certificate files

sz /etc/strongswan/ipsec.d/yourname.p12
sz /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem

c) Install the certificates

Install the two certificates above on the client. On an iPhone you can email both certificates to the phone and install them from there.

iPhone, Android and Windows PCs can all log in to the VPN with certificate plus password;

Mac OS X can log in with PSK key plus password.

 

5. Enable IP forwarding

Edit /etc/sysctl.conf and add net.ipv4.ip_forward=1 together with the other settings shown below:

sudo  vim /etc/sysctl.conf

# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#
# sysctl -p /etc/sysctl.conf

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.conf.lo.arp_announce=2

# pptp
net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

To apply the changes, run sysctl -p:

sysctl -p /etc/sysctl.conf

 

6. Edit ipsec.conf

Edit or add the following:

vim /etc/strongswan/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # uniqueids: when the same user logs in again from another device,
    #   yes   drops the old connection and creates the new one;
    #   no    keeps the old connection and sends a notification;
    #   never same as no, but without the notification.
    strictcrlpolicy=no
    uniqueids=never     # allow several clients to share one certificate, i.e. multiple devices online at once

# settings shared by all conn sections
conn %default
    keyexchange=ike             # accept either IKEv1 or IKEv2
    left=%any                   # server-side identity, %any means any
    leftsubnet=0.0.0.0/0        # server-side subnet, 0.0.0.0/0 means everything
    right=%any                  # client-side identity, %any means any


conn IKE-BASE
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    leftcert=server.cert.pem     # server certificate
    rightsourceip=10.0.0.0/24    # virtual IP pool handed out to clients

# for IOS9 and Win 7 or later
conn ike2-eap
    also=IKE-BASE       # include IKE-BASE
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    leftsendcert=always
    leftid=vpn.linsir.org
    leftauth=pubkey
    leftfirewall=yes
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    rekey=no
    dpdaction=clear
    fragmentation=yes
    auto=add

# for iOS, using a PSK
conn IPSec-IKEv1-PSK
    also=IKE-BASE       # include IKE-BASE
    keyexchange=ikev1
    fragmentation=yes
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

# for Android
conn IPSec-xauth
    also=IKE-BASE       # include IKE-BASE
    leftauth=psk
    leftfirewall=yes
    right=%any
    rightauth=psk
    rightauth2=xauth
    auto=add


# IKEv2 for iOS
conn iOS-IKEV2
    auto=add
    dpdaction=clear
    keyexchange=ikev2
    #left
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=im.zorro.ipsec.server
    #right
    right=%any
    rightsourceip=10.0.0.0/24    # virtual IP pool handed out to clients
    rightauth=eap-mschapv2
    rightid=im.zorro.ipsec.client


conn L2TP-PSK
    keyexchange=ikev1
    authby=secret
    leftprotoport=17/1701       # server-side L2TP port
    leftfirewall=no
    rightprotoport=17/%any      # client-side L2TP port
    type=transport
    auto=add

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT         # include L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=47.90.59.25
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

conn L2TP
    keyexchange=ikev1
    left=47.90.59.25
    leftsubnet=0.0.0.0/0
    leftprotoport=17/1701
    authby=secret
    leftfirewall=no
    right=%any
    rightprotoport=17/%any
    type=transport
    auto=add

 

7. Edit ipsec.secrets (create the file if it does not exist):

vim /etc/strongswan/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA server.key.pem
: PSK "PSK-MIMVP"
: XAUTH "XAUTH-MIMVP"
mimvp-user1 %any : EAP "123456"
mimvp-user1 %any : XAUTH "123456"
mimvp-guest %any : EAP "123456"
mimvp-guest %any : XAUTH "123456"
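Before starting the daemon, the secrets file above is worth a quick audit: a group PSK is shared by every IKEv1 client, and the file must be readable by root only. The shell function below is an added example, not part of the original post; the 20-character PSK and 12-character password thresholds and the small common-password list are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ipsec.secrets file in
# the layout used above before running "systemctl start strongswan".
#   : PSK "..."               group pre-shared key known to every IKEv1 client
#   user %any : EAP "..."     per-user EAP-MSCHAPv2 password
#   user %any : XAUTH "..."   per-user XAUTH password
# Findings are printed one per line (never the secret itself); exit status 0
# means nothing was flagged. Length thresholds and the common-password list
# are assumptions chosen for this example.
audit_ipsec_secrets() {
    f=$1; n=0
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, secrets should be 0600 and owned by root"; n=$((n+1)) ;;
    esac
    seen=""
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # secret type: PSK / EAP / XAUTH; lines such as ": RSA server.key.pem" are skipped
        kind=$(printf '%s' "$line" | sed -E -n 's/^.*: *(PSK|EAP|XAUTH) *".*/\1/p')
        [ -n "$kind" ] || continue
        val=$(printf '%s' "$line" | sed -E 's/^[^"]*"([^"]*)".*/\1/')
        who=${line%% *}; [ "$who" = ":" ] && who="(group)"
        case "$kind" in
            PSK)
                [ "${#val}" -ge 20 ] || {
                    echo "$who PSK is ${#val} chars; use 20 or more random characters"
                    n=$((n+1)); }
                ;;
            EAP|XAUTH)
                bad=""
                case "$val" in
                    123456|12345678|password|qwerty|admin) bad="is a common password" ;;
                esac
                if [ -z "$bad" ] && [ "${#val}" -lt 12 ]; then
                    bad="is shorter than 12 characters"
                fi
                if [ -z "$bad" ]; then
                    case " $seen " in *" $val "*) bad="is reused by another entry" ;; esac
                fi
                [ -z "$bad" ] || { echo "$who $kind password $bad"; n=$((n+1)); }
                seen="$seen $val"
                ;;
        esac
    done < "$f"
    [ "$n" -eq 0 ]
}
```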

This completes the IPsec part; next, install and configure L2TP.

Start the strongswan service:

systemctl start strongswan

 

8. Verify the ipsec status (strongswan already includes ipsec; this step can be skipped)

ipsec restart
ipsec verify

Output like the following means it succeeded:

# ipsec verify                
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.16.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OBSOLETE KEYWORD]
 Warning: ignored obsolete keyword 'force_keepalive'
Opportunistic Encryption                                [DISABLED]

 

9. Edit xl2tpd.conf

The [lns default] section of /etc/xl2tpd/xl2tpd.conf is as follows:

vim /etc/xl2tpd/xl2tpd.conf 

[lns default]
;ip range = 10.25.155.1-10.25.155.254
;local ip = 10.25.155.150
ip range = 192.168.31.2-192.168.31.254
local ip = 192.168.31.191
require chap = yes
refuse pap = yes
require authentication = yes
name = MIMVP-VPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
bps = 1000000

Notes:

ip range is the private IP range handed to clients, e.g. ip range = 192.168.31.2-192.168.31.254

local ip is the private IP on the client-facing side, e.g. local ip = 192.168.31.155

 

10. Edit options.xl2tpd

The PPP part; only CHAP authentication is configured here.

vim /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
ms-dns  8.8.4.4
ms-wins 8.8.8.8
ms-wins 8.8.4.4
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
name xl2tpd
noccp
asyncmap 0
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
connect-delay 5000
logfile /var/log/xl2tpd.log

# crtscts and lock are removed by new CentOS
#crtscts
#lock

Note: the newest CentOS (3.x kernel) no longer has the crtscts and lock options; they must be removed, otherwise pppd reports an error.

 

11. Edit chap-secrets

Edit the password file /etc/ppp/chap-secrets

vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
#mimvp-proxy     pptpd  123456     *
mimvp-guest   *   123456    *
mimvp-vpn     *   123456    *

 

12. Configure the iptables firewall

Remember to open ports 500, 4500 and 1701, and add the iptables NAT forwarding rule:

iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
service iptables save
systemctl restart  iptables

Aliyun hosts have two NICs, internal eth0 and external eth1, so it is easy to write eth0 here by mistake; the correct external interface is eth1.

 

13. Start and inspect the services

1) Start the services

systemctl restart pptpd strongswan xl2tpd

2) Enable them at boot

systemctl enable pptpd strongswan xl2tpd

# systemctl list-unit-files | grep -E 'pptpd|strongswan|xl2tpd'
pptpd.service                                 enabled 
strongswan.service                            enabled 
xl2tpd.service                                enabled 

3) Check the service status

systemctl status pptpd strongswan xl2tpd

# systemctl status pptpd strongswan xl2tpd ipsec 
● pptpd.service - PoPToP Point to Point Tunneling Server
   Loaded: loaded (/usr/lib/systemd/system/pptpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-05-13 00:49:01 CST; 6s ago
 Main PID: 5207 (pptpd)
   CGroup: /system.slice/pptpd.service
           └─5207 /usr/sbin/pptpd -f

May 13 00:49:01 mimvp-com systemd[1]: Stopping PoPToP Point to Point Tunneling Server...
May 13 00:49:01 mimvp-com systemd[1]: Started PoPToP Point to Point Tunneling Server.
May 13 00:49:01 mimvp-com systemd[1]: Starting PoPToP Point to Point Tunneling Server...
May 13 00:49:01 mimvp-com pptpd[5207]: MGR: Maximum of 100 connections reduced to 6, not enough IP addresses given
May 13 00:49:01 mimvp-com pptpd[5207]: MGR: Manager process started
May 13 00:49:01 mimvp-com pptpd[5207]: MGR: Maximum of 6 connections available

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-05-13 00:49:01 CST; 8s ago
 Main PID: 5208 (starter)
   CGroup: /system.slice/strongswan.service
           ├─5208 /usr/libexec/strongswan/starter --daemon charon --nofork
           └─5237 /usr/libexec/strongswan/charon

May 13 00:49:02 mimvp-com charon[5237]: 00[JOB] spawning 16 worker threads
May 13 00:49:02 mimvp-com ipsec_starter[5208]: charon (5237) started after 140 ms
May 13 00:49:02 mimvp-com strongswan[5208]: charon (5237) started after 140 ms
May 13 00:49:02 mimvp-com charon[5237]: 05[CFG] received stroke: add connection 'L2TP-PSK-NAT'
May 13 00:49:02 mimvp-com charon[5237]: 05[CFG] invalid subnet: vhost:%priv, skipped
May 13 00:49:02 mimvp-com charon[5237]: 05[CFG] added configuration 'L2TP-PSK-NAT'
May 13 00:49:02 mimvp-com charon[5237]: 10[CFG] received stroke: add connection 'L2TP-PSK-noNAT'
May 13 00:49:02 mimvp-com charon[5237]: 10[CFG] added child to existing configuration 'L2TP-PSK-NAT'
May 13 00:49:02 mimvp-com charon[5237]: 14[CFG] received stroke: add connection 'l2tp'
May 13 00:49:02 mimvp-com charon[5237]: 14[CFG] added configuration 'l2tp'

● xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
   Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-05-13 00:49:02 CST; 10s ago
  Process: 5507 ExecStartPre=/sbin/modprobe -q l2tp_ppp (code=exited, status=0/SUCCESS)
 Main PID: 5510 (xl2tpd)
   CGroup: /system.slice/xl2tpd.service
           └─5510 /usr/sbin/xl2tpd -D

May 13 00:49:02 mimvp-com systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
May 13 00:49:02 mimvp-com systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: Not looking for kernel SAref support.
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: Using l2tp kernel support.
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: xl2tpd version xl2tpd-1.3.8 started on mimvp-com PID:5510
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: Forked by Scott Balmos and David Stipp, (C) 2001
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: Inherited by Jeff McAdams, (C) 2002
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
May 13 00:49:02 mimvp-com xl2tpd[5510]: xl2tpd[5510]: Listening on IP address 0.0.0.0, port 1701

4) Log debugging

Watch the server-side logs to analyse any problems encountered while using the VPN.

Ubuntu / Debian server logs:

tail -f /var/log/strongswan-charon.log
or
tail -f /var/log/syslog

CentOS / RedHat server logs (recommended):

tail -f /var/log/messages

 

14. Connecting to the VPN

Client configuration, connection and testing

1) Windows 7: import the certificate

Create a .bat batch file with the content below, put ca.cert.pem in the same directory, then right-click the file and run it as administrator.

@echo off
@setlocal enableextensions
@set current_dir=%~dp0
@cd /d "%current_dir%"
@echo %current_dir%
@certutil -addstore root ca.cert.pem
if %ERRORLEVEL% NEQ 0 @echo not ok
pause

Then create the VPN connection.

Note: on Windows 8 and 10, IKEv2 has a bug where the TCP/IP protocol properties cannot be set; disable "use default gateway on remote network". After my connection came up I had to add routes by hand. On Windows 10 the VPN connection's IPv4 properties cannot be opened; the workaround is to disable the remote gateway.

In my tests, certificate login on Windows 8+ has poor NAT traversal, while CA certificate plus EAP username/password authentication connects quickly and is stable.

 

2) iOS/Mac

Email the CA certificate to yourself. Open the mail on iOS and import both certificates (note that there are two; the CA must be imported, otherwise the other one cannot be used), then create an IPSec VPN.

Four kinds of VPN can be set up here:

  1. IPSec+EAP (works)

    • Server: the IP or the URL
    • Account and password: the two values on either side of EAP in /etc/strongswan/ipsec.secrets
    • Secret: the PSK password set in /etc/strongswan/ipsec.secrets.
  2. IPSec+certificate

    • Server: the IP or the URL
    • Account and password: the two values on either side of EAP in /etc/strongswan/ipsec.secrets (the XAUTH password also works)
    • Tick "use certificate" and select it
  3. L2TP (works)

    • Server: the IP or the URL
    • Account and password: the ones in /etc/ppp/chap-secrets
    • Secret: the PSK password set in /etc/strongswan/ipsec.secrets.
  4. IKEv2 (iOS 9)

    • First import the server's ca.cert.pem; it can be seen under Settings - General - Profiles
    • Type: IKEv2
    • Server: the IP or the URL
    • Remote ID: the IP or the URL
    • Account and password: the two values on either side of EAP in /etc/strongswan/ipsec.secrets

 

3) Android

IPSec Xauth PSK

IPSec pre-shared key: the password after PSK in ipsec.secrets.

 

 

15. Reaching overseas websites through the VPN

Connect to the VPN

(screenshot: aliyun-centos7-deploying-l2tp-ipsec-vpn-11)

 

Reaching Google Play through the VPN

https://play.google.com/store?hl=en

(screenshot: aliyun-centos7-deploying-l2tp-ipsec-vpn-12)

 

16. Further VPN topics

strongSwan IKEv2 configuration without importing a certificate

FreeRadius: account authentication and accounting

daloRadius: user billing management

FreeRADIUS + daloRADIUS for advanced PPTP VPN user control and traffic control

 

 

References

Setting up a VPN on Aliyun CentOS 7

VPN protocols PPTP/L2TP/OpenVPN/IKEv2 and SSH: differences explained

Setting up an L2TP over IPsec server on CentOS 7 (Baidu Wenku)

Setting up PPTP, L2TP and IPsec services on CentOS 7

PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7(GitHub)

Setting up an IPsec VPN with strongSwan on CentOS 7

Setting up an L2TP/IPsec VPN server on CentOS Linux 5.9 32-bit

strongSwan IPsec-IKEv1, IKEv2 and L2TP VPN on CentOS 7, for iOS 9, OS X, Windows and Linux

Configuring an IPsec-IKEv2 VPN on CentOS 7, for iOS, Mac OS, Windows and Linux