VPN(L2TP/IPsec)

 インストール rpm
# Add the EPEL 6 repository and install the packaged daemons (root prompt "#" throughout).
# The release rpm is fetched over plain http; check its signature against the EPEL key (rpm -K)
# before installing it, or fetch it from a mirror over https.
# wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
# openswan / xl2tpd / ppp are the VPN daemons; lsof appears to be what "ipsec verify" needs
# to check the udp/500 and udp/4500 listeners (see the 確認 section at the end).
# yum install openswan xl2tpd ppp lsof
# yum install wget bind-utils  ← probably not needed


 インストール（ソースからビルド）
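# Build order: Perl → flex → Bison → libpcap → ppp → GMP → xl2tpd → Openswan.
# Every archive is fetched over plain http/ftp and then built and installed as root:
# verify the signature or published checksum of each release before unpacking it.
# Each "tar zxvf" unpacks into a directory named after the archive (GMP is the exception, noted below);
# configure/make run inside that directory and "cd .." returns before the next package.

# wget http://www.cpan.org/src/5.0/perl-5.20.0.tar.gz
# tar zxvf perl-5.20.0.tar.gz
# cd perl-5.20.0
# ./configure.gnu
# make
# make install
# cd ..

# wget http://downloads.sourceforge.net/project/flex/flex-2.5.39.tar.gz
# tar zxvf flex-2.5.39.tar.gz
# cd flex-2.5.39
# ./configure
# make
# make install
# cd ..

# wget http://ftp.gnu.org/pub/gnu/bison/bison-3.0.2.tar.gz
# tar zxvf bison-3.0.2.tar.gz
# cd bison-3.0.2
# ./configure
# make
# make install
# cd ..

# wget http://www.tcpdump.org/release/libpcap-1.6.1.tar.gz
# tar zxvf libpcap-1.6.1.tar.gz
# cd libpcap-1.6.1
# ./configure
# make
# make install
# cd ..

# One ppp version throughout: the download, the tar and the cd must all name the same release
# (the original fetched 2.4.7 but unpacked 2.4.6 and then cd'd to an absolute /ppp-2.4.6).
# wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.7.tar.gz
# tar zxvf ppp-2.4.7.tar.gz
# cd ppp-2.4.7
# ./configure
# make
# make install
# cd ..

# Only GMP 6.0.0a is built (the 5.1.3 download was never used). The "a" re-release
# unpacks into gmp-6.0.0/, not gmp-6.0.0a/.
# wget ftp://ftp.gnu.org/gnu/gmp/gmp-6.0.0a.tar.bz2
# tar jxvf gmp-6.0.0a.tar.bz2
# cd gmp-6.0.0
# ./configure
# make
# make install
# cd ..

# The original omitted the download location; use the 1.3.6 release archive from the xl2tpd project.
# wget <URL of xl2tpd-1.3.6.tar.gz>
# tar zxvf xl2tpd-1.3.6.tar.gz
# cd xl2tpd-1.3.6
# make
# make install
# cd ..

# "openswan-latest.tar.gz" is an unpinned archive: note the version that actually unpacked
# (the directory name after tar) so the build can be reproduced. Openswan, xl2tpd and ppp were
# already installed from EPEL above; these source builds presumably land under /usr/local and
# may shadow the packaged binaries — keep one of the two installations.
# wget https://download.openswan.org/openswan/openswan-latest.tar.gz
# tar zxvf openswan-latest.tar.gz
# cd openswan
# make programs
# make install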
ビルド順: Perl → flex → Bison → libpcap → ppp → GMP → xl2tpd → Openswan

 /etc/xl2tpd/xl2tpd.conf
; /etc/xl2tpd/xl2tpd.conf — L2TP daemon. IPsec (Openswan, /etc/ipsec.d/l2tp-ipsec.conf)
; is what protects the udp/1701 traffic; xl2tpd itself only sees plain L2TP.
[global]
; PPP authentication database (the same file pppd reads). Passwords are stored in clear
; there, so keep it root-owned and mode 0600.
auth file = /etc/ppp/chap-secrets

[lns default]
; Addresses handed to VPN clients; they sit inside the 192.168.1.0/24 LAN and are made
; reachable there by the proxyarp option in /etc/ppp/options.xl2tpd.
ip range = 192.168.1.128-192.168.1.254
; Server-side PPP address; the same address is used as the left side in /etc/ipsec.secrets.
local ip = 192.168.1.100
; Insist on CHAP-family authentication and reject PAP; the exact method (MS-CHAPv2 only)
; is pinned in the pppoptfile below.
require chap = yes
refuse pap = yes
require authentication = yes
name = xl2tpd
; Verbose pppd logging. Useful while bringing the setup up; turn off afterwards, since the
; debug output may expose usernames and session details in the system log.
ppp debug = yes
; pppd options applied to every tunnel.
pppoptfile = /etc/ppp/options.xl2tpd
; Send the length field in L2TP packets (NOTE(review): commonly needed for Windows clients — confirm).
length bit = yes


 /etc/ppp/options.xl2tpd
# /etc/ppp/options.xl2tpd — pppd options for every L2TP session (pppoptfile in xl2tpd.conf).
# Accept the peer's address proposals during IPCP.
ipcp-accept-local
ipcp-accept-remote
# DNS server handed to Windows-style clients.
ms-dns 8.8.8.8
# Do not negotiate CCP (compression).
noccp
# Require the peer to authenticate itself.
auth
# Hardware flow control; presumably a leftover from a serial setup — no use on an L2TP session.
crtscts
# Drop the session after 1800 s (30 min) without traffic.
idle 1800
# MTU/MRU below 1500, presumably to leave room for the L2TP + IPsec overhead.
mtu 1410
mru 1410
# Never let a session replace the server's own default route.
nodefaultroute
# Verbose logging — disable once the setup works.
debug
lock
# Answer ARP on the LAN for the client's address so hosts in 192.168.1.0/24 can reach it directly.
proxyarp
connect-delay 5000

# Authentication: only MS-CHAPv2 is accepted; PAP, CHAP and MS-CHAPv1 are refused.
# MS-CHAPv2 by itself is considered weak, so the L2TP session must only ever run inside
# the IPsec tunnel — never expose udp/1701 without IPsec.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Keep trying to re-establish the link after it drops.
persist


 /etc/ipsec.conf
# /etc/ipsec.conf — Openswan top-level configuration; the L2TP conns are pulled in by the include at the end.
version 2.0

config setup
    # Accept peers behind NAT (UDP/4500 encapsulation) — matches the udp/4500 INPUT rule in /etc/sysconfig/iptables.
    nat_traversal=yes
    # Use the kernel-native IPsec stack.
    protostack=netkey
    # NOTE(review): virtual_private lists the private ranges a NAT'ed peer may present as its inner
    # address when a conn uses rightsubnet=vhost:%priv. Only the server's own LAN (192.168.1.0/24,
    # where local ip 192.168.1.100 lives) is listed here, while the conn in /etc/ipsec.d/l2tp-ipsec.conf
    # uses rightsubnet=0.0.0.0/0 — confirm this line is doing what is intended (Openswan's L2TP example
    # lists the RFC 1918 ranges and excludes the local LAN with "%v4:!...").
    virtual_private=%v4:192.168.1.0/24
    # No opportunistic encryption.
    oe=off
    # Run all crypto in the main pluto process; no helper processes.
    nhelpers=0

include /etc/ipsec.d/*.conf


 /etc/ipsec.d/l2tp-ipsec.conf
# /etc/ipsec.d/l2tp-ipsec.conf — IPsec transport-mode connections carrying L2TP (udp/1701).
# Variant for clients behind NAT: forces UDP encapsulation; everything else is inherited from the noNAT conn.
conn L2TP-PSK-NAT
    # NOTE(review): Openswan's L2TP example uses rightsubnet=vhost:%priv here (the form governed by
    # virtual_private in ipsec.conf); 0.0.0.0/0 is a broader setting — confirm it is intended.
    rightsubnet=0.0.0.0/0
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # Pre-shared key from /etc/ipsec.secrets. With right=%any a single key is shared by every
    # client, so anyone holding it can pose as the gateway to the others; treat a lost client
    # device as a reason to rotate the key.
    authby=secret
    # No Phase-2 PFS (NOTE(review): usually kept off for the built-in L2TP clients of common OSes — confirm for yours).
    pfs=no
    # Load the conn and wait for clients to initiate.
    auto=add
    keyingtries=3
    rekey=no

    # IKE SA lifetime 8 h, IPsec SA lifetime 1 h.
    ikelifetime=8h
    keylife=1h

    # Transport mode: IPsec protects only the L2TP packets between the two endpoints.
    type=transport

    left=%defaultroute
    leftnexthop=%defaultroute
    # Only udp/1701 (L2TP) on our side ...
    leftprotoport=17/1701

    # ... from any peer address and any peer source port.
    right=%any
    rightprotoport=17/%any
    # Dead-peer detection: probe every 10 s, tear the SA down after 20 s of silence.
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    # NOTE(review): no ike= / phase2alg= is set, so pluto's built-in default proposal list applies;
    # pin the algorithms explicitly once the client platforms' offers are known.


 /etc/ipsec.secrets
# /etc/ipsec.secrets — the PSK is stored in clear, so this file must be root-owned, mode 0600.
# NOTE(review): with the leading "#" the include line below should be a comment, so only the
# inline PSK line is used — confirm; if secrets under /etc/ipsec.d/ are loaded too, protect them the same way.
#include /etc/ipsec.d/*.secrets
# "<left IP> %any : PSK": 192.168.1.100 must be the address pluto actually binds
# (left=%defaultroute in the conn) and is the same address as local ip in xl2tpd.conf.
# "dddddddd" is a placeholder — use a long random string (tens of characters, not a word),
# since this one key is shared by every client.
192.168.1.100 %any : PSK "dddddddd"


 /etc/ppp/chap-secrets
# /etc/ppp/chap-secrets — passwords are stored in clear (MS-CHAPv2 needs them), so keep this file root-owned, mode 0600.
# Secrets for authentication using CHAP
# client server secret IP addresses
# "user1" / "pass1" are placeholders: use a long random password and one account per device,
# so a single device can be revoked. Server "*" accepts any server name; address "*" does not
# restrict which address the client may get.
user1 * pass1 *


 /etc/sysctl.conf
# /etc/sysctl.conf — apply with "sysctl -p". "ipsec verify" checks these settings too.
# Route packets between the ppp interfaces and the LAN (the box is the gateway for VPN clients).
net.ipv4.ip_forward = 1
# A forwarding host should neither honour nor emit ICMP redirects (they can be used to steer
# traffic through a third host). Set on all, default and each present interface (eth0, lo)
# so both existing and future interfaces are covered.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0

# sysctl -p


 /etc/selinux/config
# /etc/selinux/config — SELINUX= takes enforcing | permissive | disabled.
# "disabled" switches SELinux off entirely. If the goal is only to stop it from blocking
# pluto/xl2tpd, "permissive" (denials are logged but not enforced) is the smaller change and
# shows in the audit log exactly which accesses would need a policy adjustment.
-SELINUX=enforcing
+SELINUX=disabled


 /etc/sysconfig/iptables
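# /etc/sysconfig/iptables — loaded with iptables-restore by the iptables service.
# Chain policies are ACCEPT; the trailing REJECT rules in INPUT and FORWARD are what
# actually close them, so keep those last.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH management access.
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT

# L2TP/IPsec
# Forward traffic from and to VPN clients (ppp+ interfaces). Both directions are needed;
# a rule written on a "#" comment line is never loaded.
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ESP, IKE (udp/500) and NAT-T (udp/4500).
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
# L2TP (udp/1701) only when the packet arrived inside an IPsec SA, so plain unencrypted
# L2TP (MS-CHAPv2 alone) is never offered to the network.
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only the VPN client pool (192.168.1.128-254 from xl2tpd.conf, i.e. 192.168.1.128/25),
# not every packet the box happens to forward.
-A POSTROUTING -s 192.168.1.128/25 -j MASQUERADE
COMMIT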


 起動
# SysV init scripts (CentOS 6). These start the daemons once; to have them start at boot as
# well, enable them with "chkconfig ipsec on" and "chkconfig xl2tpd on".
# Afterwards "ipsec verify" (確認 below) reports whether pluto listens on udp/500 and udp/4500.
/etc/init.d/xl2tpd start
/etc/init.d/ipsec start


 確認
# ipsec verify

Pluto listening for IKE on udp 500
Pluto listening for NAT-T on udp 4500 [FAILED]
これは lsof が未インストールのときに出る表示なので、lsof を入れれば解消する:
# yum install lsof


更新 2014.11.09