IPsec(L2TPD)でVPNサーバを立ててみた
IPsec(L2TPD)でVPNサーバを立ててみた。
OpenVPNで言う所のブリッジモード。
クライアントはサーバと同じネットワークに追加される。
ã
必要なファイル全部記載。
詳しくは参考URLへ。
サーバはCentOS。
ã
XL2TPD
インストール
# xl2tpd is not in the base CentOS repositories; enable EPEL just for this transaction.
yum -y install --enablerepo=epel xl2tpd
ã
/etc/xl2tpd/xl2tpd.conf
; /etc/xl2tpd/xl2tpd.conf -- L2TP daemon configuration (the IPsec side is in Openswan).
[global]
; Per-user PPP secrets (stored in plaintext) -- keep that file root-owned, mode 0600.
auth file = /etc/ppp/chap-secrets

[lns default]
; Addresses handed to VPN clients. They are taken from the LAN range itself,
; so together with 'proxyarp' in options.xl2tpd a client appears as a LAN host
; and can reach everything a LAN host can (the "bridge mode" behaviour the page describes).
ip range = 192.168.0.240-192.168.0.254
; Server-side PPP endpoint address.
local ip = 192.168.0.50
; Only CHAP-family authentication is accepted; PAP (password sent in clear
; inside the tunnel) is refused.
require chap = yes
refuse pap = yes
require authentication = yes
; Name pppd presents; the '*' server column in chap-secrets ignores it anyway.
name = LinuxVPNserver
; NOTE(review): enables pppd debug output in the pppd logfile; switch off once
; the tunnel works so authentication exchanges are not logged long-term.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
ã
/etc/ppp/options.xl2tpd
# /etc/ppp/options.xl2tpd -- pppd options for every L2TP session (pppoptfile in xl2tpd.conf).
# Accept the addresses the peer proposes for both ends of the PPP link.
ipcp-accept-local
ipcp-accept-remote
# DNS / WINS servers pushed to Windows-style clients.
ms-dns 192.168.0.40
ms-wins 192.168.0.40
# Do not negotiate CCP (compression).
noccp
# Require the peer to authenticate itself (secrets come from /etc/ppp/chap-secrets).
auth
crtscts
# Tear the session down after 1800 s (30 min) without traffic.
idle 1800
# 1410 presumably leaves room for the L2TP/UDP/ESP encapsulation overhead -- confirm for your path MTU.
mtu 1410
mru 1410
# The server must never send its own traffic down a client link.
nodefaultroute
# NOTE(review): 'debug' makes pppd log the contents of all control packets,
# which includes the CHAP exchange, into the logfile below. Remove it once
# the setup works, or protect that log like a secrets file.
debug
lock
# Answer ARP on the LAN for the client's address so other LAN hosts can reach it.
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.l2tp-ipsec.log
ã
/etc/ppp/chap-secrets
同じユーザで同時接続出来る。
# /etc/ppp/chap-secrets -- CHAP credentials used by pppd for the L2TP sessions.
# The secrets are stored in PLAINTEXT: this file must be owned by root with
# mode 0600. user1/password1 are placeholders -- use long random secrets, one
# per person, never shared.
#
# Columns: client  server  secret  "IP addresses"
#   server "*"       -> accepted whatever local name pppd/xl2tpd announces
#   IP addresses "*" -> the user may receive any address from the ip range,
#                        which is also why one user can hold several sessions at once.
# Secrets for authentication using CHAP
# client server secret IP addresses
user1 * "password1" *
user2 * "password2" *
ã
Openswan
インストール
# NOTE(review): recent CentOS releases no longer ship Openswan (libreswan took its
# place); confirm the package name for the release you are on before running this.
yum -y install openswan
ã
/etc/ipsec.conf
version 2.0
# /etc/ipsec.conf -- Openswan global setup; the L2TP connections live in /etc/ipsec.d/.

config setup
    # Native kernel IPsec stack (NETKEY) rather than KLIPS.
    protostack=netkey
    # Needed for clients behind NAT (ESP in UDP 4500).
    nat_traversal=yes
    # Opportunistic encryption is switched off through ipsec.d/no_oe.conf instead.
    #oe=off
    # No separate crypto helper processes.
    nhelpers=0

include /etc/ipsec.d/*.conf
ã
/etc/ipsec.d/l2tp-psk.conf
rightsubnetを0.0.0.0/0にしないと繋がらなかった。
カンマでは指定出来ないため、接続元を絞り込みたい場合はconnを増やす必要があるかも。
rightprotoportのポートにanyを指定しないと、1つのグローバルIPに対して1つしかトンネルが貼れない。
# /etc/ipsec.d/l2tp-psk.conf -- Openswan connections for L2TP/IPsec road-warrior
# clients; pulled in by the include line in /etc/ipsec.conf.

# Clients behind NAT. rightsubnet=vhost:%priv would limit the client's inner
# address to private (RFC1918) space; the author found only 0.0.0.0/0 worked,
# which accepts any inner address. Combined with right=%any below, the PSK and
# then PPP CHAP are the only things gating access to this server.
conn L2TP-PSK-NAT
    #rightsubnet=vhost:%priv
    #rightsubnet=192.168.0.0/24
    #rightsubnet=vhost:%no,%priv
    rightsubnet=0.0.0.0/0
    # Inherit everything else; keep 'also' as the last parameter of the section.
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    #
    # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
    # YourIPAddress %any: "sharedsecret"
    #
    # NOTE(review): with right=%any this is ONE group PSK shared by every client.
    # Whoever holds it can also pose as the server towards the other clients, so
    # use a long random secret (never the sample value) and change it whenever a
    # client device is lost or a user leaves.
    #
    # A private address here means the server itself sits behind NAT; UDP 500,
    # UDP 4500 and ESP presumably have to be forwarded to it by the router.
    left=192.168.0.50
    #leftnexthop=192.168.0.1
    leftnexthop=%any
    authby=secret
    # The Windows clients mentioned above need pfs=no; keep it unless every client does PFS.
    pfs=no
    # Load only, never initiate: the server waits for clients.
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # L2TP rides inside transport-mode IPsec (no inner tunnel addresses).
    type=transport
    # NOTE(review): no ike=/phase2alg= lines, so Openswan's default proposals
    # apply; pin them to the AES/SHA variants your clients support once the
    # client set is known.
    #
    #left=%defaultroute
    # or you can use: left=YourIPAddress
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    #rightprotoport=17/1701
    # %any rather than 1701: NAT devices rewrite the client's source port, and
    # without it only one client per public IP can be connected at a time.
    rightprotoport=17/%any
ã
/etc/ipsec.d/no_oe.conf
CentOSのリポジトリのRPMにはこのファイルがついてなくて、ハマり掛った。
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
#
# Picked up automatically through 'include /etc/ipsec.d/*.conf'. Each built-in
# OE policy-group connection is set to auto=ignore so Openswan never loads it.
# The CentOS RPM does not ship this file, so it has to be created by hand.

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
ã
iptables
ベースはこちら
ã
ファイアウォール構築(iptables) - CentOSで自宅サーバー構築
http://centossrv.com/iptables.shtml
ã
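# FORWARD: pass traffic to and from the LAN. VPN clients receive LAN addresses
# (192.168.0.240-254 in xl2tpd.conf), so these two rules cover them as well.
# $LOCALNET and the ACCEPT_COUNTRY chain are defined by the base firewall
# script (centossrv.com) this fragment is appended to.
iptables -A FORWARD -s "$LOCALNET" -j ACCEPT
iptables -A FORWARD -d "$LOCALNET" -j ACCEPT

# L2TP/IPsec
# What actually arrives from the Internet is IKE (UDP 500), NAT-T (UDP 4500)
# and ESP. IKE and NAT-T are UDP-only, so the earlier TCP 500/4500 rules opened
# ports nothing listens on and have been dropped.
iptables -A INPUT -p udp --dport 500 -j ACCEPT_COUNTRY
iptables -A INPUT -p udp --dport 4500 -j ACCEPT_COUNTRY
iptables -A INPUT -p esp -j ACCEPT_COUNTRY
# L2TP (UDP 1701) may only be accepted after it has been decapsulated from
# IPsec. Without the policy match anyone can speak plain L2TP/PPP to xl2tpd,
# bypassing IPsec entirely and leaving CHAP as the only protection.
# (L2TP is UDP; there is no TCP 1701 listener, so that rule was dropped too.)
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT_COUNTRY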
ã
確認
これをしてFAILEDがあったら、その項目を解決してOKにする。
ipsec verify
ã
これをして最後の方にconnの名前が表示されてなかったら、この設定で何かミスがある。
ipsec auto --status
ã
参考URL
Memo - VPN Server for Fedora (L2TP/IPsec,PPTP)
http://www.ln-lab.net/lunar-night.lab/page2-memo_vpn/design-white/lang-ja
ã
Kung Noi:OpenSwanでl2tp IPsec VPN環境
http://nai.homelinux.net/l2tp_ipsec.html
ã
L2TPでVPN接続 | Kirie.net Blog
http://blog.kirie.net/linux/62.html
ã
suz-lab - blog: OpenswanでIPsec(多分一番簡単な方法)
http://blog.suz-lab.com/2010/06/openswanipsec.html