2017-07-30

[筆記]使用Ubuntu 16.04架設L2TP Over IPSec VPN

Ubuntu在16.04版本之後的套件庫,拿掉了openswan,所以要改用strongswan來設定IPSec,跟之前openswan有些許的不同,參考了這篇之後架設成功,所以趕緊筆記一下~

注意,底下所有指令都用root身分執行,所以就不再打sudo了!

1.系統部分

首先安裝必要套件:
# Packages the guide relies on: IKE/IPsec daemon, L2TP daemon, PPP, and lsof (used for checking listeners).
pkgs=(strongswan xl2tpd ppp lsof)
apt-get install "${pkgs[@]}"



再來設定轉發相關(打指令,可全部複製貼上):
# Kernel network settings for the VPN host. They are appended to
# /etc/sysctl.conf (so they survive reboots) and applied right away
# with `sysctl -p`. tee echoes each line to the terminal as well.
# NOTE(review): default.rp_filter=0 only affects interfaces created later
# (e.g. ppp ones); the iptables.rule script later in this guide writes
# rp_filter=1 to every existing interface, so confirm the two agree with
# what you intend before relying on either.
tee -a /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF

sysctl -p



2.IPSec部分

接著要來設定strongswan,編輯 /etc/ipsec.conf:
config setup

# Server-side IKEv1 transport-mode SA that protects the L2TP (UDP/1701) traffic.
conn L2TP-PSK-noNAT
    authby=secret
    # shared secret (the PSK from /etc/ipsec.secrets). Use rsasig for certificates.
 
    auto=add
    # the conn is loaded when the ipsec daemon starts and waits for a client to
    # initiate; it is not started by the server itself.
 
    keyingtries=3
    #Only negotiate a conn. 3 times.
 
    ikelifetime=8h
    keylife=1h
 
    ike=aes256-sha1,aes128-sha1,3des-sha1
    # NOTE(review): 3des-sha1 is a legacy proposal kept for old clients; remove it
    # once no client you support needs it.
 
    type=transport
    #because we use l2tp as tunnel protocol
 
    left=1.2.3.4 # replace with the VPN server's real public IP
    #fill in server IP above
    # NOTE(review): if the conn fails to load, move the trailing comment above
    # onto its own line — not every ipsec.conf parser accepts comments after a value.
 
    leftprotoport=17/1701

    right=%any
    rightprotoport=17/%any
    # any client address and any client source port; protocol 17 is UDP (L2TP)
 
    dpddelay=10
    # Dead Peer Detection (RFC 3706) keepalives delay

    dpdtimeout=20
    #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.

    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.


再來修改預先共用金鑰,編輯 /etc/ipsec.secrets,將PASSWORD改成你要的密碼:
# This file holds shared secrets or RSA private keys for authentication.
 
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# Replace PASSWORD below with the pre-shared key you want; the double quotes must stay.
# NOTE(review): %any means this one PSK is shared by every client, so use a long
# random value and keep this file readable by root only.
%any : PSK "PASSWORD"


3.L2TP部分

編輯 /etc/xl2tpd/xl2tpd.conf:
[global]
; NOTE(review): SAref support needs a kernel with the SAref patches; on a stock
; Ubuntu kernel xl2tpd is expected to warn and fall back — confirm in the log.
ipsec saref = yes
saref refinfo = 30
 
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
 
; L2TP Network Server settings used for every incoming tunnel.
[lns default]
ip range = 192.168.1.x-192.168.1.y ;address pool handed out to clients (replace x and y)
local ip = 192.168.1.z ;the VPN server's own address on the PPP side (replace z)
; PPP authentication: CHAP is mandatory, PAP (cleartext password) is refused.
require chap = yes
refuse pap = yes
require authentication = yes
;ppp debug = yes
; pppd options applied to each client session (see /etc/ppp/options.xl2tpd).
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


再來編輯 /etc/ppp/options.xl2tpd:
# pppd options for every L2TP client session (referenced from xl2tpd.conf).
# Clients must authenticate with MS-CHAPv2; weaker CHAP variants are not accepted.
require-mschap-v2
# DNS servers pushed to the client.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# Require the peer to authenticate before the link comes up.
auth
# Reduced MTU/MRU to leave room for the L2TP/IPsec encapsulation overhead.
mtu 1200
mru 1000
crtscts
# Keep the peer's password out of the pppd log.
hide-password
modem
# Local name; must match the "server" column in /etc/ppp/chap-secrets.
name l2tpd
proxyarp
# Drop the session after 4 unanswered LCP echoes (30 s apart).
lcp-echo-interval 30
lcp-echo-failure 4


增加使用者,編輯 /etc/ppp/chap-secrets:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
# One line per VPN user. The "server" column must equal the "name l2tpd" set in
# /etc/ppp/options.xl2tpd; "*" lets the user take any address from the pool.
# NOTE(review): passwords are stored in cleartext here — keep this file root-only (0600).
username        l2tpd   PASSWORD                *

別忘了server欄位要填l2tpd才行(要和 options.xl2tpd 裡的 name l2tpd 一致)

到這邊就設定完成了,可重啟服務:
# Reload the IPsec configuration and secrets, then restart both daemons so
# the new settings take effect.
for action in update reload restart; do
  ipsec "$action"
done
service xl2tpd restart


設定防火牆,並開放NAT功能,讓連進來的client也可連上網路,請參考底下(來源:鳥哥):
# Create the directory that holds the firewall scripts and open the main one in an editor.
rule_dir=/usr/local/virus/iptables
mkdir -p -- "$rule_dir"
vim "$rule_dir/iptables.rule"
 
################## 增加底下 ###################
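#!/bin/bash
# Firewall and NAT rules for the L2TP-over-IPsec VPN host (adapted from
# vbird's iptables.rule). Runs as root at boot from /etc/rc.local. It flushes
# every chain and rebuilds them, so all rules must live here or in the helper
# scripts it runs below (iptables.deny / iptables.allow / iptables.services).

# Site parameters — fill these in before use.
EXTIF="eth0"             # interface that carries the public IP
INIF="eth1"              # internal LAN interface; set INIF="" if there is none
INNET="192.168.1.0/24"   # networks to masquerade behind EXTIF; the VPN client
                         # pool from xl2tpd.conf belongs here. "" disables NAT.
export EXTIF INIF INNET  # exported because the helper scripts reference them

# Part 1: rules protecting this host ###########################################
# 1. Kernel network hardening
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # NOTE(review): this forces rp_filter=1 on every existing interface, while the
  # sysctl.conf step of this guide sets default.rp_filter=0; decide which you
  # want — strict reverse-path filtering may drop VPN client traffic on ppp links.
  for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
        echo "1" > "$i"
  done
  for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
        echo "0" > "$i"
  done
 
# 2. Flush rules, set default policies, allow loopback and established traffic
  PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
  iptables -F
  iptables -X
  iptables -Z
  iptables -P INPUT   DROP
  iptables -P OUTPUT  ACCEPT
  # NOTE(review): FORWARD is ACCEPT, so every routed packet is allowed; add
  # explicit -i/-o rules if this host also routes for other networks.
  iptables -P FORWARD ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# 3. Optional helper scripts (deny list first, then allow list)
  if [ -f /usr/local/virus/iptables/iptables.deny ]; then
        sh /usr/local/virus/iptables/iptables.deny
  fi
 
  if [ -f /usr/local/virus/iptables/iptables.allow ]; then
        sh /usr/local/virus/iptables/iptables.allow
  fi
 
  if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
        sh /usr/local/virus/httpd-err/iptables.http
  fi
 
# 4. Accept a limited set of ICMP types from the outside
  AICMP="0 3 3/4 4 11 12 14 16 18"
  for tyicmp in $AICMP; do   # unquoted on purpose: split on spaces
    iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
  done
 
# 5. Services open to the outside live in a separate file so they can be edited alone
  if [ -f /usr/local/virus/iptables/iptables.services ]; then
    sh /usr/local/virus/iptables/iptables.services
  fi
 
# Part 2: rules for hosts behind this one ######################################
# 1. Load connection-tracking / NAT modules that are not loaded yet
  # NOTE(review): these are legacy (2.4-era) module names; on a 16.04 kernel
  # some may not exist and modprobe will just report an error and continue.
  modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc"
  for mod in $modules; do
      if ! lsmod | grep -q "^${mod} "; then
            modprobe "$mod"
      fi
  done
 
# 2. Flush the NAT table
  iptables -F -t nat
  iptables -X -t nat
  iptables -Z -t nat
  iptables -t nat -P PREROUTING  ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT      ACCEPT
 
# 3. Internal interface (two NICs): accept everything arriving from the LAN
  if [ "$INIF" != "" ]; then
    iptables -A INPUT -i "$INIF" -j ACCEPT
  fi

# 4. Routing and masquerading for INNET.
#    NAT no longer depends on INIF: a VPN host with a single NIC has INIF=""
#    but its clients still arrive on ppp interfaces with INNET addresses and
#    need MASQUERADE on EXTIF to reach the Internet. ip_forward is enabled
#    whenever either setting is non-empty (as before for INIF).
  if [ "$INIF" != "" ] || [ "$INNET" != "" ]; then
    echo "1" > /proc/sys/net/ipv4/ip_forward
  fi
  if [ "$INNET" != "" ]; then
    for innet in $INNET; do   # unquoted on purpose: INNET may list several networks
        iptables -t nat -A POSTROUTING -s "$innet" -o "$EXTIF" -j MASQUERADE
    done
  fi
 
  # If some sites work and others hang, the cause is often MTU/PMTU; uncomment
  # the next rule to clamp TCP MSS for forwarded connections (relevant with the
  # reduced mtu in options.xl2tpd).
  # iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
  #          --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
 
# 5. Port forwarding to servers on the LAN behind this NAT (examples)
# iptables -t nat -A PREROUTING -p tcp -i "$EXTIF" --dport 80 \
#          -j DNAT --to-destination 192.168.1.210:80 # WWW
 
# 6. Special cases such as Windows Remote Desktop; example desktop host 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4  --dport 6000 \
#          -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4  --sport 3389 \
#          -j DNAT --to-destination 192.168.100.20
 
# 7. Persisting the rules is unnecessary here: this script runs on every boot.
#  /etc/init.d/iptables save
# iptables-save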
########################### END OF iptables.rule #####################
 

vim /usr/local/virus/iptables/iptables.allow
################### 新增底下 #####################
#!/bin/bash
# Allow list: hosts or networks that may reach this machine on any port.
# Run by iptables.rule, which exports EXTIF.
 
# Add the networks or hosts you want to let in below (example kept commented).
#iptables -A INPUT -i $EXTIF -s 1.2.3.4 -j ACCEPT
########################## END OF iptables.allow #####################
 
vim /usr/local/virus/iptables/iptables.services
################### 新增底下 ####################
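#!/bin/bash
# Services this host accepts from the outside. Run by iptables.rule, which
# exports EXTIF; every rule here is appended to INPUT whose policy is DROP.
 
# Uncomment the services you want to expose (examples):
 
# iptables -A INPUT -p tcp -i "$EXTIF" --dport  21 --sport 1024:65534 -j ACCEPT # FTP
# iptables -A INPUT -p tcp -i "$EXTIF" --dport  22 --sport 1024:65534 -j ACCEPT # SSH
# iptables -A INPUT -p tcp -i "$EXTIF" --dport  25 --sport 1024:65534 -j ACCEPT # SMTP
# iptables -A INPUT -p udp -i "$EXTIF" --dport  53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p tcp -i "$EXTIF" --dport  53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p tcp -i "$EXTIF" --dport  80 --sport 1024:65534 -j ACCEPT # WWW
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 110 --sport 1024:65534 -j ACCEPT # POP3
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 443 --sport 1024:65534 -j ACCEPT # HTTPS

## Ports that L2TP over IPsec requires ##
# IKE and NAT-Traversal (UDP-encapsulated ESP for clients behind NAT).
iptables -A INPUT -p udp -i "$EXTIF" --dport  500 -j ACCEPT
iptables -A INPUT -p udp -i "$EXTIF" --dport 4500 -j ACCEPT
# Clients that are NOT behind NAT send plain ESP (IP protocol 50), which the
# INPUT DROP policy would otherwise discard before the tunnel is established.
iptables -A INPUT -p esp -i "$EXTIF" -j ACCEPT
# L2TP itself, accepted only when it arrives inside the IPsec SA: the old rule
# let bare, unencrypted UDP/1701 from the Internet reach xl2tpd directly.
iptables -A INPUT -p udp -i "$EXTIF" --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT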
########################## END OF iptables.services #####################
 
# The firewall scripts are run by root at boot and contain site details,
# so make each of them readable and executable by root only.
for script in /usr/local/virus/iptables/iptables.*; do
  chmod 700 -- "$script"
done


好了之後,編輯/etc/rc.local,增加一行
# NOTE(review): /etc/rc.local on Ubuntu normally ends with "exit 0"; this line
# must go before it, otherwise the firewall script never runs at boot.
/usr/local/virus/iptables/iptables.rule
重新開機就可以囉~