Building an L2TP/IPsec VPN server
Package installation
yum install epel-release
yum install xl2tpd libreswan
L2TP settings
Placeholders used in the files below (substitute your own values):
■VPSのIP■ : the VPS's public IP address
■ドメイン名■ : the domain name
■事前共有鍵■ : the pre-shared key
/etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = ■VPSのIP■
[lns default]
# Range of local IPs handed out to clients
ip range = 192.168.0.101-192.168.0.105
# Local IP used by the server
local ip = 192.168.0.100
# CHAP authentication
require chap = yes
# Refuse PAP authentication
refuse pap = yes
# Authentication is required
require authentication = yes
# Report this as our hostname
name = ■ドメイン名■
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
#
ms-dns ■VPSのIP■
#
auth
# Disconnect after this many seconds with no IP traffic
idle 1800
# MTU (maximum transmission unit)
mtu 1200
# MRU (maximum receive unit)
mru 1200
# Do not add a route that uses the remote end as the default gateway
nodefaultroute
# Output debug information
debug
# Enable proxy ARP (makes the remote client's IP appear to be on the local network)
proxyarp
#
connect-delay 5000
# Local system name used for authentication (the server field in chap-secrets must match it)
name xl2tpd
# Refuse PAP authentication
refuse-pap
# Refuse CHAP authentication
refuse-chap
# Refuse MS-CHAP authentication
refuse-mschap
# Require MS-CHAPv2 authentication
require-mschap-v2
#
persist
# Log file
logfile /var/log/xl2tpd.log
/etc/ppp/chap-secrets
# client server secret IP addresses
# The server field must equal pppd's local name (`name xl2tpd` in options.xl2tpd), not the L2TP hostname
"user" "xl2tpd" "password" *
IPsec settings
Global IPsec settings
/etc/ipsec.conf
config setup
    plutodebug=none
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
L2TP/IPsec settings
/etc/ipsec.d/l2tp-ipsec.conf
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=■VPSのIP■
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Pre-shared key
/etc/ipsec.d/default.secrets
: PSK "■事前共有鍵■"
# Restrict the secrets file to root only
chmod 600 /etc/ipsec.d/default.secrets
firewalld settings
# Rules for the VPN
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
The ports that --add-service=ipsec actually opens:
/usr/lib/firewalld/services/ipsec.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPsec</short>
  <description>Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option.</description>
  <port protocol="ah" port=""/>
  <port protocol="esp" port=""/>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
</service>
sysctl settings
/etc/sysctl.d/60-ipsec.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
Apply the settings
sysctl --system
Start the services
systemctl start ipsec
systemctl start xl2tpd
systemctl enable ipsec
systemctl enable xl2tpd
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]