Category: Networking and Security
2015-01-01 22:39:44
The OpenVPN service I had deployed on Linode stopped working after I migrated the instance to Tokyo. I later spent some time reconfiguring it, but ended up with the same symptom: the connection came up fine, yet I still could not reach the outside network (editor's note: after getting L2TP configured, by analogy I am fairly sure this was a routing problem, and I am confident it can be fixed; that is a story for later). Since the iPad only supports L2TP, I took the time to set that up and am recording the steps here.
I was lucky enough to find a very good write-up, 在Linode上搭建L2TP / IPSec VPN (Setting up an L2TP/IPsec VPN on Linode), which not only summarises the author's own problems but also links to other detailed tutorials, which was very handy.
1) Install IPsec
Nothing much to say here; Ubuntu makes this easy.
apt-get update && apt-get dist-upgrade
apt-get install openswan
2) Configure the IPsec connection
Edit /etc/ipsec.conf. Replace %YOUR.SERVER.IP.ADDRESS% (the left= value in the conn section; 209.141.56.138 in the listing below) with your server's address.
vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=209.141.56.138
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
3) Configure the IPsec pre-shared key
Edit /etc/ipsec.secrets, again replacing %YOUR.SERVER.IP.ADDRESS% with your server's address. Some posts on foreign forums mention that the second form below (no address before the colon) avoids some unnecessary problems. The last line is the concrete entry for this server.
vi /etc/ipsec.secrets
# form 1: server address, any peer
%YOUR.SERVER.IP.ADDRESS% %any: PSK "YourSharedSecret"
# form 2: no selector, the key applies to any peer
: PSK "YourSharedSecret"
# the concrete entry used on this server
209.141.56.138 %any: PSK "TestSecret"
4) Enable packet forwarding
Run the following commands:
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -p
ipsec verify    # verify the configuration
Finally, restart the ipsec service.
/etc/init.d/ipsec restart
5) Install and configure xl2tpd
apt-get install xl2tpd
Edit /etc/xl2tpd/xl2tpd.conf.
vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
6) Install and configure ppp
apt-get install ppp
Edit or create /etc/ppp/options.xl2tpd. Note that I am using Google's public DNS here.
vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Add a VPN user by editing /etc/ppp/chap-secrets
vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
test        *         test      *
Restart xl2tpd
/etc/init.d/xl2tpd restart
7) Set up iptables NAT for forwarded packets
Run the following command.
iptables -t nat -A POSTROUTING -j SNAT --to-source 209.141.56.138
8) Set up the startup script
The IP forwarding and NAT settings are lost when the server reboots, so they need to be added to the startup script. Edit /etc/rc.local:
vi /etc/rc.local
# these lines go before the final "exit 0" in rc.local
# --to-source must be this server's public IP (step 7 uses 209.141.56.138)
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.200
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done
/etc/init.d/ipsec restart
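Before rebooting, it is worth cross-checking the files edited in steps 2, 3, 6, 7 and 8 against each other, since the same server address appears in several of them. The following Python script is an added example, not code from the original post: it parses the relevant entries and reports mismatches such as the SNAT source differing from left=, a placeholder or stale address left in ipsec.secrets, a short PSK, or a CHAP password equal to the username. The function names are my own and the sample inputs are constructed from this page's listings.

```python
import re
# Constructed sample input mirroring this guide's listings (not a real server).
SAMPLE_IPSEC_CONF = """\
conn L2TP-PSK-noNAT
    authby=secret
    type=transport
    left=209.141.56.138
    leftprotoport=17/1701
    right=%any
"""
SAMPLE_IPSEC_SECRETS = '209.141.56.138 %any: PSK "TestSecret"\n'
SAMPLE_CHAP_SECRETS = "# client server secret IP addresses\ntest * test *\n"

def parse_ipsec_conf(text):
    """Return {section: {key: value}}. A line at column 0 starts a section
    (e.g. 'conn L2TP-PSK-noNAT'); indented key=value lines belong to it."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and line[0] not in " \t":
            cur = line.strip()
            sections[cur] = {}
        elif cur and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[cur][key.strip()] = val.strip()
    return sections

def check_l2tp_setup(ipsec_conf, ipsec_secrets, chap_secrets, snat_ip):
    """Cross-check the edited files; returns a list of findings (empty = consistent)."""
    findings = []
    conn = parse_ipsec_conf(ipsec_conf).get("conn L2TP-PSK-noNAT", {})
    left = conn.get("left")
    if conn.get("leftprotoport") != "17/1701":
        findings.append("L2TP-PSK-noNAT: leftprotoport must be 17/1701 (L2TP over UDP)")
    if left != snat_ip:
        findings.append(f"iptables SNAT --to-source {snat_ip} does not match left={left}")
    # ipsec.secrets lines look like '<ids>: PSK "secret"' (IPv4 selectors only here)
    for m in re.finditer(r'^\s*([^:\n]*):\s*PSK\s+"([^"]*)"', ipsec_secrets, re.M):
        ids, psk = m.group(1).split(), m.group(2)
        if ids and ids[0] != left:   # placeholder or stale address still in the file
            findings.append(f"ipsec.secrets selector {ids[0]} does not match left={left}")
        if len(psk) < 20:
            findings.append("ipsec.secrets: PSK under 20 chars, and it is shared by every client")
    for line in chap_secrets.splitlines():
        fields = line.split("#", 1)[0].split()   # client server secret [ip]
        if len(fields) >= 3 and (fields[2] == fields[0] or len(fields[2]) < 12):
            findings.append(f"chap-secrets: weak password for user {fields[0]!r}")
    return findings
```

Running check_l2tp_setup on the sample files with the step-8 address 192.168.1.200 reports the address mismatch, the short PSK and the test/test credentials.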
Troubleshooting
Ubuntu openswan errno 111, origin ICMP type 3 code 3 (not authenticated)
This is the problem I ran into myself, and it cost me half a day: it turned out that the latest openswan package for Ubuntu has a bug that conflicts with the latest Linux kernel. Downloading the older version openswan_2.6.32-1xelerance1_i386.deb from the openswan website fixed it.
ERROR: asynchronous network error report on eth0 (sport=4500) for message to your.client.ip.address port 4500, complainant your.server.ip.address: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Adding leftnexthop=your.server.gateway.ip to ipsec.conf should fix this.
The remote system is required to authenticate itself
pppd[4407]: but I couldn't find any suitable secret (password) for it to use to do so.
This happens because the password in l2tp-secrets is not used during authentication (why that is so I do not know; someone more knowledgeable please explain), and the pptp password is used instead (L2TP/IPsec also goes through pptp), so the password has to be set in /etc/ppp/chap-secrets (see above for how to set up a PPTP VPN).
xl2tpd[4062]: Maximum retries exceeded for tunnel 44651. Closing.
Add the following to the L2TP-PSK-noNAT conn in /etc/ipsec.conf:
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear