记得开放允许访问 UDP 500、1701、4500共3个端口

1. 服务器安装软件:

yum -y install openswan xl2tpd ppp

2. 服务器配置文件 /etc/ipsec.conf 修改内容如下，云服务器一般网卡地址填私网地址:

config setupprotostack=netkeylogfile=/var/log/ipsec.logvirtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10conn L2TP-PSKauthby=secretpfs=noauto=addkeyingtries=3dpddelay=30dpdtimeout=120dpdaction=clearrekey=noikelifetime=8hkeylife=1htype=transportleft=网卡地址leftprotoport=17/1701right=%anyrightprotoport=17/%anyrightsubnet=vhost:%priv

3. 设置 VPN 共享密钥，服务器配置文件 /etc/ipsec.secrets 修改内容如下，密钥自定义:

%any: PSK "密钥"

4. 修改服务器内核参数，服务器配置文件 /etc/sysctl.conf 修改或者添加内容如下:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.core.xfrm_larval_drop = 1

5. 服务器执行命令，修改内核参数立即生效:

sysctl -p

6. 执行脚本

for each in /proc/sys/net/ipv4/conf/*
doecho 0 > $each/accept_redirectsecho 0 > $each/send_redirectsecho 0 > $each/rp_filter
done

7. 防火墙添加规则:

iptables -t nat -A POSTROUTING ! -s 127.0.0.1/8 -j MASQUERADE
iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

8. 服务器启动 ipsec 服务:

• RHEL/CentOS 6系列:

service ipsec start

• RHEL/CentOS 7系列:

systemctl start ipsec

9. 服务器检查 ipsec 服务:

ipsec verify

运行结果显示类似如下，除两行不是 [OK] 表明正常：

Verifying installed system and configuration filesVersion check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.9.3.el7.x86_64
Checking for IPsec support in kernel                    [OK]NETKEY: Testing XFRM related proc valuesICMP default/send_redirects                    [OK]ICMP default/accept_redirects                  [OK]XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]Pluto listening for IKE on udp 500                     [OK]Pluto listening for IKE/NAT-T on udp 4500              [OK]Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

10. 服务器配置文件 /etc/xl2tpd/xl2tpd.conf 修改内容如下：

[global]
ipsec saref = yes[lns default]
ip range = VPN客户端内网起始IP地址-VPN客户端内网结束IP地址
local ip = VPN服务器内网IP地址
require chap = yes
refuse pap = yes
require authentication = yes
name = VPN Server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

11. 服务器配置文件 /etc/ppp/options.xl2tpd 修改内容如下：

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns DNS服务器地址1
ms-dns DNS服务器地址2
noccp
noipv6
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
noproxyarp
connect-delay 5000
lcp-echo-interval 0
lcp-echo-failure 0
logfile /var/log/xl2tpd.log

12.服务器启动 xl2tpd 服务

• RHEL/CentOS 6系列：

service xl2tpd start

• RHEL/CentOS 7系列：

systemctl start xl2tpd

13. 服务器配置文件 /etc/ppp/chap-secrets 添加账号，格式如下：

账号 * 密码 *

Windows 7及以上系统连接 L2TP over IPSec VPN 不稳定解决方法：

• 新建 .reg 后缀名的文件，将下列内容添加至该文件并双击运行，之后重启电脑：

Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002