l2tp是一种工业标准的Internet隧道协议，功能大致和PPTP协议类似，比如同样可以对网络数据流进行加密。为众多公司所接受，已经成为IETF有关2层通道协议的工业标准，此协议基于微软的点对点隧道协议(PPTP)和思科2层转发协议(L2F)之上，这种虚拟私有网络可以被因特网服务提供商和公司通过因特网使用。

modprobeppp-compress-18&&echoyes2.是否开启了TUN

有的虚拟机主机需要开启，返回结果为cat: /dev/net/tun: File descriptor in bad state。就表示通过。

cat/dev/net/tun3.更新一下再安装

yuminstallupdateyumupdate-y4.安装EPEL源

yuminstall-yepel-release5.安装xl2tpd和libreswan

yuminstall-yxl2tpdlibreswanlsof6.编辑xl2tpd配置文件

vim/etc/xl2tpd/xl2tpd.conf

修改内容如下：

[global][lnsdefault]iprange=172.100.1.100-172.100.1.150#分配给客户端的地址池localip=172.100.1.1requirechap=yesrefusepap=yesrequireauthentication=yesname=LinuxVPNserverpppdebug=yespppoptfile=/etc/ppp/options.xl2tpdlengthbit=yes7.编辑pppoptfile文件

vim/etc/ppp/options.xl2tpd

修改内容如下：

ipcp-accept-localipcp-accept-remotems-dns8.8.8.8ms-dns209.244.0.3ms-dns208.67.222.222namexl2tpd#noccpauthcrtsctsidle1800mtu1410#第一次配置不建议设置mtu，mru，否则可能789错误mru1410nodefaultroutedebuglockproxyarpconnect-delay5000refuse-paprefuse-chaprefuse-mschaprequire-mschap-v2persistlogfile/var/log/xl2tpd.log8.编辑ipsec配置文件

vim/etc/ipsec.confconfigsetupprotostack=netkeydumpdir=/var/run/pluto/virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10include/etc/ipsec.d/*.conf9.编辑include的conn文件

vim/etc/ipsec.d/l2tp-ipsec.conf

修改内容如下：

connL2TP-PSK-NATrightsubnet=0.0.0.0/0dpddelay=10dpdtimeout=20dpdaction=clearforceencaps=yesalso=L2TP-PSK-noNATconnL2TP-PSK-noNATauthby=secretpfs=noauto=addkeyingtries=3rekey=noikelifetime=8hkeylife=1htype=transportleft=192.168.0.17#service/VPS的外网地址，某些vps只有eth0一块网卡的，#就填内网地址，内核开启nat转发就可以了，#CentOS7以下的用iptables定义转发规则leftprotoport=17/1701right=%anyrightprotoport=17/%any10.设置用户名密码

vim/etc/ppp/chap-secrets

修改内容：

vpnuser*pass*说明：用户名[空格]service[空格]密码[空格]指定IP11.设置PSK

vim/etc/ipsec.d/default.secrets:PSK"testvpn"12.CentOS7防火墙设置

firewall-cmd--permanent--add-service=ipsecfirewall-cmd--permanent--add-port=1701/udpfirewall-cmd--permanent--add-port=4500/udpfirewall-cmd--permanent--add-masqueradefirewall-cmd--reload13.IP_FORWARD 设置

vim/etc/sysctl.d/60-sysctl_ipsec.confnet.ipv4.ip_forward=1net.ipv4.conf.all.accept_redirects=0net.ipv4.conf.all.rp_filter=0net.ipv4.conf.all.send_redirects=0net.ipv4.conf.default.accept_redirects=0net.ipv4.conf.default.rp_filter=0net.ipv4.conf.default.send_redirects=0net.ipv4.conf.eth0.accept_redirects=0net.ipv4.conf.eth0.rp_filter=0net.ipv4.conf.eth0.send_redirects=0net.ipv4.conf.eth2.accept_redirects=0net.ipv4.conf.eth2.rp_filter=0net.ipv4.conf.eth2.send_redirects=0net.ipv4.conf.eth3.accept_redirects=0net.ipv4.conf.eth3.rp_filter=0net.ipv4.conf.eth3.send_redirects=0net.ipv4.conf.ip_vti0.accept_redirects=0net.ipv4.conf.ip_vti0.rp_filter=0net.ipv4.conf.ip_vti0.send_redirects=0net.ipv4.conf.lo.accept_redirects=0net.ipv4.conf.lo.rp_filter=0net.ipv4.conf.lo.send_redirects=0net.ipv4.conf.ppp0.accept_redirects=0net.ipv4.conf.ppp0.rp_filter=0net.ipv4.conf.ppp0.send_redirects=0

重启生效

systemctlrestartnetwork13.ipsec启动&检查

systemctlenableipsecsystemctlrestartipsec

检查：ipsec verify

正常输出：

VerifyinginstalledsystemandconfigurationfilesVersioncheckandipsecon-path[OK]Libreswan3.15(netkey)on3.10.0-123.13.2.el7.x86_64CheckingforIPsecsupportinkernel[OK]NETKEY:TestingXFRMrelatedprocvaluesICMPdefault/send_redirects[OK]ICMPdefault/accept_redirects[OK]XFRMlarvaldrop[OK]Plutoipsec.confsyntax[OK]Hardwarerandomdevice[N/A]Twoormoreinterfacesfound,checkingIPforwarding[OK]Checkingrp_filter[OK]Checkingthatplutoisrunning[OK]PlutolisteningforIKEonudp500[OK]PlutolisteningforIKE/NAT-Tonudp4500[OK]Plutoipsec.secretsyntax[OK]Checking'ip'command[OK]Checking'iptables'command[OK]Checking'prelink'commanddoesnotinterferewithFIPSCheckingforobsoleteipsec.confoptions[OK]OpportunisticEncryption[DISABLED]14.xl2tpd启动

systemctlenablexl2tpdsystemctlrestartxl2tpd15.Windows连接

Windows连接，需要修改注册表键值（据说可以不用修改，但是我的不修改的话，一直789，log无显示）