{"id":8104,"date":"2011-11-06T21:00:41","date_gmt":"2011-11-06T12:00:41","guid":{"rendered":"http:\/\/www.sssg.org\/blogs\/hiro345\/?p=8104"},"modified":"2011-11-29T19:36:32","modified_gmt":"2011-11-29T10:36:32","slug":"centos5-vpn%e3%82%b5%e3%83%bc%e3%83%90%e6%a7%8b%e7%af%89","status":"publish","type":"post","link":"https:\/\/www.hiro345.net\/blogs\/hiro345\/archives\/8104.html","title":{"rendered":"CentOS5 VPN\u30b5\u30fc\u30d0\u69cb\u7bc9"},"content":{"rendered":"

CentOS5 VPN\u30b5\u30fc\u30d0\u6574\u7406\u306b\u3064\u3044\u3066\u3001\u7d50\u5c40\u3053\u3093\u306a\u611f\u3058\u306b\u306a\u308a\u307e\u3057\u305f\u3002SELinux, iptables\u306b\u3088\u308b\u30d1\u30b1\u30c3\u30c8\u30d5\u30a3\u30eb\u30bf\u306b\u3064\u3044\u3066\u306f\u8003\u616e\u3057\u3066\u307e\u305b\u3093\u3002\u305d\u308c\u3089\u3092\u8003\u616e\u3057\u305f\u5834\u5408\u306f\u3001\u3055\u3089\u306b\u8a2d\u5b9a\u304c\u5fc5\u8981\u3067\u3059\u3002
\n<\/p>\n

\u30b5\u30fc\u30d0\u306f\u30b0\u30ed\u30fc\u30d0\u30ebIP\u3092\u6301\u3063\u3066\u3044\u308b\u3068\u3057\u307e\u3059\u3002VPN\u7528\u306b192.168.5.0\/24\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u4f7f\u3046\u3068\u3057\u307e\u3059\u3002<\/p>\n

\n$ sudo yum install make gcc gmp-devel bison flex
\n$ sudo yum install libpcap-devel ppp
\n$ wget http://www.openswan.org/download/openswan-2.6.37.tar.gz
\n$ tar xzf openswan-2.6.37.tar.gz 
\n$ mkdir src
\n$ mv openswan-2.6.37 openswan-2.6.37.tar.gz src/
\n$ cd openswan-2.6.37
\n$ cat INSTALL 
\n$ sudo make programs install
\n$ ls /usr/local/sbin/
\n$ cd ~/src
\n$ wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz
\n$ tar xzf xl2tpd-1.3.0.tar.gz 
\n$ cd xl2tpd-1.3.0
\n$ less README.xl2tpd 
\n$ sudo make install
\n$ ls /usr/local/sbin/
\n$ cd ~/src/xl2tpd-1.3.0
\n$ cat packaging/fedora/xl2tpd.init | \
\n  sed 's%/usr/sbin/xl2tpd%/usr/local/sbin/xl2tpd%' - | \
\n  sed 's%/usr/sbin/$SERVICE%/usr/local/sbin/$SERVICE%' - | \
\n  sed 's%daemon $SERVICE%daemon /usr/local/sbin/$SERVICE%' - > packaging/fedora/xl2tpd
\n$ sudo cp packaging/fedora/xl2tpd /etc/init.d/
\n$ sudo chmod 755 /etc/init.d/xl2tpd 
\n$ sudo vi /etc/ipsec.conf 
\n$ sudo vi /etc/init.d/xl2tpd 
\n$ sudo vi /etc/ipsec.conf 
\n$ sudo vi /etc/ipsec.secrets
\n$ sudo cp -a /etc/ipsec.d/examples/l2tp-psk.conf  /etc/ipsec.d/
\n$ sudo chmod 600 /etc/ipsec.secrets 
\n$ sudo mkdir /etc/xl2tpd
\n$ sudo vi /etc/ipsec.d/l2tp-psk.conf 
\n$ sudo vi /etc/xl2tpd/xl2tpd.conf
\n$ cat /etc/resolv.conf 
\n$ sudo vi /etc/ppp/options.xl2tpd
\n$ sudo vi /etc/ppp/chap-secrets
\n$ sudo chmod 600 /etc/ppp/chap-secrets
\n$ sudo touch /var/log/xl2tpd.log
\n$ sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j MASQUERADE
\n$ sudo /sbin/iptables -t nat -L
\n$ sudo vi /etc/sysctl.conf 
\n$ sudo /sbin/sysctl -p\n<\/div>\n

\u3044\u304f\u3064\u304b\u30b3\u30e1\u30f3\u30c8\u304c\u6b8b\u3063\u3066\u3044\u305f\u308a\u3057\u307e\u3059\u304c\u3001\u30d5\u30a1\u30a4\u30eb\u306f\u3053\u3093\u306a\u611f\u3058\u3002<\/p>\n

\n$ sudo cat /etc/ipsec.secrets 
\n: PSK "abcd1234"
\n$ cat /etc/ipsec.d/l2tp-psk.conf 
\nconn L2TP-PSK-NAT
\n#    rightsubnet=vhost:%priv
\n    rightsubnet=0.0.0.0/0
\n        forceencaps=yes
\n    also=L2TP-PSK-noNAT
\nconn L2TP-PSK-noNAT
\n    authby=secret
\n    pfs=no
\n    auto=add
\n    keyingtries=3
\n    rekey=no
\n    ikelifetime=8h
\n    keylife=1h
\n    type=transport
\n    left=%defaultroute
\n#    left=192.168.5.10
\n#    leftnexthop=%defaultroute
\n    leftprotoport=17/1701
\n    right=%any
\n    rightprotoport=17/%any
\n#    dpddelay=5
\n#    dpdtimeout=30
\n#    dpdaction=clear<\/p>\n

$ cat /etc/ipsec.conf |grep -v "#"
\nconfig setup
\n    nat_traversal=yes
\n    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
\n    oe=off
\n    protostack=netkey
\ninclude /etc/ipsec.d/*.conf<\/p>\n

$ cat /etc/xl2tpd/xl2tpd.conf 
\n[global]
\nauth file = /etc/ppp/chap-secrets<\/p>\n

[lns default]
\nip range = 192.168.5.128-192.168.5.254
\nlocal ip = 192.168.5.1
\nrequire chap = yes
\nrefuse pap = yes
\nrequire authentication = yes
\nname = VPNServer
\nppp debug = yes
\npppoptfile = /etc/ppp/options.xl2tpd
\nlength bit = yes<\/p>\n

$ cat /etc/ppp/options.xl2tpd 
\nipcp-accept-local
\nipcp-accept-remote
\nms-dns VPN\u30b5\u30fc\u30d0\u304c\u53c2\u7167\u3057\u3066\u3044\u308bDNS1\u306eIP\u30a2\u30c9\u30ec\u30b9
\nms-dns VPN\u30b5\u30fc\u30d0\u304c\u53c2\u7167\u3057\u3066\u3044\u308bDNS2\u306eIP\u30a2\u30c9\u30ec\u30b9
\nnoccp
\nauth
\ncrtscts
\nidle 1800
\nmtu 1410
\nmru 1410
\nnodefaultroute
\ndebug
\nlock
\nconnect-delay 5000
\nrefuse-pap
\nrefuse-chap
\nrefuse-mschap
\nrequire-mschap-v2
\nlogfile /var/log/xl2tpd.log<\/p>\n

$ sudo cat /etc/ppp/chap-secrets 
\n"username" * "abc123" *<\/p>\n

$ sudo cat /etc/sysctl.conf 
\n#\u7565
\nnet.ipv4.ip_forward = 1
\n#\u7565
\nnet.core.xfrm_larval_drop = 1
\nnet.ipv4.conf.all.send_redirects = 0
\nnet.ipv4.conf.all.accept_redirects = 0
\nnet.ipv4.conf.default.send_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0
\nnet.ipv4.conf.eth0.send_redirects = 0
\nnet.ipv4.conf.eth0.accept_redirects = 0
\nnet.ipv4.conf.lo.send_redirects = 0
\nnet.ipv4.conf.lo.accept_redirects = 0\n<\/p><\/div>\n

Android\u7aef\u672b\u304b\u3089VPN\u30b5\u30fc\u30d0\u3078\u63a5\u7d9a\u3059\u308b\u3068\u3053\u308d\u307e\u3067\u306f\u78ba\u8a8d\u3067\u304d\u307e\u3057\u305f\u3002\u7c21\u5358\u3068\u8a00\u3048\u3070\u7c21\u5358\u3067\u3059\u3051\u3069\u3001\u305d\u308c\u306a\u308a\u306b\u8a2d\u5b9a\u306b\u306f\u6642\u9593\u304c\u304b\u304b\u308a\u307e\u3059\u306d…<\/p>\n","protected":false},"excerpt":{"rendered":"

CentOS5 VPN\u30b5\u30fc\u30d0\u6574\u7406\u306b\u3064\u3044\u3066\u3001\u7d50\u5c40\u3053\u3093\u306a\u611f\u3058\u306b\u306a\u308a\u307e\u3057\u305f\u3002SELinux, iptables\u306b\u3088\u308b\u30d1\u30b1\u30c3\u30c8\u30d5\u30a3\u30eb\u30bf\u306b\u3064\u3044\u3066\u306f\u8003\u616e\u3057\u3066\u307e\u305b\u3093\u3002\u305d\u308c\u3089\u3092\u8003\u616e\u3057\u305f\u5834\u5408\u306f\u3001\u3055\u3089\u306b\u8a2d\u5b9a\u304c\u5fc5\u8981\u3067\u3059\u3002<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[26,603,602,601],"class_list":["post-8104","post","type-post","status-publish","format-standard","hentry","category-linux","tag-centos","tag-ipsec","tag-l2tp","tag-vpn"],"_links":{"self":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts\/8104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/comments?post=8104"}],"version-history":[{"count":3,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts\/8104\/revisions"}],"predecessor-version":[{"id":8153,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts\/8104\/revisions\/8153"}],"wp:attachment":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/media?parent=8104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/categories?post=8104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/tags?post=8104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}