L2TP/IPsec VPN connection from Ubuntu Server 18.04
Environment
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:        18.04
Codename:       bionic
Installing the IPsec and L2TP clients
$ apt update
$ apt install -y strongswan xl2tpd
Setting the environment variables
$ export VPN_SERVER_IP='xxx.xxx.xxx.xxx'
$ export VPN_IPSEC_PSK='xxx'
$ export VPN_USER='xxx'
$ export VPN_PASSWORD='xxx'
Determining the protocols with ike-scan
$ apt install -y ike-scan
$ service strongswan stop
$ service xl2tpd stop
$ ike-scan $VPN_SERVER_IP
...
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
...
In this case the values are ike=3des-sha1-modp1024 and esp=3des-sha1.
If the output instead shows something like
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
then the values are ike=aes-sha1-modp1024 and esp=aes-sha1.
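The mapping from the SA=(...) line to strongSwan's ike=/esp= keywords is mechanical, so here is an added helper (not part of the original post) that derives both strings from an ike-scan SA line. It assumes the Enc=, Hash= and Group= fields appear as on the page, and it renders AES with its key length (aes256 for KeyLength=256, which is strongSwan's own spelling; a bare aes in ipsec.conf means aes128). The two SA lines at the bottom are constructed samples in the format ike-scan prints.

```shell
#!/bin/sh
# Added example: derive strongSwan ike=/esp= proposal strings from the
# "SA=(...)" line printed by ike-scan. Not code from the original post.
# Assumptions: fields Enc=, Hash=, Group= (and optionally KeyLength=) are
# present; AES is rendered as aes128/aes192/aes256 (strongSwan keywords).

# Print the value of one "Key=Value" field from an SA line (nothing if absent).
sa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\([^ )]*\).*/\1/p"
}

# Encryption keyword: 3DES -> 3des, AES KeyLength=256 -> aes256, DES -> des.
sa_enc() {
    enc=$(sa_field Enc "$1" | tr 'A-Z' 'a-z')
    keylen=$(sa_field KeyLength "$1")
    case "$enc" in
        aes) printf '%s\n' "aes${keylen:-128}" ;;   # no KeyLength => 128-bit
        *)   printf '%s\n' "$enc" ;;
    esac
}

# Integrity keyword: SHA1 -> sha1, SHA256 -> sha256, MD5 -> md5.
sa_hash() {
    sa_field Hash "$1" | tr 'A-Z' 'a-z'
}

# DH group keyword: "2:modp1024" -> modp1024, "14:modp2048" -> modp2048.
sa_group() {
    sa_field Group "$1" | sed 's/^[0-9]*://'
}

# Phase 1 (IKE) proposal: encryption-integrity-dhgroup.
ike_proposal() {
    printf '%s-%s-%s\n' "$(sa_enc "$1")" "$(sa_hash "$1")" "$(sa_group "$1")"
}

# Phase 2 (ESP) proposal: encryption-integrity (no DH group without PFS).
esp_proposal() {
    printf '%s-%s\n' "$(sa_enc "$1")" "$(sa_hash "$1")"
}

# Constructed sample lines in the format ike-scan prints.
SA_3DES='SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)'
SA_AES='SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)'

echo "ike=$(ike_proposal "$SA_3DES")  esp=$(esp_proposal "$SA_3DES")"
echo "ike=$(ike_proposal "$SA_AES")  esp=$(esp_proposal "$SA_AES")"
```

Pipe the real SA line from ike-scan into ike_proposal/esp_proposal and export the results as IKE and ESP for the ipsec.conf step; the trailing "!" on the page's ike=/esp= lines makes strongSwan offer only that proposal, so the strings must match exactly what the server accepts.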
Configure StrongSwan
Change the ike and esp entries in /etc/ipsec.conf to the protocols determined above.
$ export IKE='3des-sha1-modp1024'
$ export ESP='3des-sha1'
$ cat << EOF > /etc/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn myvpn
    ike=${IKE}!
    esp=${ESP}!
    keyexchange=ikev1
    auto=add
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=$VPN_SERVER_IP
EOF
$ cat << EOF > /etc/ipsec.secrets
: PSK "$VPN_IPSEC_PSK"
EOF
$ chmod 600 /etc/ipsec.secrets
Configure xl2tpd
$ cat << EOF > /etc/xl2tpd/xl2tpd.conf
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF
$ cat << EOF > /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF
$ chmod 600 /etc/ppp/options.l2tpd.client
$ mkdir -p /var/run/xl2tpd
$ touch /var/run/xl2tpd/l2tp-control
Startup
Starting the services
$ service strongswan start
$ service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-06-28 07:28:40 UTC; 3s ago
 Main PID: 32397 (starter)
    Tasks: 18 (limit: 4915)
   CGroup: /system.slice/strongswan.service
           ├─32397 /usr/lib/ipsec/starter --daemon charon --nofork
           └─32423 /usr/lib/ipsec/charon
$ service xl2tpd start
$ service xl2tpd status
● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
   Loaded: loaded (/etc/init.d/xl2tpd; generated)
   Active: active (running) since Fri 2019-06-28 07:30:00 UTC; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 32455 ExecStop=/etc/init.d/xl2tpd stop (code=exited, status=0/SUCCESS)
  Process: 32460 ExecStart=/etc/init.d/xl2tpd start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/xl2tpd.service
           └─32474 /usr/sbin/xl2tpd
Connecting
$ ipsec up myvpn
...
connection 'myvpn' established successfully
$ echo "c myvpn" > /var/run/xl2tpd/l2tp-control
$ route add $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
$ route add default dev ppp0
Check whether the connection is up with the following (it should print the VPN server's public address):
$ wget -qO- http://ipv4.icanhazip.com
If name resolution fails, restart the local resolver so that it picks up the internal DNS server:
$ systemctl restart systemd-resolved
Disconnecting
$ route del default dev ppp0
$ route del $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
$ echo "d myvpn" > /var/run/xl2tpd/l2tp-control
$ ipsec down myvpn
Turning it into scripts
$ cat << 'EOF' > start-vpn.sh
#!/bin/bash
VPN_SERVER_IP='xxx.xxx.xxx.xxx'
ipsec up myvpn
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
route add $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
route add default dev ppp0
EOF
$ cat << 'EOF' > down-vpn.sh
#!/bin/bash
VPN_SERVER_IP='xxx.xxx.xxx.xxx'
route del default dev ppp0
route del $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn
EOF
$ chmod +x start-vpn.sh
$ chmod +x down-vpn.sh
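The start script above adds the default route through ppp0 immediately after asking xl2tpd to connect, and it finds the gateway with cut -f 3, which depends on the exact word order of ip route output. The added script below (my own, not the original post's start-vpn.sh) does the same steps in the same order but reads the gateway by its "via" field, waits for ppp0 to exist before touching the default route, and undoes the tunnel if PPP never comes up. It assumes the connection name myvpn and the xl2tpd control file path from the page; VPN_SERVER_IP is a placeholder. The privileged steps run only when the file is saved as start-vpn.sh, so the helper functions can also be sourced on their own.

```shell
#!/bin/sh
# Added example (not the original post's start-vpn.sh): bring up the L2TP/IPsec
# tunnel and add the routes only once ppp0 actually exists.
# Assumptions: connection "myvpn" and the xl2tpd control file from the page;
# VPN_SERVER_IP below is a placeholder to be replaced.

VPN_SERVER_IP="${VPN_SERVER_IP:-xxx.xxx.xxx.xxx}"
L2TP_CONTROL=/var/run/xl2tpd/l2tp-control
PPP_IFACE=ppp0

# Print the gateway of the first default route in the given "ip route" output.
# Locating the "via" field by name is robust to field order, unlike cut -f 3.
default_gateway_from() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit }
    }'
}

# Wait up to $2 seconds for interface $1 to appear; returns 1 on timeout.
wait_for_iface() {
    iface=$1
    remaining=${2:-30}
    while [ "$remaining" -gt 0 ]; do
        [ -d "/sys/class/net/$iface" ] && return 0
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}

# Same sequence as the page's start-vpn.sh, with a wait before the default route.
start_vpn() {
    gw=$(default_gateway_from "$(ip route)")
    if [ -z "$gw" ]; then
        echo "no default gateway with a 'via' found; is a VPN already up?" >&2
        return 1
    fi

    ipsec up myvpn || return 1
    # Pin the VPN server to the physical gateway before the default route moves.
    ip route add "$VPN_SERVER_IP" via "$gw"
    echo "c myvpn" > "$L2TP_CONTROL"

    if ! wait_for_iface "$PPP_IFACE" 30; then
        echo "$PPP_IFACE did not come up within 30s; tearing down" >&2
        echo "d myvpn" > "$L2TP_CONTROL"
        ip route del "$VPN_SERVER_IP" via "$gw"
        ipsec down myvpn
        return 1
    fi
    ip route add default dev "$PPP_IFACE"
}

# Run the privileged steps only when invoked as start-vpn.sh.
case "$0" in
    *start-vpn.sh) start_vpn ;;
esac
```

The teardown mirrors the page's down-vpn.sh with ip route del in place of route del; keeping the server-pinning route until ppp0 is gone matters because the IPsec and L2TP packets to the server must keep leaving through the physical gateway while the default route points at the tunnel.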