虚無ありき

Shut up, I don't know.

Connecting to an L2TP/IPsec VPN from Ubuntu Server 18.04

Environment

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:    18.04
Codename:   bionic

Installing the IPsec and L2TP clients

$ apt update
$ apt install -y strongswan xl2tpd

Setting environment variables

$ export VPN_SERVER_IP='xxx.xxx.xxx.xxx'
$ export VPN_IPSEC_PSK='xxx'
$ export VPN_USER='xxx'
$ export VPN_PASSWORD='xxx'

Determining the proposals with ike-scan

$ apt install -y ike-scan
$ service strongswan stop
$ service xl2tpd stop
$ ike-scan $VPN_SERVER_IP
...
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
...

In this case, ike=3des-sha1-modp1024 and esp=3des-sha1.

If a line such as SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) is shown instead, then ike=aes-sha1-modp1024 and esp=aes-sha1.
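The mapping above can be done by script rather than by eye. The following is an added example and not code from the original post: it turns an ike-scan SA line into the ike=/esp= keywords, carrying the KeyLength into the keyword (strongSwan spells a 256-bit AES proposal aes256; aes alone means 128-bit), and flags proposals that only offer legacy algorithms such as 3DES or a 1024-bit MODP group, where upgrading the server is the better fix than matching it. The SA lines in the block are constructed samples.

```shell
#!/bin/bash
# Added example (not from the original post): derive strongSwan ike=/esp=
# keywords from an ike-scan "SA=(...)" line and flag legacy proposals.

# sa_to_proposals "SA=(...)"  ->  prints "ike=<enc>-<hash>-<group> esp=<enc>-<hash>"
sa_to_proposals() {
  local body enc='' keylen='' hash='' group='' attr
  body=${1#*"SA=("}; body=${body%")"*}       # keep only the attribute list
  for attr in $body; do                       # attributes are space separated
    case "$attr" in
      Enc=*)       enc=$(printf '%s' "${attr#Enc=}" | tr 'A-Z' 'a-z') ;;
      KeyLength=*) keylen=${attr#KeyLength=} ;;             # 256 -> "aes256"
      Hash=*)      hash=$(printf '%s' "${attr#Hash=}" | tr 'A-Z' 'a-z') ;;
      Group=*)     group=${attr#Group=*:} ;;  # "2:modp1024" -> "modp1024"
    esac                                      # Auth/LifeType/... are ignored
  done
  [ -n "$enc" ] && [ -n "$hash" ] && [ -n "$group" ] || return 1
  printf 'ike=%s%s-%s-%s esp=%s%s-%s\n' \
    "$enc" "$keylen" "$hash" "$group" "$enc" "$keylen" "$hash"
}

# weak_proposal "ike=... esp=..."  ->  true (0) when the proposal relies on
# 3DES, MD5 or a MODP group of 1024 bits or less.
weak_proposal() {
  case "$1" in
    *3des*|*md5*|*modp1024*|*modp768*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample lines, shaped like the two SA lines discussed above.
for sa in \
  'SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)' \
  'SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)'
do
  if p=$(sa_to_proposals "$sa"); then
    echo "$p"
    if weak_proposal "$p"; then
      echo "  -> legacy algorithms: prefer upgrading the server's proposal"
    fi
  fi
done
```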

Configure StrongSwan

In /etc/ipsec.conf, set the ike and esp entries to the proposals determined above.

$ export IKE='3des-sha1-modp1024'
$ export ESP='3des-sha1'
$ cat << EOF > /etc/ipsec.conf
config setup

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret

conn myvpn
  ike=${IKE}!
  esp=${ESP}!
  keyexchange=ikev1
  auto=add
  authby=secret
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
EOF

$ cat << EOF > /etc/ipsec.secrets
: PSK "$VPN_IPSEC_PSK"
EOF

$ chmod 600 /etc/ipsec.secrets

Configure xl2tpd

$ cat << EOF > /etc/xl2tpd/xl2tpd.conf
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

$ cat << EOF > /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF

$ chmod 600 /etc/ppp/options.l2tpd.client
$ mkdir -p /var/run/xl2tpd
$ touch /var/run/xl2tpd/l2tp-control

Startup

Starting the services

$ service strongswan start
$ service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-06-28 07:28:40 UTC; 3s ago
 Main PID: 32397 (starter)
    Tasks: 18 (limit: 4915)
   CGroup: /system.slice/strongswan.service
           ├─32397 /usr/lib/ipsec/starter --daemon charon --nofork
           └─32423 /usr/lib/ipsec/charon

$ service xl2tpd start
$ service xl2tpd status
● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
   Loaded: loaded (/etc/init.d/xl2tpd; generated)
   Active: active (running) since Fri 2019-06-28 07:30:00 UTC; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 32455 ExecStop=/etc/init.d/xl2tpd stop (code=exited, status=0/SUCCESS)
  Process: 32460 ExecStart=/etc/init.d/xl2tpd start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/xl2tpd.service
           └─32474 /usr/sbin/xl2tpd

Connecting

$ ipsec up myvpn
...
connection 'myvpn' established successfully
$ echo "c myvpn" > /var/run/xl2tpd/l2tp-control
$ route add $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
$ route add default dev ppp0

Check whether the connection is up with:

$ wget -qO- http://ipv4.icanhazip.com

If name resolution does not work, restart the local DNS resolver:

$ systemctl restart systemd-resolved

Disconnecting

$ route del default dev ppp0
$ route del $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
$ echo "d myvpn" > /var/run/xl2tpd/l2tp-control
$ ipsec down myvpn

Scripts

$ cat << 'EOF' > start-vpn.sh
#!/bin/bash
VPN_SERVER_IP='xxx.xxx.xxx.xxx'
ipsec up myvpn
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
route add $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
route add default dev ppp0
EOF

$ cat << 'EOF' > down-vpn.sh
#!/bin/bash
VPN_SERVER_IP='xxx.xxx.xxx.xxx'
route del default dev ppp0
route del $VPN_SERVER_IP gw `ip route | grep default | cut -f 3 -d " "`
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn
EOF

$ chmod +x start-vpn.sh
$ chmod +x down-vpn.sh