Configuration file: vi /etc/ipsec.d/vpn.conf (openswan). Parameters of a conn must be indented below their conn line; note that no ike= or phase2alg= proposals are set here, so the daemon's built-in default proposals are negotiated.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=x.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Configuration file: vi /etc/xl2tpd/xl2tpd.conf
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configuration file: vi /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 114.114.114.114
ms-dns 192.168.1.1
ms-dns 192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
# obsolete: crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
# obsolete: lock
proxyarp
connect-delay 5000
require-mschap-v2
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
Configuration file: vi /etc/ppp/chap-secrets (four fields per entry: client, server, secret, IP addresses; "*" is a wildcard)
# Secrets for authentication using CHAP
# client        server  secret          IP addresses
vpnuser         *       passwd          *
Configuration file: vi /etc/ipsec.d/vpn.secrets (a PSK for %any is shared by every client; use a long random string instead of "passwd")
x.x.x.x %any: PSK "passwd"
Firewall: UDP 500, 4500 and 1701 are already open. Clients that are not behind NAT also need ESP (IP protocol 50) allowed, and UDP 1701 should be accepted only from inside the IPsec SA; otherwise xl2tpd also accepts unencrypted L2TP sessions that bypass IPsec entirely.
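The port list above does not say where UDP 1701 may come from. The following added example (not from the original page) implements the firewall side with iptables: IKE, NAT-T and ESP are accepted from anywhere, while L2TP on UDP 1701 is accepted only when the packet arrived inside an inbound IPsec SA (the xt_policy match), so plaintext L2TP never reaches xl2tpd. It also carries a small checker that reads iptables-save output and flags any UDP/1701 ACCEPT rule without an IPsec policy match. The interface name eth0 and the WAN and APPLY variables are assumptions; with APPLY unset the script only prints the rules it would run.

```shell
#!/bin/sh
# Added example, not part of the original page: firewall rules for the
# L2TP/IPsec server configured above. Assumes iptables with the xt_policy
# match (standard on Linux). WAN and APPLY are assumed names: WAN is the
# public interface, APPLY=1 actually runs iptables, otherwise rules are
# only printed.
WAN="${WAN:-eth0}"

rule() {
    # Print the rule that would be applied; run it only when APPLY=1.
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@" || return 1
    fi
}

l2tp_ipsec_rules() {
    # IKE (UDP 500) and NAT-T (UDP 4500) must be reachable from any client.
    rule -A INPUT -i "$WAN" -p udp --dport 500 -j ACCEPT
    rule -A INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT
    # ESP (IP protocol 50) carries the SA for clients that are not behind NAT.
    rule -A INPUT -i "$WAN" -p esp -j ACCEPT
    # L2TP (UDP 1701) only after IPsec decryption: '-m policy --pol ipsec'
    # matches packets that arrived inside an inbound ESP SA.
    rule -A INPUT -i "$WAN" -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Anything else on UDP 1701 is plaintext L2TP: log it for detection,
    # then drop it so xl2tpd never sees an unprotected session.
    rule -A INPUT -i "$WAN" -p udp --dport 1701 -j LOG --log-prefix "l2tp-noipsec: "
    rule -A INPUT -i "$WAN" -p udp --dport 1701 -j DROP
}

# Audit an existing ruleset given as iptables-save style text on stdin.
# Returns 0 if every ACCEPT for UDP/1701 carries '--pol ipsec', 1 otherwise.
check_l2tp_rules() {
    if grep -E -- '--dport 1701 .*-j ACCEPT' | grep -qv -- '--pol ipsec'; then
        return 1
    fi
    return 0
}

# Usage:  sh l2tp_fw.sh rules            (print, or APPLY=1 to apply)
#         iptables-save | sh l2tp_fw.sh check
case "${1:-}" in
    rules) l2tp_ipsec_rules ;;
    check) check_l2tp_rules ;;
esac
```

The two 1701 rules are order-dependent: the policy-matched ACCEPT must precede the DROP, which is why they are emitted from one function rather than as separate one-liners. Running the checker against `iptables-save` after a reboot or a configuration-management run catches the common regression of a later rule re-opening UDP/1701 unconditionally.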