cat /etc/redhat-release

CentOS release 6.5 (Final)

vim /etc/yum.repos.d/epel.repo

[epel]

name=epel

baseurl=http://mirrors.sohu.com/fedora-epel/6/$basearch

enabled=

gpgcheck=

yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof

wget https://download.openswan.org/openswan/openswan-2.6.49.tar.gz --no-check-certificate

tar vxf openswan-2.6..tar.gz

make programs install

yum install -y xl2tpd

vim /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file: /usr/local/share/doc/openswan/ipsec.conf-sample

#

# Manual: ipsec.conf.

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup

# Do not set debug options to debug configuration issues!

# plutodebug / klipsdebug = "all", "none" or a combation from below:

# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"

# eg:

# plutodebug="control parsing"

# Again: only enable plutodebug or klipsdebug when asked by a developer

#

# enable to get logs per-peer

# plutoopts="--perpeerlog"

#

# Enable core dumps (might require system changes, like ulimit -C)

# This is required for abrtd to work properly

# Note: incorrect SElinux policies might prevent pluto writing the core

dumpdir=/var/run/pluto/

#

# NAT-TRAVERSAL support, see README.NAT-Traversal

nat_traversal=yes

# exclude networks used on server side by adding %v4:!a.b.c./

# It seems that T-Mobile in the US and Rogers/Fido in Canada are

# using / as "private" address space on their 3G network.

# This range has not been announced via BGP (at least upto --)

virtual_private=%v4:10.0.0.0/,%v4:192.168.0.0/,%v4:172.16.0.0/,%v4:25.0.0.0/,%v6:fd00::/,%v6:fe80::/

# OE is now off by default. Uncomment and change to on, to enable.

oe=off

# which IPsec stack to use. auto will try netkey, then klips then mast

protostack=netkey

#protostack=auto

# Use this to log to a file, or disable logging on embedded systems (like openwrt)

#plutostderrlog=/dev/null

# Add connections here

# sample VPN connection

# for more examples, see /etc/ipsec.d/examples/

#conn sample

# # Left security gateway, subnet behind it, nexthop toward right.

# left=10.0.0.1

# leftsubnet=172.16.0.0/

# leftnexthop=10.22.33.44

# # Right security gateway, subnet behind it, nexthop toward left.

# right=10.12.12.1

# rightsubnet=192.168.0.0/

# rightnexthop=10.101.102.103

# # To authorize this connection, but not actually start it,

# # at startup, uncomment this.

# #auto=add

conn L2TP-PSK-NAT

  rightsubnet=vhost:%priv

  also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT

  authby=secret

  pfs=no

  auto=add

  keyingtries=

  rekey=no

  ikelifetime=8h

  keylife=1h

  type=transport

  left=10.215.92.31 #AWS EC2 Internal IP

  leftprotoport=/

  right=%any

  rightprotoport=/%any

  dpddelay=

  dpdtimeout=

  dpdaction=clear

vim /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for inter-Pluto

# authentication. See ipsec_pluto() manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host

# which knows the public part. Suitable public keys, for ipsec.conf, DNS,

# or configuration of other implementations, can be extracted conveniently

# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys

#include /var/lib/openswan/ipsec.secrets.inc

%any %any: PSK "azure"

vim /etc/sysctl.conf

net.ipv4.ip_forward =

net.ipv4.conf.default.rp_filter =

net.ipv4.conf.all.send_redirects =

net.ipv4.conf.default.send_redirects =

net.ipv4.conf.all.log_martians =

net.ipv4.conf.default.log_martians =

net.ipv4.conf.default.accept_source_route =

net.ipv4.conf.all.accept_redirects =

net.ipv4.conf.default.accept_redirects =

net.ipv4.icmp_ignore_bogus_error_responses = 

sysctl -p

service ipsec start

ipsec verify

vim /etc/xl2tpd/xl2tpd.conf

;

; This is a minimal sample xl2tpd configuration file for use

; with L2TP over IPsec.

;

; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec

; clients connect. In this example, the internal (protected) network

; is 192.168.1.0/. A special IP range within this network is reserved

; for the remote clients: 192.168.1.128/

; (i.e. 192.168.1.128 ... 192.168.1.254)

;

; The listen-addr parameter can be used if you want to bind the L2TP daemon

; to a specific IP address instead of to all interfaces. For instance,

; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98

; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)

; will be used by xl2tpd as its address on pppX interfaces.

[global]

; listen-addr = 192.168.1.98

;

; requires openswan-2.5. or higher - Also does not yet work in combination

; with kernel mode l2tp as present in linux 2.6.+

; ipsec saref = yes

; Use refinfo of  if using an SAref kernel patch based on openswan 2.6. or

; when using any of the SAref kernel patches for kernels up to 2.6..

; saref refinfo =

;

; force userspace = yes

;

; debug tunnel = yes

ipsec saref = no

[lns default]

ip range = 192.168.1.128-192.168.1.254

local ip = 192.168.1.99

require chap = yes

refuse pap = yes

require authentication = yes

name = LinuxVPNserver

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client server secret IP addresses

user * azure *

iptables -t nat -A POSTROUTING -s 192.168.1.0/ -o eth0 -j MASQUERADE

iptables -I FORWARD -s 192.168.1.0/ -j ACCEPT

iptables -I FORWARD -d 192.168.1.0/ -j ACCEPT

service iptables save

service ipsec restart

service xl2tpd restart

service iptables restart

chkconfig xl2tpd on

chkconfig iptables on

chkconfig ipsec on