<h2>Combining L2TP/IPsec from outside to the VPS with IPsec between the VPS and home</h2>
<p>Published 2014-07-10 (last modified 2018-04-16), <a href="https://fsck.jp/?p=167">https://fsck.jp/?p=167</a></p>
<p>This combines the remote-access VPN (L2TP/IPsec) from the <a href="https://fsck.jp/?p=132">previous article</a> with the VPS-to-home VPN (IPsec) built in the <a href="https://fsck.jp/?p=120">article before that</a>.</p>
<p>The result is that the home network, which sits behind a dynamic IP address, can be reached from outside at any time.</p>
<p>Assumptions:<br />
- All servers run Ubuntu 14.04 LTS.<br />
- strongswan is the IPsec implementation; the two servers authenticate each other with RSA certificates.<br />
- Between the external client and the VPS, L2TP/IPsec is used; authentication is an IPsec pre-shared key plus MSCHAPv2 for L2TP.</p>
<p>The network layout is as follows.<br />
<a href="https://fsck.jp/wp-content/uploads/2014/07/06.png"><img loading="lazy" src="https://fsck.jp/wp-content/uploads/2014/07/06-300x146.png" alt="06" width="300" height="146" class="alignnone size-medium wp-image-165" srcset="https://fsck.jp/wp-content/uploads/2014/07/06-300x146.png 300w, https://fsck.jp/wp-content/uploads/2014/07/06-624x304.png 624w, https://fsck.jp/wp-content/uploads/2014/07/06.png 860w" sizes="(max-width: 300px) 100vw, 300px" /></a></p>
<p>Both individual setups are already described in the <a href="https://fsck.jp/?p=132">previous</a> and <a href="https://fsck.jp/?p=120">one-before-previous</a> articles.<br />
The point of this article is to configure things so that the PPP IP addresses assigned to L2TP clients connecting to the VPS are carried inside the VPS-to-home IPsec tunnel.</p>
<h3>1. /etc/sysctl.conf on myvps1 and myserver1</h3>
<p><code>$ sudo vi /etc/sysctl.conf</code></p>
<pre>
# uncomment this line (line 28 in the stock file)
net.ipv4.ip_forward=1
# add the following lines
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv6.conf.eth0.accept_redirects=0
net.ipv6.conf.lo.accept_redirects=0</pre>
<p>Apply the settings:</p>
<p><code>vpn1:~$ sudo sysctl -p /etc/sysctl.conf</code></p>
<h3>2. Create a CA on myserver1 and generate certificate/private-key pairs for myserver1 and myvps1</h3>
<p><a href="https://fsck.jp/?p=120">See the article before last.</a></p>
<p>On myserver1:<br />
/etc/ipsec.d/cacerts/ca1.crt (CA certificate)<br />
/etc/ipsec.d/certs/myserver1.crt (server certificate)<br />
/etc/ipsec.d/private/myserver1.key (server private key)</p>
<p>On myvps1:<br />
/etc/ipsec.d/cacerts/ca1.crt (CA certificate)<br />
/etc/ipsec.d/certs/myvps1.crt (server certificate)<br />
/etc/ipsec.d/private/myvps1.key (server private key)</p>
<p>Put the above files in place.</p>
<h3>3. strongswan configuration (myserver1 side)</h3>
<p>/etc/ipsec.conf:</p>
<p>Add the following after the config setup section. Include the L2TP client address range in rightsubnet.</p>
<pre>
conn myhome-to-vps
	authby=rsasig
	auto=start
	closeaction=restart
	dpdaction=restart
	left=192.168.100.240
	leftsubnet=192.168.100.0/24
	leftcert=myserver1.crt
	right=203.0.113.180
	rightsubnet=203.0.113.180/32,172.16.1.0/24 # L2TP client address range added here
	rightid="C=JP, ST=Aichi, O=Home, OU=Server, CN=myvps1.vpsnet.example.jp"</pre>
<p>Note: strongswan accepts multiple subnets in leftsubnet / rightsubnet, but with openswan multiple subnets must be written as leftsubnets / rightsubnets.</p>
<p>/etc/ipsec.secrets:</p>
<pre>
: RSA myserver1.key</pre>
<h3>4. strongswan configuration (myvps1 side)</h3>
<p>/etc/ipsec.conf:</p>
<p>Add the following two conn definitions after the config setup section.<br />
In the leftsubnet of myhome-to-vps, include the L2TP client address range.</p>
<pre>
conn myhome-to-vps
	authby=rsasig
	auto=add
	closeaction=clear
	dpdaction=clear
	left=203.0.113.180
	leftsubnet=203.0.113.180/32,172.16.1.0/24 # L2TP client address range added here
	leftcert=myvps1.crt
	right=%any
	rightsubnet=192.168.100.0/24
	rightid="C=JP, ST=Aichi, O=Home, OU=Server, CN=myserver1.domain.local"

conn L2TP-PSK
	authby=secret
	auto=add
	closeaction=clear
	dpdaction=clear
	type=transport
	rekey=no
	left=203.0.113.180
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any</pre>
<p>/etc/ipsec.secrets:<br />
List both the RSA private key for the home IPsec link and the pre-shared key string for L2TP/IPsec.</p>
<pre>
: RSA myvps1.key
: PSK "mypresharedkey"</pre>
<h3>5. xl2tpd configuration (myvps1 side)</h3>
<p>/etc/xl2tpd/xl2tpd.conf:</p>
<pre>
[global]
port = 1701

[lns default]
ip range = 172.16.1.11-172.16.1.30
local ip = 172.16.1.254
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = myvps1.vpsnet.example.jp
ppp debug = no
pppoptfile = /etc/ppp/xl2tpd-options</pre>
<p>/etc/ppp/xl2tpd-options:</p>
<pre>
ipcp-accept-local
ipcp-accept-remote
# assumes a caching DNS server is running on myvps1
ms-dns 172.16.1.254
noccp
auth
crtscts
idle 1800
mtu 1300
mru 1300
nodefaultroute
lock
connect-delay 5000
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2</pre>
<p>/etc/ppp/chap-secrets:</p>
<pre>
username	*	"l2tppassworddesu"	*</pre>
<p>Make sure this file is not readable by ordinary users.</p>
<h3>6. Start the services and verify</h3>
<p><code>myserver1:~$ sudo service strongswan restart<br />
myvps1:~$ sudo service strongswan restart<br />
myvps1:~$ sudo service xl2tpd restart</code></p>