In "How to install and configure an L2TP server on Ubuntu 18.04" I described how to install and configure an L2TP server. This post describes how to establish a VPN connection to that L2TP server as a client on Ubuntu 20.04. Everything is done from the command line so that it is easy to apply.

First add the repository:

$ sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp

While it runs you can see this line:

network-manager-l2tp is a VPN plugin for NetworkManager which provides support for L2TP and L2TP/IPsec (i.e. L2TP over IPsec) connections.

Then install network-manager-l2tp:

$ sudo apt install network-manager-l2tp

After the installation succeeds, check the xl2tpd service; it should already be running:

$ sudo service xl2tpd status

The output is:

● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
     Loaded: loaded (/etc/init.d/xl2tpd; generated)
     Active: active (running) since Wed 2022-12-21 11:29:29 CST; 2h 30min ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 1 (limit: 8506)
     Memory: 268.0K
     CGroup: /system.slice/xl2tpd.service
             └─3664 /usr/sbin/xl2tpd

Dec 21 11:29:29 minipc-H81U xl2tpd[3630]: Not looking for kernel SAref support.
Dec 21 11:29:29 minipc-H81U xl2tpd[3630]: Using l2tp kernel support.
Dec 21 11:29:29 minipc-H81U xl2tpd[3624]: Starting xl2tpd: xl2tpd.
Dec 21 11:29:29 minipc-H81U xl2tpd[3664]: xl2tpd version xl2tpd-1.3.12 started on minipc-H81U PID:3664
Dec 21 11:29:29 minipc-H81U systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Dec 21 11:29:29 minipc-H81U xl2tpd[3664]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Dec 21 11:29:29 minipc-H81U xl2tpd[3664]: Forked by Scott Balmos and David Stipp, (C) 2001
Dec 21 11:29:29 minipc-H81U xl2tpd[3664]: Inherited by Jeff McAdams, (C) 2002
Dec 21 11:29:29 minipc-H81U xl2tpd[3664]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Dec 21 11:29:29 minipc-H81U xl2tpd[3664]: Listening on IP address 0.0.0.0, port 1701

This shows that the xl2tpd service is running. Since this machine is the client, the server component must first be stopped and disabled:

$ sudo service xl2tpd stop
$ sudo systemctl disable xl2tpd

After that succeeds, running $ sudo service xl2tpd status again shows that the service has stopped.

Now use the nmcli command to create the new network connection. For a detailed introduction to nmcli, see nmcli — command-line tool for controlling NetworkManager.

The commonly used nmcli commands are:

$ sudo nmcli con                                # list all current connections
$ sudo nmcli c up connection-name               # bring a connection up
$ sudo nmcli c down connection-name             # take a connection down
$ sudo nmcli connection add xxx                 # add a connection
$ sudo nmcli connection delete connection-name  # delete a connection

Step 1: add the connection

$ sudo nmcli connection add connection.id L2TP-IPSEC con-name L2TP-IPSEC type VPN vpn-type l2tp ifname -- connection.autoconnect no ipv4.method auto vpn.data "gateway = 192.168.10.162, ipsec-enabled = yes, mru = 1410, mtu = 1410, password-flags = 0, refuse-chap = yes, refuse-mschap = yes, refuse-pap = yes, require-mschap-v2 = yes, user = xpon" vpn.secrets "password=ubuntu18.04, ipsec-psk = anyk-xgpon-unicom"

Parameter notes:

(1) The L2TP-IPSEC after connection.id and after con-name is the name of the connection being added. Once it is added, this is the name that $ sudo nmcli con shows and the argument that up/down/delete take later.

(2) gateway is the IP address of the L2TP server.

(3) The mru and mtu values must match the L2TP server's settings.

(4) refuse-chap = yes, refuse-mschap = yes, refuse-pap = yes, require-mschap-v2 = yes must also match the L2TP server's settings.

(5) The values of user and password must match the ppp secrets on the L2TP server. Because password-flags = 0, NetworkManager stores the password and the PSK in the system connection profile; note also that secrets passed on the command line like this remain in the shell history.

(6) The value of ipsec-psk must match the ipsec secrets on the L2TP server.

After running the command above, the following message is printed:

Connection 'L2TP-IPSEC' (046d0fcd-2602-4a55-b0e3-0d0ab1233498) successfully added.

This indicates the connection was added; running $ sudo nmcli con now lists it.

Step 2: bring up the connection

$ sudo nmcli c up L2TP-IPSEC

The output is:

Error: Connection activation failed: The VPN service failed to start
Hint: use 'journalctl -xe NM_CONNECTION=046d0fcd-2602-4a55-b0e3-0d0ab1233498 + NM_DEVICE=enp1s0' to get more details.

It failed. Look up the cause as the hint suggests:

$ journalctl -xe NM_CONNECTION=046d0fcd-2602-4a55-b0e3-0d0ab1233498 + NM_DEVICE=enp1s0 > fail.txt

Appending > fail.txt writes the output to this new file; otherwise there is so much output that it floods the screen.

Open the file and at the bottom you will see:

Dec 21 14:08:52 minipc-H81U NetworkManager[662]: <warn>  [1671602932.4913] vpn-connection[0x561e9c7587a0,046d0fcd-2602-4a55-b0e3-0d0ab1233498,"L2TP-IPSEC",0]: VPN connection: failed to connect: '属性“require-mschap-v2”无效或不支持'

It means that the require-mschap-v2 property is invalid or unsupported, so simply remove refuse-chap = yes, refuse-mschap = yes, refuse-pap = yes, require-mschap-v2 = yes altogether. Note that the error names only require-mschap-v2; the refuse-* keys restrict which PPP authentication methods the client will accept, so dropping them as well lets the client fall back to weaker methods such as PAP if the server offers them.

First delete this connection from the list:

$ sudo nmcli connection delete L2TP-IPSEC

Output:

Connection 'L2TP-IPSEC' (046d0fcd-2602-4a55-b0e3-0d0ab1233498) successfully deleted.

Then run the add-connection command again:

$ sudo nmcli connection add connection.id L2TP-IPSEC con-name L2TP-IPSEC type VPN vpn-type l2tp ifname -- connection.autoconnect no ipv4.method auto vpn.data "gateway = 192.168.10.162, ipsec-enabled = yes, mru = 1410, mtu = 1410, password-flags = 0, user = xpon" vpn.secrets "password=ubuntu18.04, ipsec-psk = anyk-xgpon-unicom"

Once that succeeds, run the connect command $ sudo nmcli c up L2TP-IPSEC again; the output is:

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

This shows it succeeded. Now running $ sudo nmcli con prints the following:

NAME                 UUID                                  TYPE      DEVICE
L2TP-IPSEC           09cda9a0-90ed-418b-b269-7dcdd3b09ce7  vpn       enp1s0
有线连接 1           15459cc6-9dfd-35b2-be62-e252b9252b7e  ethernet  enp1s0

702A-5G              05f22be6-6d17-4a6d-9fd9-3cdd683d179b  wifi      --
tingting&hanhan_2.4  2174023a-c239-4346-84c0-6f5d3103460a  wifi      --
tingting&hanhan_5G   2127a09b-09fe-4a82-8b5e-be2a30a1e71b  wifi      --
有线连接 2           e0e3f31f-f000-35d1-b3e4-1ca904b2cb88  ethernet  --

You can see that L2TP-IPSEC is connected (green indicates the connection is currently connected).

The connection can also be seen on the L2TP server side; run

$ sudo service xl2tpd status

The output is:

● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
   Loaded: loaded (/etc/init.d/xl2tpd; generated)
   Active: active (running) since Mon 2022-12-19 17:56:52 CST; 1 day 20h ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/xl2tpd.service
           ├─ 9056 /usr/sbin/xl2tpd
           └─13756 /usr/sbin/pppd /dev/pts/1 passive nodetach 192.168.18.162:192.168.18.1 debug file /etc/ppp/options.xl2tpd ipparam 192.168.2.133

Dec 21 14:14:26 anyk-build pppd[13756]: sent [IPCP ConfReq id=0x2 <addr 192.168.18.162>]
Dec 21 14:14:26 anyk-build xl2tpd[9056]: network_thread: recv packet from 192.168.2.133, size = 32, tunnel = 4337, call = 15603 ref=0 refhim=0
Dec 21 14:14:26 anyk-build xl2tpd[9056]: network_thread: recv packet from 192.168.2.133, size = 20, tunnel = 4337, call = 15603 ref=0 refhim=0
Dec 21 14:14:26 anyk-build pppd[13756]: rcvd [IPCP ConfReq id=0x2 <addr 192.168.18.1> <ms-dns1 192.168.10.1> <ms-dns2 127.0.0.53>]
Dec 21 14:14:26 anyk-build pppd[13756]: sent [IPCP ConfAck id=0x2 <addr 192.168.18.1> <ms-dns1 192.168.10.1> <ms-dns2 127.0.0.53>]
Dec 21 14:14:26 anyk-build pppd[13756]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.18.162>]
Dec 21 14:14:26 anyk-build pppd[13756]: local  IP address 192.168.18.162
Dec 21 14:14:26 anyk-build pppd[13756]: remote IP address 192.168.18.1
Dec 21 14:14:26 anyk-build pppd[13756]: Script /etc/ppp/ip-up started (pid 13766)
Dec 21 14:14:26 anyk-build pppd[13756]: Script /etc/ppp/ip-up finished (pid 13766), status = 0x0

As you can see, this VPN connection assigned the address 192.168.18.162 to the L2TP server and 192.168.18.1 to the client. On the server side, ping 192.168.18.1 succeeds; on the client side, ping 192.168.18.162 also succeeds.
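The checks described above (server daemon disabled on the client, the VPN listed as active by nmcli, the failure reason in the journal, and the tunnel addresses in the pppd log) can be scripted. This is an added example, not code from the original post; the connection name, the helper names and the sample log lines are this script's own assumptions.

```shell
#!/bin/bash
# Added example, not part of the original post: post-setup checks for the nmcli
# L2TP/IPsec client built above. The connection name, the log samples and the
# helper names are this script's own assumptions.
set -u

# Parse `nmcli -t -f NAME,TYPE,DEVICE con` (terse, colon-separated) from stdin
# and succeed only if the named connection is a VPN bound to a device.
vpn_is_active() {                        # $1 = connection name
    awk -F: -v name="$1" '$1 == name && $2 == "vpn" && $3 != "" { ok = 1 }
                          END { exit ok ? 0 : 1 }'
}

# Pull the quoted reason out of a NetworkManager "failed to connect" log line
# (the line the journalctl step above found), reading log lines from stdin.
vpn_failure_reason() {
    sed -n "s/.*VPN connection: failed to connect: '\([^']*\)'.*/\1/p" | head -n 1
}

# Print "local remote" from pppd's address lines (the server-side log above).
tunnel_addresses() {
    awk '/local  IP address/ { l = $NF } /remote IP address/ { r = $NF }
         END { if (l != "" && r != "") print l, r }'
}

# Live checks; only run when invoked with a connection name as argument.
main() {
    name=$1
    # The client must not also run the server daemon (stopped and disabled above).
    if systemctl is-enabled --quiet xl2tpd 2>/dev/null; then
        echo "warning: xl2tpd is still enabled on this client" >&2
    fi
    if nmcli -t -f NAME,TYPE,DEVICE con | vpn_is_active "$name"; then
        echo "$name is active"
    else
        echo "$name is not active; last failure reason:"
        journalctl -u NetworkManager --no-pager | vpn_failure_reason
        return 1
    fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./check-l2tp.sh L2TP-IPSEC` on the client; the parsing helpers can also be fed saved output from the server-side log.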
