Linux VPN Server Configuration (L2TP/IPSec)

2014-10-27 18:39:21 | Category: Linux, FreeBSD, etc.

Reference: Setting up an L2TP+IPSec VPN server on Linux
Required software:
1). openswan: provides IPSec encryption
2). lsof: used for data access
3). ppp: provides username/password authentication
4). xl2tp: provides the L2TP VPN service

A. Install lsof
yum install -y lsof
B. Install openswan
yum install -y openswan
Supplement: compile-from-source installation for a development environment
cd /usr/local/temp
yum install -y make gcc gmp-devel bison flex lsof
wget --no-check-certificate https://download.openswan.org/openswan/openswan-2.6.42.tar.gz && tar zvxf openswan-2.6.42.tar.gz && cd openswan-2.6.42 && make programs install && cd ..
Configuration:
vi /etc/ipsec.conf
If the file does not exist, create it with the following content:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
 
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
 
 
version 2.0     # conforms to second version of ipsec.conf specification
 
# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey
 
 
# Add connections here
 
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start
 
 
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
 
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.1.144
    leftprotoport=17/1701
    right=%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute

vi /etc/ipsec.secrets
Add a line in the following format:
192.168.1.144 %any: PSK "ipsec"
Explanation: <public IP address> %any: PSK "<pre-shared key>"
Change the packet-forwarding settings:
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
echo 1 > /proc/sys/net/core/xfrm_larval_drop
Change the kernel settings so that forwarding is enabled; edit the /etc/sysctl.conf file:
vi /etc/sysctl.conf
Change the value of "net.ipv4.ip_forward" to 1.
Apply the change:
sysctl -p
SELinux change:
echo "0" > /selinux/enforce
Enable start on boot:
chkconfig ipsec on
Restart IPSec:
service ipsec restart
Check that IPSec is correctly installed and started:
ipsec verify
C. Install ppp
yum install -y ppp
Configuration:
vi /etc/ppp/options.xl2tpd
Write the following:
require-mschap-v2
ms-dns 192.168.1.11
ms-dns 8.8.4.4
#ms-wins 192.168.1.2 
#ms-wins 192.168.1.4
noccp
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Configure the account and password:
vi /etc/ppp/chap-secrets
test1 l2tpd 123456 *
Note that l2tpd in the second column is the name configured above; if that is changed, change it here as well.

D. Install l2tp
https://github.com/xelerance/xl2tpd/releases
Supplement: compile-from-source installation for a development environment
cd /tmp
yum install -y make gcc wget libpcap-devel
wget --no-check-certificate https://github.com/xelerance/xl2tpd/archive/v1.3.6.tar.gz && tar zvxf v1.3.6.tar.gz && cd xl2tpd-1.3.6 && make && make install && cd ..
For production, you can copy the files produced by the build above, or build on the machine itself:
/usr/local/sbin/xl2tpd
/usr/local/bin/pfc
/usr/local/sbin/xl2tpd-control
Configuration:
mkdir /etc/xl2tpd
vi /etc/xl2tpd/xl2tpd.conf
Add the following content:
[global]
ipsec saref = yes

[lns default]
ip range = 10.82.88.2-10.82.88.254
local ip = 192.168.1.144
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Add the iptables forwarding rule, then save and restart:
iptables -t nat -A POSTROUTING -s 10.82.88.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
Start l2tp in debug mode and check for errors:
xl2tpd -D

Errors:
xl2tpd[1958]: setsockopt recvref[30]: Protocol not available
xl2tpd[1958]: Not looking for kernel support.
xl2tpd[1958]: open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading.
Fix: mkdir /var/run/xl2tpd

Firewall configuration:
iptables -A INPUT -p udp --destination-port 1701 -j ACCEPT
service iptables save
service iptables restart
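The steps above spread the same values across five files (the server address in ipsec.conf, ipsec.secrets and xl2tpd.conf; the ppp name in options.xl2tpd and chap-secrets), and a mismatch makes every client fail authentication with little to go on. This added check script (not part of the original post) cross-checks those files and also rejects a short pre-shared key like the sample's "ipsec"; the 20-character minimum and the sample file contents are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the L2TP/IPsec files
# written in the steps above. Reads the files from the directory given in $1.
check_l2tp_config() {
    dir="$1"; rc=0
    # 1. 'name' in options.xl2tpd must equal the server column of chap-secrets
    ppp_name=$(awk '$1=="name"{print $2}' "$dir/options.xl2tpd")
    bad=$(awk -v n="$ppp_name" '!/^#/ && NF>=3 && $2!=n {print $1}' "$dir/chap-secrets")
    [ -z "$bad" ] || { echo "chap-secrets server column != ppp name '$ppp_name' for: $bad"; rc=1; }
    # 2. left= (ipsec.conf), the address in ipsec.secrets and 'local ip' (xl2tpd.conf) must agree
    left=$(sed -n 's/^[[:space:]]*left=//p' "$dir/ipsec.conf")
    psk_ip=$(awk '/PSK/{print $1}' "$dir/ipsec.secrets")
    local_ip=$(sed -n 's/^local ip *= *//p' "$dir/xl2tpd.conf")
    [ "$left" = "$psk_ip" ] && [ "$left" = "$local_ip" ] ||
        { echo "server address mismatch: left=$left secrets=$psk_ip local ip=$local_ip"; rc=1; }
    # 3. the PSK is shared by every client; refuse short ones (threshold is my own choice)
    psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/ipsec.secrets")
    [ "${#psk}" -ge 20 ] || { echo "PSK is only ${#psk} characters (want >= 20)"; rc=1; }
    return "$rc"
}

# Constructed sample files mirroring the post's values; $2 = ppp name, $3 = PSK.
write_sample() {
    mkdir -p "$1"
    printf 'conn L2TP-PSK-noNAT\n    authby=secret\n    left=192.168.1.144\n    leftnexthop=%%defaultroute\n' > "$1/ipsec.conf"
    printf '192.168.1.144 %%any: PSK "%s"\n' "$3" > "$1/ipsec.secrets"
    printf 'require-mschap-v2\nname %s\nproxyarp\n' "$2" > "$1/options.xl2tpd"
    printf '# client server secret IP\ntest1 l2tpd 123456 *\n' > "$1/chap-secrets"
    printf '[lns default]\nip range = 10.82.88.2-10.82.88.254\nlocal ip = 192.168.1.144\n' > "$1/xl2tpd.conf"
}

# Stand-alone run (sh check.sh --demo): the post's own values fail only on the PSK check.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample "$d" l2tpd ipsec
    check_l2tp_config "$d"; echo "exit status: $?"; rm -r "$d"
fi
```

Run it against copies of the real files (or point `$1` at `/etc` after renaming the paths) before the first client test, so a silent name or address mismatch is caught before reading `xl2tpd -D` output.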
By: zhanyonhu