Setting up an L2TP/IPsec VPN on CentOS 7

The company's original VPN server ran PPTP + FreeRADIUS. After Apple updated iOS, it could no longer connect to PPTP servers, so I looked into an L2TP/IPsec VPN instead and, after digging through a lot of material, finally got it working. I am writing it down here for my own future reference.

1. Install the required packages

  • Install the necessary development packages.
  • On CentOS 7 the latest package providing the L2TP service is xl2tpd-1.3.8-2.el7.x86_64, and the latest package providing the IPsec service is libreswan-3.15-5.el7_1.x86_64.
  • Note: xl2tpd usually cannot be installed directly from the base repositories; see https://centos.pkgs.org/7/epel-x86_64/xl2tpd-1.3.8-2.el7.x86_64.rpm.html for how to install it.
[root@localhost ~]#yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man
[root@localhost ~]#yum install xl2tpd
[root@localhost ~]#yum install libreswan

2. Edit the main IPsec configuration file

[root@localhost ~]#cat /etc/ipsec.conf
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=120.86.124.5
    #120.86.124.5 is this host's public-facing NIC IP address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

3. Edit the l2tp_psk.conf file

If this file does not exist, create it.

[root@localhost ~]#vi /etc/ipsec.d/l2tp_psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=120.86.124.5
    #120.86.124.5 is this host's public-facing NIC IP address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

4. Configure the pre-shared key file

[root@localhost ~]# cat /etc/ipsec.secrets 
#include /etc/ipsec.d/*.secrets
120.86.124.5 %any: PSK "123456789"
#120.86.124.5 is the public NIC address; PSK is the pre-shared key

5. Enable kernel support

[root@localhost ~]# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0

Apply the changes above with the following command:

[root@localhost ~]#sysctl -p

6. Check the IPsec service configuration

[root@localhost ~]# ipsec setup start
[root@localhost ~]# ipsec verify

Error handling: when the following [ENABLED] warnings appear, they can be ignored and you can continue. Of course, all OK is better.

Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.el7.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [ENABLED]
 /proc/sys/net/ipv4/conf/ens160/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/ens192/rp_filter           [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS     [OK]
Checking for obsolete ipsec.conf options                    [OK]
Opportunistic Encryption                            [DISABLED]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help
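Steps 5 and 6 above show the typical outcome: rp_filter stays [ENABLED] on ens160 and ens192 even after sysctl -p, because the effective rp_filter is the maximum of the all and per-interface values. The following shell script is an added example (mine, not part of the original post): it checks a sysctl.conf-style file for the settings step 5 relies on, accepting both "key=value" and "key = value" spacing, and prints the per-interface lines that clear that warning; the file path and interface names are assumptions of the caller.

```shell
#!/bin/sh
# Added example, not from the original post: check a sysctl.conf-style file for the kernel
# settings steps 5 and 6 rely on (accepting "key=value" and "key = value") and emit the
# per-interface rp_filter lines 'ipsec verify' asks for. Paths and interface names are assumed.

REQUIRED_SYSCTL="
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
"
# Effective value of key $2 in file $1: comments dropped, last assignment wins.
sysctl_file_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Print one line per missing or wrong key; return the number of problems (0 = all set).
check_sysctl_file() {
    problems=0
    for pair in $REQUIRED_SYSCTL; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_file_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: want $want, have ${have:-<unset>}"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Lines to append for each interface 'ipsec verify' still reports as [ENABLED] (ens160 and
# ens192 above): the effective rp_filter is max(all, interface), so all/default alone do not
# clear it on interfaces that already existed when the values were set.
rp_filter_lines() {
    for ifname in "$@"; do
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$ifname"
    done
}

# Usage: sh check_sysctl.sh /etc/sysctl.conf ens160 ens192
if [ $# -gt 0 ]; then
    file=$1; shift
    check_sysctl_file "$file" && echo "$file: all required settings present"
    rp_filter_lines "$@"
fi
```

Append the printed rp_filter lines to /etc/sysctl.conf, run sysctl -p again, and ipsec verify should report those interfaces as [OK].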

7. Start the IPsec service

[root@localhost ~]# systemctl start ipsec
[root@localhost ~]# systemctl enable ipsec

8. Edit the main xl2tpd configuration file

[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf 
[global]
listen-addr = 120.86.124.5
#this host's public-facing NIC IP
ipsec saref = yes
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

9. Edit the xl2tpd PPP options file:

[root@localhost ~]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
#dns: use your own NIC's DNS servers; 8.8.8.8 also works
ms-dns 10.118.88.10
ms-dns 130.52.1.10 
#ms-dns  8.8.8.8
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

10. Create the username and password

Create the user for xl2tpd connections; the username and password entered when establishing the L2TP connection are configured in this file:

[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
lancer      *  123 *
#login username and password

11. Start and check the xl2tpd service

[root@localhost ~]# systemctl start xl2tpd
[root@localhost ~]# systemctl status xl2tpd

12. Stop the firewall to test the connection

Stop the firewall first for testing; otherwise the connection cannot be tested. Firewall rules are covered in the next chapter.

[root@localhost ~]# systemctl stop firewalld

13. Wrapping up

If you cannot connect, check whether the ipsec and xl2tpd services are running:

[root@localhost ~]# systemctl status ipsec

[root@localhost ~]# systemctl status xl2tpd