
L2TP/IPsec VPN installation and configuration explained (nginx)

1. First install the required packages
# rpm -ivh *.rpm
# yum install xl2tpd openswan ppp
# yum install make gcc gmp-devel
Install Openswan
# yum install openswan
Edit the configuration file /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=**.*.*.*     # this is the public (external) IP address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Set the pre-shared key (PSK) by editing the configuration file /etc/ipsec.secrets
*.*.*.*   %any: PSK "金鑰"



Adjust the network settings
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1



Enable forwarding
    # vim /etc/ipsec.d/net.sh  # add the following content
    for each in /proc/sys/net/ipv4/conf/*
    do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
    done

    # chmod +x /etc/ipsec.d/net.sh
    # sh /etc/ipsec.d/net.sh

    
    
Start ipsec and verify it
    [[email protected] ipv4]# /etc/init.d/ipsec start

    [[email protected] ipv4]# ipsec verify
    Checking your system to see if IPsec got installed and started correctly:  
    Version check and ipsec on-path                                 [OK]  
    Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)  
    Checking for IPsec support in kernel                            [OK]  
     SAref kernel support                                           [N/A]  
     NETKEY:  Testing for disabled ICMP send_redirects              [OK]  
    NETKEY detected, testing for disabled ICMP accept_redirects     [OK]  
    Checking that pluto is running                                  [OK]  
     Pluto listening for IKE on udp 500                             [OK]  
     Pluto listening for NAT-T on udp 4500                          [OK]  
    Checking for 'ip' command                                       [OK]  
    Checking /bin/sh is not /bin/dash                               [OK]  
    Checking for 'iptables' command                                 [OK]  
    Opportunistic Encryption Support                                [DISABLED]  

If ipsec verify shows no "failed" result, ipsec has been installed successfully.
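The check described above (no FAILED entries in the `ipsec verify` output) can be scripted. The following is an added example, not part of the original post: it scans verify output read from stdin for checks marked [FAILED], prints them, and returns non-zero when any are present. The two sample outputs are constructed from the post's listing, with one line deliberately altered to FAILED to show what gets reported.

```shell
#!/bin/sh
# Added example (not from the original post): detect [FAILED] checks in
# `ipsec verify` output.  Usage on a live host:
#   ipsec verify 2>&1 | ipsec_verify_failures

# Read verify output from stdin, print every check marked [FAILED] with the
# status tag stripped, and return 0 only when no check failed.
ipsec_verify_failures() {
    failed=$(grep '\[FAILED\]' | sed 's/[[:space:]]*\[FAILED\][[:space:]]*$//')
    if [ -z "$failed" ]; then
        return 0
    fi
    printf '%s\n' "$failed"
    return 1
}

# Count FAILED lines in a string argument and echo the number (always exits 0).
count_failures() {
    printf '%s\n' "$1" | grep -c '\[FAILED\]' || true
}

# Constructed sample: a healthy excerpt, as in the post's listing.
SAMPLE_OK='Checking for IPsec support in kernel                            [OK]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Opportunistic Encryption Support                                [DISABLED]'

# Constructed sample: the same excerpt with send_redirects still enabled,
# which is what you see when /etc/ipsec.d/net.sh has not been run.
SAMPLE_BAD='Checking for IPsec support in kernel                            [OK]
 NETKEY:  Testing for disabled ICMP send_redirects              [FAILED]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]'

# Demonstration when run directly.
printf '%s\n' "$SAMPLE_BAD" | ipsec_verify_failures || echo "ipsec verify reported failures"
```

Note that `[DISABLED]` (Opportunistic Encryption) is not a failure and is ignored by the function, matching the post's statement that only "failed" matters.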




Configure xl2tpd
[[email protected] ipv4]# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no

[lns default]
local ip = 192.168.10.202             ; server-side IP
ip range = 192.168.0.128-192.168.0.254   ; client IP range
refuse chap = yes  
refuse pap = yes  
require authentication = yes  
ppp debug = yes  
pppoptfile = /etc/ppp/options.xl2tpd  
length bit = yes  
 
[[email protected] ipv4]# /etc/init.d/xl2tpd start  # start the service




Configure ppp
Configure options.xl2tpd
    [[email protected] ipv4]# cat /etc/ppp/options.xl2tpd
    require-mschap-v2  
    ms-dns 8.8.8.8  
    ms-dns 8.8.4.4  
    asyncmap 0  
    auth  
    crtscts  
    lock  
    hide-password  
    modem  
    debug  
    name l2tpd  
    proxyarp  
    lcp-echo-interval 30  
    lcp-echo-failure 4  

    
    
Add a VPN user
    # cat >>/etc/ppp/chap-secrets<<EOF  
    > vpnuser * 111111 *  
    > EOF

    
    
Configure iptables SNAT
    # iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.0.0/24 --to 192.168.10.202  
    # iptables-save  
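The SNAT rule only masquerades traffic whose source falls inside the `-s` subnet, so the client pool in xl2tpd.conf (`ip range`) must sit entirely within that subnet or some clients will route without translation. The following added example, not from the original post, checks that consistency offline: it parses the `ip range` line from an xl2tpd.conf snippet and the `-s` subnet from the iptables command, then tests both ends of the pool against the subnet with plain shell arithmetic. The config snippets are constructed from the values used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the xl2tpd client
# pool lies inside the subnet the SNAT rule translates.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR : return 0 when IP is inside CIDR (e.g. 192.168.0.0/24).
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# pool_in_snat XL2TPD_CONF IPTABLES_RULE : return 0 when both ends of the
# "ip range" pool fall inside the "-s" subnet of the SNAT rule, 1 when they
# do not, 2 when either value could not be parsed.
pool_in_snat() {
    range=$(printf '%s\n' "$1" | sed -n 's/^ip range *= *\([^ ]*\).*/\1/p')
    subnet=$(printf '%s\n' "$2" | sed -n 's/.*-s \([^ ]*\).*/\1/p')
    [ -n "$range" ] && [ -n "$subnet" ] || return 2
    in_cidr "${range%-*}" "$subnet" && in_cidr "${range#*-}" "$subnet"
}

# Constructed from the post: the xl2tpd [lns default] section and the SNAT rule.
XL2TPD_CONF='[lns default]
local ip = 192.168.10.202
ip range = 192.168.0.128-192.168.0.254'
SNAT_RULE='iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.0.0/24 --to 192.168.10.202'

# Constructed mismatch: a rule that translates the server LAN instead of the pool.
SNAT_RULE_WRONG='iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.10.0/24 --to 192.168.10.202'

# Demonstration when run directly.
if pool_in_snat "$XL2TPD_CONF" "$SNAT_RULE"; then
    echo "client pool is covered by the SNAT rule"
else
    echo "client pool is NOT covered by the SNAT rule"
fi
```

On a real host the same functions can be fed `cat /etc/xl2tpd/xl2tpd.conf` and `iptables-save -t nat`, as long as the rule text contains a `-s` argument.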

    
    Then start each of the services.
    
    
    
    
If the system log shows "Cannot determine ethernet address for proxy ARP", the forwarding rules are definitely wrong.