l2tpipsec vpn 安裝配置詳解 nginx
阿新 • • 發佈:2019-01-12
1首先安裝必備依賴包
#rpm -ivh *.rpm
# yum install xl2tpd openswan ppp
yum install make gcc gmp-devel
安裝Openswan
yum install opemswan
編輯配置檔案/etc/ipsec.conf
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=**.*.*.* //這是外網IP地址
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
設定共享金鑰PSK 編輯配置檔案/etc/ipsec.secrets
*.*.*.* %any: PSK “金鑰”
調整網路策略
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
開啟轉發
# vim /etc/ipsec.d/net.sh //加入以下內空
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
# chmod +x /etc/ipsec.d/net.sh
# sh /etc/ipsec.d/net.sh
啟動ipsec,並驗證
[ [email protected] ipv4]# /etc/init.d/ipsec start
[[email protected] ipv4]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
ipsec verify如果沒有出現failed,就說明ipsec安裝成功了。
配置xl2tpd
[ [email protected] ipv4]# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
[lns default]
local ip = 192.168.10.202 //服務端IP,
ip range = 192.168.0.128-192.168.0.254 //客戶端IP段
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
[ [email protected] ipv4]# /etc/init.d/xl2tpd start //啟動
配置ppp
配置options.xl2tpd
[[email protected] ipv4]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
新增VPN使用者
# cat >>/etc/ppp/chap-secrets<<EOF
> vpnuser * 111111 *
> EOF
配置iptables snet
# iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.0.0/24 --to 192.168.10.202
# iptables-save
啟動各項服務即可
系統日誌出現Cannot determine ethernet address for proxy ARP 這個一定是轉發規則有問題
#rpm -ivh *.rpm
# yum install xl2tpd openswan ppp
yum install make gcc gmp-devel
安裝Openswan
yum install opemswan
編輯配置檔案/etc/ipsec.conf
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=**.*.*.* //這是外網IP地址
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
設定共享金鑰PSK 編輯配置檔案/etc/ipsec.secrets
*.*.*.* %any: PSK “金鑰”
調整網路策略
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
開啟轉發
# vim /etc/ipsec.d/net.sh //加入以下內空
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
# chmod +x /etc/ipsec.d/net.sh
# sh /etc/ipsec.d/net.sh
啟動ipsec,並驗證
[
[[email protected] ipv4]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
ipsec verify如果沒有出現failed,就說明ipsec安裝成功了。
配置xl2tpd
[
[global]
ipsec saref = no
[lns default]
local ip = 192.168.10.202 //服務端IP,
ip range = 192.168.0.128-192.168.0.254 //客戶端IP段
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
[
配置ppp
配置options.xl2tpd
[[email protected] ipv4]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
新增VPN使用者
# cat >>/etc/ppp/chap-secrets<<EOF
> vpnuser * 111111 *
> EOF
配置iptables snet
# iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.0.0/24 --to 192.168.10.202
# iptables-save
啟動各項服務即可
系統日誌出現Cannot determine ethernet address for proxy ARP 這個一定是轉發規則有問題