Centos 7 安装 l2tp/ipsec vpn
时间:2014-12-17 01:38 来源:csdn 作者:快乐天空
1.安装 l2tp ipsec 所需要的软件包
yum install epel-release
yum install openswan xl2tpd ppp lsof
2.设置ipsec
2.1 编辑 /etc/ipsec.conf
vi /etc/ipsec.conf
把下面xx.xxx.xxx.xxx换成你自己主机实际的外网固定IP。其他的不动。
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=xxx.xxx.xxx.xxx
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
2.2 编辑/etc/ipsec.secrets
vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
/etc/ipsec.secrets 文件里面默认有一句包含 /etc/ipsec.d/*.secrets 的语句.所以可以直接在 /etc/ipsec.d 目录下新建一自己的个 *.secrets 文件.也可以直接把它注释掉,添加下面的配置语句.
vi /etc/ipsec.d/my.secrets
xxx.xxx.xxx.xxx %any: PSK "kuaile"
xx.xxx.xxx.xxx换成你自己VPS实际的外网固定IP, YourPsk你自己定一个,到时候连VPN的时候用,比如可以填csdn.net, 注意空格。
2.3 修改/添加 /etc/sysctl.conf
vi /etc/sysctl.conf
确保下面的字段都有,对应的值或下面一样。省事的话直接在/etc/sysctl.conf的末尾直接把下面内容的粘过去。
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
2.4 让修改后的sysctl.conf生效
sysctl -p
2.5 验证ipsec运行状态
ipsec setup start
ipsec verify
verify的内容如下所示,那么就离成功不远了。没有 红色 的fail 就可以了.
[root@Centos7 ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.8 (netkey) on 3.10.0-123.9.3.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
[root@Centos7 ~]#
3. 设置 l2tp
3.1 编辑 /etc/xl2tpd/xl2tpd.conf
vim /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
listen-addr = xxx.xxx.xxx.xxx ;这里是你的主机外网ip地址,;号是注释,和一般的配置文件不同
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
force userspace = yes
;
; debug tunnel = yes
[lns default]
ip range = 10.0.10.2-10.0.10.100 ;这里是VPN client的内网ip地址范围
local ip = 10.0.10.1 ;这里是VPN server的内网地址
refuse chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
3.2 编辑 /etc/ppp/options.xl2tpd
vi /etc/ppp/options.xl2tpd
name l2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
ipcp-accept-local
ipcp-accept-remote
#ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
3.3 配置用户名,密码:编辑 /etc/ppp/chap-secrets
vim /etc/ppp/chap-secrets
client和secret自己填,server和IP留*号,l2tp 可以用上面自己设定的 l2tpd .* 通用
# Secrets for authentication using CHAP
# client server secret IP addresses
username * userpass *
3.4 启动xl2tp
service xl2tpd start
4. 开放端口以及转发
原样执行下面所有命令
/sbin/iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A FORWARD -d 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE
再执行下面保存iptables
service iptables save
service iptables restart
添加开机自启动
systemd enabled ipsec
systemd enabled xl2tpd
如果连接不上的话, 先关掉iptalbes试试 service iptables stop
如果这时还连不上了,那么就是iptables的问题了
特别注意iptables里的顺序, INPUT和FORWARD里的REJECT一定是写在最后面,否则写在他们之后的port就都被REJECT了!
下面是我自己的iptables,可供参考
##########################################################################################
#! /bin/bash
/sbin/iptables -F INPUT
/sbin/iptables -Z INPUT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1723 -j ACCEPT
/sbin/iptables -A INPUT -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -F FORWARD
/sbin/iptables -Z FORWARD
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
#/sbin/iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A FORWARD -d 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -F OUTPUT
/sbin/iptables -Z OUTPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -F -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE
(责任编辑:IT)
1.安装 l2tp ipsec 所需要的软件包
2.设置ipsec
3. 设置 l2tp
4. 开放端口以及转发
如果这时还连不上了,那么就是iptables的问题了 特别注意iptables里的顺序, INPUT和FORWARD里的REJECT一定是写在最后面,否则写在他们之后的port就都被REJECT了! 下面是我自己的iptables,可供参考 ##########################################################################################
(责任编辑:IT) |