Preparation: check the environment
1. First check whether your host supports PPTP. If the command prints yes, the check passes.
modprobe ppp-compress-18 && echo yes
2. Check whether TUN is enabled (some virtual machine hosts need it turned on). If the output is cat: /dev/net/tun: File descriptor in bad state, the check passes.
cat /dev/net/tun
Installation and configuration
1. Install a yum repository. The official CentOS repositories no longer ship xl2tpd, so a server installed from the official image needs an extra repository. Servers built from Alibaba Cloud or Tencent Cloud public images can skip this step.
yum install -y epel-release
2. Install xl2tpd
yum install -y xl2tpd libreswan lsof
3. Configure xl2tpd
vim /etc/xl2tpd/xl2tpd.conf
[global]
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
4. Configure the PPP options file. Pay attention to the commented-out options: if they are left uncommented, the service fails to start or clients cannot connect.
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
name xl12tpd
#noccp
auth
#crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#lock
proxyarp
connect-delay 5000
refuse-pap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
5. Configure the IPsec files
1) vim /etc/ipsec.conf
config setup
protostack=netkey
nat_traversal=yes
interfaces="%defaultroute"
virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
include /etc/ipsec.d/*.conf
2) vim /etc/ipsec.d/l2tp-ipsec.conf
conn l2tp-psk
authby=secret
pfs=no
auto=add
rekey=no
type=transport
left=47.75.104.65
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%priv,%no
6. Set the user name and password
vim /etc/ppp/chap-secrets
# client server secret IP addresses
userName * "123456" *
7. Set the pre-shared key
vim /etc/ipsec.d/default.secrets
: PSK "YourPSK"
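An added example for steps 6 and 7, not part of the original post: POSIX sh helpers that generate a random PSK with openssl, write the two secrets files with mode 600, and check a chap-secrets file for the four-field layout, non-ASCII (curly) quotes and the placeholder PSK before the services are restarted. The base directory argument, the function names and a Linux host with openssl installed are assumptions; pass /etc for the real files or a scratch directory to try it out.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for steps 6 and 7:
# write <base>/ipsec.d/default.secrets and <base>/ppp/chap-secrets under a
# configurable base directory (/etc for the real files, a scratch directory
# to try it out). Assumes Linux with openssl available.
set -e

# Print a random 32-byte PSK as 64 hex characters, which avoids quoting issues.
gen_psk() {
    openssl rand -hex 32
}

# Write "<base>/ipsec.d/default.secrets" in the ': PSK "..."' form from step 7,
# readable only by its owner (umask 077 gives mode 600 on creation).
write_ipsec_secret() {
    base=$1 psk=$2
    umask 077
    mkdir -p "$base/ipsec.d"
    printf ': PSK "%s"\n' "$psk" > "$base/ipsec.d/default.secrets"
}

# Append one chap-secrets entry (step 6). The secret is wrapped in straight
# ASCII quotes; curly quotes would become part of the secret and break CHAP.
add_chap_user() {
    base=$1 user=$2 pass=$3
    umask 077
    mkdir -p "$base/ppp"
    [ -f "$base/ppp/chap-secrets" ] ||
        printf '# client\tserver\tsecret\tIP addresses\n' > "$base/ppp/chap-secrets"
    printf '%s\t*\t"%s"\t*\n' "$user" "$pass" >> "$base/ppp/chap-secrets"
}

# Checks to run before restarting the services: every chap-secrets entry has
# exactly four fields (secrets without whitespace assumed), both files contain
# only ASCII, neither is group/world readable, and the placeholder PSK is gone.
check_secrets() {
    base=$1
    chap=$base/ppp/chap-secrets psk=$base/ipsec.d/default.secrets
    awk '!/^#/ && NF && NF != 4 { bad = 1 } END { exit bad }' "$chap" || return 1
    for f in "$chap" "$psk"; do
        LC_ALL=C grep -q '[^[:print:][:space:]]' "$f" && return 1
        [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || return 1
    done
    grep -q 'YourPSK' "$psk" && return 1
    return 0
}
```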
8. Firewall settings
1) yum install iptables-services  # install the iptables service
2) vim /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [2:104]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [84:7150]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:10368]
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
3) service iptables restart
4) iptables -S  # list the iptables rules
9. Adjust kernel parameters
1) vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
2) sysctl -p  # apply the settings
10. Restart and check the services
1) service ipsec restart  # restart the ipsec service
service ipsec status  # check the ipsec service status
systemctl enable ipsec  # once everything works, enable the service at boot
2) ipsec verify  # check ipsec
[root@iZj6c7krv4f28m7t3p2f2tZ ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding[OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OBSOLETE]
003 WARNING: using a weak secret (PSK)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS[OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'
3) service xl2tpd restart  # restart the xl2tpd service
service xl2tpd status  # check the xl2tpd service status
systemctl enable xl2tpd  # once everything works, enable the service at boot
11. If the server runs on a platform such as Alibaba Cloud or Tencent Cloud, port 1701 must be opened in the platform's console; the protocol is UDP.
12. Connect to the VPN. Note that on macOS you need to create an options file under /etc/ppp, otherwise the connection fails:
sudo vim /etc/ppp/options
Enter the following in the options file:
plugin L2TP.ppp
l2tpnoipsec
Source: https://www.cnblogs.com/Christine-ting/p/11002700.html