CentOS6.5部署L2TP over IPSec

一、环境介绍:

  1、CentOS 6.5 (要求双网卡做软路由,如果只是做VPN可以单网卡)

    a、外网IP:192.168.0.133/24

    b、内网IP:10.10.10.1/8

 

  2、Window 10 主机一台做为一台内网测试软路由使用;

    a、内网IP:10.10.10.10/8

 

二、开始前的网络测试:

  1、CentOS 6.5(以下简称VPN-Server)测试:

    a、测试外网网络是否联通;

# ping www.baidu.com

    b、测试内网网络:

# ping 10.10.10.10

  2、Windows 10 (以下简称Client)测试:

    a、测试是否可以联通VPN-Server:

# ping 10.10.10.1

    b、测试是否可以上网(现在不能上网):

# ping www.baidu.com

 

三、开始安装部署:

  以下操作在VPN-Server上操作:

  1、安装epel源:

    # cd /etc/yum.repos.d/

    # wget http://mirrors.163.com/.help/CentOS6-Base-163.repo

    # yum -y install epel-release

  2、安装必须的软件(openswan、ppp、xl2tpd);

    openswan:提供IPSec加密

    ppp:提供密码认证

    xl2tpd:提供VPN服务

# yum -y install openswan ppp xl2tpd

  3、修改ipsec的配置文件:  

# cd /etc/ipsec.d/
# ls ./*.conf|xargs -I {} mv {} {}.bak
# vim L2TP.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
 
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.133
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

  

  4、配置ipsec的密钥:

# vim /etc/ipsec.d/L2TP.secrets

192.168.0.133 %any: PSK "YourPsk"

  注:IP为你的服务器外网IP,“YourPsk”修改为你想要的密钥

 

  5、修改Forward转发:

# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# sysctl -p

 

  6、验证ipsec的运行状态

# service ipsec start
# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)

Checking for IPsec support in kernel                            [OK]

 SAref kernel support                                           [N/A]

 NETKEY:  Testing for disabled ICMP send_redirects              [OK]

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

Checking that pluto is running                                  [OK]

 Pluto listening for IKE on udp 500                             [OK]

 Pluto listening for NAT-T on udp 4500                          [OK]

Checking for 'ip' command                                       [OK]

Checking /bin/sh is not /bin/dash                               [OK]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]

  注:只要没有Faild就可以了

  

  7、编辑/etc/xl2tpd/xl2tpd.conf

# vim /etc/xl2tpd/xl2tpd.conf

[global]

ipsec saref = yes

listen-addr = 192.168.0.133

[lns default]

ip range = 10.10.10.100-10.10.10.200

local ip = 10.10.10.1

refuse chap = yes

refuse pap = yes

require authentication = yes

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = y

 

  8、编辑 /etc/ppp/options.xl2tpd

# vim /etc/ppp/options.xl2tpd

require-mschap-v2

ms-dns 223.5.5.5

ms-dns 114.114.114.114

asyncmap 0

auth

crtscts

lock

hide-password

modem

debug

name l2tpd

proxyarp

lcp-echo-interval 30

lcp-echo-failure 4

 

  8、编辑 /etc/ppp/chap-secrets  (此配置文件是设置VPN的用户名,密码)

# vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client        server    secret                  IP addresses

    admin         *         admin                    *

 

  9、启动相应的服务:

# service xl2tpd start
# service ipsec start

  

  10、iptables修改:

 

# iptables -A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 1701 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
# iptables -I INPUT -p esp -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart




  修改后的iptables 例子:




# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [12:720]
:OUTPUT ACCEPT [25:2380]
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
COMMIT
# Completed on Tue Jan 19 06:18:56 2016
# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*nat
:PREROUTING ACCEPT [55:8845]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
COMMIT
# Completed on Tue Jan 19 06:18:56 2016




 


  到此VPN-Server的部署已经全部完成;可以在Client机器上测试是否可以上网,然后在其它要中拨号试下是否成功!






            

            
posted @ 
2016-11-17 13:57 
ღ若相惜-勿相离 
阅读(1827) 
评论(0编辑 
收藏 
举报