Centos 7 搭建L2TP/Ipsec
作者:互联网
1. 先看看你的主机是否支持pptp,返回结果为yes就表示通过。
modprobe ppp-compress-18 && echo yes
2.是否开启了TUN,有的虚拟机主机需要开启,返回结果为cat: /dev/net/tun: File descriptor in bad state,就表示通过。
cat /dev/net/tun
3.安装EPEL源(CentOS7官方源中已经去掉了xl2tpd)
yum install -y epel-release
4.安装xl2tpd和libreswan(openswan已经停止维护)
yum install -y xl2tpd libreswan lsof
5.编辑xl2tpd配置文件
vim /etc/xl2tpd/xl2tpd.conf # 以下配置增加到最后
[lns default]
ip range = 192.168.2.221-192.168.2.230 #分配连接客户端的地址
local ip = 192.168.2.220 #本地内网IP,如果没有本地内网IP可以在外网IP上增加子接口
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
6.编辑pppoptfile文件
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 218.104.111.114 #设置DNS
name xl2tpd
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
#noccp
auth
#obsolete: crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#obsolete: lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
refuse-pap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
7.编辑ipsec配置文件
vim /etc/ipsec.conf
#只修改一下选项,其他默认
protostack=netkey
dumpdir=/var/run/pluto/ #需要增加项
8.编辑include的conn文件
vim /etc/ipsec.d/l2tp-ipsec.conf #注意格式
conn L2TP-PSK-NAT
rightsubnet=0.0.0.0/0
dpddelay=10
dpdtimeout=20
dpdaction=clear
forceencaps=yes
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.2.220 #ip地址
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
9.设置用户名密码
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test * 123456 *
# 格式为: 用户名 类型 密码 允许访问的ip
# 这个配置文件,也是pptpd的用户密码配置文件,直接类型上用*表示所有。因为这里我们只搭建l2tp/ipsec
10.设置预共享密钥PSK
vim /etc/ipsec.d/default.secrets
: PSK "123456" #123456为共享密钥,客户端连接时会用到此密码
11.CentOS7 防火墙设置(若关闭防火墙可不需要设置)
firewall-cmd --permanent --add-service=ipsec # 放行ipsec服务
firewall-cmd --permanent --add-port=1701/udp # xl2tp 的端口,默认1701
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade # 启用NAT转发功能。必须启用此功能
firewall-cmd --reload # 重载配置
12.修改内核参数
vim /etc/sysctl.conf # 添加如下配置到文件中,参数后面不能有空格
net.ipv4.ip_forward = 1
# for ipsec
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
修改完成后
sysctl -p # 加载内核参数使生效
13.启动ipsec
systemctl enable ipsec # 设为开机启动
systemctl start ipsec # 启动服务
14.检查配置
ipsec verify # 检查命令
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-693.11.6.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
15.启动xl2tp
systemctl enable xl2tpd # 设为卡机启动
systemctl start xl2tpd # 启动xl2tp
针对于阿里云的云服务器要在安全组上要把500、1701和4500的UDP端口放行
阿里云盾的内置服务要关闭。
标签:OK,conf,Centos,--,xl2tpd,192.168,L2TP,Ipsec,ipsec 来源: https://blog.csdn.net/lijun_work/article/details/111190411