L2TP over IPsec
1.查看系统版本和IP地址。
[root@BYGD-VPN /]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@BYGD-VPN /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.20.14.161 netmask 255.255.240.0 broadcast 172.20.15.255
ether 00:16:3e:00:4d:c5 txqueuelen 1000 (Ethernet)
RX packets 117524 bytes 88933018 (84.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 47421 bytes 8344709 (7.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
2.安装所需的软件包
yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man
yum install xl2tpd -y
yum install libreswan -y
3.修改IPSEC配置文件
/etc/ipsec.conf
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
/etc/ipsec.d/l2tp_psk.conf
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=40
dpdtimeout=130
dpdaction=clear
leftnexthop=%defaultroute
rightnexthop=%defaultroute
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=172.20.14.161 (自己网卡IP地址,海外阿里云适用)
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
4.设置IPSEC VPN预共享密钥,服务器配置文件/etc/ipsec.secrets
[root@BYGD-VPN /]# cat /etc/ipsec.d/ipsec.secrets
172.20.14.161 %any: PSK "1234@abcd"
5.修改服务器内核参数,服务器配置文件/etc/sysctl.conf,然后sysctl -p使得内核参数立即生效
[root@BYGD-VPN /]# cat /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
6.检查IPsec服务
[root@BYGD-VPN /]# ipsec setup start
[root@BYGD-VPN /]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.20 (netkey) on 3.10.0-693.2.2.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'(貌似默认就是nat_traversal,不需要配置文件中nat_traversal=yes了)
Warning: ignored obsolete keyword 'oe'
ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
7.修改xl2tpd主配置文件
[root@BYGD-VPN /]# cat /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 172.20.14.161(自己网卡IP地址,海外阿里云适用)
ipsec saref = yes
[lns default]
ip range = 10.255.255.2-10.255.255.254
local ip = 10.255.255.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
8.修改xl2tpd中PPP特性配置文件
[root@BYGD-VPN xl2tpd]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 1.1.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
9.创建用户账号和密码
[root@BYGD-VPN xl2tpd]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
user1 * abcd@1234 *
10.关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
别忘了开启 Openstack安全组策略。
11.配置iptables
yum install -y iptables
yum install -y iptables-services
iptables -t nat -A POSTROUTING -s 10.255.255.0/24 -o eth0 -j MASQUERADE
[root@BYGD-VPN xl2tpd]# cat /etc/sysconfig/iptables
iptables -t nat -A POSTROUTING -s 10.255.255.0/24 -o eth0 -j MASQUERADE
systemctl start iptables
systemctl enable iptables
12.启动服务
systemctl start ipsec
systemctl start xl2tpd
systemctl enable ipsec
systemctl enable xl2tpd