
xl2tpd deployment

2016-11-03 14:38  cmsd

Reference

http://blog.51yip.com/linux/1795.html

When VPNs come up, Google comes to mind, and with it a certain heartache. I wrote an earlier article on VPNs, see: centos5.5 vpn 安装配置详解 (a detailed CentOS 5.5 VPN installation and configuration guide). That article covered PPTP; PPTP runs over TCP, while L2TP runs over UDP. Once PPTP has been in use for a while, it gets intermittently blocked by the firewall.

1. Install xl2tpd and openswan

# yum install xl2tpd openswan ppp

If the packages are not available, install the EPEL repository first; I won't cover that here, search this blog for it.

2. Configure IPsec

1) Configure ipsec.conf

# cat /etc/ipsec.conf

version 2

config setup
    protostack=netkey
    logfile=/var/log/pluto.log
    listen=172.16.11.2
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.16.11.2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

2) Set the PSK (pre-shared key)

# cat /etc/ipsec.secrets 

172.16.11.2 %any: PSK "sec123" 

3) Enable forwarding

# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1    // change 0 to 1

# sysctl -p   // takes effect immediately

# vim /etc/ipsec.d/net.sh  // add the following content
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

# chmod +x /etc/ipsec.d/net.sh
# sh /etc/ipsec.d/net.sh

4) Start IPsec and verify

# service ipsec start

# verify
# ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-573.22.1.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

If ipsec verify reports no FAILED items, IPsec is installed successfully.

3. Configure xl2tpd

# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
listen-addr = 172.16.11.2

[lns default]
ip range = 192.168.100.128-192.168.100.254
local ip = 172.16.11.2
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

1) Configure options.xl2tpd

# cat /etc/ppp/options.xl2tpd 
ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
require-mschap-v2
asyncmap 0 
modem
name l2tpd
lcp-echo-interval 30  
lcp-echo-failure 4 

2) Add a VPN user

# cat >>/etc/ppp/chap-secrets<<EOF
> vpnuser * 111111 *
> EOF

5. Configure iptables SNAT

# iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.100.0/24 --to 192.168.10.202  // -s must cover the "ip range" pool set in xl2tpd.conf; --to is the server's outbound address
# iptables-save

6. Enable at boot

# chkconfig ipsec on
# chkconfig xl2tpd on
# cat >>/etc/rc.local<<EOF
sh /etc/ipsec.d/net.sh
EOF
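Added example (not from the original post, nor from the xl2tpd or Libreswan projects): a small Python audit that parses constructed copies of xl2tpd.conf, ipsec.secrets and the SNAT rule, and reports when the SNAT source network does not cover the L2TP address pool or when the PSK is short. The 20-character minimum is an assumed policy threshold, not a value from the page.

```python
import configparser
import ipaddress
import re
import shlex

# Constructed sample inputs (not read from a live system): the xl2tpd pool
# used on this page, a deliberately short PSK, and a mismatched SNAT source.
XL2TPD_CONF = """[global]
ipsec saref = no
listen-addr = 172.16.11.2
[lns default]
ip range = 192.168.100.128-192.168.100.254
local ip = 172.16.11.2
"""
IPSEC_SECRETS = '172.16.11.2 %any: PSK "sec123"\n'
SNAT_RULE = ("iptables -t nat -I POSTROUTING 1 -j SNAT "
             "-s 192.168.0.0/24 --to 192.168.10.202")


def parse_ip_range(xl2tpd_conf):
    """Return (first, last) addresses of 'ip range' in [lns default]."""
    cp = configparser.ConfigParser()
    cp.read_string(xl2tpd_conf)
    first, last = cp["lns default"]["ip range"].split("-")
    return ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())


def parse_snat_source(rule):
    """Return the network passed to -s in an iptables SNAT rule."""
    argv = shlex.split(rule)
    return ipaddress.ip_network(argv[argv.index("-s") + 1], strict=False)


def parse_psk(secrets):
    """Return the quoted PSK from an ipsec.secrets line ('' if absent)."""
    m = re.search(r'PSK\s+"([^"]*)"', secrets)
    return m.group(1) if m else ""


def audit(xl2tpd_conf, secrets, snat_rule, min_psk_len=20):
    """Cross-check the three files; an empty list means no findings."""
    findings = []
    first, last = parse_ip_range(xl2tpd_conf)
    net = parse_snat_source(snat_rule)
    if first not in net or last not in net:
        findings.append(f"SNAT source {net} does not cover pool {first}-{last}")
    psk = parse_psk(secrets)
    if len(psk) < min_psk_len:  # min_psk_len is an assumed policy threshold
        findings.append(f"PSK has only {len(psk)} chars; use a long random secret")
    return findings
```

Run `audit(XL2TPD_CONF, IPSEC_SECRETS, SNAT_RULE)` against the constructed inputs and it returns two findings; point the three inputs at the real files to check a deployed server.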