生产环境l2tp/ipsec配置

 

 

  1. 安装软件
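    # On CentOS/RHEL 7 xl2tpd lives in EPEL, not the base repos, and the package is
    # named xl2tpd (the original "xl2tp" does not exist). ppp is pulled in by both.
    yum install -y epel-release
    yum install -y ppp xl2tpd libreswan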

     

  2. /etc/ipsec.conf
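    # /etc/ipsec.conf - libreswan as an L2TP/IPsec responder with a pre-shared key.
    # nat_traversal= and oe= are obsolete keywords in current libreswan (presumably
    # the original targeted 3.x); they are ignored with a warning, so drop them if
    # the daemon complains at start.
    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey
        logfile=/var/log/pluto/pluto.log
        #dumpdir=/var/run/pluto
    
    # Clients behind NAT: vhost:%priv lets the peer's inner address be any address
    # in the virtual_private ranges above; everything else comes from the noNAT conn.
    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
    
    conn L2TP-PSK-noNAT
        authby=secret
        #sha2-truncbug=yes
        # IKEv1 without PFS, commonly required by stock Windows/macOS L2TP clients
        # (TODO confirm against the client OSes actually in use).
        pfs=no
        auto=add
        keyingtries=3
        #keyingtries=%forever
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        # The server's own public IP. It must be the same address as the entry in
        # /etc/ipsec.secrets and listen-addr in xl2tpd.conf; the original had
        # 139.196.190.88 here, a typo for the 139.196.190.8 used everywhere else.
        left=139.196.190.8
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        # No ike=/phase2alg= is set, so libreswan's defaults are negotiated. Pin them
        # once the client set is known so legacy proposals cannot be selected.
        
        #dpddelay=15
        #dpdtimeout=30   (original read "dpdtimeout30", missing the '=')
        #dpdaction=clear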

     

  3. /etc/ipsec.secrets
    # /etc/ipsec.secrets - root-owned, mode 0600: the PSK is stored in clear text.
    include /etc/ipsec.d/*.secrets
    # <server public IP> %any : PSK "<secret>". One PSK is shared by every client, so it
    # is effectively a group password: generate it (e.g. openssl rand -base64 32) rather
    # than choosing a word; "your_PSK" is a placeholder. The address must equal left=
    # in ipsec.conf. Run `ipsec secrets` (or restart) after editing.
    139.196.190.8 %any: PSK "your_PSK"

     139.196.190.8 是本机的公网IP,必须与 /etc/ipsec.conf 中的 left= 以及 xl2tpd.conf 中的 listen-addr 完全一致(上文 ipsec.conf 里写成了 139.196.190.88,是笔误)。/etc/ipsec.secrets 以明文保存 PSK,需 root 所有、权限 600;PSK 被所有客户端共用,应使用随机生成的长字符串而不是单词。

  4. ipsec
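    # (Re)start pluto, then let libreswan check the host for known problems
    # (rp_filter, NAT-T support, missing kernel modules). Fix everything
    # `ipsec verify` reports before connecting clients. The original line
    # "ipset setup restart ipsec verify" was these two commands run together,
    # with ipset (an unrelated tool) mistyped for ipsec.
    ipsec setup restart
    ipsec verify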

     

  5. /etc/xl2tpd/xl2tpd.conf
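    ; /etc/xl2tpd/xl2tpd.conf
    [global]
    ; SAref tracking needs a kernel with the SAref patch (KLIPS); with
    ; protostack=netkey in ipsec.conf xl2tpd presumably just warns and falls
    ; back, so this line is inert here (TODO confirm in xl2tpd's log).
    ipsec saref = yes
    ; Same public address as left= in ipsec.conf and the ipsec.secrets entry.
    listen-addr = 139.196.190.8
    [lns default]
    ; Pool handed to clients. 192.168.1.0/24 is the most common home-router subnet,
    ; so clients on such a LAN will have conflicting routes; a less common range
    ; avoids that. Whatever is chosen here must also be the subnet used by the
    ; FORWARD and MASQUERADE rules in the firewall step.
    ip range = 192.168.1.2-192.168.1.100
    local ip = 192.168.1.1
    ; PAP and plain CHAP refused; only MS-CHAPv2 remains (require-mschap-v2 in
    ; options.xl2tpd).
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ;name = l2tp/ipsec VPN
    ; Off in production: pppd debug writes the authentication exchange to syslog.
    ; Set to yes only while troubleshooting a session.
    ppp debug = no
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes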

     

  6. ppp(pppd)负责 PPP 链路上的用户认证,用户名和密码来自 /etc/ppp/chap-secrets(pptp 搭建的 VPN 也使用 pppd),所以 pptp 与 l2tp 可以共存在一台服务器上并共享账号信息,因为两者都用 pppd 完成用户登录。注意 pptp 没有 IPsec 保护,其 MS-CHAPv2 认证可以被离线破解,生产环境不建议同时开放 pptp。

  7. l2tp 也依赖于xl2tpd,配置文件有两个
    /etc/xl2tpd/xl2tpd.conf
    /etc/ppp/options.xl2tpd
    第一个文件将第二个文件包含
    /etc/ppp/options.xl2tpd(由 xl2tpd.conf 的 pppoptfile 指定)
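    # /etc/ppp/options.xl2tpd - pppd options for sessions started by xl2tpd.
    # Only MS-CHAPv2 is offered. On its own it is breakable offline, so here it is
    # only as strong as the IPsec tunnel around it, i.e. as strong as the shared PSK.
    require-mschap-v2
    # DNS servers pushed to clients
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    # `debug` logged every control packet, including the CHAP exchange, to syslog
    # on a production box; re-enable only while troubleshooting.
    #debug
    # Server name: must match the second field of chap-secrets ('*' there matches any).
    name l2tpd
    proxyarp
    # A session is torn down after 4 missed echoes, i.e. about 2 minutes; this is how
    # dead clients are reaped.
    lcp-echo-interval 30
    lcp-echo-failure 4
    
    #ipcp-accept-local
    #ipcp-accept-remote
    #noauth
    #noccp      (the original had "nocpp", which is not a pppd option)
    #crtscts
    #idle 1800
    #mtu 1410
    #mru 1410
    #nodefaultroute
    #debug
    #lock
    #proxyarp
    #connect-delay 5000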

     

  8. /etc/ppp/chap-secrets 用户名 & 密码文件
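    # /etc/ppp/chap-secrets - fields: client  server  secret  allowed-IP
    # root-owned, mode 0600: secrets are stored in clear text. The values below are
    # published with this post, so treat them as examples and rotate before use.
    # The rotation script (step 12) only touches the accounts it lists; an account
    # added here must be added there too, or its password is never changed.
    chenwk * SUt5MeOF *
    chenw * YAGKcmVS *
    sales * vq6RP0um *
    data * rD4217lb *
    personnel * AzTxPBzz *
    operation * PZbzIFx6 *
    tech * Rdev67K4 *
    dinghh * uC9oIMij *
    
    # Disabled: a secret equal to the user name is guessable by anyone who learns the
    # naming scheme, and this account is not in the rotation list. Give it a random
    # secret and an entry in account_list before re-enabling.
    #unary * unary *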

    每行格式为 `客户端名 服务端名 密码 允许的IP`。第二列的星号表示服务端名任意,所以同一条记录对 pppd `name` 为 pptpd 或 l2tpd 的服务都有效,pptp 与 l2tp 可以共用账号;第四列的星号表示不限制该用户在 PPP 链路上使用的 IP——它限制的是分配给用户的内网地址,而不是用户从哪个公网 IP 登录,改成具体值可以把某个用户固定到某个内网地址。另外 `unary * unary *` 这种密码与用户名相同的账号极易被猜到,而且不在第 12 步的轮换列表里,生产环境不要保留;本文件需 root 所有、权限 600。

  9. configuration iptables
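    #filter
    # Rules are appended in order: each REJECT must stay last in its chain. Run as
    # root on a flushed ruleset. Nothing here is persistent - save it (with
    # iptables-services: `iptables-save > /etc/sysconfig/iptables`) or it is gone
    # after a reboot.
    # VPN_NET is the subnet of `ip range` in xl2tpd.conf (192.168.1.2-.100 there).
    # The original used 172.16.0.0/24, which no client is ever assigned from that
    # pool, so real sessions were neither forwarded nor NATed.
    VPN_NET=192.168.1.0/24
    WAN_IF=eth0   # public interface; confirm with `ip route get 8.8.8.8`
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # IKE and NAT-T (ESP in UDP)
    iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    # L2TP is accepted only when it arrives inside an IPsec SA. The original accepted
    # UDP/1701 from anywhere, which lets a client (or anyone on the internet) run the
    # PPP/MS-CHAPv2 login with no IPsec around it at all.
    iptables -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    # GRE is PPTP, not L2TP/IPsec; keep only if pptpd also runs on this host (step 6).
    iptables -A INPUT -p gre -j ACCEPT
    # Clients that are not behind NAT send raw ESP (IP protocol 50). ipsec.conf sets
    # no phase2=ah, so the tunnel uses ESP; the original `-p ah` rule admitted nothing useful.
    iptables -A INPUT -p esp -j ACCEPT
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -A FORWARD -d "$VPN_NET" -j ACCEPT
    iptables -A FORWARD -s "$VPN_NET" -j ACCEPT
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
        
    #nat
    iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE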

     

  10. /etc/sysctl.conf
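    # Kernel settings for the gateway, written as a sysctl.d drop-in so that
    # `sysctl --system` applies them now and on every boot. The original piped the
    # heredoc into a file named 1.c, which sysctl never reads, and its leading "> "
    # are the interactive continuation prompt copied from a terminal, not content.
    printf '%s\n' \
        '# L2TP/IPsec gateway' \
        '# route between VPN clients and the outside' \
        'net.ipv4.ip_forward=1' \
        '# Reverse-path filtering breaks IPsec transport mode and makes ipsec verify' \
        '# complain. The kernel uses max(all, <iface>), and "default" only seeds' \
        '# interfaces created later (ppp+), so all and the public interface must be' \
        '# set too - the original set default only, leaving eth0 filtered.' \
        'net.ipv4.conf.all.rp_filter=0' \
        'net.ipv4.conf.default.rp_filter=0' \
        'net.ipv4.conf.eth0.rp_filter=0' \
        '# do not relay or accept ICMP redirects / source-routed packets' \
        'net.ipv4.conf.default.accept_source_route=0' \
        'net.ipv4.conf.all.send_redirects=0' \
        'net.ipv4.conf.default.send_redirects=0' \
        '# 0 = do not log spoofed-source packets; set 1 to see them in syslog' \
        'net.ipv4.conf.all.log_martians=0' \
        'net.ipv4.conf.default.log_martians=0' \
        'net.ipv4.conf.all.accept_redirects=0' \
        'net.ipv4.conf.default.accept_redirects=0' \
        '# the original key lacked the trailing "s" and was rejected by sysctl' \
        'net.ipv4.icmp_ignore_bogus_error_responses=1' \
        > /etc/sysctl.d/99-l2tp-ipsec.conf
    
    sysctl --system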

     

  11. 启动服务
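    # `start` alone does not survive a reboot, so enable both units as well. The
    # systemd in CentOS 7 (219) has no `enable --now`, hence separate commands.
    # xl2tpd is started second so its listener comes up after pluto.
    systemctl enable ipsec xl2tpd
    systemctl start ipsec
    systemctl start xl2tpd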

     

  12. 定期更改密码脚本
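    #!/usr/bin/env bash
    # Rotate the VPN (pppd CHAP) password of every account listed below and mail the
    # new one to its owner. Needs bash 4+ for the associative array: the original
    # shebang `#!/bin/env sh` is both a non-standard path (env lives in /usr/bin)
    # and a shell without arrays, so it only ever worked when run as `bash script`.
    # The passwords travel in clear-text email, so the mail path must be TLS-verified
    # (see mail.rc).
    set -eu
    # pipefail is left off on purpose: genpass ends its urandom | tr | head pipeline
    # with tr killed by SIGPIPE, which pipefail would report as a failure.
    
    # Parallel arrays: account_list[i] is notified at mail_list[i]. Keep them the
    # same length (sales -> wangj@, data -> rangf@ etc. are intentional, not typos).
    account_list=('chenwk' 'chenw' 'sales' 'data' 'personnel' 'operation' 'tech' 'dinghh')
    mail_list=('chenwk@ibm.com' 'chenw@ibm.com' 'wangj@ibm.com' 'rangf@ibm.com' 'zhaol@ibm.com'
               'qil@ibm.com' 'tech@ibm.com' 'dinghh@ibm.com')
    
    declare -A dict   # account -> mailbox, filled by make_dict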
    
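    # Fill dict[account] = mailbox from the two parallel arrays.
    # Fails (non-zero, dict untouched) when the arrays differ in length; the
    # original looped over account_list only and silently mapped any surplus
    # account to an empty mailbox.
    function make_dict(){
        local i
        if [ "${#account_list[@]}" -ne "${#mail_list[@]}" ]; then
            echo "make_dict: account_list has ${#account_list[@]} entries but mail_list has ${#mail_list[@]}" >&2
            return 1
        fi
        for ((i = 0; i < ${#account_list[@]}; i++)); do
            dict["${account_list[$i]}"]="${mail_list[$i]}"
        done
    }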
    
    make_dict   # build the account -> mailbox map before main needs it
    
    #for b in ${!dict[*]};do
    #       echo $b = ${dict[$b]}
    #done
    
    
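    # Print one random password of PASS_LEN (default 8) lowercase letters and digits.
    # The alphabet has 36 symbols, so 8 characters are only ~41 bits; raise PASS_LEN
    # for anything that is not also protected by the IPsec tunnel. LC_ALL=C keeps
    # tr byte-oriented so the ranges mean ASCII a-z / 0-9 in every locale.
    function genpass(){
        local len=${PASS_LEN:-8}
        local pass
        # A bounded read (4096 random bytes, ~570 usable characters) lets the
        # pipeline finish on its own instead of relying on head killing tr.
        pass=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c "$len")
        if [ "${#pass}" -ne "$len" ]; then
            echo "genpass: could not produce $len characters" >&2
            return 1
        fi
        printf '%s\n' "$pass"
    }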
    
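    # Give account $1 a fresh password in the secrets file and print that password.
    # File lines are "<client> <server> <secret> <ip>", so the secret is the third
    # whitespace-separated field (quoted secrets containing spaces are not handled).
    # Returns non-zero and prints nothing when the account has no line, so a caller
    # never mails a password that was not written - the original sed matched only a
    # secret of exactly 8 alphanumerics and reported nothing when it matched nothing.
    # The file edited is CHAP_SECRETS, default /root/chap-secrets as in the original;
    # pppd itself reads /etc/ppp/chap-secrets, so point it there (or copy afterwards).
    function changepass(){
        local account=$1
        local file=${CHAP_SECRETS:-/root/chap-secrets}
        local pass updated
        pass=$(genpass) || return 1
        # awk -v keeps account and secret out of the pattern text, unlike sed
        # interpolation; exit status 1 when no line had this client name.
        updated=$(awk -v acct="$account" -v pw="$pass" \
            'BEGIN { n = 0 } $1 == acct { $3 = pw; n++ } { print } END { exit n == 0 }' "$file") || {
            echo "changepass: no entry for $account in $file (or file unreadable)" >&2
            return 1
        }
        # Write back through the existing path rather than mv from a temp file so
        # the secrets file keeps its owner and 0600 mode; $(...) dropped the final
        # newline, printf restores it. Rewritten lines use single spaces as separators.
        printf '%s\n' "$updated" > "$file" || return 1
        printf '%s\n' "$pass"
    }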
    
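    # Mail the new password $2 to mailbox $1 for account $3.
    # $3 is optional and falls back to the mailbox local part, which is only right
    # when account and mailbox share a name: the original always used ${mail%%@*},
    # so sales/data/personnel/operation were told their account was wangj/rangf/...
    # The body is assembled with printf instead of a <<- heredoc, which only strips
    # tabs and so breaks as soon as the script is indented with spaces.
    # Note the body still carries the "test mail, please ignore" banner from the original.
    function send_mail(){
        local mail=$1
        local pass=$2
        local account=${3:-${mail%%@*}}
        local len=${#pass}
        printf '%s\n' \
            '################测试邮件,请勿理会####################' \
            "您好,账号${account}的VPN密码已变更为${pass}" \
            "密码的格式为小写字母和数字的组合,一共${len}位" \
            '请及时通知部门内相关人员,如有问题请及时联系管理员' \
            | mailx -s '认证中心VPN密码变更邮件通知' "$mail"
    }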
    
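    # Rotate every account in account_list and mail the new password to dict[account].
    # The mailbox is checked before the password is changed, so an account nobody
    # can be told about is left alone. The original echoed every new password to
    # stdout, which ends up in cron mail and terminal scrollback; only the account
    # and mailbox are printed now. Returns 1 if any account could not be rotated.
    # MAIL_INTERVAL (default 30 s) spaces the mails out, presumably to avoid the
    # relay rate-limiting the burst.
    function main(){
        local account pass mail
        local interval=${MAIL_INTERVAL:-30}
        local failed=0
        for account in "${account_list[@]}"; do
            mail=${dict[$account]:-}
            if [ -z "$mail" ]; then
                echo "main: $account has no mailbox in dict, not rotated" >&2
                failed=1
                continue
            fi
            if ! pass=$(changepass "$account"); then
                echo "main: password for $account NOT changed, no mail sent" >&2
                failed=1
                continue
            fi
            echo "rotated $account, notifying $mail"
            send_mail "$mail" "$pass" "$account"
            sleep "$interval"
        done
        return "$failed"
    }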
    
    main   # entry point: rotate every listed account, then mail each owner

     

  13. /etc/mail.rc
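    # /etc/mail.rc - mailx SMTP settings used by the rotation script.
    # The SMTP password is stored here in clear text: keep the file root-owned and
    # mode 0600. The password shown in the original post is now public and must be
    # changed on the mail account.
    set from=liuz@ibm.com
    set smtp=smtps://smtp.qiye.163.com:465
    set smtp-auth-user=liuz@ibm.com
    set smtp-auth-password=edification0!
    set smtp-auth=login
    # Was smtp-verify=ignore, which accepts any certificate on the SMTPS connection:
    # an on-path attacker could then read this login and every VPN password the
    # script mails. strict requires the server's CA in the NSS database named below
    # (certutil -d /root/.certs -A ...); use warn only while that is being set up.
    set smtp-verify=strict
    set nss-config-dir=/root/.certs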

     
