安装{
1、一些预先准备的环境
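# Build/debug tooling plus the three VPN packages: Openswan (IKE/IPsec),
# xl2tpd (L2TP) and ppp (the PPP link). The original listed xmlto twice.
yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
# xl2tpd normally comes from EPEL on CentOS 6 -- enable that repo first if
# yum reports "No package xl2tpd available".
# NOTE(review): Openswan is no longer maintained upstream (Libreswan is its
# continuation); confirm which one your distribution actually ships.
yum install openswan ppp xl2tpd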
2、配置
(1)
vi /etc/ipsec.conf
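# Parameter lines MUST be indented: an unindented line starts a new section,
# so a copy of this file with the indentation stripped does not parse.
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    # Needed for clients behind NAT (ESP-in-UDP on port 4500).
    nat_traversal=yes
    # Private ranges a NATed client may present as its inner address.
    # The pool xl2tpd hands out (10.10.0.0/24 in this guide) lies inside
    # 10.0.0.0/8; the upstream L2TP/IPsec examples exclude the pool here
    # so it is never treated as a client's virtual address. Keep this in
    # step with "ip range" in /etc/xl2tpd/xl2tpd.conf.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/24

# Variant matched for clients behind NAT; everything else is inherited.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # A single pre-shared key shared by every client (see ipsec.secrets).
    # Anyone holding it can pose as the server to the other clients, so it
    # must be long and random, and rotated when a client is decommissioned.
    authby=secret
    # pfs=no is what the built-in Windows/macOS L2TP clients expect; it gives
    # up phase-2 forward secrecy for compatibility.
    pfs=no
    auto=add
    keyingtries=3
    # Dead-peer detection: probe every 30s, clear the SA after 120s silence.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Transport mode: IPsec only protects the L2TP/UDP packets between the
    # two endpoints; the actual tunnel is L2TP/PPP inside.
    type=transport
    # NOTE(review): no ike=/phase2alg= lines, so the Openswan defaults apply
    # (older releases still offer 3DES/MD5/modp1024). Pin stronger proposals
    # here if your clients support them.
    # Replace "ip" with the server's public IP.
    left=ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any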
(2)
vi /etc/ipsec.secrets
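# Keep the drop-in include Openswan ships with.
include /etc/ipsec.d/*.secrets
# Format: <your public IP> %any: PSK "<your key>"
# One PSK is shared by every client, so it must be long and random, e.g.
#   openssl rand -base64 32
# Never use a trivial value like 123456. The file holds the key in clear:
#   chmod 600 /etc/ipsec.secrets
ip %any: PSK "REPLACE_WITH_A_LONG_RANDOM_KEY"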
(3)
修改/添加 /etc/sysctl.conf并生效
vi /etc/sysctl.conf
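# IPv6 is left untouched (these stay commented out). Note that every
# iptables rule in this guide is IPv4-only.
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
# The server routes client traffic, so forwarding is mandatory -- which also
# makes the iptables FORWARD chain the only barrier between VPN clients and
# every network this host can reach.
net.ipv4.ip_forward = 1
# Reverse-path filtering drops IPsec/L2TP return traffic. The kernel uses
# max(conf/all, conf/<iface>), so clear "all" as well as "default";
# interfaces that already exist keep their own value until set explicitly.
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
# "ipsec verify" checks that ICMP redirects are off in both directions.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Martian logging off: this hides spoofed/misrouted packets from the log.
# Set to 1 if you want that visibility on a VPN gateway.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# Refuse source-routed packets on existing interfaces too, not only new ones.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1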
# Apply the settings now (they are also read at boot). Note this only sets
# "default" rp_filter, so interfaces that already exist keep their value --
# check /proc/sys/net/ipv4/conf/*/rp_filter.
sysctl -p
(4)验证ipsec运行状态
# Restart pluto with the new configuration, then run Openswan's self-check.
ipsec restart
# Everything except "SAref" and "Opportunistic Encryption" should be [OK];
# a failure on the send/accept_redirects checks usually means the sysctl
# settings above have not been applied yet.
ipsec verify
如果出现如下内容,说明已经成功:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.20.3.0.1.el6.centos.plus.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
(5) 编辑 /etc/xl2tpd/xl2tpd.conf(不建议跳过:第(8)步的 NAT 规则中的 10.10.0.0/24 必须与这里的 ip range 一致,沿用软件包自带的默认地址段会对不上)
ip range 填分配给拨入客户端的地址段;local ip 填服务器自己在 PPP 链路上使用的地址(不是客户端地址)
[lns default]
; Addresses handed to dialing clients. Must match the -s 10.10.0.0/24 in the
; MASQUERADE rule of step (8) or client traffic is never NATed.
ip range = 10.10.0.2-10.10.0.100
; The server's own end of each PPP link -- not a client address.
local ip = 10.10.0.1
; CHAP only: PAP would carry the password in clear over the PPP link.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
; Logs PPP negotiation via syslog; useful while debugging, noisy afterwards.
ppp debug = yes
; pppd options file. This guide never shows its contents; the xl2tpd package
; ships an example. Make sure it exists and that its "name" option matches
; the server column in /etc/ppp/chap-secrets.
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
bps = 1000000
(6)配置用户名,密码:编辑 /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
# The "server" column must equal the "name" option in the pppd options file
# (/etc/ppp/options.xl2tpd, not shown in this guide); l2tpd is the usual
# value -- confirm it. Passwords are stored in clear text, so the file must
# stay root-only: chmod 600 /etc/ppp/chap-secrets
"username" l2tpd "userpass" * # error 619 on the client: keep the double quotes
(7)重启xl2tp
# Reload xl2tpd so it picks up xl2tpd.conf and chap-secrets.
service xl2tpd restart
(8)添加自启动
# Start the firewall, IPsec (pluto) and xl2tpd at boot.
for svc in ipsec xl2tpd iptables; do chkconfig "$svc" on; done
# Source-NAT the VPN pool (must equal "ip range" in /etc/xl2tpd/xl2tpd.conf)
# on the interface its traffic leaves through: the LAN interface when the
# VPN only reaches the intranet, the public one when clients also use it for
# Internet access. Replace eth0 accordingly.
iptables --table nat --append POSTROUTING --source 10.10.0.0/24 --out-interface eth0 --jump MASQUERADE
# Persist to /etc/sysconfig/iptables so the rule survives a restart.
service iptables save
(9)防火墙
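# Firewall for L2TP/IPsec.
# The original also opened tcp/47 and tcp/1723. Those belong to PPTP (and 47
# is the GRE *protocol* number, not a TCP port); nothing in this setup
# listens on them, so they are dropped here.
#
# CAVEAT: these rules use -A (append). If the stock CentOS 6 rule set is
# still in place, INPUT and FORWARD end with a REJECT rule and anything
# appended after it never matches. Insert with -I, or remove that trailing
# REJECT first (iptables -L -n --line-numbers).

# Anything that arrived inside an IPsec SA (this already covers udp/1701).
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
# Masquerade forwarded traffic that is not going back out over IPsec.
# This matches every forwarded source, not only the VPN pool; the pool-only
# rule from step (8) is the narrower one -- keep this only if you need it.
/sbin/iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
# VPN clients (ppp+) may open new connections; replies to established ones
# flow back. Whether anything else reaches the clients depends on the rest
# of the FORWARD chain.
/sbin/iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Plain L2TP only when protected by IPsec (redundant with the first INPUT
# rule, kept for clarity). Never open udp/1701 unconditionally.
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
# IKE and NAT-T.
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
service iptables save
service iptables restart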
}
启动
# Bring xl2tpd up with the final configuration and confirm it is running.
service xl2tpd restart
service xl2tpd status
日记
# Follow the syslog output of pluto, xl2tpd and pppd live while a client dials in.
tail /var/log/messages -f
日志出现 Maximum retries exceeded for tunnel 时,通常是 L2TP 协商阶段双方参数不匹配;无法判断是服务器还是客户端的问题时,最好用 2 台以上不同的客户端分别测试以便区分
1、一些预先准备的环境
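# Build/debug tooling plus the three VPN packages: Openswan (IKE/IPsec),
# xl2tpd (L2TP) and ppp (the PPP link). The original listed xmlto twice.
yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
# xl2tpd normally comes from EPEL on CentOS 6 -- enable that repo first if
# yum reports "No package xl2tpd available".
# NOTE(review): Openswan is no longer maintained upstream (Libreswan is its
# continuation); confirm which one your distribution actually ships.
yum install openswan ppp xl2tpd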
2、配置
(1)
vi /etc/ipsec.conf
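# Parameter lines MUST be indented: an unindented line starts a new section,
# so a copy of this file with the indentation stripped does not parse.
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    # Needed for clients behind NAT (ESP-in-UDP on port 4500).
    nat_traversal=yes
    # Private ranges a NATed client may present as its inner address.
    # The pool xl2tpd hands out (10.10.0.0/24 in this guide) lies inside
    # 10.0.0.0/8; the upstream L2TP/IPsec examples exclude the pool here
    # so it is never treated as a client's virtual address. Keep this in
    # step with "ip range" in /etc/xl2tpd/xl2tpd.conf.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/24

# Variant matched for clients behind NAT; everything else is inherited.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # A single pre-shared key shared by every client (see ipsec.secrets).
    # Anyone holding it can pose as the server to the other clients, so it
    # must be long and random, and rotated when a client is decommissioned.
    authby=secret
    # pfs=no is what the built-in Windows/macOS L2TP clients expect; it gives
    # up phase-2 forward secrecy for compatibility.
    pfs=no
    auto=add
    keyingtries=3
    # Dead-peer detection: probe every 30s, clear the SA after 120s silence.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Transport mode: IPsec only protects the L2TP/UDP packets between the
    # two endpoints; the actual tunnel is L2TP/PPP inside.
    type=transport
    # NOTE(review): no ike=/phase2alg= lines, so the Openswan defaults apply
    # (older releases still offer 3DES/MD5/modp1024). Pin stronger proposals
    # here if your clients support them.
    # Replace "ip" with the server's public IP.
    left=ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any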
(2)
vi /etc/ipsec.secrets
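# Keep the drop-in include Openswan ships with.
include /etc/ipsec.d/*.secrets
# Format: <your public IP> %any: PSK "<your key>"
# One PSK is shared by every client, so it must be long and random, e.g.
#   openssl rand -base64 32
# Never use a trivial value like 123456. The file holds the key in clear:
#   chmod 600 /etc/ipsec.secrets
ip %any: PSK "REPLACE_WITH_A_LONG_RANDOM_KEY"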
(3)
修改/添加 /etc/sysctl.conf并生效
vi /etc/sysctl.conf
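# IPv6 is left untouched (these stay commented out). Note that every
# iptables rule in this guide is IPv4-only.
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
# The server routes client traffic, so forwarding is mandatory -- which also
# makes the iptables FORWARD chain the only barrier between VPN clients and
# every network this host can reach.
net.ipv4.ip_forward = 1
# Reverse-path filtering drops IPsec/L2TP return traffic. The kernel uses
# max(conf/all, conf/<iface>), so clear "all" as well as "default";
# interfaces that already exist keep their own value until set explicitly.
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
# "ipsec verify" checks that ICMP redirects are off in both directions.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Martian logging off: this hides spoofed/misrouted packets from the log.
# Set to 1 if you want that visibility on a VPN gateway.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# Refuse source-routed packets on existing interfaces too, not only new ones.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1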
# Apply the settings now (they are also read at boot). Note this only sets
# "default" rp_filter, so interfaces that already exist keep their value --
# check /proc/sys/net/ipv4/conf/*/rp_filter.
sysctl -p
(4)验证ipsec运行状态
# Restart pluto with the new configuration, then run Openswan's self-check.
ipsec restart
# Everything except "SAref" and "Opportunistic Encryption" should be [OK];
# a failure on the send/accept_redirects checks usually means the sysctl
# settings above have not been applied yet.
ipsec verify
如果出现如下内容,说明已经成功:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.20.3.0.1.el6.centos.plus.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
(5) 编辑 /etc/xl2tpd/xl2tpd.conf(不建议跳过:第(8)步的 NAT 规则中的 10.10.0.0/24 必须与这里的 ip range 一致,沿用软件包自带的默认地址段会对不上)
ip range 填分配给拨入客户端的地址段;local ip 填服务器自己在 PPP 链路上使用的地址(不是客户端地址)
[lns default]
; Addresses handed to dialing clients. Must match the -s 10.10.0.0/24 in the
; MASQUERADE rule of step (8) or client traffic is never NATed.
ip range = 10.10.0.2-10.10.0.100
; The server's own end of each PPP link -- not a client address.
local ip = 10.10.0.1
; CHAP only: PAP would carry the password in clear over the PPP link.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
; Logs PPP negotiation via syslog; useful while debugging, noisy afterwards.
ppp debug = yes
; pppd options file. This guide never shows its contents; the xl2tpd package
; ships an example. Make sure it exists and that its "name" option matches
; the server column in /etc/ppp/chap-secrets.
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
bps = 1000000
(6)配置用户名,密码:编辑 /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
# The "server" column must equal the "name" option in the pppd options file
# (/etc/ppp/options.xl2tpd, not shown in this guide); l2tpd is the usual
# value -- confirm it. Passwords are stored in clear text, so the file must
# stay root-only: chmod 600 /etc/ppp/chap-secrets
"username" l2tpd "userpass" * # error 619 on the client: keep the double quotes
(7)重启xl2tp
# Reload xl2tpd so it picks up xl2tpd.conf and chap-secrets.
service xl2tpd restart
(8)添加自启动
# Start the firewall, IPsec (pluto) and xl2tpd at boot.
for svc in ipsec xl2tpd iptables; do chkconfig "$svc" on; done
# Source-NAT the VPN pool (must equal "ip range" in /etc/xl2tpd/xl2tpd.conf)
# on the interface its traffic leaves through: the LAN interface when the
# VPN only reaches the intranet, the public one when clients also use it for
# Internet access. Replace eth0 accordingly.
iptables --table nat --append POSTROUTING --source 10.10.0.0/24 --out-interface eth0 --jump MASQUERADE
# Persist to /etc/sysconfig/iptables so the rule survives a restart.
service iptables save
(9)防火墙
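# Firewall for L2TP/IPsec.
# The original also opened tcp/47 and tcp/1723. Those belong to PPTP (and 47
# is the GRE *protocol* number, not a TCP port); nothing in this setup
# listens on them, so they are dropped here.
#
# CAVEAT: these rules use -A (append). If the stock CentOS 6 rule set is
# still in place, INPUT and FORWARD end with a REJECT rule and anything
# appended after it never matches. Insert with -I, or remove that trailing
# REJECT first (iptables -L -n --line-numbers).

# Anything that arrived inside an IPsec SA (this already covers udp/1701).
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
/sbin/iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
# Masquerade forwarded traffic that is not going back out over IPsec.
# This matches every forwarded source, not only the VPN pool; the pool-only
# rule from step (8) is the narrower one -- keep this only if you need it.
/sbin/iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
# VPN clients (ppp+) may open new connections; replies to established ones
# flow back. Whether anything else reaches the clients depends on the rest
# of the FORWARD chain.
/sbin/iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Plain L2TP only when protected by IPsec (redundant with the first INPUT
# rule, kept for clarity). Never open udp/1701 unconditionally.
/sbin/iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
# IKE and NAT-T.
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
service iptables save
service iptables restart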
}
启动
# Bring xl2tpd up with the final configuration and confirm it is running.
service xl2tpd restart
service xl2tpd status
日记
# Follow the syslog output of pluto, xl2tpd and pppd live while a client dials in.
tail /var/log/messages -f
日志出现 Maximum retries exceeded for tunnel 时,通常是 L2TP 协商阶段双方参数不匹配;无法判断是服务器还是客户端的问题时,最好用 2 台以上不同的客户端分别测试以便区分
若因连接或密码错误次数过多而无法再连接,可执行 service ipsec restart;重启后能重新连上的,多半是客户端一侧的问题
参考:
http://www.cnblogs.com/pomme/p/6767721.html