记得开放允许访问 UDP 500、1701、4500共3个端口
1. 服务器安装软件:
yum -y install openswan xl2tpd ppp
2. 服务器配置文件 /etc/ipsec.conf 修改内容如下,云服务器一般网卡地址填私网地址:
config setup
protostack=netkey
logfile=/var/log/ipsec.log
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
conn L2TP-PSK
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=网卡地址
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%priv
3. 设置 VPN 共享密钥,服务器配置文件 /etc/ipsec.secrets 修改内容如下,密钥自定义:
%any: PSK "密钥"
4. 修改服务器内核参数,服务器配置文件 /etc/sysctl.conf 修改或者添加内容如下:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.core.xfrm_larval_drop = 1
5. 服务器执行命令,修改内核参数立即生效:
sysctl -p
6. 执行脚本
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
echo 0 > $each/rp_filter
done
7. 防火墙添加规则:
iptables -t nat -A POSTROUTING ! -s 127.0.0.1/8 -j MASQUERADE
iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
8. 服务器启动 ipsec 服务:
- RHEL/CentOS 6系列:
service ipsec start
- RHEL/CentOS 7系列:
systemctl start ipsec
9. 服务器检查 ipsec 服务:
ipsec verify
运行结果显示类似如下,除两行不是 [OK] 表明正常:
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.9.3.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
10. 服务器配置文件 /etc/xl2tpd/xl2tpd.conf 修改内容如下:
[global]
ipsec saref = yes
[lns default]
ip range = VPN客户端内网起始IP地址-VPN客户端内网结束IP地址
local ip = VPN服务器内网IP地址
require chap = yes
refuse pap = yes
require authentication = yes
name = VPN Server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
11. 服务器配置文件 /etc/ppp/options.xl2tpd 修改内容如下:
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns DNS服务器地址1
ms-dns DNS服务器地址2
noccp
noipv6
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
noproxyarp
connect-delay 5000
lcp-echo-interval 0
lcp-echo-failure 0
logfile /var/log/xl2tpd.log
12.服务器启动 xl2tpd 服务
- RHEL/CentOS 6系列:
service xl2tpd start
- RHEL/CentOS 7系列:
systemctl start xl2tpd
13. 服务器配置文件 /etc/ppp/chap-secrets 添加账号,格式如下:
账号 * 密码 *
Windows 7及以上系统连接 L2TP over IPSec VPN 不稳定解决方法:
- 新建
.reg后缀名的文件,将下列内容添加至该文件并双击运行,之后重启电脑:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
6200
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
