本环境为AWS EC2 instance Amazon Linux :
1、安装所需软件
yum install make gcc gmp-devel bison flex lsof wget libpcap-devel ppp policycoreutils
2、下载、安装、配置openswan
[root@redis01-jp ~]# wget --no-check-certificate http://www.openswan.org/download/openswan-2.6.49.tar.gz [root@redis01-jp ~]# tar -zxvf openswan-2.6.49.tar.gz (软件版本有可能发生变化) [root@redis01-jp ~]# cd openswan-2.6.49 [root@redis01-jp openswan-2.6.49]# make programs install [root@redis01-jp openswan-2.6.49]# cd [root@redis01-jp ~]# vim /etc/ipsec.conf [root@redis01-jp ~]# grep -P -v "^#|^\t#|^$" /etc/ipsec.conf version 2.0 # conforms to second version of ipsec.conf specification config setup dumpdir=/var/run/pluto/ nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 oe=off protostack=netkey #将原auto改为netkey conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=172.31.24.139 #本机IP地址 leftprotoport=17/1701 right=%any rightprotoport=17/%any [root@redis01-jp ~]# [root@redis01-jp ~]# vim /etc/ipsec.secrets [root@redis01-jp ~]# cat /etc/ipsec.secrets 172.31.24.139 %any: PSK "Yeecall" #其中 Yeecall为预共享密钥（示例值；实际部署应使用足够长的随机字符串，且 /etc/ipsec.secrets 应仅 root 可读） include /etc/ipsec.d/*.secrets [root@redis01-jp ~]# 以下修改IP包转发 [root@redis01-jp ~]# for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done [root@redis01-jp ~]# echo 1 >/proc/sys/net/core/xfrm_larval_drop [root@redis01-jp ~]# vim /etc/sysctl.conf [root@redis01-jp ~]# sysctl -p net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 kernel.sysrq = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 68719476736 kernel.shmall = 4294967296 vm.overcommit_memory = 1 [root@redis01-jp ~]# 以下启动openswan服务 [root@redis01-jp ~]# /etc/init.d/ipsec restart ipsec_setup: Stopping Openswan IPsec... ipsec_setup: stop ordered, but IPsec appears to be already stopped! ipsec_setup: doing cleanup anyway... 
ipsec_setup: Starting Openswan IPsec U2.6.49/K4.4.35-33.55.amzn1.x86_64...
3、下载、安装 rp-l2tp和xl2tp
[root@redis01-jp ~]#cd ;wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz [root@redis01-jp ~]# tar -zxvf rp-l2tp-0.4.tar.gz [root@redis01-jp ~]# cd rp-l2tp-0.4/ ; ./configure && make [root@redis01-jp rp-l2tp-0.4]# cp handlers/l2tp-control /usr/local/sbin/ [root@redis01-jp rp-l2tp-0.4]# mkdir /var/run/xl2tpd/ [root@redis01-jp rp-l2tp-0.4]# ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control [root@redis01-jp rp-l2tp-0.4]# cd && wget https://github.com/xelerance/xl2tpd/archive/v1.3.7.tar.gz [root@redis01-jp ~]# tar xfz v1.3.7.tar.gz [root@redis01-jp ~]# cd xl2tpd-1.3.7/ [root@redis01-jp xl2tpd-1.3.7]# make && make install [root@redis01-jp xl2tpd-1.3.7]# mkdir /etc/xl2tpd [root@redis01-jp xl2tpd-1.3.7]# vim /etc/xl2tpd/xl2tpd.conf [root@redis01-jp xl2tpd-1.3.7]# cat /etc/xl2tpd/xl2tpd.conf [global] ipsec saref = yes [lns default] ip range = 10.8.0.150-10.8.0.254 local ip = 172.31.24.139 #本机IP地址 refuse chap = yes refuse pap = yes require authentication = yes ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes [root@redis01-jp xl2tpd-1.3.7]# cd [root@redis01-jp ~]# vim /etc/ppp/options.xl2tpd [root@redis01-jp ~]# cat /etc/ppp/options.xl2tpd require-mschap-v2 ms-dns 8.8.8.8 ms-dns 8.8.4.4 asyncmap 0 auth crtscts lock hide-password modem debug name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4 [root@redis01-jp ~]# [root@redis01-jp ~]# vim /etc/ppp/chap-secrets [root@redis01-jp ~]# cat /etc/ppp/chap-secrets # Secrets for authentication using CHAP # client server secret IP addresses test * test * （此处的 test/test 仅为测试账号，对外开放前应替换为强口令；上线后也应关闭 xl2tpd.conf 中的 ppp debug = yes 和 options.xl2tpd 中的 debug 等调试选项）
4、添加iptables 转发规则
[root@redis01-jp ~]# iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE [root@redis01-jp ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] [root@redis01-jp ~]#
5、以debug 方式启动xl2tpd进程,使用客户端连接并观察输出日志:
[root@redis01-jp ~]# /etc/init.d/ipsec restart ipsec_setup: Stopping Openswan IPsec... ipsec_setup: Starting Openswan IPsec U2.6.49/K4.4.35-33.55.amzn1.x86_64... [root@redis01-jp ~]# xl2tpd -D #如果去掉参数-D 表示启动后台进程
6、最后将IP转发相关设置存放在/etc/rc.local ,以便下次重启再次生效。
tail /etc/rc.local for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done echo 1 >/proc/sys/net/core/xfrm_larval_drop [ ! -e /var/run/xl2tpd/l2tp-control ] && ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control /etc/init.d/ipsec restart xl2tpd -D &>> /var/log/xl2tpd.log &
7、开放防火墙（含 AWS 安全组）的 UDP 1701/500/4500 端口
如果在本服务器上添加pptp功能,步骤如下（注意：PPTP 及其 MS-CHAPv2 认证在密码学上已被证明不安全，仅建议用于兼容旧客户端，不应用于保护敏感流量）:
[root@redis01-jp ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo [root@redis01-jp ~]# yum install pptpd -y （该仓库文件经明文 HTTP 下载后直接写入 yum 配置，写入前应核对文件内容并确认仓库启用了 gpgcheck=1）
修改配置如下:
[root@redis01-jp ~]# vim /etc/pptpd.conf [root@redis01-jp ~]# grep -Pv "^(#|$)" /etc/pptpd.conf option /etc/ppp/options.pptpd debug logwtmp localip 10.8.0.2 remoteip 10.8.0.100-200 （注意：remoteip 10.8.0.100-200 与上文 xl2tpd 的 ip range = 10.8.0.150-10.8.0.254 存在重叠，两者同时运行时应调整为互不重叠的地址段） [root@redis01-jp ~]# vim /etc/ppp/options.pptpd [root@redis01-jp ~]# cat /etc/ppp/options.pptpd | grep -Pv "^(#|$)" name pptpd refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 ms-dns 8.8.8.8 ms-dns 8.8.4.4 proxyarp debug dump lock nobsdcomp novj novjccomp logfile /var/log/pptpd.log [root@redis01-jp ~]# cat /etc/ppp/chap-secrets 用户名密码列表文件 # Secrets for authentication using CHAP # client server secret IP addresses [root@redis01-jp ~]# chkconfig pptpd on [root@redis01-jp ~]# chkconfig pptpd --list [root@redis01-jp ~]# service pptpd restart
开放防火墙 TCP 1723 端口（PPTP 同时依赖 GRE 协议，防火墙/安全组也需放行 GRE）
转载于:https://blog.51cto.com/caiyuanji/1896502