centos 安装配置l2tp实现***

 

1      前言

L2TP是一种工业标准的Internet隧道协议,功能大致和PPTP协议类似,比如同样可以对网络数据流进行加密。不过也有不同之处,比如PPTP要求网络为IP网络,L2TP要求面向数据包的点对点连接;PPTP使用单一隧道,L2TP使用多隧道;L2TP提供包头压缩、隧道验证,而PPTP不支持。

MAC最新系统默认已经不支持pptp协议,所以配置l2tp较为合适。

 

2      安装配置

2.1  安装软件包

安装环境包

yum install make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man

安装l2tp

centos 6:

yum install openswan ppp xl2tpd

centos 7:

yum install  xl2tpd libreswan ppp

2.2  软件配置

2.2.1      编辑xl2tpd配置文件

vi /etc/xl2tpd/xl2tpd.conf

[global]

[lns default]

ip range = 192.168.1.100-192.168.1.254   #分配给客户端的地址池

local ip = 192.168.1.99

require chap = yes

refuse pap = yes

require authentication = yes

name = Linux×××server

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

 

2.2.2      编辑pppoptfile文件

vi /etc/ppp/options.xl2tpd

ipcp-accept-local

ipcp-accept-remote

ms-dns  8.8.8.8

ms-dns  8.8.4.4

noccp

auth

crtscts

idle 1800

mtu 1410

mru 1410

nodefaultroute

debug

lock

proxyarp

persist

connect-delay 5000

logfile /var/log/xl2tpd.log

 

2.2.3      编辑ipsec配置文件

vi /etc/ipsec.conf

默认就好:

config setup

        protostack=netkey

        dumpdir=/var/run/pluto/

        virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

        include /etc/ipsec.d/*.conf

vi /etc/ipsec.d/l2tp-ipsec.conf

conn L2TP-PSK-NAT

    rightsubnet=0.0.0.0/0

    dpddelay=10

    dpdtimeout=20

    dpdaction=clear

    forceencaps=yes

    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT

    authby=secret

    pfs=no

    auto=add

    keyingtries=3

    rekey=no

    ikelifetime=8h

    keylife=1h

    type=transport

    left=114.114.114.114(服务器公网地址)

    leftprotoport=17/1701

    right=%any

    rightprotoport=17/%any

 

2.2.4      设置用户名密码

vi /etc/ppp/chap-secrets

#用户名               服务名           密码                                   指定IP

username         *       "password"                     *

 

2.2.5      设置PSK预共享密钥

vi /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets

114.114.114.114 %any: PSK "YourPsk"

###YourPsk为预共享密钥。114.114.114.114为服务器公网IP

 

2.2.6      IP_FORWARD设置

vi /etc/sysctl.conf

追加或修改:

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.default.log_martians = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.icmp_ignore_bogus_error_responses = 1

生效:

sysctl –p

 

2.2.7      ipsec启动

centos6:

/etc/init.d/ipsec restart

centos7:

systemctl restart ipsec

2.2.8      ipsec检查

ipsec verify

正常的输出:

Verifying installed system and configuration files

 

Version check and ipsec on-path                         [OK]

Libreswan 3.15 (netkey) on 2.6.32-573.3.1.el6.x86_64

Checking for IPsec support in kernel                    [OK]

 NETKEY: Testing XFRM related proc values

         ICMP default/send_redirects                    [OK]

         ICMP default/accept_redirects                  [OK]

         XFRM larval drop                               [OK]

Pluto ipsec.conf syntax                                 [OK]

Hardware random device                                  [N/A]

Two or more interfaces found, checking IP forwarding    [OK]

Checking rp_filter                                      [OK]

Checking that pluto is running                          [OK]

 Pluto listening for IKE on udp 500                     [OK]

 Pluto listening for IKE/NAT-T on udp 4500              [OK]

 Pluto ipsec.secret syntax                              [OK]

Checking 'ip' command                                   [OK]

Checking 'iptables' command                             [OK]

Checking 'prelink' command does not interfere with FIPS [PRESENT]

Checking for obsolete ipsec.conf options                [OK]

Opportunistic Encryption                                [DISABLED]

 

 

2.2.9      xl2tpd启动

centos6:

/etc/init.d/xl2tpd restart

centos7:

systemctl restart xl2tpd

 

2.2.10    日志配置

记录对方IP地址:

这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-xl2tpd.conf文件,内容如下:

vi /etc/rsyslog.d/20-xl2tpd.conf

if $programname == 'xl2tpd' then /var/log/l2tp-***.log

&~

 

这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-pptpd.conf文件,内容如下:

vi /etc/rsyslog.d/20-pptpd.conf

if $programname == 'pppd' then /var/log/l2tp-***.log

&~

 

重启rsyslog服务

centos6:

/etc/init.d/rsyslog restart

centos7:

systemctl restart rsyslog

 

记录用户名和登录时间:

在/etc/ppp/ip-up 脚本中加入

echo >> /var/log/l2tp-***.log

echo "Start_Time: `date -d today +%F_%T`" >> /var/log/l2tp-***.log  ##登录时间戳

echo "username: $PEERNAME" >> /var/log/l2tp-***.log  ##用户名

echo >> /var/log/l2tp-***.log

 

在/etc/ppp/ip-down 脚本中加入

echo "Stop_Time: `date -d today +%F_%T`" >> /var/log/l2tp-***.log  ##断开时间戳

echo "username: $PEERNAME" >> /var/log/l2tp-***.log  ##用户名

echo >> /var/log/l2tp-***.log

 

2.2.11    使用×××服务器公网做为客户端互联网出口(跳板机、代理)

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE (eth1为公网网卡)

2.2.12    访问×××服务器所在的内网其它服务器

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE (eth0为私网网卡)

2.3  客户端连接(windows)

注意这里只是说明windows方法,MAC和手机方法大致相同:

 

 

 

 

 

 

 

 

 

 

 

 

直接连接即可

如遇不能访问谷歌和youtube,但能访问facebook,很有可能注册表被修改导致。

查看注册表并恢复:

1. 单击“开始”,单击“运行”,键入“regedit”,然后单击“确定”

2. 找到下面的注册表子项,然后单击它:

HKEY_LOCAL_MACHINE\ System\CurrentControlSet\Services\Rasman\Parameters

 

确保是0不是1

如有ProhibitIpSec,将其删除