L2TP/IPsec VPN
1、安装软件
yum -y install epel-release
yum -y install openswan ppp xl2tpd
2、修改ipsec的配置文件
# cd /etc/ipsec.d/
# ls ./*.conf|xargs -I {} mv {} {}.bak
# vim L2TP.conf
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
# 本机的真实 IP(注释写在单独一行,避免被当作配置值的一部分)
left=192.168.10.10
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
3、配置ipsec秘钥
vim /etc/ipsec.d/L2TP.secrets
192.168.10.10 %any: PSK "YourPsk"
# YourPsk 为预共享密钥(PSK),应替换为足够长的随机字符串
4、修改forward转发
编辑文件
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
# sysctl -p
执行命令
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
并将此命令写入rc.local文件
5、确认ipsec状态
service ipsec start
ipsec verify
# 确保没有failed
# 如果出现nss 错误,执行以下命令
certutil -N -d /etc/ipsec.d
ipsec newhostkey --output my.secrets --bits 2192 --verbose --configdir /etc/pki/nssdb/
6、编辑/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
; 本机的真实 IP(xl2tpd.conf 的注释以 ; 开头并单独成行)
listen-addr = 192.168.10.10
[lns default]
; 分给 VPN 客户端的 IP 地址池
ip range = 192.168.20.128-192.168.20.254
; 本机的 VPN IP
local ip = 192.168.20.99
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = y
7、编辑 /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 223.5.5.5
ms-dns 114.114.114.114
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
8、编辑 /etc/ppp/chap-secrets(此配置文件设置 VPN 的用户名和密码;下面的 admin/admin 仅为示例,应替换为强口令)
# Secrets for authentication using CHAP
# client server secret IP addresses
admin * admin *
9、启动相应的服务:
service xl2tpd start
service ipsec start
10、iptables修改:
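# Firewall rules for the L2TP/IPsec server.
# SNAT traffic from the VPN client pool (192.168.20.0/24) to the server's real IP.
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j SNAT --to-source 192.168.10.10
# L2TP control/data (UDP 1701). This rule accepts plain L2TP even when no IPsec
# SA is in place; to require IPsec, add `-m policy --dir in --pol ipsec` to it.
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 1701 -j ACCEPT
# IKE (UDP 500) and IPsec NAT-Traversal (UDP 4500). The original listed UDP 500
# twice and never opened 4500, which breaks clients behind NAT (see the NAT
# section below, which lists 500, 4500 and 1701 as the required ports).
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 4500 -j ACCEPT
# ESP carries the encrypted payload when no NAT is in the path.
iptables -I INPUT -p esp -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables restart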
PPTP VPN
据经验 IPsec/L2TP VPN 比较慢,还有反馈 iOS 设备不能连,所以可以选用 PPTP VPN,配置方便,连接速度快;但 PPTP 依赖的 MS-CHAPv2/MPPE 已被证明可被破解,不适合需要保密的流量。
1、安装pptp
yum install -y pptpd
2、编辑/etc/ppp/options.pptpd 设置自己的dns
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
3、编辑 /etc/ppp/chap-secrets,设置 VPN 账号密码(以下账号和口令仅为示例,请替换为强口令)
vultr1 pptpd P@$$w0rd *
vultr2 pptpd P@$$w0rd2 *
4、编辑/etc/pptpd.conf,配置分配给客户端的ip
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.80.1
remoteip 192.168.80.101-200
5、编辑/etc/sysctl.conf
sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
6、设置防火墙转发
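# Firewall rules for the PPTP server.
# PPTP control channel (TCP 1723).
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
# The tunnel itself runs over GRE (IP protocol 47); without this rule the
# control connection succeeds but no data flows once INPUT drops by default.
iptables -A INPUT -p gre -j ACCEPT
# NAT traffic from the VPN client pool (192.168.80.0/24) leaving via eth0.
# The original had the alternative command fused onto this line after
# "MASQUERADE", which would be passed to iptables as part of the target name.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.0/24 -j MASQUERADE
# Alternative when the public address is fixed:
# iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -j SNAT --to-source 192.168.10.10
service iptables save
service iptables start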
7、启动服务
service pptpd start
chkconfig pptpd on
访问在 NAT 设备后搭建的 VPN 服务器
1、VPN 服务器的搭建跟正常的无异,NAT 设备上要开启相应的服务端口并映射到服务器:L2TP/IPsec 需要映射 UDP 500、4500、1701;PPTP 需要映射 TCP 1723 并放行 GRE 协议
2、windows 系统 需要设置注册表以访问在nat设备后的***服务器
* 找到HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
* 右键编辑,新建DWORD (32-bit) Value,命名为AssumeUDPEncapsulationContextOnSendRule
* 修改值为2
* 重启电脑
转载于:https://blog.51cto.com/2765034/2054723