I. Install the software

  yum install -y openswan ppp xl2tpd

II. Configure IPsec

 1. Configure ipsec.conf

  cat /etc/ipsec.conf

    config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        oe=off

    conn %default
        forceencaps=yes

    conn L2TP-PSK-NAT              [defines a ××× connection; L2TP-PSK-NAT is the name of this connection]
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add                   [after ipsec starts, the ××× connection is loaded and waits for the client to initiate; auto=add never initiates it]
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=133.3.5.16            [public IP]
        leftprotoport=17/1701      [*** server port]
        right=%any
        rightprotoport=17/%any
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear

 2. Configure the IPsec pre-shared key

  cat /etc/ipsec.secrets

    121.46.20.249 %any: PSK "good321"
       [public IP; must be the same address as left= in ipsec.conf]   [shared key]

       

 3. Modify the packet forwarding (ICMP redirect) settings

  for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects ; done

 4. Restart IPsec and verify

  service ipsec restart

  ipsec verify  [if the output looks like the following, everything is working]

    Verifying installed system and configuration files
    Version check and ipsec on-path                   [OK]
    Libreswan 3.15 (netkey) on 2.6.32-279.el6.x86_64
    Checking for IPsec support in kernel              [OK]
    NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              [OK]
         ICMP default/accept_redirects            [OK]
         XFRM larval drop                         [OK]
    Pluto ipsec.conf syntax                           [OK]
    Hardware random device                            [N/A]
    Two or more interfaces found, checking IP forwarding[OK]
    Checking rp_filter                                [OK]
    Checking that pluto is running                    [OK]
    Pluto listening for IKE on udp 500               [OK]
    Pluto listening for IKE/NAT-T on udp 4500        [OK]
    Pluto ipsec.secret syntax                        [OK]
    Checking 'ip' command                             [OK]
    Checking 'iptables' command                       [OK]
    Checking 'prelink' command does not interfere with FIPS
    Checking for obsolete ipsec.conf options          [OK]
    Opportunistic Encryption                          [DISABLED]

  Common verification failures and how to fix them

  1. Two or more interfaces found, checking IP forwarding [Failed]

    echo 1 > /proc/sys/net/ipv4/ip_forward   [takes effect without restarting the service]
    vi /etc/sysctl.conf   [set the following]
     net.ipv4.ip_forward = 1
     net.ipv4.conf.default.rp_filter = 0

  2. Checking that pluto is running [Failed]

    cd /var/run/pluto
    ipsec pluto      [creates the pluto.ctl file]
    ipsec verify

  


III. Configure ppp and l2tp

 1. Configure ppp

  vi /etc/ppp/options.xl2tpd

    require-mschap-v2
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    noccp
    auth
    crtscts
    idle 1800
    mtu 1410
    mru 1410
    nodefaultroute
    debug
    lock
    proxyarp
    connect-delay 5000

 2. Configure the *** user name and password

  vi /etc/ppp/chap-secrets

    # client        server  secret                  IP addresses
    tan             *       tan                     *

 3. Configure xl2tpd

   vi /etc/xl2tpd/xl2tpd.conf

     [global]

     [lns default]
     ip range = 192.168.201.170-192.168.201.179
     local ip = 192.168.201.12
     require chap = yes
     refuse pap = yes
     require authentication = yes
     name = Linux×××server
     ppp debug = yes
     pppoptfile = /etc/ppp/options.xl2tpd
     length bit = yes

 4. Start xl2tpd

     /etc/init.d/xl2tpd restart
     xl2tpd -D  [start in the foreground in debug mode, printing logs to the terminal]

     

    

IV. Firewall configuration

 Configure NAT forwarding

   iptables -t nat -A POSTROUTING -s 192.168.201.0/24 -o eth0 -j MASQUERADE 
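As an added consistency check (example code written for this page, not from the original post or the linked references): the script below parses constructed samples of ipsec.conf, ipsec.secrets, xl2tpd.conf and the MASQUERADE subnet from sections II to IV and flags the mismatches that most often break this setup, such as a PSK line keyed by a different address than left=, a short PSK, an xl2tpd ip range outside the masqueraded subnet, local ip falling inside the client range, or PAP not being refused. The sample values and the 20-character PSK threshold are assumptions.

```python
import ipaddress
import re
# Constructed samples that mirror the page's configuration (not read from disk).
IPSEC_CONF = """conn L2TP-PSK-noNAT
    left=133.3.5.16
    leftprotoport=17/1701
"""
IPSEC_SECRETS = '121.46.20.249 %any: PSK "good321"\n'
XL2TPD_CONF = """[lns default]
ip range = 192.168.201.170-192.168.201.179
local ip = 192.168.201.12
require chap = yes
refuse pap = yes
"""
NAT_SUBNET = "192.168.201.0/24"  # subnet named in the MASQUERADE rule

def parse_kv(text):
    """Flatten 'key = value' lines (ipsec.conf / xl2tpd.conf style) into a dict."""
    kv = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, val = line.split("=", 1)
            kv[key.strip().lower()] = val.strip()
    return kv

def audit(ipsec_conf, ipsec_secrets, xl2tpd_conf, nat_subnet):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    ipsec, l2tp = parse_kv(ipsec_conf), parse_kv(xl2tpd_conf)
    # pluto selects the PSK line whose addresses match left/right, so they must agree
    psk = re.search(r'^\s*(\S+)\s+\S+\s*:\s*PSK\s+"([^"]*)"', ipsec_secrets, re.M)
    if psk is None:
        findings.append("ipsec.secrets: no PSK line found")
    else:
        if psk.group(1) != ipsec.get("left"):
            findings.append(f"PSK keyed by {psk.group(1)} but left={ipsec.get('left')}; pluto will not find the secret")
        if len(psk.group(2)) < 20:  # assumed minimum; use a long random value
            findings.append("PSK shorter than 20 characters; use a long random value")
    net = ipaddress.ip_network(nat_subnet)
    lo, hi = (ipaddress.ip_address(a.strip()) for a in l2tp["ip range"].split("-"))
    local = ipaddress.ip_address(l2tp["local ip"])
    if lo not in net or hi not in net:
        findings.append("xl2tpd ip range lies outside the MASQUERADE subnet %s" % net)
    if lo <= local <= hi:
        findings.append("xl2tpd local ip %s collides with the client ip range" % local)
    if l2tp.get("require chap") != "yes" or l2tp.get("refuse pap") != "yes":
        findings.append("xl2tpd must require CHAP and refuse PAP")
    return findings
```

Run against the page's own values it reports the address mismatch between ipsec.conf and ipsec.secrets and the short PSK; swap in your real files and an empty result means the four pieces agree.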



Reference links:

 http://my.oschina.net/xiaotian120/blog/286002
 http://wenku.baidu.com/link?url=hkhDw8sAKQbdviIaPLwn1AsBmANAysG8npTIoy4CwNnT8OBXgRd_TWDRxJGOakCElYcu_Hdp2SVLesrqr57rwhxpf71P4L-UgW4ahXxK7yu