利用IPSec/L2TP代理上网

系统：Centos 6.9 优势：Windows、macOS、Linux、IPhone、 Android等设备都能用该协议代理上网 安装软件： ——————————————————————————————————————————————————————— 运行命令：  yum install -y xl2tpd libreswan Centos7官方源中无xl2tpd，添加源  yum install -y epel-release   编辑ipsec配置文件： ——————————————————————————————————————————————————————— 运行命令： vim /etc/ipsec.conf 内容如下： # /etc/ipsec.conf - Libreswan IPsec configuration file # This file:  /etc/ipsec.conf # # Enable when using this configuration file with openswan instead of libreswan #version 2 # # Manual:     ipsec.conf.5 # basic configuration config setup         # which IPsec stack to use, "netkey" (the default), "klips" or "mast".         # For MacOSX use "bsd"         protostack=netkey         #         # Normally, pluto logs via syslog. If you want to log to a file,         # specify below or to disable logging, eg for embedded systems, use         # the file name /dev/null         # Note: SElinux policies might prevent pluto writing to a log file at         #       an unusual location.         #logfile=/var/log/pluto.log         #         # The interfaces= line is only required for the klips/mast stack         #interfaces="%defaultroute"         #interfaces="ipsec0=eth0 ipsec1=ppp0"         #         # If you want to limit listening on a single IP - not required for         # normal operation         #listen=127.0.0.1         #         # Do not set debug options to debug configuration issues!         #         # plutodebug / klipsdebug = "all", "none" or a combation from below:         # "raw crypt parsing emitting control kernel pfkey natt x509 dpd         #  private".         # Note: "crypt" is not included with "all", as it can show confidential         #       information. It must be specifically specified         # examples:         # plutodebug="control parsing"         # plutodebug="all crypt"         # Again: only enable plutodebug or klipsdebug when asked by a developer         #plutodebug=none         #klipsdebug=none         #         # Enable core dumps (might require system changes, like ulimit -C)         # This is required for abrtd to work properly         # Note: SElinux policies might prevent pluto writing the core at         #       unusual locations         dumpdir=/var/run/pluto/         #         # NAT-TRAVERSAL support         # exclude networks used on server side by adding %v4:!a.b.c.0/24         # It seems that T-Mobile in the US and Rogers/Fido in Canada are         # using 25/8 as "private" address space on their wireless networks.         # This range has never been announced via BGP (at least upto 2015)         nat_traversal=yes         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24 # For example connections, see your distribution's documentation directory, # or  https://libreswan.org/wiki/ # # There is also a lot of information in the manual page, "man ipsec.conf" # # It is best to add your IPsec connections as separate files in /etc/ipsec.d/ #include /etc/ipsec.d/*.conf conn L2TP-PSK-NAT     rightsubnet=vhost:%priv     also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT     authby=secret     pfs=no     auto=add     rekey=no     type=transport     dpddelay=15     dpdtimeout=30     dpdaction=clear     left=%eth2     leftprotoport=17/1701     right=%any     rightprotoport=17/%any     forceencaps=yes  #此项必须开启，否则NAT设备无法上网                           设置PSK密钥:    ——————————————————————————————————————————————————————— 运行命令 vim /etc/ipsec.secrets 内容如下： #include /etc/ipsec.d/*.secrets 此处填写外网IP %any : PSK "此处填写密钥"   例如： #include /etc/ipsec.d/*.secrets 192.168.1.2 %any : PSK "123456" 开启路由功能 :     ——————————————————————————————————————————————————————— 运行命令： vim /etc/sysctl.conf 将下面两项： net.ipv4.ip_forward = 0 net.ipv4.conf.default.rp_filter = 1 改为： net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0   运行命令： sysctl -p 启动并测试IPSec： ———————————————————————————————————————————————————————  运行命令： service ipsec start ipsec verify 运行ipsec verify返回如下信息，不报错则正常，报错自行百度。 Verifying installed system and configuration files Version check and ipsec on-path                         [OK] Libreswan 3.15 (netkey) on 2.6.32-696.23.1.el6.x86_64 Checking for IPsec support in kernel                    [OK]  NETKEY: Testing XFRM related proc values          ICMP default/send_redirects                    [OK]          ICMP default/accept_redirects                  [OK]          XFRM larval drop                               [OK] Pluto ipsec.conf syntax                                 [OK] Hardware random device                                  [N/A] Two or more interfaces found, checking IP forwarding    [OK] Checking rp_filter                                      [OK] Checking that pluto is running                          [OK]  Pluto listening for IKE on udp 500                     [OK]  Pluto listening for IKE/NAT-T on udp 4500              [OK]  Pluto ipsec.secret syntax                              [OK] Checking 'ip' command                                   [OK] Checking 'iptables' command                             [OK] Checking 'prelink' command does not interfere with FIPSChecking for obsolete ips                                                                                                                                                             ec.conf options                 [OK] Opportunistic Encryption                                [DISABLED]   配置  etc/xl2tpd/xl2tpd.conf ：   ———————————————————————————————————————————————————————  运行命令： vim /etc/xl2tpd/xl2tpd.conf 修改内容： ; ; This is a minimal sample xl2tpd configuration file for use ; with L2TP over IPsec. ; ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec ; clients connect. In this example, the internal (protected) network ; is 192.168.1.0/24.  A special IP range within this network is reserved ; for the remote clients: 192.168.1.128/25 ; (i.e. 192.168.1.128 ... 192.168.1.254) ; ; The listen-addr parameter can be used if you want to bind the L2TP daemon ; to a specific IP address instead of to all interfaces. For instance, ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98 ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99) ; will be used by xl2tpd as its address on pppX interfaces. [global] ipsec saref = yes listen-addr = 192.168.1.2  ;此处为外网IP ; ; requires openswan-2.5.18 or higher - Also does not yet work in combination ; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or ;  when using any of the SAref kernel patches for kernels up to 2.6.35. ; saref refinfo = 30 ; ; force userspace = yes ; ; debug tunnel = yes [lns default] ip range = 100.64.0.100-100.64.0.200  ;此处内网分配ip范围 local ip = 100.64.0.1  ;此处为分配给服务器的IP require chap = yes refuse pap = yes require authentication = yes name = LinuxVPNserver ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes 配置  /etc/ppp/options.xl2tpd ：   ———————————————————————————————————————————————————————  运行命令： vim /etc/ppp/options.xl2tpd 修改一下内容： ipcp-accept-local ipcp-accept-remote ms-dns  114.114.114.114 #此处填写DNS地址 require-mschap-v2 # ms-dns  192.168.1.1 # ms-dns  192.168.1.3 # ms-wins 192.168.1.2 # ms-wins 192.168.1.4 noauth noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp connect-delay 5000 # To allow authentication against a Windows domain EXAMPLE, and require the # user to be in a group "VPN Users". Requires the samba-winbind package # require-mschap-v2 # plugin winbind.so # ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"' # You need to join the domain on the server, for example using samba: #  http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html   添加  L2TP用户 ：   ———————————————————————————————————————————————————————  运行命令： vim /etc/ppp/chap-secrets 修改内容： # Secrets for authentication using CHAP # client        server  secret                  IP addresses admin * admin * #格式为：用户名空格协议空格密码空格IP地址 启动xl2tpd ：   ———————————————————————————————————————————————————————  运行命令： service xl2tpd start 配置防火墙：   ———————————————————————————————————————————————————————  编辑防火墙配置： vi /etc/sysconfig/iptables 以下内容仅供参考，新手别完全照抄： *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1:100] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT -A INPUT -p udp -m udp --dport 500 -j ACCEPT -A INPUT -p udp -m udp --dport 4500 -j ACCEPT -A INPUT -p udp -m udp --dport 1701 -j ACCEPT -A INPUT -p gre -j ACCEPT -A INPUT -p ah -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -d 100.64.0.0/24 -j ACCEPT -A FORWARD -s 100.64.0.0/24 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Fri Mar 30 10:36:16 2018 # Generated by iptables-save v1.4.7 on Fri Mar 30 10:36:16 2018 *nat :PREROUTING ACCEPT [831320:68105743] :POSTROUTING ACCEPT [1350:80883] :OUTPUT ACCEPT [1350:80883] -A POSTROUTING -s 100.64.0.0/24 -o eth1 -j MASQUERADE COMMIT # Completed on Fri Mar 30 10:36:16 2018 重启防火墙： service iptables restart 配置自启 ：   ———————————————————————————————————————————————————————  运行命令： chkconfig xl2tpd on chkconfig ipsec on 解决windows7无法连接：   ———————————————————————————————————————————————————————  添加2个注册表： 删除 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters 下的 ProhibitIpSec 键值（如果没有，新建一个32位DWORDS值位1） 在HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent 下添加 AssumeUDPEncapsulationContextOnSendRule（32位DWORDS值位2） 转载自—— 爱种树的熊

https://blog.csdn.net/XZS1097035329/article/details/79821354