1. 先安装Openswan
1
2
3
4
5
|
yum
install
-y ppp iptables
make
gcc gmp-devel xmlto bison flex xmlto libpcap-devel
lsof
wget http:
//download
.openswan.org
/openswan/openswan-2
.6.38.
tar
.gz
tar
zxvf openswan-2.6.38.
tar
.gz
cd
openswan-2.6.38
make
programs
install
|
gkp说 “安装 Openswan,记得别用2.6.26,宁可用2.6.24。它和 xL2TPD 存在严重兼容性bug”
2. 安装xL2TPD
在CentOS 6官方的yum源中,没有这个软件包。需要安装fedora的epel源。
1
2
3
|
rpm -Uvh http:
//mirrors
.ustc.edu.cn
/fedora/epel/6/x86_64/epel-release-6-7
.noarch.rpm
#CentOS 5用这个地址: rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm
yum
install
xl2tpd -y
|
如果上面这个安装地址如果不对了。参照这个fedora epel 的 faq页。安装其他一些 Linux 软件源,参照这页。
编辑 /etc/ipsec.conf 注意$esojourn.org 替换成你机器的 IP。这个 IP 应该是你的公网 IP,不是本机内网IP。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
# /etc/ipsec.conf - Openswan IPsec configuration file# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5version 2.0
# conforms to second version of ipsec.conf specification# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=
/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=
yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:10.0.0.0
/8
,%v4:192.168.0.0
/16
,%v4:172.16.0.0
/12
,%v4:25.0.0.0
/8
,%v6:fd00::
/8
,%v6:fe80::
/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
#这里注释说可以用auto,但实际上不行。还得老老实实写netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=add
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type
=transport
left=$esojourn.org
#这里写公网IP,没固定IP的就到花生壳弄个动态域名解析。
leftid=$esojourn.org
leftprotoport=17
/1701
right=%any
|
修改 ipsec 密钥
1
2
3
|
vi
/etc/ipsec
.secretswww.esojourn.org %any: PSK
"myps"
#www.esojourn.org改成公网ip,没固定IP的,就到花生壳弄个动态域名解析。http://www.oray.com/peanuthull/
#myps改成密码
|
3. 修改/etc/sysctl.conf,开启路由功能
1
|
vi
/etc/sysctl
.conf
|
星云说:将下面两项找到:
1
2
|
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
|
改为:
1
2
|
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
|
之后先让修改后的配置生效,再测试一下,
1
2
3
|
sysctl -p
service ipsec start
ipsec verify
|
如果行了就这样了,但实际上,我反复测试之后,干脆在sysctl.conf最下面,加了这一段。加好后别忘了再sysctl -p一下。
1
2
3
4
5
6
7
8
9
10
11
|
#added for xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
如果 ipsec verify 返回这样,就可以了。linode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
Checking your system to see
if
IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24
/K2
.6.32.16-linode28 (netkey)
Checking
for
IPsec support
in
kernel [OK]
NETKEY detected, testing
for
disabled ICMP send_redirects [OK]
NETKEY detected, testing
for
disabled ICMP accept_redirects [OK]
Checking
for
RSA private key (
/etc/ipsec
.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening
for
IKE on udp 500 [OK]
Pluto listening
for
NAT-T on udp 4500 [OK]
Two or
more
interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking
for
'ip'
command
[OK]
Checking
for
'iptables'
command
[OK]
Opportunistic Encryption Support [DISABLED]
|
我的经验中,这里可能会出这么几个故障:
第一:
1
|
SAref kernel support [N
/A
]
|
这样的话, /etc/xl2tpd/xl2tpd.conf这个文件里
1
2
|
[global]
ipsec saref = no
|
第二:
1
2
|
Two or
more
interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
|
ip转发检查失败。
Paul和Steve说:只要 cat /proc/sys/net/ipv4/ip_forward 返回结果是1就没事。这个我已经证实了。
第三:返回结果里,就没有Two or more interfaces found, checking IP forwarding和Checking NAT and MASQUERADEing这两项。碰上这个我也没办法了。重装了系统,又瞎折腾一通之后就好了。
[ 2012-7-6 ]
第四:更新加入一个新的情况
1
2
3
4
5
6
|
Checking
for
IPsec support
in
kernel [OK]
SAref kernel support [N
/A
]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[FAILED] Please
enable
/proc/sys/net/core/xfrm_larval_drop
or NETKEY will cause non-POSIX compliant long
time
-outsChecking that pluto is running [OK]
|
出这毛病,照着说明,
1
2
|
echo
1 >
/proc/sys/net/core/xfrm_larval_drop
vi
/etc/bashrc
|
然后把“echo 1 > /proc/sys/net/core/xfrm_larval_drop”这句加进去。以后每次开机自动执行一下。
4. 编辑 /etc/xl2tpd/xl2tpd.conf
vi /etc/xl2tpd/xl2tpd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
; This is a minimal sample xl2tpd configuration
file
for
use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to
which
remote Windows L2TP
/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0
/24
. A special IP range within this network is reserved
;
for
the remote clients: 192.168.1.128
/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used
if
you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
;
in
the example below). Yet another IP address (
local
ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.[global]
listen-addr = esojourn.org
;这里写内网IP。或者加;注释掉也问题不大。
;
; requires openswan-2.5.18 or higher - Also does not yet work
in
combination
; with kernel mode l2tp as present
in
linux 2.6.23+
; ipsec saref =
yes
ipsec saref = no
; 这里一般都让写
yes
,但如果刚才你的ipsec verify中,有报SAref kernel support[N
/A
]的话,这里就写no。
; Use refinfo of 22
if
using an SAref kernel patch based on openswan 2.6.35 or
;when using any of the SAref kernel patches
for
kernels up to 2.6.35.
; ipsec refinfo = 30
;
; forceuserspace =
yes
;
; debug tunnel =
yes
[lns default]
ip range = 192.168.7.128-192.168.7.254
;这里写vpn client的ip段
local
ip = 192.168.7.1
require chap =
yes
refuse pap =
yes
require authentication =
yes
name = LinuxVPNserver
ppp debug =
yes
pppoptfile =
/etc/ppp/options
.xl2tpd
length bit =
yes
|
5. 修改 /etc/ppp/options.xl2tpd
vi /etc/ppp/options.xl2tpd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
require-mschap-v2
ipcp-accept-
local
ipcp-accept-remote
ms-dns 8.8.4.4
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
|
vi /etc/ppp/chap-secrets
1
2
3
|
#文件格式
# user server password ip
username * userpass *
#改成你的用户名 密码
|
6. 最关键的iptables配置
做完上面这堆步骤之后,客户端建个连接就可以验证进入vpn主机了。但是无法访问内外网。我就是在这里卡了一个多星期。网上的资料,有的没说这一步。有的说了也没说全。我发个权威的吧。
1
2
3
4
5
|
iptables -t nat -A POSTROUTING -s 192.168.7.0
/24
-o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.7.0
/24
-j ACCEPT
iptables -I FORWARD -d 192.168.7.0
/24
-j ACCEPT
iptables-save
service iptables restart
|
192.168.7.0/24根据实际情况替换。
vi /etc/sysconfig/iptables 看到的应该是类似这样。
最上面先是nat规则,下面是filter规则。
下面filter表里,先把VPN要用到的udp端口1701,500,4500都打开。要用openvp的话,还要开1194。
另外filter表里,一定要有FORWARD规则。这点在网上好几个教程里都没说!坑死人。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
#下面规则做参考啊,新手别完全照抄。
*nat
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0
/24
-o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
# Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.7.0
/24
-j ACCEPT
-A FORWARD -s 192.168.7.0
/24
-j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
|
最后
1
2
3
4
5
|
service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
|