centos 安装配置l2tp实现***
1 前言
L2TP是一种工业标准的Internet隧道协议,功能大致和PPTP协议类似,比如同样可以对网络数据流进行加密。不过也有不同之处,比如PPTP要求网络为IP网络,L2TP要求面向数据包的点对点连接;PPTP使用单一隧道,L2TP使用多隧道;L2TP提供包头压缩、隧道验证,而PPTP不支持。
MAC最新系统默认已经不支持pptp协议,所以配置l2tp较为合适。
2 安装配置
2.1 安装软件包
安装环境包
yum install make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man
安装l2tp
centos 6:
yum install openswan ppp xl2tpd
centos 7:
yum install xl2tpd libreswan ppp
2.2 软件配置
2.2.1 编辑xl2tpd配置文件
vi /etc/xl2tpd/xl2tpd.conf
|
[global] [lns default] ip range = 192.168.1.100-192.168.1.254 #分配给客户端的地址池 local ip = 192.168.1.99 require chap = yes refuse pap = yes require authentication = yes name = Linux×××server ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes |
2.2.2 编辑pppoptfile文件
vi /etc/ppp/options.xl2tpd
|
ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 8.8.4.4 noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp persist connect-delay 5000 logfile /var/log/xl2tpd.log |
2.2.3 编辑ipsec配置文件
vi /etc/ipsec.conf
默认就好:
|
config setup protostack=netkey dumpdir=/var/run/pluto/ virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 include /etc/ipsec.d/*.conf |
vi /etc/ipsec.d/l2tp-ipsec.conf
|
conn L2TP-PSK-NAT rightsubnet=0.0.0.0/0 dpddelay=10 dpdtimeout=20 dpdaction=clear forceencaps=yes also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=114.114.114.114(服务器公网地址) leftprotoport=17/1701 right=%any rightprotoport=17/%any |
2.2.4 设置用户名密码
vi /etc/ppp/chap-secrets
#用户名 服务名 密码 指定IP
username * "password" *
2.2.5 设置PSK预共享密钥
vi /etc/ipsec.secrets
|
include /etc/ipsec.d/*.secrets 114.114.114.114 %any: PSK "YourPsk" ###YourPsk为预共享密钥。114.114.114.114为服务器公网IP |
2.2.6 IP_FORWARD设置
vi /etc/sysctl.conf
追加或修改:
|
net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1 |
生效:
sysctl –p
2.2.7 ipsec启动
centos6:
/etc/init.d/ipsec restart
centos7:
systemctl restart ipsec
2.2.8 ipsec检查
ipsec verify
正常的输出:
|
Verifying installed system and configuration files
Version check and ipsec on-path [OK] Libreswan 3.15 (netkey) on 2.6.32-573.3.1.el6.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Hardware random device [N/A] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPS [PRESENT] Checking for obsolete ipsec.conf options [OK] Opportunistic Encryption [DISABLED]
|
2.2.9 xl2tpd启动
centos6:
/etc/init.d/xl2tpd restart
centos7:
systemctl restart xl2tpd
2.2.10 日志配置
记录对方IP地址:
这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-xl2tpd.conf文件,内容如下:
vi /etc/rsyslog.d/20-xl2tpd.conf
|
if $programname == 'xl2tpd' then /var/log/l2tp-***.log &~ |
这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-pptpd.conf文件,内容如下:
vi /etc/rsyslog.d/20-pptpd.conf
|
if $programname == 'pppd' then /var/log/l2tp-***.log &~ |
重启rsyslog服务
centos6:
/etc/init.d/rsyslog restart
centos7:
systemctl restart rsyslog
记录用户名和登录时间:
在/etc/ppp/ip-up 脚本中加入
echo >> /var/log/l2tp-***.log
echo "Start_Time: `date -d today +%F_%T`" >> /var/log/l2tp-***.log ##登录时间戳
echo "username: $PEERNAME" >> /var/log/l2tp-***.log ##用户名
echo >> /var/log/l2tp-***.log
在/etc/ppp/ip-down 脚本中加入
echo "Stop_Time: `date -d today +%F_%T`" >> /var/log/l2tp-***.log ##断开时间戳
echo "username: $PEERNAME" >> /var/log/l2tp-***.log ##用户名
echo >> /var/log/l2tp-***.log
2.2.11 使用×××服务器公网做为客户端互联网出口(跳板机、代理)
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE (eth1为公网网卡)
2.2.12 访问×××服务器所在的内网其它服务器
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE (eth0为私网网卡)
2.3 客户端连接(windows)
注意这里只是说明windows方法,MAC和手机方法大致相同:
直接连接即可
如遇不能访问谷歌和youtube,但能访问facebook,很有可能注册表被修改导致。
查看注册表并恢复:
1. 单击“开始”,单击“运行”,键入“regedit”,然后单击“确定”
2. 找到下面的注册表子项,然后单击它:
HKEY_LOCAL_MACHINE\ System\CurrentControlSet\Services\Rasman\Parameters
确保是0不是1
如有ProhibitIpSec,将其删除
转载于:https://blog.51cto.com/taozijishu/1972849
