Installing and configuring L2TP on CentOS to build a VPN
1 Introduction
L2TP is an industry-standard Internet tunnelling protocol whose role is broadly similar to PPTP's. Unlike PPTP, however, L2TP itself provides no encryption: confidentiality comes from running the L2TP tunnel inside IPsec, which is why this guide pairs xl2tpd with Openswan/Libreswan. Other differences: PPTP requires an IP network, whereas L2TP can run over any packet-oriented point-to-point medium; PPTP carries a single tunnel between two endpoints, L2TP supports several; L2TP offers header compression and tunnel authentication, which PPTP lacks.
Recent macOS releases (10.12 Sierra and later) no longer ship a PPTP client, which is another reason to configure L2TP/IPsec instead.
2 Installation and configuration
2.1 Installing packages
Build tools and utilities:
yum install make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
L2TP and IPsec daemons (xl2tpd is in the EPEL repository, so enable it first with yum install epel-release):
CentOS 6:
yum install openswan ppp xl2tpd
CentOS 7:
yum install xl2tpd libreswan ppp
2.2 软件配置
2.2.1 Edit the xl2tpd configuration file
vi /etc/xl2tpd/xl2tpd.conf
[global]
[lns default]
; address pool handed out to clients
ip range = 192.168.1.100-192.168.1.254
; the server's own end of the PPP links; must lie outside the pool
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
2.2.2 Edit the pppoptfile
vi /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to clients
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# no CCP/MPPE: encryption is provided by the IPsec layer, not by PPP
noccp
# require the peer to authenticate (CHAP, per xl2tpd.conf)
auth
crtscts
# drop a link that has carried no traffic for 30 minutes
idle 1800
# leave room for the L2TP/IPsec overhead
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
persist
connect-delay 5000
logfile /var/log/xl2tpd.log
2.2.3 Edit the IPsec configuration
vi /etc/ipsec.conf
The stock file needs only the virtual_private line checked. It lists the private ranges clients are allowed to sit behind when using NAT traversal: the three RFC 1918 blocks (the page's 172.100.0.0/12 was a typo for 172.16.0.0/12) plus the CGNAT range 100.64.0.0/10. The server's own client pool is excluded with ! so a client whose home LAN is also 192.168.1.0/24 does not collide with it:
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf

vi /etc/ipsec.d/l2tp-ipsec.conf
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    # pfs=no is required for Windows clients
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # the server's public IP; 114.114.114.114 is a placeholder, replace it
    # (left=%defaultroute also works on a host with one public interface)
    left=114.114.114.114
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
2.2.4 Set user names and passwords
vi /etc/ppp/chap-secrets
# client        server  secret          IP addresses
username        *       "password"      *
Passwords are stored here in clear text, so the file must stay readable by root only (chmod 600 /etc/ppp/chap-secrets).
2.2.5 Set the pre-shared key (PSK)
vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
114.114.114.114 %any: PSK "YourPsk"
### YourPsk is the pre-shared key; 114.114.114.114 is the server's public IP (the same address as left= above).
Every client shares this single key, so make it long and random and keep the file mode 600: anyone who learns the PSK can impersonate the server to a client and capture its CHAP exchange, because IKE with a PSK carries no per-user identity.
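The two secrets files above are usually edited by hand; the following script is an added example (not part of the original page) that does the same steps safely: it draws a random PSK and user password from /dev/urandom, refuses to add a duplicate CHAP user, and restricts both files to root. The file paths, the server address 114.114.114.114 and the secret lengths are assumptions taken from the page and can be overridden through environment variables.

```bash
#!/bin/sh
# Added example: manage the L2TP/IPsec secrets files.
#   ./l2tp-secrets.sh adduser alice   -> adds a CHAP user with a random password
#   ./l2tp-secrets.sh psk             -> (re)writes /etc/ipsec.secrets with a random PSK
# Defaults below mirror the page; override with CHAP_SECRETS, IPSEC_SECRETS, SERVER_IP.
set -eu

CHAP_SECRETS="${CHAP_SECRETS:-/etc/ppp/chap-secrets}"
IPSEC_SECRETS="${IPSEC_SECRETS:-/etc/ipsec.secrets}"
SERVER_IP="${SERVER_IP:-114.114.114.114}"   # placeholder public IP, as on the page

# random_secret LEN: LEN characters from [A-Za-z0-9] taken from /dev/urandom.
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# has_chap_user FILE USER: succeeds if USER already has a (non-comment) line in FILE.
has_chap_user() {
    awk -v u="$2" '$1 !~ /^#/ && $1 == u { found = 1 } END { exit !found }' "$1"
}

# add_chap_user FILE USER PASSWORD: append a "client server secret IP" line.
add_chap_user() {
    file=$1; user=$2; pass=$3
    [ -f "$file" ] || : >"$file"
    if has_chap_user "$file" "$user"; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    case $pass in
        *\"*) echo "password must not contain double quotes" >&2; return 1 ;;
    esac
    printf '%s\t*\t"%s"\t*\n' "$user" "$pass" >>"$file"
}

# write_psk FILE SERVER_IP PSK: write the include line and the single PSK entry.
write_psk() {
    file=$1; ip=$2; psk=$3
    {
        echo 'include /etc/ipsec.d/*.secrets'
        printf '%s %%any: PSK "%s"\n' "$ip" "$psk"
    } >"$file"
}

# lock_down FILE: root-owned (when run as root) and readable by root only.
lock_down() {
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$1"; fi
    chmod 600 "$1"
}

main() {
    case ${1:-} in
        adduser)
            user=${2:?usage: $0 adduser USERNAME}
            pass=$(random_secret 20)
            add_chap_user "$CHAP_SECRETS" "$user" "$pass"
            lock_down "$CHAP_SECRETS"
            echo "user=$user password=$pass" ;;
        psk)
            psk=$(random_secret 32)
            write_psk "$IPSEC_SECRETS" "$SERVER_IP" "$psk"
            lock_down "$IPSEC_SECRETS"
            echo "psk=$psk   (distribute once, out of band; restart ipsec to load it)" ;;
        *)
            echo "usage: $0 adduser USERNAME | psk" >&2
            return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The passwords are written with tab separators and quoted, the form pppd's chap-secrets parser expects; a double quote inside the secret would break that line, so the script rejects it. Note that write_psk replaces the whole file, which is fine here because a PSK-only deployment has exactly one entry.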
2.2.6 IP forwarding and related kernel settings
vi /etc/sysctl.conf
Append or modify:
net.ipv4.ip_forward = 1
# ipsec verify requires reverse-path filtering off on every interface, not only on new ones
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Apply:
sysctl -p
2.2.7 Start IPsec
CentOS 6:
/etc/init.d/ipsec restart
CentOS 7:
systemctl restart ipsec
2.2.8 Check IPsec
ipsec verify
Expected output (here from a CentOS 6 kernel running Libreswan 3.15):
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-573.3.1.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
2.2.9 Start xl2tpd
CentOS 6:
/etc/init.d/xl2tpd restart
CentOS 7:
systemctl restart xl2tpd
2.2.10 Log configuration
Recording the peer's address:
xl2tpd logs the peer's public address when a tunnel is established, and pppd logs the PPP negotiation. rsyslog can route both programs' messages into a dedicated file. Create /etc/rsyslog.d/20-xl2tpd.conf with the following content:
vi /etc/rsyslog.d/20-xl2tpd.conf
if $programname == 'xl2tpd' then /var/log/l2tp-vpn.log
&~
if $programname == 'pppd' then /var/log/l2tp-vpn.log
&~
The &~ line discards each matched message so it is not also written to /var/log/messages. rsyslog 7 and later (CentOS 7) still accepts &~ but warns that it is deprecated; the modern equivalent is & stop.
Restart the rsyslog service:
CentOS 6:
/etc/init.d/rsyslog restart
CentOS 7:
systemctl restart rsyslog
Recording the user name and login time:
pppd runs /etc/ppp/ip-up when a link comes up and /etc/ppp/ip-down when it goes down, and exports the authenticated peer name in $PEERNAME. On CentOS the packaged ip-up and ip-down scripts hand off to /etc/ppp/ip-up.local and /etc/ppp/ip-down.local if those exist, so the lines below can go there instead and will survive ppp package updates.
Add to /etc/ppp/ip-up:
echo >> /var/log/l2tp-vpn.log
echo "Start_Time: $(date +%F_%T)" >> /var/log/l2tp-vpn.log   ## login timestamp
echo "username: $PEERNAME" >> /var/log/l2tp-vpn.log          ## user name
echo >> /var/log/l2tp-vpn.log
Add to /etc/ppp/ip-down:
echo "Stop_Time: $(date +%F_%T)" >> /var/log/l2tp-vpn.log    ## disconnect timestamp
echo "username: $PEERNAME" >> /var/log/l2tp-vpn.log          ## user name
echo >> /var/log/l2tp-vpn.log
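The Start_Time/Stop_Time records above are easy to write but awkward to read by eye once a few users have connected. The script below is an added example, not part of the original page, that turns that log into a session table: it pairs each Stop_Time with the user's most recent open Start_Time to compute a duration, lists sessions that never closed, and flags a user name that was logged in twice at once, which usually means a shared account. The sample log is constructed here to match the format the ip-up/ip-down lines produce; the script assumes bash 4 (associative arrays) and GNU date, both present on CentOS 6 and 7.

```bash
#!/bin/bash
# Added example: summarize /var/log/l2tp-vpn.log as written by the
# ip-up/ip-down snippets (Start_Time/Stop_Time followed by a username line).
#   ./l2tp-sessions.sh < /var/log/l2tp-vpn.log
#   ./l2tp-sessions.sh            (no input file: runs on the constructed sample below)

# to_epoch 2024-03-01_09:15:02 -> seconds since the epoch (GNU date).
to_epoch() { date -d "${1/_/ }" +%s; }

# l2tp_sessions: reads the log on stdin and prints one line per finding:
#   SESSION user start stop seconds   completed session
#   OVERLAP user start                second concurrent login for this user
#   OPEN    user start                never saw a Stop_Time (still up, or a crash)
#   ORPHAN  user stop                 Stop_Time with no matching start
l2tp_sessions() {
    local line user start n pending_kind= pending_ts=
    declare -A open_stack=()        # user -> space-separated start times still open
    while IFS= read -r line; do
        case $line in
            Start_Time:*) pending_kind=start; pending_ts=${line#Start_Time: } ;;
            Stop_Time:*)  pending_kind=stop;  pending_ts=${line#Stop_Time: } ;;
            username:*)
                user=${line#username: }
                local starts=(${open_stack[$user]:-})
                if [[ $pending_kind == start ]]; then
                    if (( ${#starts[@]} > 0 )); then
                        echo "OVERLAP $user $pending_ts"
                    fi
                    open_stack[$user]="${open_stack[$user]:-} $pending_ts"
                elif [[ $pending_kind == stop ]]; then
                    if (( ${#starts[@]} > 0 )); then
                        n=$(( ${#starts[@]} - 1 ))
                        start=${starts[$n]}
                        unset "starts[$n]"
                        open_stack[$user]="${starts[*]}"
                        echo "SESSION $user $start $pending_ts $(( $(to_epoch "$pending_ts") - $(to_epoch "$start") ))"
                    else
                        echo "ORPHAN $user $pending_ts"
                    fi
                fi
                pending_kind=
                ;;
        esac
    done
    for user in "${!open_stack[@]}"; do
        for start in ${open_stack[$user]}; do
            echo "OPEN $user $start"
        done
    done
}

# Constructed sample log (not real data) in the exact format ip-up/ip-down write.
sample_log() {
    cat <<'EOF'

Start_Time: 2024-03-01_09:15:02
username: alice

Stop_Time: 2024-03-01_10:02:44
username: alice

Start_Time: 2024-03-01_11:00:00
username: bob

Start_Time: 2024-03-01_12:00:00
username: alice

Start_Time: 2024-03-01_12:05:00
username: alice

Stop_Time: 2024-03-01_12:30:00
username: alice

EOF
}

if [[ -t 0 ]]; then
    sample_log | l2tp_sessions      # interactive run with no input: use the sample
else
    l2tp_sessions                   # stdin redirected from the real log
fi
```

On the sample this reports alice's first session as 2862 seconds, an OVERLAP for alice at 12:05:00 (she was already logged in since 12:00:00), the 12:05 session closing after 1500 seconds, and two OPEN sessions (bob since 11:00:00 and alice since 12:00:00). Pairing a stop with the most recent start is a heuristic: the page's log format does not record the PPP interface, so two concurrent sessions of one user cannot be told apart with certainty.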
2.2.11 Using the VPN server's public address as the clients' Internet exit (jump host / proxy)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE    # eth1 is the public interface
2.2.12 Reaching other servers on the VPN server's internal network
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE    # eth0 is the private interface
These rules are not persistent: save them with service iptables save (CentOS 6, or CentOS 7 with the iptables-services package) or add the equivalents to firewalld. The firewall must also let IKE and NAT-T in (UDP 500 and 4500).
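The two MASQUERADE rules cover egress, but an L2TP/IPsec server also needs ingress rules, and one of them is security-relevant: UDP 1701 should be accepted only when the packet was decapsulated from an IPsec SA. Otherwise a client that negotiates plain L2TP (for example a Windows machine with ProhibitIpSec=1, see 2.3) connects with its CHAP exchange and all traffic in the clear, and the server never notices. The script below is an added example, not from the original page; it assumes iptables with the policy match (xt_policy, standard on CentOS 6 and 7), the interface names eth1/eth0 and the 192.168.1.0/24 pool from the page, all of which are parameters. Set IPT=echo to print the rules instead of applying them.

```bash
#!/bin/bash
# Added example: INPUT/FORWARD/NAT rules for an L2TP/IPsec server.
#   ./l2tp-firewall.sh eth1 eth0 192.168.1.0/24          apply
#   IPT=echo ./l2tp-firewall.sh eth1 eth0 192.168.1.0/24 dry run
IPT=${IPT:-iptables}

# l2tp_firewall_rules PUBLIC_IF PRIVATE_IF POOL_CIDR
l2tp_firewall_rules() {
    local pub=$1 priv=$2 pool=$3

    # IKE and NAT-T keepalive/encapsulation: the only UDP ports the Internet must reach.
    $IPT -A INPUT -i "$pub" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$pub" -p udp --dport 4500 -j ACCEPT
    # Raw ESP for clients that are not behind NAT.
    $IPT -A INPUT -i "$pub" -p esp -j ACCEPT

    # L2TP (control and data) only when it arrived inside an IPsec SA ...
    $IPT -A INPUT -i "$pub" -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # ... anything else on 1701 is unprotected L2TP: drop it.
    $IPT -A INPUT -p udp --dport 1701 -j DROP

    # Forward VPN clients (ppp+ interfaces, pool addresses) out, replies back in.
    $IPT -A FORWARD -i ppp+ -s "$pool" -j ACCEPT
    $IPT -A FORWARD -o ppp+ -d "$pool" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source NAT on both egress interfaces, as in 2.2.11 and 2.2.12.
    $IPT -t nat -A POSTROUTING -s "$pool" -o "$pub" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$pool" -o "$priv" -j MASQUERADE
}

# rules_text PUBLIC_IF PRIVATE_IF POOL_CIDR: the rule set as text, nothing applied.
rules_text() { IPT=echo l2tp_firewall_rules "$@"; }

if [[ $# -eq 3 ]]; then
    l2tp_firewall_rules "$@"
else
    echo "usage: $0 PUBLIC_IF PRIVATE_IF POOL_CIDR   (IPT=echo for a dry run)" >&2
    echo "rules for eth1 eth0 192.168.1.0/24 would be:" >&2
    rules_text eth1 eth0 192.168.1.0/24
fi
```

Order matters: the ACCEPT with -m policy must precede the unconditional DROP on 1701, and both assume the server's INPUT chain does not already accept everything. After applying, ipsec verify should still report OK and a client that disables IPsec on its side should time out on L2TP rather than connect.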
2.3 Client connection (Windows)
Only the Windows procedure is described here; macOS and mobile clients work much the same way:
Create an L2TP/IPsec connection with the server address, the pre-shared key and the user name and password, then connect.
If Google and YouTube are unreachable while Facebook works, a common cause is a modified registry value. Check it and restore it:
1. Click Start, click Run, type regedit, and click OK.
2. Locate and click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
The value ProhibitIpSec must not be 1: either set it to 0 or delete it (it is absent by default). When it is 1, Windows brings up L2TP without its IPsec layer, so the tunnel and the CHAP exchange travel in clear text.