Setting up an L2TP VPN on CentOS


Reference: http://blog.csdn.net/kitvv/article/details/50696585

Previous article (setting up a PPTP VPN on CentOS): http://www.jb51.cc/article/p-uafjbyel-bbb.html

1 First check whether your host supports pptp; if the output ends with yes, the check passes.

modprobe ppp-compress-18 && echo yes
2 Check whether TUN is enabled (some virtual machine hosts need it turned on); if the output is cat: /dev/net/tun: File descriptor in bad state, the check passes.

cat /dev/net/tun

3 Update the system before installing

yum update -y
4 Install the EPEL repository (the official CentOS 7 repositories no longer carry xl2tpd)

yum install -y epel-release

5 Install xl2tpd and libreswan (openswan is no longer maintained)

yum install -y xl2tpd libreswan lsof

6 Edit the xl2tpd configuration file

vim /etc/xl2tpd/xl2tpd.conf

Change the contents to the following:

[global]
[lns default]
ip range = 192.168.1.100-192.168.1.150
local ip = 192.168.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

7 Edit the pppoptfile

vim /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
ms-dns  209.244.0.3
ms-dns  208.67.222.222
name xl2tpd
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
#noccp
auth
#crtscts   # enabling this causes an error on CentOS
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#lock   # enabling this causes an error on CentOS
proxyarp
connect-delay 5000
refuse-pap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log

8 Edit the ipsec configuration file (the defaults are fine)

vim /etc/ipsec.conf

config setup
        protostack=netkey
        dumpdir=/var/run/pluto/
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

include /etc/ipsec.d/*.conf

9 Edit the conn file pulled in by the include

vim /etc/ipsec.d/l2tp-ipsec.conf

conn L2TP-PSK-NAT
        rightsubnet=0.0.0.0/0
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear
        forceencaps=yes
        also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        # the internal IP of eth0 (as shown by ifconfig); client traffic is then NAT-forwarded
        left=172.31.19.114
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

10 Set the username and password

vim /etc/ppp/chap-secrets

Change the contents to:

vpnuser * pass *

Explanation:
username[space]server[space]password[space]assigned IP (* matches any)

11 Set the PSK

vim /etc/ipsec.d/default.secrets
: PSK "testvpn"
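
As an added example (not part of the original article), the following shell script audits the two credential files from steps 10 and 11: it checks that neither file is readable by group or others, that every chap-secrets entry has the four fields client, server, secret and IP, and that secrets and the PSK reach a minimum length. The sample files, the temporary directory and the minimum lengths are constructed for the demonstration; the article's PSK "testvpn" is short enough to be flagged.

```shell
#!/bin/sh
# Added example: audit L2TP/IPsec credential files (not from the original article).
# It works on copies in a temporary directory so it can run without touching /etc.

# Return 0 if FILE has no group/other permission bits (mode 600 or stricter).
check_mode() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        return 0
    fi
    echo "WARN: $1 is readable by group/others (expected mode 600)" >&2
    return 1
}

# Return 0 if every entry in a chap-secrets FILE has the four fields
# "client server secret ip" and a secret of at least MINLEN characters.
audit_chap_secrets() {
    file="$1"; minlen="${2:-12}"; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f                      # no globbing: '*' is a literal wildcard in this file
        set -- $line
        set +f
        if [ $# -ne 4 ]; then
            echo "WARN: $file:$n has $# fields, expected 4 (client server secret ip)" >&2
            bad=$((bad + 1)); continue
        fi
        secret=$3
        secret=${secret#\"}; secret=${secret%\"}   # drop surrounding quotes
        if [ ${#secret} -lt "$minlen" ]; then
            echo "WARN: $file:$n secret for '$1' is shorter than $minlen characters" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Return 0 if the PSK in FILE (a line like  : PSK "secret") has at least MINLEN characters.
check_psk() {
    psk=$(sed -n 's/^[^#]*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    if [ -z "$psk" ]; then
        echo "WARN: no PSK line found in $1" >&2; return 1
    fi
    if [ ${#psk} -lt "${2:-20}" ]; then
        echo "WARN: PSK in $1 is ${#psk} characters, want at least ${2:-20}" >&2; return 1
    fi
    return 0
}

# Write constructed sample files (made-up values for the demonstration) into a
# temporary directory and print its path.
make_samples() {
    d=$(mktemp -d)
    printf '# client server secret ip\nvpnuser * pass *\nalice * "correct-horse-battery" *\nbob *\n' > "$d/chap-secrets"
    printf 'alice * "correct-horse-battery" *\n' > "$d/chap-secrets.good"
    printf ': PSK "testvpn"\n' > "$d/default.secrets"
    printf ': PSK "constructed-psk-for-demo-0123456789abcdef"\n' > "$d/good.secrets"
    chmod 600 "$d/chap-secrets" "$d/chap-secrets.good" "$d/good.secrets"
    chmod 644 "$d/default.secrets"
    printf '%s\n' "$d"
}

# Stand-alone demonstration; each check is allowed to fail so every warning is shown.
dir=$(make_samples)
check_mode "$dir/chap-secrets" || true
check_mode "$dir/default.secrets" || true
audit_chap_secrets "$dir/chap-secrets" 12 || true
check_psk "$dir/default.secrets" 20 || true
rm -rf "$dir"
```

On a real server, point the three functions at /etc/ppp/chap-secrets and /etc/ipsec.d/default.secrets; the minimum lengths are policy choices, not values from the article.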
12 CentOS 7 firewall settings (use iptables on versions before 7)

firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

If you see

FirewallD is not running

start the firewall with the command below first, then rerun the commands above

systemctl start firewalld

iptables settings for CentOS versions before 7

# L2TP/IPsec needs IKE (udp 500), NAT-T (udp 4500), L2TP (udp 1701) and ESP
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# NAT the client address pool from step 6 out through eth0
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -p udp --dport 53 -j ACCEPT

13 IP_FORWARD settings

vim /etc/sysctl.d/60-sysctl_ipsec.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0

Load the new settings (they are also applied automatically after a reboot):

sysctl --system
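
Added here as an example (not from the original article): a small shell checker that parses a sysctl fragment like the one above and reports any required key that is missing or set to the wrong value, plus an optional live comparison against the running kernel. Only the interface-independent all/default keys are checked, since the per-interface entries depend on which interfaces exist on the host; the sample fragments are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): check a sysctl fragment such as
# /etc/sysctl.d/60-sysctl_ipsec.conf for the settings an L2TP/IPsec server needs.

# Required key=value pairs (the interface-independent subset of the article's file).
REQUIRED_SYSCTLS='
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.rp_filter=0
'

# Print the value FILE assigns to KEY (last assignment wins, as sysctl does);
# comments and surrounding whitespace are ignored, nothing is printed if absent.
sysctl_file_get() {
    awk -F= -v k="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val
        }
        END { if (v != "") print v }' "$1"
}

# Return 0 if FILE sets every required key to its expected value; otherwise
# print one line per missing or wrong key and return 1.
check_sysctl_file() {
    bad=0
    for pair in $REQUIRED_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sysctl_file_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING: $key (want $want)" >&2; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG:   $key = $have (want $want)" >&2; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Compare the same keys with the running kernel via sysctl -n (needs the
# sysctl binary and /proc/sys; not exercised offline). Return 0 if all match.
check_sysctl_live() {
    bad=0
    for pair in $REQUIRED_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sysctl -n "$key" 2>/dev/null) || have=""
        if [ "$have" != "$want" ]; then
            echo "LIVE MISMATCH: $key = ${have:-unset} (want $want)" >&2; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Write two constructed sample fragments to a temp dir and print its path:
# good.conf has everything, bad.conf disables forwarding and omits rp_filter.
make_sysctl_samples() {
    d=$(mktemp -d)
    printf '%s\n' $REQUIRED_SYSCTLS | sed 's/=/ = /' > "$d/good.conf"
    printf '# constructed sample\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_redirects = 0 # trailing comment\nnet.ipv4.conf.all.send_redirects=0\n' > "$d/bad.conf"
    printf '%s\n' "$d"
}

# Stand-alone demonstration.
dir=$(make_sysctl_samples)
check_sysctl_file "$dir/good.conf" && echo "good.conf: all required settings present"
check_sysctl_file "$dir/bad.conf" || echo "bad.conf: problems found"
rm -rf "$dir"
```

Run check_sysctl_file against /etc/sysctl.d/60-sysctl_ipsec.conf after editing it, and check_sysctl_live after sysctl --system, so a typo in the file is caught before ipsec verify complains about rp_filter or forwarding.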

14 Start and check ipsec

systemctl enable ipsec
systemctl restart ipsec
Check:
ipsec verify

Normal output:

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.13.2.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf Syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret Syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]
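
Added as an example (not from the original article): a shell function that turns ipsec verify output like the listing above into a scriptable pass/fail result, so the check can run from a deployment script instead of being read by eye. The sample output is constructed from the listing above, with the rp_filter line changed to a non-passing status ([ENABLED], the status libreswan shows when rp_filter is still on).

```shell
#!/bin/sh
# Added example (not from the original article): turn `ipsec verify` output
# into a scriptable pass/fail result.

# Read verify output on stdin, print the failing lines and a summary line
# "ok=N skipped=N failed=N", and return 0 only when nothing failed.
# [OK] passes; [N/A] and [DISABLED] are informational; any other bracketed
# status (for example [FAILED] or [ENABLED] on the rp_filter line) is a failure.
summarise_ipsec_verify() {
    awk '
        /\[[A-Z\/ -]+\]$/ {
            status = $0
            sub(/.*\[/, "", status); sub(/\].*/, "", status)
            if (status == "OK") ok++
            else if (status == "N/A" || status == "DISABLED") skipped++
            else { failed++; print "FAILED: " $0 }
        }
        END {
            printf "ok=%d skipped=%d failed=%d\n", ok, skipped, failed
            exit (failed > 0 ? 1 : 0)
        }'
}

# Constructed sample based on the article's listing, with the rp_filter line
# changed to [ENABLED] so that one check fails.
sample_verify_output() {
    cat <<'EOF'
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.13.2.el7.x86_64
Checking for IPsec support in kernel                    [OK]
Pluto ipsec.conf Syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Opportunistic Encryption                                [DISABLED]
EOF
}

# Run the real check on a server with libreswan installed (not exercised offline).
run_ipsec_verify_check() {
    ipsec verify 2>&1 | summarise_ipsec_verify
}

# Stand-alone demonstration on the constructed sample.
sample_verify_output | summarise_ipsec_verify || echo "verify reported failures"
```

The exit status makes the function usable as a gate in a provisioning script: run_ipsec_verify_check fails the build when, for example, rp_filter was left enabled or pluto is not listening on udp 500 and 4500.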

15 Start xl2tpd

systemctl enable xl2tpd
systemctl restart xl2tpd

Note: copying and pasting the configuration files above verbatim may introduce formatting problems and the like

For other problems, check the logs in /var/log/messages or /var/log/xl2tpd.log
