1. Install the assorted build dependencies
yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man policycoreutils
2. Install openswan, ppp and related packages
yum install openswan ppp xl2tpd
Note: if yum cannot find openswan or xl2tpd in its configured repositories, add a repository yourself, or download the sources with wget and build them as follows:
a. openswan
wget https://download.openswan.org/openswan/old/openswan-2.6/openswan-2.6.38.tar.gz
tar -zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install
b. xl2tpd
wget https://download.openswan.org/xl2tpd/xl2tpd-1.3.0.tar.gz
tar zxf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
make && make install
c. rp-l2tp (not needed if your xl2tpd is a recent version)
wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar -zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
3. Edit /etc/ipsec.conf so that it reads as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey    # if this reads auto, change it to netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=add

# the following was added for this setup
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=103.74.195.xx       # the server's public IP
    leftprotoport=17/1701    # service port
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
4. Configure packet forwarding and related kernel settings by editing /etc/sysctl.conf to read as follows:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding (changed from 0 to 1)
net.ipv4.ip_forward = 1

# Controls source route verification (changed from 1 to 0)
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# the following was added for this setup
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Run the following command to apply the configuration:
sysctl -p
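As an added check that is not part of the original guide, this POSIX shell script reads a sysctl.conf-style file and reports every setting from step 4 that is missing or wrong (the redirect and rp_filter values are also what ipsec verify inspects in step 8). The sample file it writes is constructed for illustration, and the function names are my own.

```shell
# Added example, not from the guide: report the step 4 settings that a
# sysctl.conf-style file is missing or has wrong (real use: /etc/sysctl.conf).
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0"

# sysctl_file_value FILE KEY: print KEY's effective value in FILE (nothing if
# absent). As with 'sysctl -p', the last assignment wins and '#'-commented
# lines are ignored; only the first token of the value is compared.
sysctl_file_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n 's/^[[:space:]]*'"$key_re"'[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
        tail -n 1
}

# check_sysctl_file FILE: one line per missing or wrong key; returns 1 if any.
check_sysctl_file() {
    rc=0
    for pair in $REQUIRED_SYSCTL; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sysctl_file_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key = $have (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: forwarding is on, but rp_filter is still at the CentOS
# default and one of the added lines was left commented out.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0
EOF
}
SAMPLE=${TMPDIR:-/tmp}/sysctl-sample.$$
write_sample_sysctl "$SAMPLE"
check_sysctl_file "$SAMPLE" || echo "fix /etc/sysctl.conf before running sysctl -p"
rm -f "$SAMPLE"
```

After sysctl -p has been run, the same expected values can be compared against the live kernel with sysctl -n for each key.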
5. Configure the L2TP network parameters by editing /etc/xl2tpd/xl2tpd.conf to read as follows:
[global]
ipsec saref = yes
; public IP
listen-addr = 103.74.195.xx

[lns default]
; address range handed out to L2TP clients on the internal network
ip range = 192.168.1.2-192.168.1.100
; the server's own address on the L2TP internal network
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Edit /etc/ppp/options.xl2tpd to read as follows:
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
require-mschap-v2
6. Configure the client pre-shared key by editing /etc/ipsec.secrets to read as follows:
include /etc/ipsec.d/*.secrets
103.74.195.xx %any: PSK "password"
Here password is the pre-shared key; it is only a placeholder, so replace it with a long random secret of your own.
7. Configure the client username and password by editing /etc/ppp/chap-secrets to read as follows:
dancen l2tpd password *
Here dancen is the username and password is the password (the columns are client, server, secret and allowed IP addresses).
8. Verify that IPsec is running
ipsec restart
ipsec verify
If the output looks like the following, it is running normally:
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-504.12.2.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf Syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret Syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]
9. Modify the firewall configuration:
Allow the L2TP network out to the internet by adding NAT rules to iptables:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE   # eth1 is the public interface
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE   # eth0 is the private interface
Open UDP ports 1701, 500 and 4500 and allow forwarding for the L2TP internal network by adding rules to the filter table:
iptables -t filter -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
Then run
service iptables save
or
iptables-save > /etc/sysconfig/iptables
to save the firewall configuration, and run
service iptables restart
to restart the firewall.
Alternatively, edit the firewall configuration file /etc/sysconfig/iptables directly so that it reads as follows:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
10. Restart xl2tpd
service xl2tpd restart
If xl2tpd has not been set up as a service, just run xl2tpd directly.
11. Enable the services at boot (xl2tpd must be set up as a service for this):
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on