Deploying L2TP over IPSec on CentOS 6.5


I. Environment:

  1. CentOS 6.5 (two NICs are required if the box is also to act as a software router; a single NIC is enough for a pure VPN server)

    a. External IP: 192.168.0.133/24    b. Internal IP: 10.10.10.1/8

  2. One Windows 10 host on the internal network, used to test the software-router function;

    a. Internal IP: 10.10.10.10/8

II. Network tests before starting:

  1. On CentOS 6.5 (hereafter VPN-Server):

    a. Check that the external network is reachable:

# ping www.baidu.com

    b. Check the internal network:

# ping 10.10.10.10

  2. On Windows 10 (hereafter Client):

    a. Check that VPN-Server is reachable:

# ping 10.10.10.1

    b. Check Internet access (it should not work yet; nothing routes for the client until the server is set up):

# ping www.baidu.com

III. Installation and deployment:

  All of the following is done on VPN-Server:

  1. Install the EPEL repository:

    # cd /etc/yum.repos.d/
    # wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
    # yum -y install epel-release

    The mirror's repo file is fetched over plain HTTP; check that it keeps gpgcheck=1 so yum still verifies the package signatures it installs.

  2. Install the required packages (openswan, ppp, xl2tpd):

    openswan: the IKE daemon (pluto) that negotiates the IPsec SA protecting the L2TP traffic

    ppp: pppd, which authenticates the user (MS-CHAPv2 here) and assigns the client its address

    xl2tpd: the L2TP server that terminates the tunnel and hands each session to pppd

# yum -y install openswan ppp xl2tpd

  3. Edit the IPsec configuration

# cd /etc/ipsec.d/
# ls ./*.conf | xargs -I{} mv {} {}.bak
# vim L2TP.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.133
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

  Notes: the stock /etc/ipsec.conf on CentOS 6 ends with include /etc/ipsec.d/*.conf, which is why a file dropped here is picked up. The L2TP-PSK-NAT conn pulls in the noNAT settings through also= and is the one that matches clients behind NAT: vhost:%priv refers to the private ranges listed under virtual_private in the config setup section of /etc/ipsec.conf, and nat_traversal=yes must be set there for it to work. authby=secret selects pre-shared-key authentication, so the PSK in the next step is shared by every client. pfs=no and type=transport are what the built-in Windows L2TP/IPsec client expects.

  

  4. Configure the IPsec pre-shared key:

# vim /etc/ipsec.d/L2TP.secrets

192.168.0.133 %any: PSK "YourPsk"

  Note: the IP is your server's external IP; replace "YourPsk" with the key you want. Because of %any the same PSK is used by every client and it is the only thing authenticating the IKE exchange, so make it long and random and keep the file mode 600. The stock /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets, which is how this file gets loaded.


  5. Enable forwarding:

# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# sysctl -p

  ip_forward=1 is what turns the box into a router for the VPN clients. The send_redirects/accept_redirects lines are required by openswan's NETKEY stack (ipsec verify checks them in the next step), and rp_filter=0 relaxes reverse-path filtering, which can otherwise drop packets once the box routes between several networks.


  6. Check that IPsec is running

# service ipsec start
# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]

  Note: as long as no line says [Failed] you are fine; [N/A] and [DISABLED] are expected here. The two failures below are the ones that usually come up.

  

Error 1:

Starting pluto IKE daemon for IPsec: Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password

certutil - Utility to manipulate NSS certificate databases

Usage: certutil <command> -d <database-directory> <options>

Valid commands:
    -A      Add a certificate to the database (create if needed)
    -B      Run a series of certutil commands from a batch file
    -E      Add an Email certificate to the database (create if needed)
    -C      Create a new binary certificate from a BINARY cert request
    -G      Generate a new key pair
    -D      Delete a certificate from the database
    -F      Delete a key from the database
    -U      List all modules
    -K      List all private keys
    -L      List all certs, or print out a single named cert
    -M      Modify trust attributes of certificate
    -N      Create a new certificate database
    -T      Reset the Key database or token
    -O      Print the chain of a certificate
    -R      Generate a certificate request (stdout)
    -V      Validate a certificate
    -W      Change the key database password
    --upgrade-merge Upgrade an old database and merge it into a new one
    --merge Merge source database into the target database
    -S      Make a certificate and add to database

    certutil -H <command>: Print available options for the given command
    certutil -H          : Print complete help output of all commands and options
    certutil --syntax    : Print a short summary of all commands and options
Failed to initialize nss database sql:/etc/ipsec.d
. Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
(the certutil usage text above is printed a second time)
Failed to initialize nss database sql:/etc/ipsec.d
....                                                       [Failed]

Solution

pluto keeps its certificates and keys in an NSS database under /etc/ipsec.d; on this system none existed yet, so initialization fails until one is created:

# certutil -N -d /etc/ipsec.d
# ipsec newhostkey --configdir /etc/ipsec.d/ --output /etc/ipsec.d/keys.secrets --bits 2192

  certutil -N prompts for a database password; leave it empty unless you also configure pluto to supply one (see man pluto). The newhostkey step generates an RSA host key, which is only used for RSA authentication; with the PSK setup in this article it is optional.


Error 2:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          [Failed]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [Failed]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]

Solution

# vim /etc/sysctl.conf

Add the following anywhere in the file:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# sysctl -p

# ipsec verify

  The warning is not cosmetic: with NETKEY, tunnel traffic is routed back out of the interface it arrived on, and with redirects enabled the kernel would send (or honour) ICMP redirects for that traffic. If ipsec verify still fails after sysctl -p, look at the per-interface files it names (/proc/sys/net/ipv4/conf/eth0/send_redirects and so on): sysctl.conf only sets the all and default entries, default only applies to interfaces created afterwards, and the kernel combines all with each interface's own value.
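The script below is an added example and is not part of the original article. It does what ipsec verify does (read every /proc/sys/net/ipv4/conf/*/send_redirects and accept_redirects file) and then writes 0 into each one, including interfaces that were already up when sysctl -p ran. CONF_ROOT is an assumed variable: it defaults to the real sysctl tree and can be pointed at a copy of it for testing.

```shell
#!/bin/sh
# Added example, not from the original article. CONF_ROOT is an assumed
# variable: it defaults to the real sysctl tree and can be pointed at a copy
# of it for testing.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print "<iface> <key>" for every per-interface redirect setting that is still
# enabled (this is what ipsec verify looks at, file by file). Returns 1 if any.
audit_redirects() {
    bad=0
    for d in "$CONF_ROOT"/*; do
        [ -d "$d" ] || continue
        for key in send_redirects accept_redirects; do
            f="$d/$key"
            [ -r "$f" ] || continue
            if [ "$(cat "$f")" != "0" ]; then
                echo "$(basename "$d") $key"
                bad=1
            fi
        done
    done
    return $bad
}

# Disable both settings on every interface, including ones that already
# existed when sysctl -p ran. Needs root on a live system.
fix_redirects() {
    for d in "$CONF_ROOT"/*; do
        [ -d "$d" ] || continue
        for key in send_redirects accept_redirects; do
            if [ -w "$d/$key" ]; then
                echo 0 > "$d/$key"
            fi
        done
    done
}
```

On VPN-Server run audit_redirects first; anything it prints is exactly what ipsec verify will complain about. fix_redirects only changes the running kernel, so keep the sysctl.conf lines above as well so the setting survives a reboot.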

  

  7. Edit /etc/xl2tpd/xl2tpd.conf

# vim /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
listen-addr = 192.168.0.133

[lns default]
ip range = 10.10.10.100-10.10.10.200
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

  ip range is the pool handed to VPN clients (inside the internal /8, so they reach the LAN directly) and local ip is the server end of each PPP link. refuse chap and refuse pap, together with require-mschap-v2 in the pppd options, leave MS-CHAPv2 as the only accepted authentication. ipsec verify reported SAref kernel support as [N/A] above, so ipsec saref = yes cannot take effect on this kernel; if xl2tpd complains about it at start-up, set it to no.

  8. Edit /etc/ppp/options.xl2tpd

# vim /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 223.5.5.5
ms-dns 114.114.114.114
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

  require-mschap-v2 makes pppd insist on MS-CHAPv2; ms-dns pushes the DNS servers to the client; name l2tpd is the server name pppd looks up in chap-secrets; hide-password keeps the password out of the debug log; proxyarp lets the LAN reach the clients' pool addresses; the lcp-echo settings tear down a dead tunnel after 4 missed echoes (about two minutes).


  9. Edit /etc/ppp/chap-secrets (this file holds the VPN usernames and passwords)

# vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client    server  secret  IP addresses
admin       *       admin   *

  admin / admin is only a placeholder: use a real username and a long random password, because with MS-CHAPv2 the password is all that protects the account. The secrets are stored in clear, so the file must be owned by root with mode 600. The server column may be * or the name set by name l2tpd in options.xl2tpd; the last column restricts the address a client may ask for, * meaning any address from the pool.


  10. Start the services:

# service xl2tpd start
# service ipsec start

  

  11. iptables changes

# iptables -A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 1701 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 4500 -j ACCEPT
# iptables -I INPUT -p esp -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart

  What each rule is for: udp/500 is IKE, udp/4500 is NAT-T (UDP-encapsulated ESP, used by every client behind a NAT), udp/1701 is L2TP itself, and ESP carries the tunnel for clients that are not behind NAT. The original command list had the udp/500 line twice and no 4500 rule; that is corrected above, and the saved rule set below does contain the 4500 rule. The TCPMSS rule clamps the MSS of SYN packets from the VPN pool so TCP sessions are not broken by the L2TP/IPsec overhead. The SNAT rule masquerades everything from 10.0.0.0/8 behind the external IP; this also covers the 10.10.10.x LAN, which is intentional for the software-router use case. Note that the 1701 rule accepts L2TP from any source, encrypted or not; on an Internet-facing server add -m policy --dir in --pol ipsec to that rule so xl2tpd only ever sees packets that arrived inside an IPsec SA.


  The rule set after the changes, as saved:

# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [12:720]
:OUTPUT ACCEPT [25:2380]
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
COMMIT
# Completed on Tue Jan 19 06:18:56 2016
# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*nat
:PREROUTING ACCEPT [55:8845]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
COMMIT
# Completed on Tue Jan 19 06:18:56 2016


  That completes the deployment of VPN-Server. Check on the Client that it can now reach the Internet through the server, then dial in from another network to confirm the VPN connects. Good luck!
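Putting the pieces together: the script below is an added example, not code from the original article. It replaces the two placeholder secrets from steps 4 and 9 with random ones (the PSK in L2TP.secrets, and a real username and password instead of admin/admin), writes both files with mode 600 because they hold secrets in clear, and checks an iptables-save dump for the four INPUT rules that L2TP/IPsec needs, which is how the duplicated udp/500 line in step 11 would have been caught. ROOT (a prefix for the file paths, empty on a real server), SERVER_IP and VPN_USER are assumed variables.

```shell
#!/bin/sh
# Added example, not from the original article.
# ROOT is an assumed prefix so the files can be rendered somewhere other than /
# (for testing); SERVER_IP and VPN_USER are assumed as well.
ROOT="${ROOT:-}"
SERVER_IP="${SERVER_IP:-192.168.0.133}"
VPN_USER="${VPN_USER:-vpnuser}"

# 32 bytes from /dev/urandom as 64 hex characters: usable as a PSK or CHAP secret.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# /etc/ipsec.d/L2TP.secrets with a random PSK instead of "YourPsk".
# Prints the PSK so it can be handed to the clients.
write_ipsec_secrets() {
    psk=$(gen_secret)
    f="$ROOT/etc/ipsec.d/L2TP.secrets"
    mkdir -p "$(dirname "$f")"
    umask 077                                   # never create it world-readable
    printf '%s %%any: PSK "%s"\n' "$SERVER_IP" "$psk" > "$f"
    chmod 600 "$f"
    echo "$psk"
}

# /etc/ppp/chap-secrets with a random password instead of admin/admin.
# The server column is l2tpd to match "name l2tpd" in options.xl2tpd.
write_chap_secrets() {
    pw=$(gen_secret)
    f="$ROOT/etc/ppp/chap-secrets"
    mkdir -p "$(dirname "$f")"
    umask 077
    printf '# client\tserver\tsecret\tIP addresses\n' > "$f"
    printf '%s\tl2tpd\t"%s"\t*\n' "$VPN_USER" "$pw" >> "$f"
    chmod 600 "$f"
    echo "$pw"
}

# Read an iptables-save dump on stdin and report which of the INPUT accepts
# needed by IKE (udp/500), NAT-T (udp/4500), L2TP (udp/1701) and ESP are
# missing. Returns 1 if any is missing.
check_l2tp_rules() {
    rules=$(cat)
    missing=0
    for port in 500 4500 1701; do
        echo "$rules" | grep -q "^-A INPUT .*-p udp .*--dport $port .*-j ACCEPT" \
            || { echo "missing: udp/$port"; missing=1; }
    done
    echo "$rules" | grep -q "^-A INPUT -p esp -j ACCEPT" \
        || { echo "missing: esp"; missing=1; }
    return $missing
}
```

Run the write_ functions as root on VPN-Server with ROOT unset; the PSK they print goes into each client's IPsec settings and the password into its dial-up profile. After step 11, `iptables-save | check_l2tp_rules` should print nothing and exit 0; with the original command list (udp/500 twice, no 4500) it prints "missing: udp/4500", which is exactly the rule every client behind a NAT depends on.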


If you have questions, reply below this post.


Related link: www.cnblogs.com/zlyang/p/6073488.html

Original link: https://www.f2er.com/centos/379873.html
