一、环境介绍:
1、CentOS 6.5 (要求双网卡做软路由,如果只是做VPN可以单网卡)
a、外网IP:192.168.0.133/24 b、内网IP:10.10.10.1/8
2、Window 10 主机一台做为一台内网测试软路由使用;
a、内网IP:10.10.10.10/8
二、开始前的网络测试:
1、CentOS 6.5(以下简称VPN-Server)测试:
a、测试外网网络是否联通;
#pingwww.baidu.com
b、测试内网网络:
#ping10.10.10.10
2、Windows 10 (以下简称Client)测试:
a、测试是否可以联通VPN-Server:
#ping10.10.10.1
b、测试是否可以上网(现在不能上网):
#pingwww.baidu.com
三、开始安装部署:
以下操作在VPN-Server上操作:
1、安装epel源:
#cd/etc/yum.repos.d/ #wgethttp://mirrors.163.com/.help/CentOS6-Base-163.repo #yum-yinstallepel-release
2、安装必须的软件(openswan、ppp、xl2tpd);
openswan:提供IPSec加密
ppp:提供密码认证
xl2tpd:提供VPN服务
#yum-yinstallopenswanpppxl2tpd
#cd/etc/ipsec.d/ #ls./*.conf|xargs-I{}mv{}{}.bak #vimL2TP.conf connL2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT connL2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=192.168.0.133 leftprotoport=17/1701 right=%any rightprotoport=17/%any
4、配置ipsec的密钥:
#vim/etc/ipsec.d/L2TP.secrets 192.168.0.133%any:PSK"YourPsk"
注:IP为你的服务器外网IP,“YourPsk”修改为你想要的密钥
5、修改Forward转发:
#vim/etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 net.ipv4.conf.all.log_martians=0 net.ipv4.conf.default.log_martians=0 net.ipv4.conf.default.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.icmp_ignore_bogus_error_responses=1 #sysctl-p
6、验证ipsec的运行状态
#serviceipsecstart #ipsecverify CheckingyoursystemtoseeifIPsecgotinstalledandstartedcorrectly: Versioncheckandipsecon-path[OK] LinuxOpenswanU2.6.32/K2.6.32-431.el6.x86_64(netkey) CheckingforIPsecsupportinkernel[OK] SArefkernelsupport[N/A] NETKEY:TestingfordisabledICMPsend_redirects[OK] NETKEYdetected,testingfordisabledICMPaccept_redirects[OK] Checkingthatplutoisrunning[OK] PlutolisteningforIKEonudp500[OK] PlutolisteningforNAT-Tonudp4500[OK] Checkingfor'ip'command[OK] Checking/bin/shisnot/bin/dash[OK] Checkingfor'iptables'command[OK] OpportunisticEncryptionSupport[DISABLED]
注:只要没有Faild就可以了
一、错误信息:
StartingplutoIKEdaemonforIPsec:InitializingNSSdatabase See'manpluto'ifyouwanttoprotecttheNSSdatabasewithapassword certutil-UtilitytomanipulateNSScertificatedatabases Usage:certutil<command>-d<database-directory><options> Validcommands: -AAddacertificatetothedatabase(createifneeded) -BRunaseriesofcertutilcommandsfromabatchfile -EAddanEmailcertificatetothedatabase(createifneeded) -CCreateanewbinarycertificatefromaBINARYcertrequest -GGenerateanewkeypair -DDeleteacertificatefromthedatabase -FDeleteakeyfromthedatabase -UListallmodules -KListallprivatekeys -LListallcerts,orprintoutasinglenamedcert -MModifytrustattributesofcertificate -NCreateanewcertificatedatabase -TResettheKeydatabaSEOrtoken -OPrintthechainofacertificate -RGenerateacertificaterequest(stdout) -VValidateacertificate -WChangethekeydatabasepassword --upgrade-mergeUpgradeanolddatabaseandmergeitintoanewone --mergeMergesourcedatabaseintothetargetdatabase -SMakeacertificateandaddtodatabase certutil-H<command>:Printavailableoptionsforthegivencommand certutil-H:Printcompletehelpoutputofallcommandsandoptions certutil--@R_404_156@:Printashortsummaryofallcommandsandoptions Failedtoinitializenssdatabasesql:/etc/ipsec.d .InitializingNSSdatabase See'manpluto'ifyouwanttoprotecttheNSSdatabasewithapassword certutil-UtilitytomanipulateNSScertificatedatabases Usage:certutil<command>-d<database-directory><options> Validcommands: -AAddacertificatetothedatabase(createifneeded) -BRunaseriesofcertutilcommandsfromabatchfile -EAddanEmailcertificatetothedatabase(createifneeded) -CCreateanewbinarycertificatefromaBINARYcertrequest -GGenerateanewkeypair -DDeleteacertificatefromthedatabase -FDeleteakeyfromthedatabase -UListallmodules -KListallprivatekeys -LListallcerts,orprintoutasinglenamedcert -MModifytrustattributesofcertificate -NCreateanewcertificatedatabase -TResettheKeydatabaSEOrtoken -OPrintthechainofacertificate -RGenerateacertificaterequest(stdout) -VValidateacertificate -WChangethekeydatabasepassword --upgrade-mergeUpgradeanolddatabaseandmergeitintoanewone --mergeMergesourcedatabaseintothetargetdatabase -SMakeacertificateandaddtodatabase certutil-H<command>:Printavailableoptionsforthegivencommand certutil-H:Printcompletehelpoutputofallcommandsandoptions certutil--@R_404_156@:Printashortsummaryofallcommandsandoptions Failedtoinitializenssdatabasesql:/etc/ipsec.d ....[Failed]
解决方法:
#certutil-N-d/etc/ipsec.d #ipsecnewhostkey--configdir/etc/ipsec.d/--output/etc/ipsec.d/keys.secrets--bits2192
二、错误信息:
CheckingyoursystemtoseeifIPsecgotinstalledandstartedcorrectly: Versioncheckandipsecon-path [OK] LinuxOpenswanU2.6.32/K2.6.32-431.el6.x86_64(netkey) CheckingforIPsecsupportinkernel [OK] SArefkernelsupport [N/A] NETKEY:TestingfordisabledICMPsend_redirects [Failed] Pleasedisable/proc/sys/net/ipv4/conf/*/send_redirects orNETKEYwillcausethesendingofbogusICMPredirects! NETKEYdetected,testingfordisabledICMPaccept_redirects [Failed] Pleasedisable/proc/sys/net/ipv4/conf/*/accept_redirects orNETKEYwillacceptbogusICMPredirects! Checkingthatplutoisrunning [OK] PlutolisteningforIKEonudp500 [OK] PlutolisteningforNAT-Tonudp4500 [OK] Checkingfor'ip'command [OK] Checking/bin/shisnot/bin/dash [OK] Checkingfor'iptables'command [OK] OpportunisticEncryptionSupport [DISABLED]
解决方法:
#vim/etc/sysctl.conf 在任意位置添加以下: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 #sysctl-p #ipsecverify
7、编辑/etc/xl2tpd/xl2tpd.conf
#vim/etc/xl2tpd/xl2tpd.conf [global] ipsecsaref=yes listen-addr=192.168.0.133 [lnsdefault] iprange=10.10.10.100-10.10.10.200 localip=10.10.10.1 refusechap=yes refusepap=yes requireauthentication=yes pppdebug=yes pppoptfile=/etc/ppp/options.xl2tpd lengthbit=y
8、编辑/etc/ppp/options.xl2tpd
#vim/etc/ppp/options.xl2tpd require-mschap-v2 ms-dns223.5.5.5 ms-dns114.114.114.114 asyncmap0 auth crtscts lock hide-password modem debug namel2tpd proxyarp lcp-echo-interval30 lcp-echo-failure4
9、编辑 /etc/ppp/chap-secrets (此配置文件是设置VPN的用户名,密码)
#vim/etc/ppp/chap-secrets #SecretsforauthenticationusingCHAP #clientserver secretIPaddresses admin*admin*
10、启动相应的服务:
#servicexl2tpdstart #serviceipsecstart
11、iptables修改:
#iptables-AFORWARD-s10.0.0.0/8-ptcp-mtcp--tcp-flagsFIN,SYN,RST,ACKSYN-jTCPMSS--set-mss1356 #iptables-tnat-APOSTROUTING-s10.0.0.0/8-jSNAT--to-source192.168.0.133 #iptables-IINPUT-pudp-mudp-mstate--stateNEW--dport1701-jACCEPT #iptables-IINPUT-pudp-mudp-mstate--stateNEW--dport500-jACCEPT #iptables-IINPUT-pudp-mudp-mstate--stateNEW--dport500-jACCEPT #iptables-IINPUT-pesp-jACCEPT #/etc/init.d/iptablessave #/etc/init.d/iptablesrestart
修改后的iptables 例子:
#Generatedbyiptables-savev1.4.7onTueJan1906:18:562016*filter :INPUTACCEPT[0:0] :FORWARDACCEPT[12:720] :OUTPUTACCEPT[25:2380]-AINPUT-pesp-jACCEPT -AINPUT-mstate--stateRELATED,ESTABLISHED-jACCEPT -AINPUT-pudp-mudp--dport1701-mstate--stateNEW-jACCEPT -AINPUT-pudp-mudp--dport4500-mstate--stateNEW-jACCEPT -AINPUT-pudp-mudp--dport500-mstate--stateNEW-jACCEPT -AINPUT-picmp-jACCEPT -AINPUT-ilo-jACCEPT -AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-jACCEPT -AINPUT-jREJECT--reject-withicmp-host-prohibited -AFORWARD-s10.0.0.0/8-ptcp-mtcp--tcp-flagsFIN,ACKSYN-jTCPMSS--set-mss1356COMMIT #CompletedonTueJan1906:18:562016 #Generatedbyiptables-savev1.4.7onTueJan1906:18:562016*nat :PREROUTINGACCEPT[55:8845] :POSTROUTINGACCEPT[1:108] :OUTPUTACCEPT[1:108] -APOSTROUTING-s10.0.0.0/8-jSNAT--to-source192.168.0.133COMMIT #CompletedonTueJan1906:18:562016
到此VPN-Server的部署已经全部完成;可以在Client机器上测试是否可以上网,然后在其它要中拨号试下是否成功!祝大家成功!
如有问题可以直接在本文下方回复。