安装软件:
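# Install the IPsec/L2TP stack on CentOS 7. xl2tpd comes from EPEL, so the
# second install only makes sense if enabling EPEL succeeded — chain them
# instead of running the package install regardless.
# NOTE(review): the `ipsec verify` transcript further down reports
# "Libreswan 3.8", so on this EL7 host the "openswan" name resolved to the
# libreswan package; if yum no longer knows "openswan", install "libreswan".
yum install epel-release && yum install openswan xl2tpd ppp lsof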
1./etc/ipsec.conf
# /etc/ipsec.conf — Libreswan/Openswan configuration for an L2TP/IPsec
# road-warrior server (IKEv1, pre-shared key, transport mode).
config setup
    protostack=netkey
    # dumpdir= and nat_traversal= are accepted by Libreswan 3.8 (the verify
    # output reports "obsolete ipsec.conf options [OK]"); later releases
    # ignore or reject them — presumably safe to drop there, confirm.
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    # Address ranges a NAT'd client may present as its inner address.
    # NOTE(review): if this server's own LAN falls inside one of these
    # ranges it should be excluded (e.g. ",%v4:!10.0.10.0/24"), otherwise
    # clients appearing from that range cannot be told apart from the LAN.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# Variant for clients behind NAT: the peer's inner address is a virtual host
# taken from virtual_private above; everything else is inherited via also=.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # One PSK shared by every client (right=%any) — see ipsec.d/*.secrets.
    authby=secret
    # pfs=no keeps the built-in Windows/macOS L2TP clients working but means
    # a compromised PSK/phase-1 key exposes earlier phase-2 sessions; leave
    # it only for compatibility, not by choice.
    pfs=no
    auto=add
    keyingtries=3
    # Dead-peer detection: probe every 30 s, give up after 120 s, then
    # clear the SA so a reconnecting client is not blocked by a stale one.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Let the client drive rekeying.
    rekey=no
    ikelifetime=8h
    keylife=1h
    # NOTE(review): no ike=/phase2alg= is set, so the Libreswan 3.8 defaults
    # are negotiated — those may still include 3DES/SHA1/MODP1024; pin the
    # proposals explicitly once the client population is known. TODO confirm.
    type=transport
    # Public IP of this server.
    left=xxx.xxx.xxx.xxx
    # Protect only L2TP (UDP 1701) on our side; any source port on the client.
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
2./etc/ipsec.d/my.secrets #密钥
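# Pre-shared key for the L2TP/IPsec server (left IP) accepted from any peer.
# Because of %any this single PSK is a group password: anyone who holds it
# can complete IKE phase 1 with this server, and can also impersonate the
# server to other clients. The original value ("fucktest") is trivially
# guessable; generate a long random one, e.g.
#     openssl rand -base64 32
# and keep this file owned by root with mode 0600 (it is read by pluto only).
xxx.xxx.xxx.xxx %any: PSK "REPLACE_WITH_LONG_RANDOM_PSK"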
3./etc/sysctl.conf #转发
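# Route traffic between VPN clients and the outside world.
net.ipv4.ip_forward = 1

# NETKEY needs ICMP redirects disabled, otherwise `ipsec verify` fails and
# the kernel can emit bogus redirects for tunnelled traffic (FAQ item 2
# below). The kernel ORs conf/all with the per-interface value for
# send_redirects, so setting only "default"/"eth0" is not enough — the
# /proc echo workaround in the FAQ sets "all" too; persist that here.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

# Reverse-path filtering has to be off for NETKEY transport mode. This is a
# deliberate loss of anti-spoofing on the interface, so compensate with
# explicit iptables rules on the public side. The kernel applies
# max(conf/all, conf/<if>) — if EL7's default all.rp_filter=1 is in effect,
# "all" must be 0 as well for eth0 to be exempt.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
# Replace eth0 with the interface that carries the public address (the NAT
# example further down uses eth1).
net.ipv4.conf.eth0.rp_filter = 0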
# Apply the settings from /etc/sysctl.conf to the running kernel (that file
# is sysctl -p's default; spelled out so the target is unambiguous).
sysctl -p /etc/sysctl.conf
4.启动 ipsec 服务(`service ipsec start`),然后执行 `ipsec verify` 检查状态。正常输出如下(注意输出中报告的是 Libreswan 而非 Openswan):
[root@server ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.8 (netkey) on 3.10.0-123.9.3.el7.x86_64
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects [OK]
         ICMP default/accept_redirects [OK]
         XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
5./etc/xl2tpd/xl2tpd.conf #xl2tpd配置
; /etc/xl2tpd/xl2tpd.conf — L2TP daemon configuration.
; Comments in this file start with ';' (not '#'). They are kept on their own
; lines here; NOTE(review): not certain xl2tpd strips a trailing ';' comment
; from a value line, so avoid inline comments.
[global]
; NOTE(review): "ipsec saref" needs an SAref-patched kernel; with the stock
; EL7 kernel and NETKEY (ipsec.conf) it is expected to be a no-op with a
; warning — set it to "no" unless such a kernel is in use. TODO confirm.
ipsec saref = yes
; Public IP of this host. xl2tpd itself does no encryption: UDP 1701 on this
; address must only be reachable through IPsec (firewall it accordingly).
listen-addr = xxx.xxx.xxx.xxx
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
; force userspace = yes
;
; debug tunnel = yes

[lns default]
; Address pool handed out to VPN clients (10.0.10.0/24).
ip range = 10.0.10.2-10.0.10.100
; Server-side address of the PPP link.
local ip = 10.0.10.1
; Refuse PAP and plain CHAP so only the MS-CHAPv2 required in
; options.xl2tpd is negotiated; authentication is mandatory.
refuse chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
; Verbose PPP logging — handy during setup, but it writes per-session
; detail to the logs; turn off once the server works.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
6./etc/ppp/options.xl2tpd
# /etc/ppp/options.xl2tpd — pppd options for L2TP sessions.
# Local name; the "server" column of /etc/ppp/chap-secrets is matched
# against it when authenticating a client.
name l2tpd
# Only MS-CHAPv2 is accepted (PAP/CHAP are refused in xl2tpd.conf).
# MS-CHAPv2 on its own is breakable offline, so it is only acceptable
# because the whole L2TP session runs inside the IPsec tunnel.
require-mschap-v2
# Resolvers pushed to clients (Google public DNS): client lookups leave
# the organisation — switch to internal resolvers if that matters.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
ipcp-accept-local
ipcp-accept-remote
#ms-dns 8.8.8.8
# Disable CCP (compression) negotiation.
noccp
# Require the peer to authenticate.
auth
# Serial flow control; presumably no effect on an L2TP pseudo-tty.
crtscts
# Tear down a session idle for 1800 s.
idle 1800
# Leave room for PPP+L2TP+UDP+IPsec overhead inside a 1500-byte path.
mtu 1410
mru 1410
nodefaultroute
# Verbose logging; disable in production.
debug
lock
proxyarp
connect-delay 5000
7./etc/ppp/chap-secrets #设置拨号用户名密码
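# Secrets for authentication using CHAP
# client        server  secret          IP addresses
#
# "server" is matched against the `name l2tpd` set in options.xl2tpd; the
# original `*` would also let this credential be used for any other pppd
# server name on the box, so it is pinned to l2tpd.
# CHAP needs the cleartext password on disk: keep this file root:root 0600.
# Replace the placeholders below — one line per user, with a long random
# password; this is the only secret protecting the PPP login once the
# shared IPsec PSK is known to all clients.
username        l2tpd   userpass        *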
# Start the L2TP daemon (on EL7 `service` is forwarded to systemctl). The
# ipsec service from step 4 must already be running: xl2tpd listens on UDP
# 1701 in the clear and relies on IPsec plus the firewall to keep raw L2TP out.
service xl2tpd start
——————————————————————————————————————–
常见问题
1.拨入后无法上网。
增加 iptables NAT 规则(并确认 sysctl 中的 net.ipv4.ip_forward=1 已生效)。如下
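# NAT the VPN client pool out of the public interface. The rule is limited
# to the pool instead of masquerading everything that leaves the host.
# The pool is the "ip range" from xl2tpd.conf (10.0.10.2-10.0.10.100), so
# the subnet is 10.0.10.0/24 — the 10.254.251.0/24 originally given here is
# not used anywhere else in this setup and would never match.
# eth1 here vs eth0 in sysctl.conf: use whichever interface really carries
# the public address.
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth1 -j MASQUERADE
# Clamp TCP MSS for VPN clients so the 1410-byte PPP MTU (options.xl2tpd)
# plus tunnel overhead does not force fragmentation.
iptables -A FORWARD -s 10.0.10.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
# If the FORWARD chain's policy is DROP (e.g. firewalld defaults), explicit
# ACCEPT rules for the pool in both directions are needed as well.
# Hardening worth adding: only accept L2TP (UDP 1701) that arrived inside
# IPsec, so nobody can open an unencrypted L2TP session against xl2tpd:
#   iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
#   iptables -A INPUT -p udp --dport 1701 -j DROP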
2.ipsec verify 时出现以下错误(原因是内核仍在发送/接受 ICMP 重定向,NETKEY 要求在所有接口上关闭)
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects! [FAILED]
You need to disable send and accept:
# Disable sending and accepting ICMP redirects on every interface NETKEY
# touches (all, default, eth0, lo) — `ipsec verify` fails otherwise.
# Writing to /proc only lasts until reboot: put the same keys into
# /etc/sysctl.conf as well so the fix persists.
for iface in all default eth0 lo; do
  echo 0 > "/proc/sys/net/ipv4/conf/${iface}/send_redirects"
  echo 0 > "/proc/sys/net/ipv4/conf/${iface}/accept_redirects"
done