Setting up L2TP/IPsec on CentOS 6.x: a detailed tutorial
There are many one-click L2TP/IPsec install scripts online, but every one I tested produced errors of one kind or another, so in the end I configured it by hand. Disclaimer: this tutorial is for personal study only; do not use it for unlawful purposes.
1. Environment preparation
Because the default CentOS repositories no longer carry xl2tpd, an extra repository has to be added by hand. Two options are given:
1) Install the EPEL repository
rpm -ivh http://mirrors.yun-idc.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
Update the CA certificates used for the EPEL repository:
yum --disablerepo=epel -y update ca-certificates
Refresh the yum cache:
yum makecache
2) Use the Aliyun mirror
See
http://plus.wsisp.net/thread-755-1-1.html
Either repository works.
# Stop the firewall
service iptables stop
# Disable SELinux (setenforce 0 switches it to permissive mode until the next reboot)
setenforce 0
# Enable IP packet forwarding
sysctl -w net.ipv4.ip_forward=1
2. Software installation
Install the build dependencies:
yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
Install the packages:
yum install -y openswan ppp xl2tpd
3. Configuration
(1) Edit /etc/ipsec.conf
vi /etc/ipsec.conf
config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
	oe=off
	protostack=netkey
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=0.0.0.0    # replace with the server's public IP
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
Note: every parameter line under a config or conn header must be indented with a leading TAB, as above; without the indentation the file fails to parse.
(2) Edit /etc/ipsec.secrets
vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
117.18.15.12 %any: PSK "YourPsk"    # YourPsk is the pre-shared key; the address must be the same public IP used for left= in ipsec.conf
(3) Edit /etc/sysctl.conf and apply it
vim /etc/sysctl.conf
Append the following to the end of /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Apply the changes with:
sysctl -p
(4) Verify that IPsec is running
ipsec restart
ipsec verify
Example output:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path
Linux Openswan U2.6.32/K2.6.32-431.23.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel
SAref kernel support
NETKEY: Testing for disabled ICMP send_redirects
NETKEY detected, testing for disabled ICMP accept_redirects
Checking that pluto is running
Pluto listening for IKE on udp 500
Pluto listening for NAT-T on udp 4500
Two or more interfaces found, checking IP forwarding
Checking NAT and MASQUERADEing
Checking for 'ip' command
Checking /bin/sh is not /bin/dash
Checking for 'iptables' command
Opportunistic Encryption Support
Some checks may report errors here; in my testing they did not affect normal use as a proxy. It depends on your own system environment.
(5) Edit /etc/xl2tpd/xl2tpd.conf
vi /etc/xl2tpd/xl2tpd.conf
In the [lns default] section, "ip range" is the address pool handed out to clients and "local ip" is the server's IP:
ip range = 192.168.100.10-192.168.100.200
local ip = 0.0.0.0
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
(6) Configure the username and password: edit /etc/ppp/chap-secrets
vi /etc/ppp/chap-secrets
Each entry is "client server secret IP addresses": the first field is the VPN login username and the quoted third field is its password (the sample below uses the user vpn with password 123456; substitute your own).
# Secrets for authentication using CHAP
# client server secret IP addresses
vpn * "123456" *
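As an added example (not part of the original tutorial), the POSIX shell checker below cross-checks the three files edited in steps (1), (2) and (6): the left= address in ipsec.conf against the address in ipsec.secrets, whether the PSK is still the "YourPsk" placeholder or short, whether both secrets files are mode 600, and whether any chap-secrets password is short. The thresholds (a 20-character PSK, a 12-character password), the default file paths and the demo values (203.0.113.10, the sample PSK and the "alice" account) are assumptions made for this example; make_demo_files writes constructed copies so the checker can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the tutorial): consistency and hygiene checks for
# ipsec.conf, ipsec.secrets and chap-secrets. Thresholds are assumptions.

# Value of left= from the first conn that sets it (comments stripped first;
# a literal '#' inside a secret would also be cut by this sed)
ipsec_left_ip() {
    sed 's/#.*//' "$1" |
        awk -F= '/^[ \t]*left[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Address on the first PSK line of ipsec.secrets
secrets_ip() {
    sed 's/#.*//' "$1" | awk '/PSK/ { print $1; exit }'
}

# The quoted PSK itself
secrets_psk() {
    sed 's/#.*//' "$1" | awk -F'"' '/PSK/ { print $2; exit }'
}

# Returns 0 when every check passes; otherwise prints each finding and returns 1
check_l2tp_config() {
    conf=$1; secrets=$2; chap=$3; rc=0
    lip=$(ipsec_left_ip "$conf")
    sip=$(secrets_ip "$secrets")
    if [ "$lip" = "0.0.0.0" ]; then
        echo "ipsec.conf: left= is still the 0.0.0.0 placeholder"; rc=1
    fi
    if [ "$lip" != "$sip" ]; then
        echo "ipsec.conf left=$lip does not match the ipsec.secrets address $sip"; rc=1
    fi
    psk=$(secrets_psk "$secrets")
    if [ "$psk" = "YourPsk" ] || [ "${#psk}" -lt 20 ]; then
        echo "ipsec.secrets: PSK is the placeholder or shorter than 20 characters"; rc=1
    fi
    for f in "$secrets" "$chap"; do
        mode=$(stat -c %a "$f")          # GNU stat: octal permission bits
        if [ "$mode" != "600" ]; then
            echo "$f: mode $mode, expected 600 (readable by root only)"; rc=1
        fi
    done
    # the third field of each chap-secrets entry is the (quoted) password
    weak=$(sed 's/#.*//' "$chap" |
        awk 'NF >= 3 { gsub(/"/, "", $3); if (length($3) < 12) n++ } END { print n + 0 }')
    if [ "$weak" -gt 0 ]; then
        echo "chap-secrets: $weak account(s) with a password shorter than 12 characters"; rc=1
    fi
    return $rc
}

# Constructed demo files under $1: "bad" mirrors the tutorial's placeholders,
# "good" is a corrected set (203.0.113.10 is a documentation address).
make_demo_files() {
    d=$1
    mkdir -p "$d/bad" "$d/good"
    cat > "$d/bad/ipsec.conf" <<'EOF'
conn L2TP-PSK-noNAT
    authby=secret
    left=0.0.0.0 # public IP of the server
    leftprotoport=17/1701
    right=%any
EOF
    printf '%s\n' '117.18.15.12 %any: PSK "YourPsk"' > "$d/bad/ipsec.secrets"
    printf '%s\n' 'vpn * "123456" *' > "$d/bad/chap-secrets"
    chmod 644 "$d/bad/ipsec.secrets" "$d/bad/chap-secrets"
    cat > "$d/good/ipsec.conf" <<'EOF'
conn L2TP-PSK-noNAT
    authby=secret
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
EOF
    printf '%s\n' '203.0.113.10 %any: PSK "u8Kq2vX9rLw4pZs7eTb1nMy6"' > "$d/good/ipsec.secrets"
    printf '%s\n' 'alice * "correct-horse-battery-9" *' > "$d/good/chap-secrets"
    chmod 600 "$d/good/ipsec.secrets" "$d/good/chap-secrets"
}

# Stand-alone run against the live files (paths assumed from the tutorial):
#   sh check-l2tp.sh --check
if [ "${1:-}" = "--check" ]; then
    check_l2tp_config /etc/ipsec.conf /etc/ipsec.secrets /etc/ppp/chap-secrets
fi
```

Run it after editing the three files and before "ipsec restart"; a non-zero exit means at least one finding was printed. The mode check matters because chap-secrets and ipsec.secrets hold cleartext credentials that every local user could otherwise read.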
(7) Restart xl2tpd
service xl2tpd restart
(8) Enable the services at boot
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
(9) Using the VPN server's public address as the clients' Internet egress (jump host / proxy)
This is done with an iptables rule:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 -j MASQUERADE
-o names the public-facing NIC (eth0 here; use eth1 if that is your public interface), and the source range is the client pool configured in xl2tpd.conf (192.168.100.0/24 for the range above).
Then save the rules:
service iptables save
and restart the firewall:
/etc/init.d/iptables restart
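The preparation step stops iptables altogether, which leaves every service on the host exposed once the VPN is up. As an added example (not part of the original tutorial), the script below applies a minimal policy that admits only what L2TP/IPsec needs: IKE on UDP 500, ESP and NAT-T on UDP 4500, and L2TP on UDP 1701 only when the packet arrived inside an IPsec SA (so cleartext L2TP/PPP straight to port 1701 is refused), plus the forwarding and MASQUERADE rules of this step. The interface name and client pool are passed as arguments; keeping SSH on port 22 open is an assumption, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the tutorial): minimal iptables policy for the
# L2TP/IPsec host. Set IPT=echo to dry-run (print rules) instead of applying.
IPT=${IPT:-iptables}

# apply_vpn_firewall WAN_IF CLIENT_POOL
apply_vpn_firewall() {
    wan=$1     # public-facing interface, e.g. eth0
    pool=$2    # client pool from xl2tpd.conf, e.g. 192.168.100.0/24
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT                 # management SSH (assumption)
    $IPT -A INPUT -i "$wan" -p udp --dport 500 -j ACCEPT      # IKE
    $IPT -A INPUT -i "$wan" -p esp -j ACCEPT                  # ESP when the client is not behind NAT
    $IPT -A INPUT -i "$wan" -p udp --dport 4500 -j ACCEPT     # IKE/ESP NAT traversal
    # L2TP is accepted only after IPsec decapsulation (xt_policy match); bare
    # UDP 1701 is dropped, so the IPsec layer cannot be skipped
    $IPT -A INPUT -i "$wan" -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    $IPT -A INPUT -i "$wan" -p udp --dport 1701 -j DROP
    # forward VPN clients to the Internet and allow the replies back
    $IPT -A FORWARD -s "$pool" -o "$wan" -j ACCEPT
    $IPT -A FORWARD -d "$pool" -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the tutorial's MASQUERADE rule, restricted to the client pool
    $IPT -t nat -A POSTROUTING -s "$pool" -o "$wan" -j MASQUERADE
}

# Stand-alone run:  sh vpn-fw.sh eth0 192.168.100.0/24
# Dry run:          IPT=echo sh vpn-fw.sh eth0 192.168.100.0/24
if [ $# -eq 2 ]; then
    apply_vpn_firewall "$1" "$2"
fi
```

After applying the rules on the real host, persist them with "service iptables save" exactly as in this step; with this policy in place there is no need for "service iptables stop" in the preparation section.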
That completes the configuration; it has been tested and connects normally from Apple iOS 10.