There are plenty of one-click L2TP/IPsec install scripts on the web, but every one I tested failed with some error or other, so in the end I decided to configure it by hand.
Note: this tutorial is for personal study only; do not use it for illegal purposes.
1. Environment preparation
The default CentOS repositories no longer carry xl2tpd, so the repository list has to be updated by hand. Two ways of doing this:
1) Install the EPEL repository:
```shell
rpm -ivh http://mirrors.yun-idc.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
```
Update the EPEL repository's CA certificates:
```shell
yum --disablerepo=epel -y update ca-certificates
```
Then refresh the yum cache.
2) Use the Aliyun mirror; see http://plus.wsisp.net/thread-755-1-1.html for details.
Either repository works.
```shell
# Stop the firewall (the iptables service is enabled again in step 8 and used for NAT in step 9)
service iptables stop
```
```shell
# Enable IPv4 packet forwarding
sysctl -w net.ipv4.ip_forward=1
```
2. Software installation
Install the build dependencies:
```shell
yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
```
Install the packages:
```shell
yum install -y openswan ppp xl2tpd
```
3. Configuration
(1) Edit /etc/ipsec.conf
```
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # left is the server's public IP; replace 0.0.0.0 with it
    left=0.0.0.0
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
```
Note that every parameter line under a section must be indented (the original uses a TAB; spaces also work). Without the indentation the file fails to parse and ipsec reports an error.
(2) Edit /etc/ipsec.secrets
```
include /etc/ipsec.d/*.secrets
# 117.18.15.12 is the server's public IP; YourPsk is the pre-shared key
117.18.15.12 %any: PSK "YourPsk"
```
(3) Edit /etc/sysctl.conf and apply the changes
Append the following to the end of /etc/sysctl.conf:
```
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
```
Then apply the changes so that they take effect.
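Once the settings are loaded it is worth confirming that the running kernel actually has them, because a typo in sysctl.conf silently leaves the old value in place and the VPN then fails in confusing ways (clients connect but no traffic is forwarded, or the later `ipsec verify` complains about redirects). The following is an added example, not code from the original post: it reads a sysctl.conf-style file, looks each key up under /proc/sys, and prints every mismatch. The optional second argument replaces /proc/sys with any directory tree, which the self-test uses with constructed files.

```shell
# Added example, not from the original post: report drift between a sysctl.conf-style
# file and the running kernel. Keys map to /proc/sys paths (net.ipv4.ip_forward ->
# /proc/sys/net/ipv4/ip_forward). A second argument replaces /proc/sys with any
# directory tree (used for offline testing with constructed files).

# Print one line per key whose running value differs from the file:
#   <key> expected=<file value> actual=<running value|missing>
sysctl_drift_lines() {
    conf="$1"
    root="${2:-/proc/sys}"
    # Drop comments and all whitespace so "key = value" becomes "key=value".
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$conf" | grep -v '^$' |
    while IFS='=' read -r key value; do
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ -r "$path" ]; then
            actual=$(tr -d '[:space:]' < "$path")
        else
            actual=missing      # the kernel does not expose this key at all
        fi
        [ "$actual" = "$value" ] ||
            printf '%s expected=%s actual=%s\n' "$key" "$value" "$actual"
    done
}

# Wrapper with a pass/fail exit status: 0 when every key matches, 1 otherwise.
sysctl_drift() {
    out=$(sysctl_drift_lines "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage on the server, after loading the file with `sysctl -p`:
#   sysctl_drift /etc/sysctl.conf
```

A key reported as `missing` means the kernel does not expose it, which is different from a wrong value; on CentOS 6 every key in the list above exists, so `missing` there points at a misspelt key in the file.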
(4) Check that IPsec is running
```shell
ipsec restart
ipsec verify
```
```
[root@server17 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.23.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
```
Some of the checks here may report errors; in testing they did not affect normal use of the proxy, but it depends on your particular system environment.
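When this is scripted (for example as a post-install check on several servers) it helps to turn the verify output into a pass/fail result instead of reading it by eye. The following is an added example and not part of the original post: it treats only `[FAILED]` lines as failures, since `[N/A]` and `[DISABLED]` are informational (Opportunistic Encryption is off on purpose because ipsec.conf sets `oe=off`), and for the two redirect checks and the forwarding check it names the sysctl setting from step (3) that normally fixes them. The sample output in the self-test is constructed.

```shell
# Added example, not from the original post: turn `ipsec verify` output into a
# pass/fail check. Only [FAILED] lines count; [N/A] and [DISABLED] are informational.
# The hints refer to the sysctl.conf block from step (3) of this guide.

# Print the names of the checks that failed (reads verify output on stdin).
ipsec_verify_failures() {
    grep '\[FAILED\]' | sed -e 's/[[:space:]]*\[FAILED\].*//'
}

# Map a failed check to the sysctl.conf setting from step (3) that usually fixes it.
ipsec_verify_hint() {
    case "$1" in
        *send_redirects*)   printf 'net.ipv4.conf.all.send_redirects=0\n' ;;
        *accept_redirects*) printf 'net.ipv4.conf.all.accept_redirects=0\n' ;;
        *"IP forwarding"*)  printf 'net.ipv4.ip_forward=1\n' ;;
        *)                  printf 'no sysctl hint for this check\n' ;;
    esac
}

# Exit 0 when nothing failed, 1 otherwise; failures and hints go to stderr.
ipsec_verify_ok() {
    failures=$(ipsec_verify_failures)
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures" | while IFS= read -r name; do
        printf 'FAILED: %s -> try %s\n' "$name" "$(ipsec_verify_hint "$name")" >&2
    done
    return 1
}

# Usage on the server:
#   ipsec verify 2>&1 | ipsec_verify_ok
```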
(5) Edit /etc/xl2tpd/xl2tpd.conf
```shell
vi /etc/xl2tpd/xl2tpd.conf
```
```
[lns default]
; address range handed out to clients
ip range = 192.168.100.10-192.168.100.200
; the server's own address on the VPN; replace 0.0.0.0
local ip = 0.0.0.0
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```
pppoptfile points xl2tpd at the PPP options file, which this guide does not show; that file has to exist at the given path.
(6) Configure usernames and passwords: edit /etc/ppp/chap-secrets
The first column is the VPN login name and the quoted third column is its password; the line below creates the user vpn with the password 123456:
```
# Secrets for authentication using CHAP
# client server secret IP addresses
vpn * "123456" *
```
(7) Restart xl2tpd
(8) Enable the services at boot
```shell
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
```
(9) Use the VPN server's public address as the clients' internet egress (jump host / proxy)
This is done with an iptables NAT rule:
```shell
# eth1: the public-facing interface
# 192.168.100.0/24: the client pool set by "ip range" in xl2tpd.conf
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE
```
eth1 is the public-facing network interface, and the address range after -s must be the client IP range configured in xl2tpd.conf.
Then save the rules and restart iptables:
```shell
/etc/init.d/iptables restart
```
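The MASQUERADE rule only works if its source network matches the pool xl2tpd hands out, and the two live in different files, so they drift easily. The following added example (not code from the original post) derives the rule from the `ip range` line of xl2tpd.conf instead of retyping the subnet; it assumes, as this guide does, that the pool lies inside a single /24 and rejects anything else. The public interface name is passed in, and the config file in the self-test is constructed.

```shell
# Added example, not from the original post: build the POSTROUTING MASQUERADE rule
# from the "ip range" line in xl2tpd.conf so the NAT source network always matches
# the client pool. Assumes the pool sits inside one /24 (as in this guide).

# pool_cidr "ip range = 192.168.100.10-192.168.100.200"  ->  192.168.100.0/24
pool_cidr() {
    # Strip any ";"/"#" comment, everything up to "=", and all whitespace.
    range=$(printf '%s' "$1" | sed -e 's/[;#].*//' -e 's/.*=[[:space:]]*//' -e 's/[[:space:]]//g')
    start=${range%-*}       # text before the first "-" from the right
    end=${range#*-}         # text after the first "-" from the left
    [ -n "$start" ] && [ -n "$end" ] && [ "$start" != "$range" ] || {
        echo "pool_cidr: expected start-end, got '$range'" >&2; return 1; }
    start_net=${start%.*}   # first three octets
    end_net=${end%.*}
    [ "$start_net" = "$end_net" ] || {
        echo "pool_cidr: pool spans more than one /24: $range" >&2; return 1; }
    printf '%s.0/24\n' "$start_net"
}

# masquerade_rule <xl2tpd.conf> <public interface>  ->  the iptables command line
masquerade_rule() {
    line=$(grep -i '^[[:space:]]*ip range[[:space:]]*=' "$1" | head -n 1)
    [ -n "$line" ] || { echo "masquerade_rule: no 'ip range' line in $1" >&2; return 1; }
    cidr=$(pool_cidr "$line") || return 1
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$2" "$cidr"
}

# Usage on the server (review the printed rule, then run it):
#   masquerade_rule /etc/xl2tpd/xl2tpd.conf eth1
```

Printing the rule rather than executing it keeps the function usable as a check: run it after any change to xl2tpd.conf and compare the output with `iptables -t nat -S POSTROUTING`.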
That completes the configuration; it has been tested working with an Apple iOS 10 client.