阿里云CentOS6安装IPSec+L2TP
简述
第二层隧道协议L2TP(Layer 2 Tunneling Protocol)是一种工业标准的Internet隧道协议,它使用UDP的1701端口进行通信。
L2TP本身并没有任何加密,但是我们可以使用IPSec对L2TP包进行加密。L2TP VPN比PPTP VPN搭建复杂一些。
环境说明
[root@l2tp_server ~]# cat /etc/redhat-release CentOS release 6.9 (Final) [root@l2tp_server ~]# uname -r 2.6.32-696.10.1.el6.x86_64
安装步骤
1、需要先添加epel源:
rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-6.noarch.rpm
yum -y install openswan ppp xl2tpd ##openswan是Linux系统上IPsec的一个实现 官网:http://www.openswan.org/
安装一些依赖包:
yum -y install make gcc gmp-devel bison flex lsof
2、配置IPsec
编辑配置文件/etc/ipsec.conf,只需要将最下面的"YOUR_SERVER_IP"改成你的公网IP即可:
[root@l2tp_server ~]# vim /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
# which IPsec stack to use, "netkey" (the default), "klips" or "mast".
# For MacOSX use "bsd"
protostack=netkey
#
# Normally, pluto logs via syslog. If you want to log to a file,
# specify below or to disable logging, eg for embedded systems, use
# the file name /dev/null
# Note: SElinux policies might prevent pluto writing to a log file at
# an unusual location.
logfile=/var/log/pluto.log
#
# The interfaces= line is only required for the klips/mast stack
#interfaces="%defaultroute"
#interfaces="ipsec0=eth0 ipsec1=ppp0"
#
# If you want to limit listening on a single IP - not required for
# normal operation
#listen=127.0.0.1
#
# Do not set debug options to debug configuration issues!
#
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control kernel pfkey natt x509 dpd
# private".
# Note: "crypt" is not included with "all", as it can show confidential
# information. It must be specifically specified
# examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#plutodebug=none
#klipsdebug=none
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: SElinux policies might prevent pluto writing the core at
# unusual locations
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least upto 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=5
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=YOUR_SERVER_IP
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
3、设置预共享密钥PSK
[root@l2tp_server ~]# vim /etc/ipsec.secrets YOUR_SERVER_IP.ADDRESS %any: PSK "YourSharedSecret"
4、修改包转发设置
[root@l2tp_server ~]# for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done [root@l2tp_server ~]# echo 1 >/proc/sys/net/core/xfrm_larval_drop
修改内核设置,使其支持转发,编辑/etc/sysctl.conf文件:
[root@l2tp_server ~]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
[root@l2tp_server ~]# sysctl -p
5、启动IPsec
/etc/init.d/ipsec start
查看系统IPSec安装和启动的正确性:
[root@l2tp_server ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.10.1.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ppp0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
没有FAILD报错就可以/
6、安装L2TP(xl2tpd和rp-l2tp) xl2tpd是由Xelerance Corporation维护的l2tpd应用。但是xl2tpd没有l2tp-control,需要从rp-l2tp这个里面提取。所以要装这两个软件包。
yum -y install libpcap-devel ppp policycoreutils #依赖软件
安装xl2tpd和rp-l2tp:
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
[root@localhost src]# tar -zxvf rp-l2tp-0.4.tar.gz [root@localhost src]# cd rp-l2tp-0.4
[root@localhost rp-l2tp-0.4]# ./configure && make [root@localhost rp-l2tp-0.4]# cp handlers/l2tp-control /usr/local/sbin/ [root@localhost rp-l2tp-0.4]# mkdir /var/run/xl2tpd/ [root@localhost rp-l2tp-0.4]# ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control ##安装xl2tpd [root@localhost ~]# cd /usr/local/src [root@localhost src]# wget https://github.com/xelerance/xl2tpd/archive/v1.3.10.1.tar.gz [root@localhost src]# tar xf v1.3.10.1.tar.gz && cd xl2tpd-1.3.10.1 && make && make install
7、编辑xl2tpd配置文件
[root@localhost ~]# mkdir /etc/xl2tpd/ [root@localhost ~]# vim /etc/xl2tpd/xl2tpd.conf
; ; This is a minimal sample xl2tpd configuration file for use ; with L2TP over IPsec. ; ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec ; clients connect. In this example, the internal (protected) network ; is 192.168.1.0/24. A special IP range within this network is reserved ; for the remote clients: 192.168.1.128/25 ; (i.e. 192.168.1.128 ... 192.168.1.254) ; ; The listen-addr parameter can be used if you want to bind the L2TP daemon ; to a specific IP address instead of to all interfaces. For instance, ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98 ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99) ; will be used by xl2tpd as its address on pppX interfaces. [global] ipsec saref = yes ; listen-addr = 192.168.1.98 ; ; requires openswan-2.5.18 or higher - Also does not yet work in combination ; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or ; when using any of the SAref kernel patches for kernels up to 2.6.35. ; saref refinfo = 30 ; ; force userspace = yes ; ; debug tunnel = yes [lns default] ip range = 192.168.20.2-192.168.20.220 local ip = 192.168.20.1 require chap = yes refuse pap = yes require authentication = yes name = LinuxVPNserver ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
8、配置PPP
[root@localhost ~]# vim /etc/ppp/options.xl2tpd
require-mschap-v2 ms-dns 8.8.8.8 auth mtu 1200 mru 1000 crtscts hide-password modem lock name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4
9、设置拨号用户名和密码
[root@localhost ~]# vim /etc/ppp/chap-secrets
1 # Secrets for authentication using CHAP 2 # client server secret IP addresses 3 test l2tpd 123456 *
10、以debug方式启动l2tp,查看有无错误:
[root@localhost ~]# xl2tpd -D xl2tpd[30734]: Enabling IPsec SAref processing for L2TP transport mode SAs xl2tpd[30734]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes xl2tpd[30734]: setsockopt recvref[30]: Protocol not available xl2tpd[30734]: Not looking for kernel support. xl2tpd[30734]: xl2tpd version xl2tpd-1.3.10.1 started on localhost.localdomain PID:30734 xl2tpd[30734]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc. xl2tpd[30734]: Forked by Scott Balmos and David Stipp, (C) 2001 xl2tpd[30734]: Inherited by Jeff McAdams, (C) 2002 xl2tpd[30734]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016 xl2tpd[30734]: Listening on IP address 0.0.0.0, port 1701
11、加入开机自启动
[root@localhost ~]# echo -e "/usr/local/sbin/xl2tpd\n/etc/init.d/ipsec restart\necho 1 >/proc/sys/net/core/xfrm_larval_drop" >> /etc/rc.local [root@localhost ~]# echo "for each in /proc/sys/net/ipv4/conf/*; do echo 0 > $each/accept_redirects; echo 0 > $each/send_redirects; done" >> /etc/rc.local
12、添加iptables转发规则,如果服务端是在内网的话,需要在路由器上做1701端口的映射,以及添加到对应VPN网段的路由
iptables --table nat --append POSTROUTING --jump MASQUERADE /etc/init.d/iptables save /etc/init.d/iptables restart
Mac 连接 VPN (L2TP/IPSec) 配置步骤
http://xieboke.net/article/287/
本文参考自:
https://www.cnblogs.com/Template/p/9245945.html
http://xieboke.net/article/287/
共有 0 条评论