
Setting up an L2TP/IPsec VPN server on CentOS Linux 5.9 32-bit

L2TP/IPsec VPN is the upgraded version of PPTP VPN and seems to be mostly used by enterprises. The method in this post was tested on a Chicagovps Xen VPS; the VPN connected to the internet successfully, and the speed was quite good.

Environment: CentOS 5.9 32-bit, with ppp support

1. Install the base packages

yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced

2. Download and install openswan

wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install
3. Install xl2tpd

For CentOS 5.x:
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
For CentOS 6.x:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm

yum install xl2tpd

4. Edit the configuration file
Edit /etc/ipsec.conf. The full configuration is posted below; you can paste it in as-is.

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
 
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
 
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR_SERVER_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

5. Edit /etc/ipsec.secrets
This file very likely does not exist yet; don't worry, just create it if it is missing.

YOUR_SERVER_IP %any: PSK "YOUR_PSK"
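The PSK line above is the one secret the whole tunnel depends on, and the same goes for the passwords in /etc/ppp/chap-secrets later on: both files hold credentials in plain text, so they must be readable only by root. The script below is an added example and not part of the original post: it generates a random PSK, writes the step-5 line with owner-only permissions, and checks an existing file for loose permissions or malformed lines. The file path is a parameter, so the demo runs against a scratch directory and a constructed IP; point it at /etc/ipsec.secrets only when running as root on the server.

```shell
#!/bin/sh
# Added example (not from the original post): generate a random pre-shared key,
# write the step-5 line into an ipsec.secrets file with owner-only permissions,
# and check an existing file for loose permissions or malformed lines.
# The file path is a parameter, so this is exercised against a scratch copy
# first; point it at /etc/ipsec.secrets only when running as root on the server.
set -eu

# gen_psk: 32 random alphanumeric characters (~190 bits) from /dev/urandom.
gen_psk() {
    head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 32
}

# write_ipsec_secrets FILE SERVER_IP PSK: write the single PSK line from step 5.
# The subshell umask makes the file 0600 from the moment it is created, so the
# key is never briefly world-readable before the chmod.
write_ipsec_secrets() {
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# check_secrets_perms FILE: succeed only if the mode is owner-only (0600 or 0400).
check_secrets_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    case $mode in
        600|400) return 0 ;;
        *) echo "WARNING: $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# check_secrets_format FILE: every non-comment, non-blank line must look like
#   <ipv4> %any: PSK "<key>"   (an unquoted or empty key is rejected)
check_secrets_format() {
    bad=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
          | grep -cvE '^[0-9.]+ %any: PSK "[^"]+"$' || true)
    [ "$bad" -eq 0 ]
}

# Demo against a scratch directory (constructed path and IP, not a real server).
tmp=$(mktemp -d)
psk=$(gen_psk)
write_ipsec_secrets "$tmp/ipsec.secrets" 203.0.113.10 "$psk"
check_secrets_perms "$tmp/ipsec.secrets" && check_secrets_format "$tmp/ipsec.secrets" \
    && echo "ipsec.secrets written with a 32-character PSK, mode 600"
rm -rf "$tmp"
```

The two check functions are worth keeping around after setup: run them against /etc/ipsec.secrets and the same permission check against /etc/ppp/chap-secrets from step 10, since package upgrades or a careless editor can leave either file world-readable.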

6. Edit /etc/sysctl.conf to enable IP forwarding and the related settings
Note: adjust these to match what is already in your file, and add any entries that are missing.

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

After making the changes, run the following command to apply them

sysctl -p
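Because step 6 asks you to merge these ten lines into whatever is already in /etc/sysctl.conf, it is easy to leave one out or to keep an existing conflicting value (a stock file usually has net.ipv4.ip_forward = 0). The script below is an added example, not part of the original post: it audits a sysctl.conf-style file against exactly the settings listed above and reports anything missing or wrong, so you can check the file before running sysctl -p. The file path is a parameter; the demo runs it on a constructed partial config, not on /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf-style file
# against the ten settings from step 6 and report anything missing or wrong,
# so the file can be checked before "sysctl -p" is run. The file path is a
# parameter; the demo below runs it on a constructed partial config, not /etc.
set -eu

# Required settings from step 6, one "key value" per line.
REQUIRED_SYSCTLS='net.ipv4.ip_forward 1
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.log_martians 0
net.ipv4.conf.default.log_martians 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.icmp_ignore_bogus_error_responses 1'

# sysctl_value FILE KEY: print the effective value of KEY in FILE (last
# assignment wins, comments stripped, spaces around "=" ignored); nothing if absent.
sysctl_value() {
    sed -e 's/#.*//' "$1" | awk -F= -v k="$2" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == k { v = $2 }
        END { if (v != "") print v }'
}

# audit_sysctl_file FILE: list MISSING/WRONG keys; return 1 if there are any.
audit_sysctl_file() {
    file=$1
    problems=$(printf '%s\n' "$REQUIRED_SYSCTLS" | while read -r key want; do
        got=$(sysctl_value "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"
        elif [ "$got" != "$want" ]; then
            echo "WRONG    $key = $got (want $want)"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "OK: all step-6 settings present and correct in $file"
}

# Demo on a constructed file with one wrong value and most entries missing,
# which is roughly what a stock sysctl.conf looks like before step 6.
tmp=$(mktemp -d)
cat > "$tmp/sysctl.conf" <<'EOF'
# constructed sample, not a real server's file
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 0   # already correct
EOF
audit_sysctl_file "$tmp/sysctl.conf" || echo "-> fix the lines listed above, then run: sysctl -p"
rm -rf "$tmp"
```

Running the audit on the real file is just audit_sysctl_file /etc/sysctl.conf; it reads the file only and changes nothing. The ipsec verify output in step 7 covers two of these (send_redirects and accept_redirects) but not the rest, so the two checks complement each other.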

7. Verify that IPsec is running

ipsec setup restart
ipsec verify

If you see the following output, the configuration succeeded

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel                        	[OK]
NETKEY detected, testing for disabled ICMP send_redirects   	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Pluto listening for IKE on udp 500                          	[OK]
Pluto listening for NAT-T on udp 4500                       	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]

8. Edit /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
listen-addr = $vpsip
[lns default]
ip range = 10.1.88.2-10.1.88.254
local ip = 10.1.88.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

9. Edit /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 208.67.222.222
ms-dns 208.67.220.220
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

10. Set the username and password
Edit /etc/ppp/chap-secrets

# user server password ip
username * password *

11. Set up the firewall and enable start on boot

iptables --table nat --append POSTROUTING --jump MASQUERADE
service iptables save
service iptables restart

service xl2tpd restart  # restart xl2tpd
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on

That's it; the setup is complete. As you can see, the installation is fairly simple, much simpler than OpenVPN.
