Setting up an L2TP/IPsec VPN on CentOS 7


The company's old server ran PPTP + FreeRADIUS. After Apple's iOS update, devices could no longer connect to a PPTP server, so I looked into L2TP/IPsec VPN, went through a lot of material and finally got it working. I am writing it down here for my own future reference.


1. Install the required packages

First configure a network YUM repository:

The following command fetches the Aliyun network yum repository definition into /etc/yum.repos.d/epel.repo.

wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo

  • Install the necessary development packages
  • On CentOS 7 the latest package providing the L2TP service is xl2tpd-1.3.6-8.el7.x86_64, and the latest package providing the IPsec service is libreswan-3.15-5.el7_1.x86_64.
[root@localhost ~]#yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
[root@localhost ~]#yum install xl2tpd
[root@localhost ~]#yum install libreswan

2. Edit the main ipsec configuration file

[root@localhost ~]#cat /etc/ipsec.conf
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=120.86.124.5
    #120.86.124.5 is the IP address of this host's public-facing interface
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

3. Edit the l2tp_psk.conf file

If this file does not exist, create it.

[root@localhost ~]#vi /etc/ipsec.d/l2tp_psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=120.86.124.5
    #120.86.124.5 is the IP address of this host's public-facing interface
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

4. Configure the pre-shared key file

[root@localhost ~]# cat /etc/ipsec.secrets 
#include /etc/ipsec.d/*.secrets
120.86.124.5 %any: PSK "123456789"
#120.86.124.5 is the public interface address; PSK is the pre-shared key

5. Adjust the kernel settings

[root@localhost ~]# cat /etc/sysctl.conf 
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0

Apply the changes above with the following command:

[root@localhost ~]#sysctl -p

6. Verify the IPsec service configuration

[root@localhost ~]# ipsec setup start
[root@localhost ~]# ipsec verify

Handling errors: when the [ENABLED] warnings shown below appear, they can be ignored and you can continue; of course, all [OK] is better.

Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.el7.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [ENABLED]
 /proc/sys/net/ipv4/conf/ens160/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/ens192/rp_filter           [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options             [OK]
Opportunistic Encryption                            [DISABLED]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help

7. Start the IPsec service

[root@localhost ~]# systemctl start ipsec
[root@localhost ~]# systemctl enable ipsec

8. Edit the main xl2tpd configuration file

[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf 
[global]
 listen-addr = 120.86.124.5
 #IP of this host's public-facing interface
 ipsec saref = yes
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
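The three files above (ipsec.conf, ipsec.secrets and xl2tpd.conf) all carry the server's public address, and a mismatch between them is a common reason a client never gets past IKE. The following added example, which is not part of the original post, is a small POSIX sh validator for those files: it checks that `left=`, the first field of the PSK line and `listen-addr` agree, that `local ip` lies outside `ip range`, and that sysctl.conf sets the values `ipsec verify` reports on. File paths are passed as arguments and the demo at the bottom runs on constructed temporary copies carrying the values from this post. The `disable_rp_filter_live` helper addresses the `[ENABLED]` lines in the verify output: the kernel applies the larger of `conf/all/rp_filter` and `conf/<iface>/rp_filter`, so interfaces that came up before `sysctl -p` keep their old value until the live per-interface entries are cleared as well.

```shell
#!/bin/sh
# Added example (not from the original post): validate the files configured
# above. The public address must agree in ipsec.conf (left=), ipsec.secrets
# (first field) and xl2tpd.conf (listen-addr); "local ip" must lie outside
# "ip range"; sysctl.conf must carry the values "ipsec verify" looks for.
# File paths are passed as arguments so the checks can run on copies.

# conf_get FILE KEY: value of "KEY = value" (or "KEY=value") in a
# libreswan/xl2tpd/sysctl style file. Comments and surrounding blanks are
# stripped; blanks inside the key are dropped, so "ip range" is looked up
# as "iprange". The last occurrence wins, as it does for sysctl.
conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# ip2int A.B.C.D: dotted quad as an integer, for range comparisons.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_range LO-HI IP: succeeds when IP lies inside the inclusive range.
in_range() {
    lo=$(ip2int "${1%-*}"); hi=$(ip2int "${1#*-}"); ip=$(ip2int "$2")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# check_addresses IPSEC_CONF IPSEC_SECRETS XL2TPD_CONF
check_addresses() {
    rc=0
    left=$(conf_get "$1" left)
    psk_ip=$(awk '!/^[ \t]*#/ && /PSK/ { print $1; exit }' "$2")
    listen=$(conf_get "$3" listen-addr)
    if [ "$left" != "$psk_ip" ] || [ "$left" != "$listen" ]; then
        echo "address mismatch: left=$left secrets=$psk_ip listen-addr=$listen"
        rc=1
    fi
    range=$(conf_get "$3" iprange); localip=$(conf_get "$3" localip)
    if [ -n "$range" ] && in_range "$range" "$localip"; then
        echo "xl2tpd: local ip $localip lies inside ip range $range"
        rc=1
    fi
    return $rc
}

# check_sysctl SYSCTL_CONF: the keys whose values ipsec verify reports on.
check_sysctl() {
    rc=0
    for pair in net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=0 \
            net.ipv4.conf.default.rp_filter=0 \
            net.ipv4.conf.default.accept_redirects=0 \
            net.ipv4.conf.default.send_redirects=0; do
        key=${pair%%=*}; want=${pair#*=}; have=$(conf_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: want $want, have ${have:-<unset>}"; rc=1
        fi
    done
    return $rc
}

# The kernel applies max(conf/all, conf/<iface>)/rp_filter per interface, so
# an interface that came up before "sysctl -p" keeps its old value of 1 and
# ipsec verify keeps printing [ENABLED] for it. Clear the live values (root).
disable_rp_filter_live() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -w "$f" ] && echo 0 > "$f"
    done; return 0
}

# Demo on constructed copies carrying the values shown in the post.
d=$(mktemp -d)
printf 'conn L2TP-PSK-noNAT\n    left=120.86.124.5\n    leftprotoport=17/1701\n' > "$d/ipsec.conf"
printf '#include /etc/ipsec.d/*.secrets\n120.86.124.5 %%any: PSK "123456789"\n' > "$d/ipsec.secrets"
printf '[global]\n listen-addr = 120.86.124.5\n[lns default]\nip range = 192.168.1.128-192.168.1.254\nlocal ip = 192.168.1.99\n' > "$d/xl2tpd.conf"
printf 'net.ipv4.conf.all.rp_filter=0\nnet.ipv4.conf.default.rp_filter=0\nnet.ipv4.ip_forward = 1\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\n' > "$d/sysctl.conf"
check_addresses "$d/ipsec.conf" "$d/ipsec.secrets" "$d/xl2tpd.conf" && echo "addresses: consistent"
check_sysctl "$d/sysctl.conf" && echo "sysctl: all values present"
rm -rf "$d"
```

To run it against the real files, call `check_addresses /etc/ipsec.conf /etc/ipsec.secrets /etc/xl2tpd/xl2tpd.conf` and `check_sysctl /etc/sysctl.conf` after sourcing the script; a non-zero exit status with the printed mismatch is the usual explanation for a client that times out during IKE or PPP setup.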

9. Edit the xl2tpd PPP options file:

[root@localhost ~]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
#dns: use the DNS servers of your own interface; 8.8.8.8 also works
ms-dns 10.118.88.10
ms-dns 130.52.1.10 
#ms-dns  8.8.8.8
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000


10. Create the username and password

Create the user for xl2tpd connections; the username and password entered when establishing the L2TP connection are configured in this file:

[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
lancer      *  123 *
#login username and password
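Both secrets shown in this post, the PSK "123456789" in section 4 and the CHAP password "123" above, are placeholders; the PSK in particular is shared by every client of the server, and both files are read by root only. The following added example, which is not code from the original post, generates random values for them with the tools present on a stock CentOS 7 install (/dev/urandom, od), refuses the kind of short or all-digit value shown above, and writes the ipsec.secrets and chap-secrets lines with mode 0600. The server address 120.86.124.5 and the user name lancer are taken from the post; the file paths are arguments so the demo writes to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): replace the placeholder secrets
# used above ("123456789" for the PSK, "123" for the CHAP password) with
# random ones and write them with the file modes these files need.
# Paths are arguments so the functions can be tried on copies before /etc.

# gen_secret [NBYTES]: NBYTES random bytes as lowercase hex (default 24,
# giving 48 characters). Hex needs no quoting in either secrets file.
gen_secret() {
    head -c "${1:-24}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# secret_ok SECRET: succeeds if the value has at least 20 characters and is
# not digits only, which rules out the kind of values shown in the post.
secret_ok() {
    s=$1
    [ "${#s}" -ge 20 ] || return 1
    case $s in
        *[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_ipsec_psk FILE SERVER_IP PSK: write the libreswan PSK line for the
# server address, readable by root only. Every client shares this value.
write_ipsec_psk() {
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# add_chap_user FILE USER PASS: append a pppd chap-secrets entry in the
# "client server secret IP" layout; "*" accepts any server name / any IP.
add_chap_user() {
    ( umask 077; printf '%s\t*\t%s\t*\n' "$2" "$3" >> "$1" )
    chmod 600 "$1"
}

# chap_user_pass FILE USER: print USER's secret from a chap-secrets file
# (to hand to the client); prints nothing if the user is absent.
chap_user_pass() {
    awk -v u="$2" '!/^[ \t]*#/ && $1 == u { print $3; exit }' "$1"
}

# Demo in a temporary directory; point the paths at /etc when ready.
d=$(mktemp -d)
psk=$(gen_secret); pw=$(gen_secret 12)
secret_ok "$psk" && secret_ok "$pw" && echo "generated secrets pass the length/charset check"
write_ipsec_psk "$d/ipsec.secrets" 120.86.124.5 "$psk"
add_chap_user "$d/chap-secrets" lancer "$pw"
cat "$d/ipsec.secrets" "$d/chap-secrets"
rm -rf "$d"
```

After writing the real files, restart both services (`systemctl restart ipsec xl2tpd`) so that pluto and pppd pick up the new values, and give the client the PSK and the user's password out of band.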

11. Start the xl2tpd service and check its status

[root@localhost ~]# systemctl start xl2tpd 
[root@localhost ~]# systemctl status xl2tpd

12. Stop the firewall and test the connection

Stop the firewall first for testing, otherwise the connection cannot be tested; firewall rules are covered in the next chapter.

[root@localhost ~]# systemctl stop firewalld

13. Wrap-up

If you cannot connect, check whether the ipsec and xl2tpd services are running.

[root@localhost ~]# systemctl status ipsec
[root@localhost ~]# systemctl status xl2tpd
Reposted from: https://blog.csdn.net/smile4716/article/details/57130644#6%E6%A3%80%E9%AA%8Cipsec%E6%9C%8D%E5%8A%A1%E9%85%8D%E7%BD%AE


Reposted from blog.csdn.net/qq_39265492/article/details/80398047