L2TP/IPsec VPN installation and configuration explained

Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/qq_24549317/article/details/73381810
1. First install the required dependency packages
#rpm -ivh *.rpm
# yum install xl2tpd openswan ppp
yum install make gcc gmp-devel
Install Openswan
yum install openswan
Edit the configuration file /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=**.*.*.*     # this is the public IP address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
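As an added example (not code from the original post), the following Python checker parses an ipsec.conf laid out like the one above, resolves the also= include between the two conns (a conn's own values take precedence, included conns fill in the rest) and flags settings an L2TP/IPsec transport-mode deployment depends on; the embedded sample config and the 203.0.113.10 address are constructed.

```python
# Constructed sample: the ipsec.conf from this post, with a documentation IP as 'left'.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    type=transport
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
"""

def parse_ipsec_conf(text):
    """Map each 'config setup' / 'conn NAME' header to its key=value parameters."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments and padding
        if line.strip() and not line[0].isspace():       # unindented line starts a section
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:        # indented key=value inside a section
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, value)               # first definition wins
    return sections

def effective_conn(sections, name):
    """Resolve also= includes: a conn's own keys win, included conns fill in the rest."""
    own = dict(sections[f"conn {name}"])
    for included in own.pop("also", "").split():
        for key, value in effective_conn(sections, included).items():
            own.setdefault(key, value)
    return own

def audit_l2tp_conn(sections, name):
    """Findings for one L2TP/IPsec conn; an empty list means nothing to flag."""
    conn, setup, out = effective_conn(sections, name), sections.get("config setup", {}), []
    if conn.get("type") != "transport":
        out.append("L2TP/IPsec runs in transport mode: set type=transport")
    if conn.get("leftprotoport") != "17/1701":
        out.append("leftprotoport must be 17/1701 (UDP 1701, the L2TP port)")
    if "vhost:%priv" in conn.get("rightsubnet", "") and setup.get("nat_traversal") != "yes":
        out.append("rightsubnet=vhost:%priv needs nat_traversal=yes in 'config setup'")
    if conn.get("pfs") == "no":
        out.append("pfs=no: no fresh DH per phase-2 SA, usually kept for built-in L2TP clients")
    return out
```

Run audit_l2tp_conn on both conns after every edit to /etc/ipsec.conf; the pfs=no finding is informational, the others indicate a configuration that will not establish L2TP sessions.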
Set the pre-shared key (PSK) by editing the configuration file /etc/ipsec.secrets (replace *.*.*.* with the public IP address and 密钥 with your pre-shared key)
*.*.*.*   %any: PSK "密钥"

Adjust the network policy
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

Enable forwarding
    # vim /etc/ipsec.d/net.sh  # add the following content
    for each in /proc/sys/net/ipv4/conf/*
    do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    done

    # chmod +x /etc/ipsec.d/net.sh
    # sh /etc/ipsec.d/net.sh

Start ipsec and verify it
    [root@network ipv4]# /etc/init.d/ipsec start    
      
    [root@network ipv4]# ipsec verify  
    Checking your system to see if IPsec got installed and started correctly:  
    Version check and ipsec on-path                                 [OK]  
    Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)  
    Checking for IPsec support in kernel                            [OK]  
     SAref kernel support                                           [N/A]  
     NETKEY:  Testing for disabled ICMP send_redirects              [OK]  
    NETKEY detected, testing for disabled ICMP accept_redirects     [OK]  
    Checking that pluto is running                                  [OK]  
     Pluto listening for IKE on udp 500                             [OK]  
     Pluto listening for NAT-T on udp 4500                          [OK]  
    Checking for 'ip' command                                       [OK]  
    Checking /bin/sh is not /bin/dash                               [OK]  
    Checking for 'iptables' command                                 [OK]  
    Opportunistic Encryption Support                                [DISABLED]  

If ipsec verify reports no FAILED entries, ipsec was installed successfully.

Configure xl2tpd
[root@network ipv4]# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no

[lns default]
local ip = 192.168.10.202             ; server IP
ip range = 192.168.0.128-192.168.0.254   ; client IP range
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

[root@network ipv4]# /etc/init.d/xl2tpd start  # start the service

Configure ppp
Configure options.xl2tpd
    [root@network ipv4]# cat /etc/ppp/options.xl2tpd  
    require-mschap-v2  
    ms-dns 8.8.8.8  
    ms-dns 8.8.4.4  
    asyncmap 0  
    auth  
    crtscts  
    lock  
    hide-password  
    modem  
    debug  
    name l2tpd  
    proxyarp  
    lcp-echo-interval 30  
    lcp-echo-failure 4  
Add a VPN user
    # cat >>/etc/ppp/chap-secrets<<EOF
    > vpnuser * 111111 *
    > EOF

Configure iptables SNAT
    # iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.0.0/24 --to 192.168.10.202
    # iptables-save

    Then start each of the services.

If the system log shows "Cannot determine ethernet address for proxy ARP", the forwarding rules are definitely wrong.
Reposted from blog.csdn.net/qq_24549317/article/details/73381810