How to build L2TP/IPSEC VPN

Often the goal is not to get around censorship but to let individual users inside a company reach the corporate network from outside, so they can access private company resources. For example, a cloud server may only accept logins from the company network; with this VPN you can connect from home and then log in to the cloud server over the company network. Enough preamble; here is a record of how to set up an L2TP/IPsec VPN.

1. First check whether your host supports pptp; if the command prints yes, the check passes.

modprobe ppp-compress-18 && echo yes
2. Check whether TUN is enabled (some VPS hosts need it switched on explicitly); if the output is "cat: /dev/net/tun: File descriptor in bad state", the check passes.

cat /dev/net/tun
3. Install the EPEL repository (xl2tpd has been removed from the official CentOS 7 repositories)

# yum install -y epel-release
4. Install xl2tpd and libreswan (openswan is no longer maintained)

yum install -y xl2tpd libreswan lsof
5. Edit the xl2tpd configuration file

# vim /etc/xl2tpd/xl2tpd.conf
------------------------------------------
Change the following:

[lns default]
; address pool handed out to clients once the VPN connection is up
ip range = 192.168.255.1-192.168.255.252
local ip = 192.168.255.254
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
6. Edit the pppoptfile

# vim /etc/ppp/options.xl2tpd
-------------------------------------------

Change the following:

ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to VPN clients
ms-dns 223.5.5.5
ms-dns 223.6.6.6
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# noccp
auth
# crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
# lock
proxyarp
connect-delay 5000
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
7. Edit the IPsec configuration file

# vim /etc/ipsec.conf
-------------------------------------------
Add and change the following (parameter lines inside a section must be indented):

config setup
    # Normally, pluto logs via syslog.
    #logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    #plutodebug=none
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to 2015)
    protostack=netkey
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # the server's private (LAN) address; check your own with ifconfig
    left=172.17.166.68
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
8. Edit the included conn file

# vim /etc/ipsec.d/l2tp-ipsec.conf   (create the file if it does not exist)
-------------------------------------------
Add the following (parameter lines inside a section must be indented):

conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # the server's private (LAN) address; check your own with ifconfig
    left=172.17.166.68
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
9. Set the username and password

# vim /etc/ppp/chap-secrets
-------------------------------------------
# Secrets for authentication using CHAP
# client server secret IP addresses
username * 123456789 *

The format is: username, type, password, IP address assigned to the client (it can be fixed, or left to the system to assign; * means any IP, assigned by the system).
10. Set the pre-shared key (PSK)

# vim /etc/ipsec.d/default.secrets   (create the file if it does not exist)
-------------------------------------------
Enter the following:

: PSK "MyPSK"

Replace MyPSK with a value of your own; it is used when connecting.
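The post uses placeholder secrets (MyPSK, 123456789). As an added example, not part of the original post, the following POSIX shell functions generate a random pre-shared key, write it into the secrets file in the `: PSK "..."` form shown above, and append a chap-secrets entry, keeping both files readable by root only and refusing short passwords. The file paths are parameters so the functions can be exercised against a scratch directory; the real locations are /etc/ipsec.d/default.secrets and /etc/ppp/chap-secrets.

```shell
#!/bin/sh
# Added example (not from the original post): secret generation and secrets-file
# handling for the L2TP/IPsec setup described above.

# Print LEN random characters from [A-Za-z0-9] (default 32), read from /dev/urandom.
gen_secret() {
    len="${1:-32}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# Write ': PSK "<key>"' to FILE (replacing any existing content) with mode 0600.
# The umask is set in a subshell so the file is never created world-readable.
write_psk_secret() {
    file="$1"; psk="$2"
    (umask 077; printf ': PSK "%s"\n' "$psk" > "$file")
    chmod 600 "$file"
}

# Append one chap-secrets entry in the page's format: user  *  password  *
# Refuses passwords shorter than 12 characters.
add_chap_user() {
    file="$1"; user="$2"; pass="$3"
    if [ "${#pass}" -lt 12 ]; then
        echo "password for $user is too short (< 12 chars)" >&2
        return 1
    fi
    (umask 077; printf '%s\t*\t%s\t*\n' "$user" "$pass" >> "$file")
    chmod 600 "$file"
}

# Print the octal permission bits of FILE (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Usage on the real server would be `write_psk_secret /etc/ipsec.d/default.secrets "$(gen_secret 40)"` followed by `ipsec restart`; the generated PSK must then be copied to every client, which is the main operational cost of PSK-based IKE compared with certificates.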
11. CentOS 7 firewall settings

firewall-cmd --permanent --add-service=ipsec        # allow the ipsec service; its definition is created when the package is installed
firewall-cmd --permanent --add-port=1701/udp        # xl2tpd port, 1701 by default
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade           # enable NAT (masquerading); this is required
firewall-cmd --reload                               # reload the configuration
12. Change kernel parameters

# vim /etc/sysctl.conf   (this must be sysctl.conf, not sysctl.conf.rpmsave; Alibaba Cloud servers ship a .rpmsave file)
------------------------------------------------------------------------------------------------------------
Enter the following:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
# eth0 below is the name of your own network interface; substitute it accordingly
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0

-------------------------------------------
sysctl -p    # load the kernel parameters so they take effect
13. Start ipsec

systemctl enable ipsec     # enable at boot
systemctl start ipsec      # start the service
14. Check the configuration

ipsec verify     # check command
# You may see something like the following:
Checking rp_filter                                  [ENABLED]
 /proc/sys/net/ipv4/conf/ens160/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/ens192/rp_filter           [ENABLED]
# This means the kernel parameters did not take effect; open each of these files by hand and change 1 to 0.
# Then run the check again; the following output means everything is OK:
Verifying installed system and configuration files
 
 
Version check and ipsec on-path                   [OK]
Libreswan 3.23 (netkey) on 3.10.0-327.el7.x86_64
Checking for IPsec support in kernel              [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              [OK]
         ICMP default/accept_redirects            [OK]
         XFRM larval drop                         [OK]
Pluto ipsec.conf syntax                           [OK]
Two or more interfaces found, checking IP forwarding[OK]
Checking rp_filter                                [OK]
Checking that pluto is running                    [OK]
 Pluto listening for IKE on udp 500               [OK]
 Pluto listening for IKE/NAT-T on udp 4500        [OK]
 Pluto ipsec.secret syntax                        [OK]
Checking 'ip' command                             [OK]
Checking 'iptables' command                       [OK]
Checking 'prelink' command does not interfere with FIPS[OK]
Checking for obsolete ipsec.conf options          [OK]
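The rp_filter failure above is typically a case of the sysctl.conf entries not covering an interface (the post's sample uses eth0, while the verify output shows ens160 and ens192). As an added example, not part of the original post or of libreswan, the following POSIX shell functions walk every interface directory under the sysctl tree and report each rp_filter, accept_redirects or send_redirects value that is not 0, mirroring what `ipsec verify` checks, and print the `sysctl -w` commands that would correct them. The root directory is a parameter (defaulting to /proc/sys/net/ipv4/conf) so the logic can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original post): audit the per-interface sysctls
# that `ipsec verify` complains about, over a sysctl directory tree.

KEYS="rp_filter accept_redirects send_redirects"

# Print "net.ipv4.conf.<iface>.<key> = <value>" for every key whose value is not 0.
# ROOT defaults to the live tree; any directory with the same layout works.
list_bad_sysctls() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in $KEYS; do
            f="$dir/$key"
            [ -r "$f" ] || continue
            val=$(cat "$f")
            [ "$val" = "0" ] || echo "net.ipv4.conf.$iface.$key = $val"
        done
    done
}

# Print the number of offending settings; 0 means the rp_filter/redirect checks pass.
count_bad_sysctls() {
    list_bad_sysctls "$1" | wc -l | tr -d ' '
}

# Print one `sysctl -w` command per offending setting so the fix can be reviewed
# before it is applied (for example: fix_commands | sh). This changes the running
# kernel only; the matching lines still belong in /etc/sysctl.conf to survive a reboot.
fix_commands() {
    list_bad_sysctls "$1" | while read -r name rest; do
        echo "sysctl -w $name=0"
    done
}

# Print the names of the interface directories that have no matching
# "net.ipv4.conf.<iface>." line in a sysctl.conf file, to catch the eth0/ens160 mismatch.
interfaces_missing_from_conf() {
    root="$1"; conf="$2"
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        grep -q "^net\.ipv4\.conf\.$iface\." "$conf" || echo "$iface"
    done
}
```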
15. Start xl2tpd

systemctl enable xl2tpd      # enable at boot
systemctl start xl2tpd       # start xl2tpd

With that, the L2TP/IPsec VPN is set up; you can connect to it with the VPN dialer built into Windows 10.
