Preface: sometimes, for security reasons, access to certain addresses and ports has to be restricted. Staff working off-site, for example, cannot be allowed to reach internal resources directly, and the quickest way to give them access is to set up a VPN server. For stability we normally choose Linux, where the usual ways to provide a dial-in VPN are PPTP, L2TP/IPsec and OpenVPN (of these, PPTP is no longer considered secure and is not covered here).
What follows is the procedure for configuring an L2TP/IPsec (xl2tpd) server on CentOS 7 and RHEL 7, the current Linux releases at the time of writing.
On CentOS 7 the current package providing the L2TP service is xl2tpd-1.3.6-8.el7.x86_64, and the one providing IPsec is libreswan-3.15-5.el7_1.x86_64. Earlier Linux releases provided IPsec through the openswan package; in CentOS 7 it has been replaced by libreswan, a fork of openswan whose configuration syntax is largely compatible.
I. Install the packages. xl2tpd provides the L2TP service and libreswan the IPsec service (from CentOS 7 onward libreswan replaces openswan as the IPsec package).
[root@linuxcc.com]#yum install xl2tpd
[root@linuxcc.com]#yum install libreswan
Note: if the system cannot find the packages, use the Linux package search at http://linuxcc.com to locate and download them.
II. Configure and enable the system's ipsec service. If your version matches, the configuration files on this site can be copied straight over yours; the version tested here is CentOS 7.
1. Edit the main ipsec configuration file:
[root@linuxcc.com]#vi /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    #       an unusual location.
    #logfile=/var/log/pluto.log
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    #  private".
    # Note: "crypt" is not included with "all", as it can show confidential
    #       information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    #       unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least upto 2015)
    #
    # Added so that L2TP clients behind NAT can connect. libreswan always has
    # NAT traversal enabled; releases that have retired the nat_traversal=
    # keyword ignore it with an "obsolete keyword" warning, so it is kept here
    # only for compatibility with openswan-style configs. The line that does
    # the work is virtual_private=, which lists the private ranges a NATed
    # client may appear from. If remote clients' private ranges must not
    # overlap the server LAN (192.168.1.0/24 in this article), add the
    # %v4:!192.168.1.0/24 exclusion as the upstream comment describes.
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
2. Create the configuration file that ties the ipsec service to L2TP. Note that this uses one pre-shared key for every client (authby=secret together with right=%any) and no certificates: anyone who learns the PSK can complete IKE with this server, so treat it like a password and rotate it when a client leaves.
[root@linuxcc.com]#cd /etc/ipsec.d/
[root@linuxcc.com]#vi l2tp_psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # 123.57.255.228 is the public address on which connections are accepted
    left=123.57.255.228
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
3. When an L2TP connection is set up the client must supply the pre-shared key. The PSK is configured as follows; keep the secrets file readable by root only (mode 0600), and replace the placeholder "l2tppass" with a long random value, since every client shares it:
[root@linuxcc.com]# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
# the default configuration already contains this include line; just confirm it is present
[root@linuxcc.com]#cd /etc/ipsec.d/
[root@linuxcc.com]#touch linuxcc_l2tp.secrets
[root@linuxcc.com]#vi linuxcc_l2tp.secrets
# 123.57.255.228 is the server address on which L2TP connections are accepted
123.57.255.228 %any: PSK "l2tppass"
4. Adjust the kernel parameters. Compare your settings with the ones below or copy them as they are, then run sysctl -p to apply them. Keep in mind that the default.* keys only affect interfaces created afterwards; an interface that is already up keeps its own rp_filter and redirect values until they are set explicitly, which is what the warning in step 6 below is about.
[root@linuxcc.com]#vi /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# the all.* counterparts cover interfaces that were already up when sysctl -p runs
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
# If IPv6 connections are not needed, IPv6 can be disabled; omit these two lines if you do want IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
5. Check the ipsec configuration:
[root@linuxcc.com]# ipsec setup start
[root@linuxcc.com]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.9.3.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]
When the output looks like this, with no errors reported, the ipsec service is configured.
6. Handling warnings. If ipsec verify reports the following instead, the cause is rp_filter still being enabled on individual interfaces: the sysctl.conf settings in step 4 changed only the "all" and "default" keys, and the kernel uses the higher of the "all" and per-interface values, so an interface that was already up keeps rp_filter=1. You can continue regardless, but the warning is easy to clear: set net.ipv4.conf.<interface>.rp_filter=0 for each interface listed and add those keys to /etc/sysctl.conf so the change persists.
[root@linuxcc.com]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 3.10.0-229.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/enp2s0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/enp3s7/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help
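The following shell script is an added example, not part of the original article or of libreswan, that shows why the warning above appears and how to clear it: it lists the interfaces whose rp_filter is still non-zero, the same ones ipsec verify flags, then sets every entry to 0 and prints the matching sysctl keys so they can be appended to /etc/sysctl.conf. The directory argument, the helper names and the fixture of interface names (enp2s0 and enp3s7 from the output above, plus lo, all and default) are assumptions made here so the functions can be exercised against a constructed tree instead of /proc; run it as root with no argument to act on the real system, or with --demo to see it work on the fixture.

```shell
#!/bin/sh
# Added example (not from the article or libreswan): explain and clear the
# "Checking rp_filter [ENABLED]" result. sysctl.conf only set the "all" and
# "default" keys; "default" applies to interfaces created later, and for
# source validation the kernel uses the higher of the "all" and per-interface
# values, so an interface that was already up keeps rp_filter=1 until it is
# set explicitly. CONF_ROOT defaults to the real /proc tree; the demo points
# it at a constructed directory instead.

CONF_ROOT=/proc/sys/net/ipv4/conf

# Print the interfaces (other than the all/default pseudo-entries) whose
# rp_filter is not 0: exactly what ipsec verify flags.
rp_filter_enabled_ifaces() {
    root="${1:-$CONF_ROOT}"
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        [ "$(cat "$f")" = "0" ] || echo "$iface"
    done
}

# Set rp_filter=0 on every entry, "all" and "default" included, and print
# the sysctl keys that were changed so they can be appended to
# /etc/sysctl.conf to make the fix survive a reboot.
rp_filter_disable_all() {
    root="${1:-$CONF_ROOT}"
    for f in "$root"/*/rp_filter; do
        [ -w "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        echo 0 > "$f"
        echo "net.ipv4.conf.$iface.rp_filter = 0"
    done
}

# Constructed fixture reproducing the state in the verify output above:
# all/default already 0 from sysctl.conf, enp2s0 and enp3s7 still 1.
make_fixture() {
    tmp=$(mktemp -d)
    for iface in all default lo enp2s0 enp3s7; do
        mkdir -p "$tmp/$iface"
        echo 0 > "$tmp/$iface/rp_filter"
    done
    echo 1 > "$tmp/enp2s0/rp_filter"
    echo 1 > "$tmp/enp3s7/rp_filter"
    echo "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "rp_filter still enabled on: $(rp_filter_enabled_ifaces "$fx" | tr '\n' ' ')"
    rp_filter_disable_all "$fx"
    echo "after fix, still enabled on: '$(rp_filter_enabled_ifaces "$fx")'"
fi
```

On a real host the second function needs root, because the files under /proc/sys are only writable by root; interfaces it cannot write are skipped silently, so check the printed key list against the interfaces ipsec verify named.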
7. Start the ipsec service and enable it at boot (the ln -s line is what systemctl enable prints):
[root@linuxcc.com]# systemctl start ipsec
[root@linuxcc.com]# systemctl enable ipsec
ln -s '/usr/lib/systemd/system/ipsec.service' '/etc/systemd/system/multi-user.target.wants/ipsec.service'
III. Install and configure the xl2tpd service
1. Edit the main xl2tpd configuration file (the xl2tpd package was already installed in section I). xl2tpd.conf uses ";" for comments, so the notes below use that form rather than "#":
[root@linuxcc.com]#vi /etc/xl2tpd/xl2tpd.conf
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; Enable xl2tpd's IPsec SAref support. The upstream comment further down says
; this needs an SAref-patched kernel and does not work with kernel-mode L2TP;
; the service log in step 4 shows xl2tpd reporting "Not looking for kernel
; SAref support" and using kernel L2TP, so on a stock CentOS 7 kernel this
; setting is not actually in effect.
ipsec saref = yes
; 123.57.255.228 is the public address on which connections are accepted
listen-addr = 123.57.255.228
;listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
; address range handed to clients once connected, and xl2tpd's own ppp address
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = linuxcc_l2tp_server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
2. Edit the pppd options file that xl2tpd hands to pppd:
[root@linuxcc.com]# vi /etc/ppp/options.xl2tpd
# require-mschap-v2 is needed for Windows 7 and Windows 8 clients
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
# 8.8.8.8 is the DNS server handed to clients
ms-dns 8.8.8.8
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users".  Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
3. Create the xl2tpd users. The username and password entered when connecting are configured in this file. CHAP (and MS-CHAPv2) requires the server to hold the password in clear text, so keep the file at mode 0600 and use a real password in place of the placeholder below:
[root@linuxcc.com]# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client                server  secret                  IP addresses
# linuxcc_l2tpuser is the login name and linuxcc_l2tp123 its password; the fields are separated by spaces or tabs
linuxcc_l2tpuser        *       linuxcc_l2tp123         *
4. Start xl2tpd, check that it is running, then test a connection from a client. Enable it at boot the same way as ipsec (systemctl enable xl2tpd); the "disabled" in the status output below shows that this has not been done yet.
[root@linuxcc.com]# systemctl start xl2tpd
[root@linuxcc.com]# systemctl status xl2tpd
xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
   Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; disabled)
   Active: active (running) since Thu 2015-12-31 23:36:24 CST; 9s ago
  Process: 1322 ExecStartPre=/sbin/modprobe -q l2tp_ppp (code=exited, status=0/SUCCESS)
 Main PID: 1324 (xl2tpd)
   CGroup: /system.slice/xl2tpd.service
           1324 /usr/sbin/xl2tpd -D

Dec 31 23:36:24 Linuxdc_USA systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
Dec 31 23:36:24 Linuxdc_USA systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Not looking for kernel SAref support.
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Using l2tp kernel support.
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: xl2tpd version xl2tpd-1.3.6 started on Linuxdc_USA PID:1324
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Forked by Scott Balmos and David Stipp, (C) 2001
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Inherited by Jeff McAdams, (C) 2002
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Dec 31 23:36:24 Linuxdc_USA xl2tpd[1324]: xl2tpd[1324]: Listening on IP address 0.0.0.0, port 1701
The last line shows the daemon bound to 0.0.0.0, so this run predates the listen-addr setting; after a restart with the edited configuration it should report 123.57.255.228. Either way, xl2tpd itself does not check that an L2TP packet arrived inside IPsec, so restrict UDP/1701 at the firewall to IPsec-protected traffic or the daemon will also answer unencrypted L2TP from anyone who can reach the port.
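As an added example that is not part of the original article or of the xl2tpd and libreswan projects, the shell script below replaces the hand-typed placeholder secrets from steps II.3 and III.3 with random ones, writes both secrets files readable by root only, and prints iptables rules that accept L2TP on UDP/1701 only when the packet was decapsulated from an IPsec SA, so the daemon listening on port 1701 cannot be reached in the clear. The address 123.57.255.228, the user name linuxcc_l2tpuser and the file layouts follow the article; the helper names, the 32-byte secret length and the use of a mktemp directory for the demo are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the article): strong secrets, safe file modes and
# firewall rules that only expose L2TP inside IPsec. Helper names are ours;
# paths and addresses default to the article's values.

# Random secret: N bytes (default 32) of /dev/urandom, base64-encoded, no
# newline. 32 bytes gives 256 bits of entropy instead of "l2tppass".
gen_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Write an ipsec.secrets-style PSK line for SERVER_IP and any peer. The file
# is created under umask 077 so it is never world-readable, then pinned to 0600.
write_psk_secrets() {
    file="$1"; server_ip="$2"; psk="$3"
    (umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$file")
    chmod 600 "$file"
}

# Append one chap-secrets entry (client, server, secret, allowed IPs).
# The password is quoted so base64 characters survive pppd's tokenizer.
add_chap_user() {
    file="$1"; user="$2"; pass="$3"
    (umask 077; printf '%s\t*\t"%s"\t*\n' "$user" "$pass" >> "$file")
    chmod 600 "$file"
}

# Octal permission bits of FILE (GNU stat), for the 0600 check.
file_mode() {
    stat -c '%a' "$1"
}

# Login names defined in a chap-secrets file, comments and blank lines skipped.
chap_users() {
    sed 's/#.*//' "$1" | awk 'NF >= 3 { print $1 }'
}

# iptables rules for the server's public address: IKE and NAT-T are open,
# UDP/1701 is accepted only for packets the kernel decapsulated from an ESP
# SA (xt_policy match), and any other L2TP packet is dropped.
l2tp_ipsec_only_rules() {
    server_ip="$1"
    cat <<EOF
iptables -A INPUT -d $server_ip -p udp --dport 500 -j ACCEPT
iptables -A INPUT -d $server_ip -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -d $server_ip -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -d $server_ip -p udp --dport 1701 -j DROP
EOF
}

# Demo against a temporary directory; nothing under /etc is touched.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_psk_secrets "$tmp/linuxcc_l2tp.secrets" 123.57.255.228 "$(gen_secret)"
    add_chap_user "$tmp/chap-secrets" linuxcc_l2tpuser "$(gen_secret 24)"
    echo "== $tmp/linuxcc_l2tp.secrets (mode $(file_mode "$tmp/linuxcc_l2tp.secrets"))"
    cat "$tmp/linuxcc_l2tp.secrets"
    echo "== $tmp/chap-secrets users: $(chap_users "$tmp/chap-secrets" | tr '\n' ' ')"
    echo "== firewall rules"
    l2tp_ipsec_only_rules 123.57.255.228
fi
```

To use it for real, point write_psk_secrets at /etc/ipsec.d/linuxcc_l2tp.secrets and add_chap_user at /etc/ppp/chap-secrets, then restart ipsec and xl2tpd; the printed iptables rules are plain commands, so they can be applied as root or translated into equivalent firewalld rich rules. The policy match is what makes the difference: after ESP (or ESP-in-UDP on port 4500) is decapsulated, the inner L2TP packet passes INPUT again carrying the IPsec policy mark, while a raw L2TP packet sent straight to port 1701 does not and is dropped by the last rule.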
Closing:
That completes the basic configuration of an L2TP server on CentOS 7 and RHEL 7. You are welcome to test it; for other questions, leave a comment on this article on the site.
Please credit the source when reposting; for more articles, bookmark linuxcc.org. Thank you!