One-click xl2tp setup on Linux
Author: 邓聪聪
L2TP (Layer 2 Tunneling Protocol). The figure above illustrates some characteristics of a VPN: employees on business trips or otherwise away from the office dial a specific number to reach the corporate internal network.
-------------------------------------------------
1. Install dependencies
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
2. Install openswan
cd openswan-2.6.50/
make programs install
3. Install xl2tpd and rp-l2tp
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
------------------------------------------------------------------
cd xl2tpd-1.3.8
make && make install
4. Configuration
(1) Edit the configuration file /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=<public IP address on the interface>
    leftid=<public IP address on the interface>
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any
(2) Set the pre-shared key (PSK): edit the configuration file /etc/ipsec.secrets
ServerIP %any: PSK "YourPSK"
(3) Change the kernel settings to enable forwarding: edit /etc/sysctl.conf and apply it
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sed -i 's/net.ipv4.conf.default.rp_filter = 1/net.ipv4.conf.default.rp_filter = 0/g' /etc/sysctl.conf
sysctl -p
Write a script that changes the per-interface parameters and configures NAT forwarding in the firewall
#!/bin/sh
# Disable ICMP redirects and reverse-path filtering on every IPv4 interface
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    echo 0 > $each/rp_filter
done
# Let replies to established connections be forwarded, and masquerade
# forwarded (VPN client) traffic leaving the server. Note that this rule has
# no source restriction, so it masquerades all forwarded traffic.
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING --jump MASQUERADE
(4) Verify that ipsec is running; check that IPsec was installed and started correctly
ipsec setup start
ipsec verify
If no errors are reported, everything is fine; if there are errors, check them one by one!!!
(5) Edit the configuration file /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes

[lns default]
ip range = (custom internal address range handed out to VPN dial-in clients)
local ip = (the VPN server's own internal address)
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configure ppp: create the file /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 219.141.140.10
ms-dns 114.114.114.114
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
(6) Configure the username and password: edit /etc/ppp/chap-secrets (the server column must match the "name l2tpd" set in options.xl2tpd)
# default user & password set
# username    server    password    client-ipaddress
vpn           l2tpd     vpnpwd      *
(7) Enable start at boot
chkconfig ipsec on
chkconfig xl2tpd on
(8) Check that the ipsec configuration is correct, start the services and verify that they started normally
[root@heju ~]# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.50/K2.6.32-642.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
------ indicates no problems
[root@heju ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1214/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1293/master
tcp 0 0 :::22 :::* LISTEN 1214/sshd
tcp 0 0 ::1:25 :::* LISTEN 1293/master
udp 0 0 127.0.0.1:500 0.0.0.0:* 2821/pluto
udp 0 0 192.168.168.250:500 0.0.0.0:* 2821/pluto
udp 0 0 X.X.X.X:500 0.0.0.0:* 2821/pluto
udp 0 0 127.0.0.1:4500 0.0.0.0:* 2821/pluto
udp 0 0 192.168.168.250:4500 0.0.0.0:* 2821/pluto
udp 0 0 X.X.X.X:4500 0.0.0.0:* 2821/pluto
udp 0 0 X.X.X.X:1701 0.0.0.0:* 2574/xl2tpd
udp 0 0 ::1:500 :::* 2821/pluto
------ ports 500, 4500 and 1701 appear in the port check, which means the services have started
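The checks a practitioner would script after step (8), as an added example that is not part of the original post: it verifies the three UDP listeners, the forwarding/rp_filter values and the permissions and contents of /etc/ipsec.secrets. Each check takes its input as arguments so it can run against captured output as well as the live host; it assumes GNU stat and the net-tools netstat used above.

```shell
#!/bin/sh
# Post-setup sanity checks for the L2TP/IPsec server built above (added example,
# not part of the original post). Inputs are passed as arguments so the checks
# can also run against captured output and test fixtures.

# check_listeners "<netstat -lntup output>": succeeds only when UDP 500 (IKE),
# 4500 (IKE NAT-T) and 1701 (L2TP) all have a listening socket. Matches both
# the "udp" and "udp6" protocol labels that different net-tools versions print.
check_listeners() {
    for port in 500 4500 1701; do
        printf '%s\n' "$1" | awk -v p="$port" '
            $1 ~ /^udp/ && $4 ~ (":" p "$") { found = 1 }
            END { exit (found ? 0 : 1) }' ||
            { echo "udp/$port is not listening" >&2; return 1; }
    done
}

# check_sysctl <ip_forward> <rp_filter>: forwarding must be on and reverse-path
# filtering off, which is what the sed/sysctl step above sets.
check_sysctl() {
    [ "$1" = "1" ] || { echo "net.ipv4.ip_forward is $1, expected 1" >&2; return 1; }
    [ "$2" = "0" ] || { echo "rp_filter is $2, expected 0" >&2; return 1; }
}

# check_secrets <ipsec.secrets>: the PSK file must be readable by root only and
# the template placeholder "YourPSK" must have been replaced with a real key.
check_secrets() {
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = "600" ] || { echo "$1 has mode $mode, expected 600" >&2; return 1; }
    ! grep -q 'PSK "YourPSK"' "$1" || { echo "$1 still has the placeholder PSK" >&2; return 1; }
}

# Run everything against the live host: sh checks.sh --live (as root, because
# netstat -p and /etc/ipsec.secrets need it).
if [ "${1:-}" = "--live" ]; then
    check_listeners "$(netstat -lntup 2>/dev/null)" &&
    check_sysctl "$(sysctl -n net.ipv4.ip_forward)" \
                 "$(sysctl -n net.ipv4.conf.default.rp_filter)" &&
    check_secrets /etc/ipsec.secrets && echo "all checks passed"
fi
```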
Connection logging: the following lines belong in the pppd ip-up and ip-down hook scripts, where pppd passes the interface name as $1, the local and remote addresses as $4 and $5, and ipparam (which xl2tpd sets to the client's address) as $6.
ip-up:
echo "****************************************************" >> /var/log/xl2tpd-${1}-up.log
echo "username: $PEERNAME" >> /var/log/xl2tpd-${1}-up.log
echo "clientIP: $6" >> /var/log/xl2tpd-${1}-up.log
echo "device: $1" >> /var/log/xl2tpd-${1}-up.log
echo "vpnIP: $4" >> /var/log/xl2tpd-${1}-up.log
echo "assignIP: $5" >> /var/log/xl2tpd-${1}-up.log
echo "logintime: `date -d today +%F_%T`" >> /var/log/xl2tpd-${1}-up.log
echo "****************************************************" >> /var/log/xl2tpd-${1}-up.log
ip-down:
echo "****************************************************" >> /var/log/xl2tpd-${1}-down.log
echo "downtime: `date -d today +%F_%T`" >> /var/log/xl2tpd-${1}-down.log
echo "bytes sent: $BYTES_SENT" >> /var/log/xl2tpd-${1}-down.log
echo "bytes received: $BYTES_RCVD" >> /var/log/xl2tpd-${1}-down.log
echo "connect time: $CONNECT_TIME" >> /var/log/xl2tpd-${1}-down.log
echo "****************************************************" >> /var/log/xl2tpd-${1}-down.log
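A reporting script for the log format written by the snippets above, as an added example that is not part of the original post: it pairs each up record with its down record and prints one line per VPN session, flagging sessions that never logged out. It assumes the log directory is passed as $1 (default /var/log) and that records for one interface are appended in the same order to both files.

```shell
#!/bin/sh
# Summarise the per-interface logs written by the ip-up/ip-down snippets above
# into one line per VPN session (added example, not part of the original post).
# Assumes $1 is the log directory (default /var/log) and that, for a given
# interface, up and down records are appended in the same order to both files.
vpn_session_report() {
    dir=${1:-/var/log}
    for up in "$dir"/xl2tpd-*-up.log; do
        [ -f "$up" ] || continue
        down=${up%-up.log}-down.log
        [ -f "$down" ] || down=/dev/null          # interface never went down yet
        awk '
            function dv(s, k) { return ((s, k) in dn) ? dn[s, k] : "-" }
            FNR == 1 { kind = (FILENAME ~ /-down\.log$/) ? "down" : "up" }
            /^\*+$/  { next }                     # record separator lines
            {
                key = $0; sub(/:.*/, "", key)     # text before the first colon
                val = $0; sub(/^[^:]*:[ \t]*/, "", val)
                if (key == "username") u++        # first line of an up record
                if (key == "downtime") d++        # first line of a down record
                if (kind == "up") up[u, key] = val; else dn[d, key] = val
            }
            END {
                for (s = 1; s <= u; s++)
                    printf "%s %s client=%s assigned=%s login=%s logout=%s sent=%s recv=%s secs=%s\n",
                        up[s, "device"], up[s, "username"], up[s, "clientIP"],
                        up[s, "assignIP"], up[s, "logintime"], dv(s, "downtime"),
                        dv(s, "bytes sent"), dv(s, "bytes received"), dv(s, "connect time")
                if (d > u)
                    print "warning: " (d - u) " down record(s) without an up record" > "/dev/stderr"
            }' "$up" "$down"
    done
}
```

Sessions whose logout, sent, recv and secs columns show "-" are still up (or died without running ip-down), which is the first thing to look at when auditing who is connected.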