CentOS L2TP/IPsec VPN installation and configuration in detail

Posted by 张映 on 2016-04-29

Category: linux


Talk of VPNs brings Google to mind, and a heartfelt ache with it. I wrote an earlier article on this, centos5.5 vpn 安装配置详解, which covered PPTP. PPTP uses a TCP control channel (port 1723) with GRE carrying the tunnelled frames, whereas L2TP/IPsec runs over UDP: IKE on 500 and 4500, L2TP itself on 1701 inside the IPsec transport SA, and ESP either as IP protocol 50 or UDP-encapsulated on 4500 behind NAT. After PPTP has been in use for a while it gets blocked intermittently.

I. Install xl2tpd and openswan

# yum install xl2tpd openswan ppp

If yum cannot find the packages, install the EPEL repository first; I won't repeat that here, search this blog for it.

II. Configure IPsec

1. Configure ipsec.conf

[root@network ipsec.d]# cat /etc/ipsec.conf
version 2.0

config setup
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
 oe=off
 protostack=netkey

conn L2TP-PSK-NAT
 rightsubnet=vhost:%priv
 also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
 authby=secret
 pfs=no
 auto=add
 keyingtries=3
 rekey=no
 ikelifetime=8h
 keylife=1h
 type=transport
 # VPN server IP; on a real deployment this is the server's public-facing address
 left=192.168.10.202
 leftprotoport=17/1701
 right=%any
 rightprotoport=17/%any

The conn pins no ike= or phase2alg= proposals, so pluto negotiates Openswan's built-in defaults, which on the 2.6 series still admit 3DES and MD5. On a server you control, pin the proposals explicitly (for example AES-256 with SHA-1 and the 2048-bit MODP group) so a client cannot talk you down to the weakest common option.

2. Set the PSK (pre-shared key)

[root@network ipsec.d]# cat /etc/ipsec.secrets
192.168.10.202 %any: PSK "sec123"

The first field is the server's public IP, %any means any peer may connect, and the shared secret is sec123; note the double quotes. Because the conn uses right=%any with authby=secret, this single PSK is all that gates the IPsec SA for every client, so sec123 is only a placeholder: use a long random secret (20 or more characters drawn from several character classes) and keep /etc/ipsec.secrets readable by root only (mode 600).

3. Adjust the kernel network settings

# vim /etc/sysctl.conf
# change 0 to 1 so the kernel forwards packets between the ppp links and the outside interface
net.ipv4.ip_forward = 1

# sysctl -p   # applies it immediately

That turns on IP forwarding, without which client traffic never leaves the server.

# vim /etc/ipsec.d/net.sh  # add the following content
#!/bin/sh
# Disable ICMP redirects on every interface; ipsec verify checks for this.
for each in /proc/sys/net/ipv4/conf/*
do
  echo 0 > "$each/accept_redirects"
  echo 0 > "$each/send_redirects"
done

# chmod +x /etc/ipsec.d/net.sh
# sh /etc/ipsec.d/net.sh

4. Start IPsec and verify

[root@network ipv4]# /etc/init.d/ipsec start  

[root@network ipv4]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

If ipsec verify reports no FAILED lines, IPsec is installed and pluto is running. Note that it checks the local host only (kernel support, ICMP redirects, listening ports); it does not prove that a remote client can reach UDP 500 and 4500 through your firewall.

III. Configure xl2tpd

[root@network ipv4]# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no

[lns default]
; server-side address of the PPP link
local ip = 192.168.10.202
; address pool handed out to clients; it must not include local ip
ip range = 192.168.0.128-192.168.0.254
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

[root@network ipv4]# /etc/init.d/xl2tpd start  # start the daemon

IV. Configure PPP

1. Configure options.xl2tpd

require-mschap-v2 restricts PPP authentication to MS-CHAPv2. On its own MS-CHAPv2 is not a strong authentication method (its DES-based response can be brute-forced offline), so the confidentiality of the login rests entirely on the IPsec layer around it; both the PSK and the user passwords must be strong.

[root@network ipv4]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

2. Add a VPN user

# cat >>/etc/ppp/chap-secrets<<EOF
vpnuser * 111111 *
EOF

The fields are client name, server name (* matches the name l2tpd set above), password and allowed client IP. 111111 is a placeholder; give each user a real password, and keep /etc/ppp/chap-secrets readable by root only since it stores them in plaintext.

V. Configure iptables SNAT

# iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.0.0/24 --to-source 192.168.10.202
# service iptables save

The source subnet must cover the whole client pool from xl2tpd.conf (192.168.0.128-192.168.0.254) and the target is the server's own address. iptables-save by itself only prints the ruleset to stdout; on CentOS 5/6 it is service iptables save that writes /etc/sysconfig/iptables so the rule survives a reboot. If your INPUT chain is not wide open, it also has to accept UDP 500 and 4500 (IKE and NAT-T), ESP (IP protocol 50) and UDP 1701 for L2TP; the L2TP port should only be reachable through the IPsec tunnel, which the iptables policy match (-m policy) can express.

VI. Enable at boot

# chkconfig ipsec on
# chkconfig xl2tpd on
# cat >>/etc/rc.local<<EOF
sh /etc/ipsec.d/net.sh
EOF
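As an added check for the whole procedure in sections II to V (this is example code written for this page, not part of the original article or of Openswan/xl2tpd), the Python script below parses the files written above plus the SNAT rule and reports the mistakes that most often leave a tunnel half-working: a PSK bound to a different address than left=, a placeholder PSK or PPP password, a conn that is not transport mode on UDP 1701, a local ip inside the client pool, and an SNAT source that does not cover the pool. The embedded inputs are constructed copies of the article's values; the strength thresholds (20 characters for the PSK, 12 for passwords) are my assumptions.

```python
"""Cross-check the L2TP/IPsec server files from sections II-V.

Added example, not from the original article or from Openswan/xl2tpd. The inputs
below are constructed copies of the article's values; read the real files into
these names to audit a live server without touching it.
"""
import ipaddress
import re

# Constructed inputs mirroring the article's configuration, placeholder secrets included.
IPSEC_CONF = """\
conn L2TP-PSK-noNAT
 authby=secret
 type=transport
 left=192.168.10.202
 leftprotoport=17/1701
 right=%any
 rightprotoport=17/%any
"""
IPSEC_SECRETS = '192.168.10.202 %any: PSK "sec123"\n'
XL2TPD_CONF = """\
[lns default]
local ip = 192.168.10.202
ip range = 192.168.0.128-192.168.0.254
"""
CHAP_SECRETS = "vpnuser * 111111 *\n"
SNAT_RULE = "-t nat -I POSTROUTING 1 -j SNAT -s 192.168.0.0/24 --to-source 192.168.10.202"


def parse_kv(text, comment_char):
    """Flatten 'key=value' / 'key = value' lines into a dict, skipping section
    headers and comments; later duplicates win (enough for these single-conn files)."""
    out = {}
    for line in text.splitlines():
        line = line.split(comment_char, 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_psk(secrets_text):
    """Return (left_id, right_id, psk) from an ipsec.secrets PSK line."""
    m = re.search(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', secrets_text, re.M)
    if not m:
        raise ValueError("no PSK line in ipsec.secrets")
    return m.group(1), m.group(2), m.group(3)


def parse_pool(range_text):
    """'a.b.c.d-a.b.c.e' -> (first, last) as IPv4Address."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in range_text.split("-", 1))
    if last < first:
        raise ValueError("ip range end precedes its start")
    return first, last


def parse_chap_users(text):
    """chap-secrets lines 'client server secret [ip]' -> {client: secret}."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {f[0]: f[2] for f in rows if len(f) >= 3}


def is_strong_secret(secret, min_len):
    """Length check plus at least three of: lower, upper, digit, other."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(test(c) for c in secret) for test in tests)
    return len(secret) >= min_len and classes >= 3


def check_server(ipsec_conf, ipsec_secrets, xl2tpd_conf, chap_secrets, snat_rule,
                 min_psk_len=20, min_pw_len=12):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    conf = parse_kv(ipsec_conf, "#")
    l2tp = parse_kv(xl2tpd_conf, ";")
    left_id, _right_id, psk = parse_psk(ipsec_secrets)
    # pluto looks the PSK up by the 'left' address; a mismatch means "no secret found".
    if left_id != conf.get("left"):
        findings.append(f"PSK bound to {left_id} but ipsec.conf has left={conf.get('left')}")
    # With right=%any and authby=secret, the PSK alone gates the IPsec SA.
    if not is_strong_secret(psk, min_psk_len):
        findings.append("PSK is weak: use a long random secret, not a placeholder")
    # L2TP must ride in an IPsec transport SA on UDP 1701.
    if conf.get("type") != "transport" or conf.get("leftprotoport") != "17/1701":
        findings.append("conn must set type=transport and leftprotoport=17/1701")
    local_ip = ipaddress.IPv4Address(l2tp["local ip"])
    first, last = parse_pool(l2tp["ip range"])
    # The server's own PPP address must never be handed to a client.
    if first <= local_ip <= last:
        findings.append(f"local ip {local_ip} lies inside ip range {first}-{last}")
    # Every pool address needs the SNAT rule, or that client has no egress.
    m = re.search(r"(?:^|\s)-s\s+(\S+)", snat_rule)
    snat_net = ipaddress.IPv4Network(m.group(1), strict=False) if m else None
    if snat_net is None or first not in snat_net or last not in snat_net:
        findings.append(f"SNAT source {snat_net} does not cover pool {first}-{last}")
    # MS-CHAPv2 adds little on its own, so PPP passwords must not be trivial either.
    for user, secret in parse_chap_users(chap_secrets).items():
        if len(secret) < min_pw_len or secret.isdigit():
            findings.append(f"chap-secrets user {user!r} has a weak password")
    return findings


if __name__ == "__main__":
    for finding in check_server(IPSEC_CONF, IPSEC_SECRETS, XL2TPD_CONF, CHAP_SECRETS, SNAT_RULE):
        print("FINDING:", finding)
```

Run as-is it flags exactly the article's two placeholders, sec123 and 111111; with a random PSK and real passwords substituted it reports nothing, and moving the SNAT source to a subnet that misses the pool, or putting local ip inside the pool, each produces its own finding.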

Here is a screenshot of a Win7 client connected; setting up the L2TP client is the fiddly part, and the next article will cover it in detail.

[Screenshot: L2TP connection succeeded on Win7]



Please credit when reposting
Author: 海底苍鹰
URL: http://blog.51yip.com/linux/1795.html

1 comment

  1. tumars wrote:

    Master, I configured it following your method; there were no problems or errors along the way, but when connecting it says:

    A network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your administrator or your service provider to determine which device may be causing the problem.

    My server is CentOS 5.9 on OpenVZ, the local machine is Windows 10, and iOS 10 cannot connect either.
