廢話不多說直接上步驟。
server
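# Add the EPEL repository (openswan and xl2tpd are not in the base repos).
# The original step did "rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm":
# plain HTTP and no EPEL GPG key imported yet, so nothing verified that
# package. On CentOS the same epel-release package is signed and shipped in
# the "extras" repo, so let yum fetch and verify it; on a host without that
# repo, import the EPEL signing key before installing a downloaded RPM.
yum install -y epel-release
# IPsec daemon (openswan), L2TP daemon (xl2tpd) and pppd
yum install openswan ppp xl2tpd -y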
vim /etc/ipsec.conf
# /etc/ipsec.conf — Openswan responder for L2TP/IPsec, authenticated with a
# pre-shared key from /etc/ipsec.secrets. Only UDP 1701 (L2TP) is protected;
# the PPP session then runs inside that transport-mode SA.
config setup
	# Accept clients behind NAT (IKE/ESP over UDP 4500).
	nat_traversal=yes
	# Private ranges a NATed client may present as its inner address
	# (used by rightsubnet=vhost:%priv below).
	# NOTE(review): Openswan's documentation recommends also excluding the
	# server's own LAN here, e.g. ",%v4:!<server-LAN>/24" — confirm for
	# this network before relying on the NAT conn.
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	# No opportunistic encryption.
	oe=off
	# Use the kernel's native IPsec stack.
	protostack=netkey

# Variant for clients behind NAT: inherits everything from the noNAT
# conn and additionally allows a virtual (private) inner address.
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	# PSK authentication; the key lives in /etc/ipsec.secrets and is the
	# same for every client (right=%any), so anyone holding it can also
	# pose as this server.
	authby=secret
	# No Perfect Forward Secrecy for the phase-2 keys. This is commonly
	# set for L2TP/IPsec because widespread built-in clients do not
	# negotiate PFS; the cost is that later compromise of the phase-1 key
	# material lets earlier ESP keys be derived.
	pfs=no
	# Load at startup and wait for the peer to initiate.
	auto=add
	keyingtries=3
	# The server never initiates rekeying; clients do.
	rekey=no
	ikelifetime=8h
	keylife=1h
	# L2TP/IPsec uses transport mode (host-to-host, no subnets).
	type=transport
	# This host's address. Replace with your public IP; the author's is an
	# internal address because this was a lab test.
	left=192.168.42.191
	# Protect only UDP/1701 on the server side ...
	leftprotoport=17/1701
	# ... from any peer, on whatever source port it uses (NAT may rewrite it).
	right=%any
	rightprotoport=17/%any
	# NOTE(review): no ike=/phase2alg= is set, so the proposals are this
	# Openswan build's defaults; pin them explicitly if older ciphers must
	# be excluded.
vim /etc/ipsec.secrets
# /etc/ipsec.secrets — pre-shared key consulted by authby=secret in
# /etc/ipsec.conf. Format: "<server IP> %any: PSK <key>", i.e. one group
# key for every client. Replace the IP with the server's own address and
# the key with a long random value (e.g. from `openssl rand -base64 32`);
# "shiyiwen" is a placeholder-strength secret. Keep the file root-only
# (mode 0600).
192.168.42.191 %any: PSK "shiyiwen"
把如下添加進 /etc/sysctl.conf #注意順序
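# Kernel settings for the L2TP/IPsec gateway, appended to /etc/sysctl.conf.
# sysctl applies the file top to bottom, so a later line overrides an
# earlier one with the same name: keep these AFTER the distribution
# defaults. Apply with "sysctl -p".

# Route traffic between PPP clients and the outside (the MASQUERADE rule
# in iptables depends on this).
net.ipv4.ip_forward = 1

# Reverse-path filtering can drop IPsec (netkey) traffic and is probably
# what "ipsec verify" reported as "enabled" in this guide. "default." only
# seeds interfaces created later; the kernel uses the larger of
# conf/all/rp_filter and conf/<iface>/rp_filter, so "all." is needed as
# well, and an interface that already exists with rp_filter=1 (e.g. eth0)
# keeps its value until set per-interface or rebooted. Note this turns off
# a source-address spoofing check; the iptables rules must cover that.
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

# Neither send nor accept ICMP redirects (also checked by "ipsec verify").
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Do not log martian packets.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# Refuse source-routed packets; the original set only "default.", which
# leaves existing interfaces on their old value.
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

# Ignore malformed ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1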
sysctl -p 刷新
啟動ipsec 和xl2tpd 應用
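# Restart IPsec so ipsec.conf/ipsec.secrets are re-read, start xl2tpd, then
# enable both at boot. Chained with && so a failed (re)start stops here
# instead of silently enabling a broken service, without exiting the
# interactive shell the commands are pasted into.
ipsec restart \
  && /etc/init.d/xl2tpd start \
  && chkconfig ipsec on \
  && chkconfig xl2tpd on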
使用 ipsec verify 查看狀態（先關閉 SELinux 和 iptables；如果要開 iptables，本文下面有完整的規則）。
「enabled」這一項我沒有處理，因為後面也能連接成功，內核參數也是設置對的。有知道原因的朋友望告訴我。
/etc/xl2tpd/xl2tpd.conf 這里的配置文件可以配置分配的網段還有一些其他參數。默認可以不配置。
接下來配置ppp協議
vim /etc/ppp/chap-secrets #配置用戶名和密碼其實還有權限。
# Secrets for authentication using CHAP
# client	server	secret			IP addresses
# One line per VPN user: "admin" may authenticate against any server name
# ("*") with password "yingzi" and may use any address ("*"); an address
# or subnet in the last column restricts what the client may be given.
# CHAP needs the password stored in clear text, so keep this file root-only
# (mode 0600) and use a longer, random secret than a short word.
admin	*	"yingzi"	*
重啟xl2tpd 服務
===============================================================
client:
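# Client side: we use xl2tpd here as well, and both ends need pppd.
# The original "install EPEL repo" comment had no command behind it, and
# xl2tpd comes from EPEL on this distribution, so add the repo first. The
# signed epel-release package from the CentOS "extras" repo is used instead
# of an unverified RPM fetched over plain HTTP.
yum install -y epel-release
yum install xl2tpd ppp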
vim /etc/xl2tpd/xl2tpd.conf
; /etc/xl2tpd/xl2tpd.conf (client) — L2TP access concentrator "sywvpn".
; Dial it with: echo 'c sywvpn' > /var/run/xl2tpd/l2tp-control
[lac sywvpn]
; PPP user name; must match a line in the server's /etc/ppp/chap-secrets.
name = admin;
; The L2TP network server (LNS). Nothing in this guide configures IPsec on
; the client, so as shown the session to the LNS is plain L2TP: the PPP
; traffic is not protected by IPsec, and the pppd options below ask for no
; link-layer encryption either.
lns = 192.168.42.191;
; pppd option file for this link (remotename/user/password live there).
pppoptfile = /etc/ppp/peers/sywvpn.l2tpd;
; Verbose pppd logging; handy while testing, noisy in production.
ppp debug = yes;
vim /etc/ppp/peers/sywvpn.l2tpd
# /etc/ppp/peers/sywvpn.l2tpd — pppd options for the "sywvpn" link.
# The values below correspond to what was configured on the server.
# Name of the peer as used for the secrets lookup.
remotename sywvpn
# Credentials matching the server's /etc/ppp/chap-secrets ("admin"/"yingzi").
# pppd's manual discourages the "password" option in favour of the secrets
# files; if it stays here, this file must be readable by root only.
user "admin"
password "yingzi"
# Use interface ppp0 (matches the log excerpt below).
unit 0
# Take a lock on the pty so only one pppd uses it.
lock
# No Deflate or BSD compression.
nodeflate
nobsdcomp
# Do not require the server to authenticate itself: only the client proves
# its identity, so the server is trusted on its IP address alone (no IPsec
# is set up on this client in the guide).
noauth
# Re-establish the link after it drops.
persist
# No protocol-field / address-control-field compression.
nopcomp
noaccomp
# Verbose logging (see the syslog excerpt below).
debug
# Start the client-side xl2tpd daemon. This only brings the daemon up; the
# tunnel itself is dialled separately through /var/run/xl2tpd/l2tp-control.
/etc/init.d/xl2tpd start
# Started, but nothing has been dialled yet.
開始撥號
# Tell the running xl2tpd to connect the "sywvpn" LAC defined in
# /etc/xl2tpd/xl2tpd.conf; l2tp-control is the daemon's command FIFO.
printf 'c sywvpn\n' > /var/run/xl2tpd/l2tp-control
# 查看client撥號日志
Aug 31 15:38:59 app7 xl2tpd[3464]: Connecting to host 192.168.42.191, port 1701 Aug 31 15:38:59 app7 xl2tpd[3464]: Connection established to 192.168.42.191, 1701. Local: 52638, Remote: 44491 (ref=0/0). Aug 31 15:38:59 app7 xl2tpd[3464]: Calling on tunnel 52638 Aug 31 15:38:59 app7 xl2tpd[3464]: Call established with 192.168.42.191, Local: 28263, Remote: 3204, Serial: 2 (ref=0/0) Aug 31 15:38:59 app7 pppd[4629]: pppd 2.4.5 started by root, uid 0 Aug 31 15:38:59 app7 pppd[4629]: Using interface ppp0 Aug 31 15:38:59 app7 pppd[4629]: Connect: ppp0 <--> /dev/pts/2 Aug 31 15:39:02 app7 pppd[4629]: CHAP authentication succeeded: Access granted Aug 31 15:39:02 app7 pppd[4629]: CHAP authentication succeeded Aug 31 15:39:02 app7 pppd[4629]: local IP address 192.168.1.128 Aug 31 15:39:02 app7 pppd[4629]: remote IP address 192.168.1.99
#查看server端日志
Aug 31 15:38:41 Monitor xl2tpd[30013]: control_finish: Connection closed to 172.16.38.7, port 1701 (Goodbye!), Local: 63296, Remote: 51768 #之前斷的 Aug 31 15:38:59 Monitor xl2tpd[30013]: Connection established to 172.16.38.7, 1701. Local: 44491, Remote: 52638 (ref=0/0). LNS session is 'default' Aug 31 15:38:59 Monitor xl2tpd[30013]: Call established with 172.16.38.7, Local: 3204, Remote: 28263, Serial: 2 Aug 31 15:38:59 Monitor pppd[30138]: pppd 2.4.5 started by root, uid 0 Aug 31 15:38:59 Monitor pppd[30138]: Using interface ppp0 Aug 31 15:38:59 Monitor pppd[30138]: Connect: ppp0 <--> /dev/pts/1 Aug 31 15:39:02 Monitor pppd[30138]: Cannot determine ethernet address for proxy ARP Aug 31 15:39:02 Monitor pppd[30138]: local IP address 192.168.1.99 Aug 31 15:39:02 Monitor pppd[30138]: remote IP address 192.168.1.128
#ifconfig 客戶端
ppp0 Link encap:Point-to-Point Protocol inet addr:192.168.1.128 P-t-P:192.168.1.99 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1 RX packets:1341 errors:0 dropped:0 overruns:0 frame:0 TX packets:1341 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:112434 (109.7 KiB) TX bytes:112440 (109.8 KiB)
#ping 服務端
[root@app7 var]# ping 192.168.1.99 PING 192.168.1.99 (192.168.1.99) 56(84) bytes of data. 64 bytes from 192.168.1.99: icmp_seq=1 ttl=64 time=4.26 ms 64 bytes from 192.168.1.99: icmp_seq=2 ttl=64 time=4.01 ms 64 bytes from 192.168.1.99: icmp_seq=3 ttl=64 time=3.88 ms 64 bytes from 192.168.1.99: icmp_seq=4 ttl=64 time=3.91 ms 64 bytes from 192.168.1.99: icmp_seq=5 ttl=64 time=3.86 m
# Hang up the "sywvpn" tunnel through the same control FIFO
# (the ls -l output below shows it as a named pipe: "p" in the mode bits).
printf 'd sywvpn\n' > /var/run/xl2tpd/l2tp-control
#查看該文件應該屬於數據庫過度文件
prw------- 1 root root 0 Aug 31 15:38 /var/run/xl2tpd/l2tp-control
# 網上解釋如下
192.168.7.0/24根據實際情況替換。
vi /etc/sysconfig/iptables 看到的應該是類似這樣。
最上面先是nat規則,下面是filter規則。
下面 filter 表里，先把 VPN 要用到的 UDP 端口 1701、500、4500 都打開。要用 OpenVPN 的話，還要開 1194。
另外filter表里,一定要有FORWARD規則。這點在網上好幾個教程里都沒說!坑死人。
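# Reference rules only — adapt them, do not paste them blindly. Replace
# 192.168.7.0/24 with the subnet xl2tpd hands to PPP clients and eth0 with
# the public interface.
*nat
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide VPN clients behind the server's own address when they leave via eth0.
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
# Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# OpenVPN, if used. Its default transport is UDP; this opens TCP only.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# L2TP. As written this accepts plain, unencrypted L2TP from anyone. To admit
# only packets that arrived inside an IPsec SA, add "-m policy --dir in --pol ipsec"
# to this rule (the client in this guide has no IPsec and would then be refused).
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
# IKE (500) and NAT-T (4500).
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
# Raw ESP (IP protocol 50) is what a client that is NOT behind NAT sends after
# IKE; with netkey the ESP packet traverses INPUT before being decrypted, and
# its first packet is neither RELATED nor ESTABLISHED, so without this line it
# would fall through to the REJECT below.
-A INPUT -p esp -j ACCEPT
# In the original this rule was fused onto the end of the 4500 line, which
# iptables-restore cannot parse; it must be on its own line.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarding for VPN clients. "-d 192.168.7.0/24" lets anything addressed to a
# client through; "-m state --state RELATED,ESTABLISHED" would be tighter, so only
# replies to client-initiated connections reach the PPP interfaces.
-A FORWARD -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 28 15:50:40 2012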
by:V