Author: 鄧聰聰
L2TP (Layer 2 Tunneling Protocol). The figure above illustrates some characteristics of the VPN: employees on business trips or otherwise away from the office connect to the enterprise's internal network by dialling a specific number.
-------------------------------------------------
1. Environment setup
CentOS 6.8
Required software: openswan, xl2tpd, rp-l2tp. Link: https://pan.baidu.com/s/1C9plODlCXlVO3x51_OFcNQ Password: 1ry8
Install the required packages with yum:
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
2. Install openswan
cd openswan-2.6.50/
make programs install
3. Install xl2tpd and rp-l2tp
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
------------------------------------------------------------------
cd xl2tpd-1.3.8
make && make install
4. Configuration
(1) Edit the configuration file /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=<public IP address on the interface>
    leftid=<public IP address on the interface>
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any
(2) Set the pre-shared key (PSK): edit the configuration file /etc/ipsec.secrets
ServerIP %any: PSK "YourPSK"
(3) Change the kernel settings so that forwarding is supported: edit /etc/sysctl.conf and apply it
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sed -i 's/net.ipv4.conf.default.rp_filter = 1/net.ipv4.conf.default.rp_filter = 0/g' /etc/sysctl.conf
sysctl -p
Write a script that adjusts these parameters on every interface, and configure NAT forwarding in the firewall:
#!/bin/sh
# Disable ICMP redirects and reverse-path filtering on every interface,
# otherwise the kernel may drop or redirect the tunnelled client traffic
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
    echo 0 > "$each/rp_filter"
done
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING --jump MASQUERADE
(4) Verify that IPsec is running; check that the system's IPsec was installed and started correctly
ipsec setup start
ipsec verify
If nothing is reported there is no problem; if errors are reported, check them one by one!!!
(5) Edit the configuration file /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes

[lns default]
ip range = (custom internal address pool handed out to VPN dial-in clients)
local ip = (the VPN server's own internal address)
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configure PPP: create the file /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 219.141.140.10
ms-dns 114.114.114.114
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
(6) Configure the username and password: edit /etc/ppp/chap-secrets
# default user & password set
# username  server  password  client-ipaddress
vpn         l2tpd   vpnpwd    *
(7) Enable the services at boot
chkconfig ipsec on
chkconfig xl2tpd on
(8) Check that the ipsec configuration is correct, start the services and verify that they came up normally
[root@heju ~]# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                         [OK]
Openswan U2.6.50/K2.6.32-642.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
------ this output means nothing is wrong
[root@heju ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1214/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1293/master
tcp        0      0 :::22                       :::*                        LISTEN      1214/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1293/master
udp        0      0 127.0.0.1:500               0.0.0.0:*                               2821/pluto
udp        0      0 192.168.168.250:500         0.0.0.0:*                               2821/pluto
udp        0      0 X.X.X.X:500                 0.0.0.0:*                               2821/pluto
udp        0      0 127.0.0.1:4500              0.0.0.0:*                               2821/pluto
udp        0      0 192.168.168.250:4500        0.0.0.0:*                               2821/pluto
udp        0      0 X.X.X.X:4500                0.0.0.0:*                               2821/pluto
udp        0      0 X.X.X.X:1701                0.0.0.0:*                               2574/xl2tpd
udp        0      0 ::1:500                     :::*                                    2821/pluto
------ the port check shows 500, 4500 and 1701 listening, which means the services have started
Recording the username and login time:
Add the following to the /etc/ppp/ip-up script:
echo "****************************************************" >> /var/log/xl2tpd-${1}-up.log
echo "username: $PEERNAME" >> /var/log/xl2tpd-${1}-up.log
echo "clientIP: $6" >> /var/log/xl2tpd-${1}-up.log
echo "device: $1" >> /var/log/xl2tpd-${1}-up.log
echo "vpnIP: $4" >> /var/log/xl2tpd-${1}-up.log
echo "assignIP: $5" >> /var/log/xl2tpd-${1}-up.log
echo "logintime: `date -d today +%F_%T`" >> /var/log/xl2tpd-${1}-up.log
echo "****************************************************" >> /var/log/xl2tpd-${1}-up.log
Add the following to the /etc/ppp/ip-down script:
echo "****************************************************" >> /var/log/xl2tpd-${1}-down.log
echo "downtime: `date -d today +%F_%T`" >> /var/log/xl2tpd-${1}-down.log
echo "bytes sent: $BYTES_SENT" >> /var/log/xl2tpd-${1}-down.log
echo "bytes received: $BYTES_RCVD" >> /var/log/xl2tpd-${1}-down.log
echo "connect time: $CONNECT_TIME" >> /var/log/xl2tpd-${1}-down.log
echo "****************************************************" >> /var/log/xl2tpd-${1}-down.log
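As an added example that is not part of the original post, the script below pairs the records written by the two hooks above into one line per session, so that who connected, from where, for how long, and any session that never got a down record (still connected, or the ip-down hook never ran) can be reviewed at a glance. It assumes the log directory and file names exactly as the hooks write them; the sample log contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: join the per-session records
# written by the ip-up / ip-down hooks above into one summary line per session.
# Assumes exactly the layout those hooks write: <logdir>/xl2tpd-<dev>-up.log and
# <logdir>/xl2tpd-<dev>-down.log, one "key: value" record per connection.

# Print "dev user clientIP assignIP logintime downtime connect_s sent rcvd" for
# every session under the directory given as $1. Down records are paired with up
# records by order; a session with no down record prints "-" for downtime
# (still connected, or the ip-down hook never ran), which is worth a look.
summarize_vpn_sessions() {
    logdir="$1"
    for up in "$logdir"/xl2tpd-*-up.log; do
        [ -f "$up" ] || continue
        dev=$(basename "$up" -up.log); dev=${dev#xl2tpd-}
        down="$logdir/xl2tpd-$dev-down.log"
        [ -f "$down" ] || down=/dev/null
        awk -F': ' -v dev="$dev" '
            FNR == 1 { n = 0 }                    # restart the counter for each file
            /^username:/  { n++; user[n] = $2 }   # first field of an up record
            /^clientIP:/  { cip[n] = $2 }
            /^assignIP:/  { aip[n] = $2 }
            /^logintime:/ { login[n] = $2 }
            /^downtime:/  { n++; dt[n] = $2 }     # first field of a down record
            /^connect time:/   { ct[n] = $2 }
            /^bytes sent:/     { sent[n] = $2 }
            /^bytes received:/ { rcvd[n] = $2 }
            END {
                for (i = 1; i in user; i++)
                    printf "%s %s %s %s %s %s %s %s %s\n", dev, user[i], cip[i], aip[i],
                        login[i], ((i in dt) ? dt[i] : "-"), ct[i] + 0, sent[i] + 0, rcvd[i] + 0
            }' "$up" "$down"
    done
}

# Constructed sample logs (two sessions on ppp0, the second still up), so the
# script runs offline; the addresses and counters are made up.
write_sample_logs() {
    stars='****************************************************'
    printf '%s\nusername: vpn\nclientIP: 203.0.113.7\ndevice: ppp0\nvpnIP: 10.8.0.1\nassignIP: 10.8.0.2\nlogintime: 2018-03-01_09:00:00\n%s\n' "$stars" "$stars" > "$1/xl2tpd-ppp0-up.log"
    printf '%s\nusername: vpn\nclientIP: 198.51.100.9\ndevice: ppp0\nvpnIP: 10.8.0.1\nassignIP: 10.8.0.3\nlogintime: 2018-03-01_11:30:00\n%s\n' "$stars" "$stars" >> "$1/xl2tpd-ppp0-up.log"
    printf '%s\ndowntime: 2018-03-01_09:45:10\nbytes sent: 120344\nbytes received: 98231\nconnect time: 2710\n%s\n' "$stars" "$stars" > "$1/xl2tpd-ppp0-down.log"
}

tmp=$(mktemp -d)
write_sample_logs "$tmp"
summarize_vpn_sessions "$tmp"
rm -rf "$tmp"
```

On a real server, call summarize_vpn_sessions /var/log instead of the constructed directory.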
===================================================================