First, I recommend running the script below:
https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7
This script installs and configures PPTP, L2TP and IPsec, although many of the settings it writes are not quite right.
While running the script, set up your IP plan, the PSK (pre-shared key, which the client needs later to connect), and the username and password (both needed later when connecting).
The PSK can be found and set in /etc/ipsec.secrets.
The username and password can be found and set in /etc/ppp/chap-secrets.
A short walkthrough of the changes follows:
vim /etc/ipsec.conf
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    #nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    #oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    #force_keepalive=yes
    keep_alive=1800

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=47.52.219.118        # put the server's public IP here
    leftid=47.52.219.118      # any id will do
    leftprotoport=17/1701     # port
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    sha2-truncbug=yes
vim /etc/xl2tpd/xl2tpd.conf
[global]
; ipsec saref = yes
; the server's public IP goes here
listen-addr = <public IP>
; username/password file
auth file = /etc/ppp/chap-secrets
port = 1701

[lns default]
; adjust to your LAN subnet and the number of addresses you need
ip range = 10.81.24.100-10.81.24.199
; the address assigned to the server itself
local ip = 10.81.24.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
; some of the xl2tpd/ppp settings live in this file
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Usernames and passwords are stored here:
/etc/ppp/chap-secrets
vim /etc/ppp/options.xl2tpd
#require-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
#crtscts
# The commented-out options here are not in the new configuration but were in the old one; commenting them out made things work again
#lock
hide-password
#modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000
vim /etc/pptpd.conf
#ppp /usr/sbin/pppd
# pptpd's ppp settings live in /etc/ppp/options.pptpd
option /etc/ppp/options.pptpd
#debug
# stimeout 10
#noipparam
logwtmp
#vrf test
#bcrelay eth1
#delegate
#connections 100
localip 10.81.24.2
remoteip 10.81.24.200-254
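The addresses, ports and pools in ipsec.conf, xl2tpd.conf and pptpd.conf have to agree with each other, which is easy to get wrong when editing three files by hand. The following Python script is an added example (not part of the original post or of the installation script): it parses constructed samples of the three files in the layout shown above and reports mismatches between xl2tpd's listen-addr and ipsec's left, between the L2TP port and leftprotoport, overlapping L2TP/PPTP client pools, and IKE proposals that still offer 3DES. The conn name L2TP-PSK-noNAT and the sample addresses are taken from the configs above.

```python
import configparser
import ipaddress
# Constructed samples in the layout shown above (not the author's live files).
IPSEC_CONF = """conn L2TP-PSK-noNAT
    left=47.52.219.118    # public IP of the server
    leftprotoport=17/1701
    ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
"""
XL2TPD_CONF = ("[global]\nlisten-addr = 47.52.219.118\nport = 1701\n"
               "[lns default]\nip range = 10.81.24.100-10.81.24.199\nlocal ip = 10.81.24.1\n")
PPTPD_CONF = "option /etc/ppp/options.pptpd\nlogwtmp\nlocalip 10.81.24.2\nremoteip 10.81.24.200-254\n"

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; an unindented line opens a section, '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip(): continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def expand_range(spec):
    """Expand 'a.b.c.d-a.b.c.e' or pptpd's short form 'a.b.c.d-e' into a set of addresses."""
    start, end = spec.split("-")
    if "." not in end:                      # short form: only the last octet is given
        end = start.rsplit(".", 1)[0] + "." + end
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return {ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)}

def check_vpn_config(ipsec_text, xl2tpd_text, pptpd_text):
    """Cross-check the three files; an empty list means they agree."""
    findings = []
    conn = parse_ipsec_conf(ipsec_text)["conn L2TP-PSK-noNAT"]
    cp = configparser.ConfigParser(inline_comment_prefixes=(";", "#"))
    cp.read_string(xl2tpd_text)
    if conn["left"] != cp["global"]["listen-addr"]:
        findings.append("ipsec left differs from xl2tpd listen-addr")
    if conn["leftprotoport"] != "17/" + cp["global"]["port"]:
        findings.append("leftprotoport does not match xl2tpd port")
    # pptpd.conf is 'keyword value' per line; bare keywords such as logwtmp are skipped
    pptp = dict(p for p in (l.split(None, 1) for l in pptpd_text.splitlines()) if len(p) == 2)
    if expand_range(cp["lns default"]["ip range"]) & expand_range(pptp["remoteip"]):
        findings.append("L2TP and PPTP client pools overlap")
    findings += [k + " still offers 3DES" for k in ("ike", "phase2alg") if "3des" in conn.get(k, "")]
    return findings
```

Run it against the real files by reading /etc/ipsec.conf, /etc/xl2tpd/xl2tpd.conf and /etc/pptpd.conf into the three arguments; with the sample values above the only findings are the two 3DES entries.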
System configuration (sysctl):
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
# eth1 is the interface that forwards the VPN traffic; set this for the correct interface
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Firewall configuration
Create the file /usr/lib/firewalld/services/pptpd.xml
with this content:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>pptpd</short>
  <description>PPTP</description>
  <port protocol="tcp" port="1723"/>
</service>
Create the file /usr/lib/firewalld/services/l2tpd.xml
with this content:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>l2tpd</short>
  <description>L2TP IPSec</description>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <port protocol="udp" port="1701"/>
</service>
firewall-cmd --reload
firewall-cmd --permanent --add-service=pptpd
firewall-cmd --permanent --add-service=l2tpd
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
firewall-cmd --reload
Enable the services at boot:
systemctl enable pptpd ipsec xl2tpd
systemctl restart pptpd ipsec xl2tpd
IPsec check (ipsec verify): everything should report OK. If something is not OK, read the error message to fix it; many old options have already been removed and will produce errors.
Verifying installed system and configuration files

Version check and ipsec on-path                                  [OK]
Libreswan 3.25 (netkey) on 3.10.0-514.26.2.el7.x86_64
Checking for IPsec support in kernel                             [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                             [OK]
         ICMP default/accept_redirects                           [OK]
         XFRM larval drop                                        [OK]
Pluto ipsec.conf syntax                                          [OK]
Two or more interfaces found, checking IP forwarding             [OK]
Checking rp_filter                                               [OK]
Checking that pluto is running                                   [OK]
 Pluto listening for IKE on udp 500                              [OK]
 Pluto listening for IKE/NAT-T on udp 4500                       [OK]
Pluto ipsec.secret syntax                                        [OK]
Checking 'ip' command                                            [OK]
Checking 'iptables' command                                      [OK]
Checking 'prelink' command does not interfere with FIPS          [OK]
Checking for obsolete ipsec.conf options                         [OK]