碼上歡樂
相關內容    簡體    繁體

CentOS7 搭建L2TP

本文轉載自   查看原文   2019-09-24 09:43   3672    梯子類
L2TP是一種工業標准的Internet隧道協議,功能大致和PPTP協議類似,比如同樣可以對網絡數據流進行加密。不過也有不同之處,比如PPTP要求網絡為IP網絡,L2TP要求面向數據包的點對點連接;PPTP使用單一隧道,L2TP使用多隧道;L2TP提供包頭壓縮、隧道驗證,而PPTP不支持。本文來介紹如何搭建L2TP。
1.先看看你的主機是否支持pptp,返回結果為yes就表示通過 
modprobe ppp-compress-18 && echo yes
2.是否開啟了TUN

有的虛擬機主機需要開啟,返回結果為cat: /dev/net/tun: File descriptor in bad state。就表示通過。

cat /dev/net/tun
3.更新一下再安裝 
yum install update 
yum update -y
4.安裝EPEL源 
yum install -y epel-release
5.安裝xl2tpd和libreswan 
yum install -y xl2tpd libreswan lsof
6.編輯xl2tpd配置文件 
vim /etc/xl2tpd/xl2tpd.conf

修改內容如下:

[global]
[lns default]
ip range = 172.100.1.100-172.100.1.150   #分配給客戶端的地址池
local ip = 172.100.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
7.編輯pppoptfile文件 
vim /etc/ppp/options.xl2tpd

修改內容如下:

ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
ms-dns 209.244.0.3
ms-dns 208.67.222.222
name xl2tpd
#noccp
auth
crtscts
idle 1800
mtu 1410         #第一次配置不建議設置mtu,mru,否則可能789錯誤
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
8.編輯ipsec配置文件 
vim /etc/ipsec.conf
config setup
        protostack=netkey
        dumpdir=/var/run/pluto/
        virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        include /etc/ipsec.d/*.conf
9.編輯include的conn文件 
vim /etc/ipsec.d/l2tp-ipsec.conf

修改內容如下:

conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.17   #service/VPS的外網地址,某些vps只有eth0一塊網卡的,
                        #就填內網地址,內核開啟nat轉發就可以了,
                        #CentOS7以下的用iptables定義轉發規則
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
10.設置用戶名密碼 
vim /etc/ppp/chap-secrets

修改內容:

vpnuser * pass * 
說明:用戶名[空格]service[空格]密碼[空格]指定IP
11.設置PSK 
vim /etc/ipsec.d/default.secrets
: PSK "testvpn"
12.CentOS7防火牆設置 
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
13.IP_FORWARD 設置 
vim /etc/sysctl.d/60-sysctl_ipsec.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0

重啟生效

systemctl restart network
13.ipsec啟動&檢查 
systemctl enable ipsec
systemctl restart ipsec

檢查:ipsec verify

正常輸出:

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-123.13.2.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options             [OK]
Opportunistic Encryption                                [DISABLED]
14.xl2tpd啟動 
systemctl enable xl2tpd
systemctl restart xl2tpd
15.Windows連接

Windows連接,需要修改注冊表鍵值(據說可以不用修改,但是我的不修改的話,一直789,log無顯示)


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 CentOS 搭建L2TP centos7 配置PPTP、L2TP、IPSec服務 CentOS7.6搭建PPTP和L2TP/IPSec服務 l2tp/ipsec搭建xxx 腳本搭建l2tp/IPSec L2TP簡介 L2TP協議 Ubuntu 15.10搭建IPSec L2TP服務器 Linux作為l2tp client 連接l2tp server L2TP 和 IPsec over L2TP
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM