- 安裝軟件
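# The L2TP daemon package is named xl2tpd — the original wrote `xl2tp`, which
# yum cannot resolve.  On CentOS/RHEL xl2tpd comes from EPEL, so enable the
# epel-release repository before running this; ppp and libreswan are in base.
yum install ppp xl2tpd libreswan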
- /etc/ipsec.conf
config setup
    # NOTE(review): nat_traversal= and oe= are accepted but ignored by recent
    # libreswan releases (NAT-T is always on) and netkey is the only remaining
    # stack — confirm against the installed version before relying on them.
    nat_traversal=yes
    # Private ranges a NATed client may present as its own address.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
    logfile=/var/log/pluto/pluto.log
    #dumpdir=/var/run/pluto

# Variant for clients behind NAT: inherits every setting from L2TP-PSK-noNAT
# and lets the remote side carry a private (virtual) address.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # Pre-shared key, taken from /etc/ipsec.secrets.
    authby=secret
    #sha2-truncbug=yes
    pfs=no
    auto=add
    keyingtries=3
    #keyingtries=%forever
    rekey=no
    ikelifetime=8h
    keylife=1h
    # NOTE(review): no ikev2=, ike= or phase2alg= is set, so the daemon's
    # defaults decide the IKE version and ciphers; newer libreswan defaults to
    # IKEv2, which the usual built-in L2TP clients do not speak — confirm and
    # pin these explicitly.
    # Transport mode: only the UDP/1701 traffic between the two hosts is protected.
    type=transport
    left=139.196.190.88 # the server's own public IP
    # NOTE(review): /etc/ipsec.secrets and xl2tpd.conf on this page use
    # 139.196.190.8 — one of the two is mistyped; all three must agree.
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    #dpddelay=15
    #dpdtimeout=30
    #dpdaction=clear
- /etc/ipsec.secrets
# Holds the shared key in clear: keep this file owned by root with mode 0600.
include /etc/ipsec.d/*.secrets
# <server public IP> <peer>: PSK "<secret>" — replace your_PSK with a long
# random value.  The address must equal left= in ipsec.conf
# (NOTE(review): ipsec.conf on this page shows 139.196.190.88 — reconcile).
139.196.190.8 %any: PSK "your_PSK"
139.196.190.8 是公網IP
- ipsec
# Start the IKE daemon (pluto); presumably equivalent to the
# `systemctl start ipsec` step further down this page — confirm on this host.
ipsec start
ipsec setup restart
ipsec verify
- /etc/xl2tpd/xl2tpd.conf
[global]
# NOTE(review): SAref tracking needs kernel support that the netkey stack
# used in ipsec.conf generally lacks — confirm it works, or set it to no.
ipsec saref = yes
# Public address the daemon binds; must match left= in ipsec.conf
# (NOTE(review): ipsec.conf on this page shows 139.196.190.88).
listen-addr = 139.196.190.8

[lns default]
# Addresses handed to VPN clients, and the server-side PPP address.
# NOTE(review): the iptables FORWARD/MASQUERADE rules must cover this
# 192.168.1.0/24 pool, otherwise clients authenticate but route nothing.
ip range = 192.168.1.2-192.168.1.100
local ip = 192.168.1.1
# CHAP and PAP are refused so that only the MS-CHAPv2 required in
# options.xl2tpd remains available.
refuse chap = yes
refuse pap = yes
require authentication = yes
#name = l2tp/ipsec VPN
ppp debug = yes
# pppd options file for every L2TP session.
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- ppp是一個撥號軟件,用來提供用戶登錄的用戶名和密碼,(pptp搭建的VPN也會用到ppp),所以,pptp & l2tp 可以共存在一台服務器上的,而且他們可以共享賬號信息,因為他們都使用ppp作為用戶登錄連接
- l2tp 也依賴於xl2tpd,配置文件有兩個
/etc/xl2tpd/xl2tpd.conf
/etc/ppp/options.xl2tpd
第一個文件將第二個文件包含
- /etc/ppp/options.xl2tpd
# pppd options for xl2tpd sessions (referenced by pppoptfile in xl2tpd.conf).
# Only MS-CHAPv2 is offered to clients; CHAP/PAP are refused in xl2tpd.conf.
require-mschap-v2
# DNS servers pushed to clients.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
# The peer must authenticate.
auth
crtscts
lock
# Keeps the password out of pppd's log output.
hide-password
modem
debug
# Server name matched against the server column of chap-secrets; the '*'
# entries on this page match any name.
name l2tpd
proxyarp
# Dead sessions are dropped after 4 missed echoes sent every 30 s.
lcp-echo-interval 30
lcp-echo-failure 4
#ipcp-accept-local
#ipcp-accept-remote
#noauth
#nocpp
#crtscts
#idle 1800
#mtu 1410
#mru 1410
#nodefaultroute
#debug
#lock
#proxyarp
#connect-delay 5000
- /etc/ppp/chap-secrets 用戶名 & 密碼文件
# pppd CHAP/MS-CHAPv2 secrets, one entry per line:
#   <client> <server> <secret> <allowed IP>
# '*' in the server column makes the entry valid for every ppp-based service
# (pptp and l2tp alike); '*' in the IP column allows login from any address.
# NOTE(review): these secrets appear in clear in this document and should be
# rotated; the last entry (unary) uses the user name as its password.
# NOTE(review): the rotation script further down edits /root/chap-secrets,
# not this path — confirm how the two files are kept in sync.
chenwk * SUt5MeOF *
chenw * YAGKcmVS *
sales * vq6RP0um *
data * rD4217lb *
personnel * AzTxPBzz *
operation * PZbzIFx6 *
tech * Rdev67K4 *
dinghh * uC9oIMij *
unary * unary *
有兩個星號,第一個表示以后所有使用ppp作為用戶認證的服務,都可以使用這個用戶名和密碼,包括 pptp & l2tp,第二個星號表示這個用戶可以從任何IP登錄,可以把星號改成具體值來限制.
- configuration iptables
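# Firewall for the L2TP/IPsec server.  Rules are appended (-A), so run this
# once on a clean ruleset (or flush first): re-running duplicates every rule.
#
# The original rules forwarded and masqueraded 172.16.0.0/24, but xl2tpd on
# this page hands out 192.168.1.x (ip range / local ip), so clients got no
# routed traffic.  Both values are parameters now and must stay in step with
# xl2tpd.conf and the public interface.
vpn_net=192.168.1.0/24   # must cover xl2tpd's `ip range` and `local ip`
wan_if=eth0              # interface carrying the public address

#filter
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT    # IKE
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT   # IKE / ESP NAT-T
# L2TP must only be reachable inside the IPsec transport SA; the policy match
# rejects plain UDP/1701 from the Internet, which the original accepted and
# which would expose the PPP authentication exchange unencrypted.
iptables -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
# Clients that are not behind NAT send raw ESP (protocol 50); the original
# accepted AH but not ESP, so such clients could never complete the SA.
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
# GRE is only needed if PPTP is served on the same host (see the ppp note).
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -d "$vpn_net" -j ACCEPT
iptables -A FORWARD -s "$vpn_net" -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
#nat
iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE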
- /etc/sysctl.conf
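# Kernel settings for IPsec/L2TP forwarding (`ipsec verify` checks these).
# The original transcript piped the here-doc into `tee -a 1.c`, i.e. a stray
# file in the current directory rather than /etc/sysctl.conf, and misspelled
# the last key (the sysctl is icmp_ignore_bogus_error_responses).
# Appending is not idempotent — check the file before running this twice, or
# place the block in its own /etc/sysctl.d drop-in.  Apply with
# `sysctl --system` afterwards (next step on this page).
tee -a /etc/sysctl.conf >/dev/null <<'EOF'
net.ipv4.ip_forward=1
# rp_filter is the maximum of `all` and the per-interface value, so `default`
# alone leaves it enabled on interfaces that already exist.
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.log_martians=0
net.ipv4.conf.default.log_martians=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
EOF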
sysctl --system
- 啟動服務
# Start the IKE daemon and the L2TP daemon; add `systemctl enable ipsec xl2tpd`
# if they must come back after a reboot.
for unit in ipsec xl2tpd; do
  systemctl start "$unit"
done
- 定期更改密碼腳本
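#!/usr/bin/env bash
#
# Rotate the pppd CHAP password of every account in account_list and e-mail
# the new password to the matching address in mail_list.
#
# The script relies on bash arrays and `declare -A`; the original shebang
# selected `sh`, under which those lines are syntax errors on many systems.
#
# Globals (read):  account_list, mail_list, secrets_file, pause_seconds
# Requires:        sed, tr, head, grep, mailx (configured via /etc/mail.rc)
# Exit status:     non-zero when the two lists differ in length or the secrets
#                  file is not writable; per-account failures are reported on
#                  stderr and that account is skipped.
set -u

# Accounts whose password is rotated and, index for index, the address that is
# told the new password.  Both arrays must have the same length (checked).
account_list=('chenwk' 'chenw' 'sales' 'data' 'personnel' 'operation' 'tech' 'dinghh')
mail_list=('chenwk@ibm.com' 'chenw@ibm.com' 'wangj@ibm.com' 'rangf@ibm.com' 'zhaol@ibm.com'
           'qil@ibm.com' 'tech@ibm.com' 'dinghh@ibm.com')

# File rewritten in place.  NOTE(review): this is /root/chap-secrets, not the
# /etc/ppp/chap-secrets pppd reads — confirm how the two are synchronised.
readonly secrets_file=/root/chap-secrets
# Pause between accounts, as in the original script.
readonly pause_seconds=30

declare -A dict

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Fill dict: account name -> notification address.
# Globals:   account_list, mail_list (read); dict (written)
#######################################
make_dict() {
  local i
  for ((i = 0; i < ${#account_list[@]}; i++)); do
    dict[${account_list[$i]}]=${mail_list[$i]}
  done
}

#######################################
# Print an 8-character password of lowercase letters and digits drawn from
# /dev/urandom.  LC_ALL=C keeps the character classes byte-oriented.
# Outputs:   the password on stdout
#######################################
genpass() {
  LC_ALL=C tr -dc '[:digit:][:lower:]' < /dev/urandom | head -c 8
}

#######################################
# Replace the 8-character alphanumeric secret on the line for account $1 in
# secrets_file and print the new password.
# Arguments: $1 - account name (first column of the secrets file)
# Outputs:   the new password on stdout
# Returns:   non-zero, printing nothing, when the line was not rewritten, so
#            the caller never mails out a password that is not in effect
#            (the original did not check whether sed matched anything).
#######################################
changepass() {
  local account=$1 pass
  pass=$(genpass) || return 1
  [[ ${#pass} -eq 8 ]] || return 1
  # Line format is `client server secret ip`; with '*' in the server column the
  # secret is the only space-delimited 8-character alphanumeric field.
  sed -i "/^$account / s#[ ][[:alnum:]]\{8\}[ ]# $pass #" "$secrets_file" || return 1
  grep -q -- "^$account .* $pass " "$secrets_file" || return 1
  printf '%s\n' "$pass"
}

#######################################
# Mail the new password to an address.
# Arguments: $1 - recipient address; $2 - the new password
# The password travels in clear in the mail body (as in the original); the
# transport security of that mail depends entirely on /etc/mail.rc.
#######################################
send_mail() {
  local mail=$1 pass=$2
  mailx -s '認證中心VPN密碼變更郵件通知' "$mail" <<mark
################測試郵件,請勿理會####################
您好,賬號${mail%%@*}的VPN密碼已變更為$pass
密碼的格式為小寫字母和數字的組合,一共8位
請及時通知部門內相關人員,如有問題請及時聯系管理員
mark
}

#######################################
# Rotate every account in turn, pausing pause_seconds between them.
#######################################
main() {
  local account pass mail
  (( ${#account_list[@]} == ${#mail_list[@]} )) \
    || die "account_list and mail_list differ in length; refusing to rotate"
  [[ -w "$secrets_file" ]] || die "cannot write $secrets_file"
  make_dict
  for account in "${account_list[@]}"; do
    mail=${dict[$account]-}
    if [[ -z "$mail" ]]; then
      printf 'no address for %s, skipped\n' "$account" >&2
      continue
    fi
    if ! pass=$(changepass "$account"); then
      printf 'password for %s NOT changed (no matching line in %s), skipped\n' \
        "$account" "$secrets_file" >&2
      continue
    fi
    # Report progress without echoing the new password: the original printed
    # it to stdout, leaving secrets in terminal scrollback and job logs.
    printf 'account: %s mail: %s\n' "$account" "$mail"
    send_mail "$mail" "$pass" || printf 'mailx failed for %s\n' "$mail" >&2
    sleep "$pause_seconds"
  done
}

main "$@"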
- /etc/mail.rc
# mailx configuration used by the password-rotation script (SMTPS, port 465).
set from=liuz@ibm.com
set smtp=smtps://smtp.qiye.163.com:465
set smtp-auth-user=liuz@ibm.com
# Clear-text credential: keep this file root-only (0600) and rotate the
# password, which appears verbatim in this document.
set smtp-auth-password=edification0!
set smtp-auth=login
# NOTE(review): the `ignore` action presumably disables TLS certificate
# verification, so anyone able to redirect traffic to the SMTP host can read
# the credentials and the mailed passwords; use the strict action with the
# server CA installed under nss-config-dir — confirm the option name for the
# installed mailx.
set smtp-verify=ignore
set nss-config-dir=/root/.certs