程序博客网 > 百度歌词搜索vb

Centos 6.5 下配置L2tp Vpn

来源:互联网 发布:百度歌词搜索vb 编辑:程序博客网 时间:2024/05/24 15:38

Linux(Centos)下配置L2tp Vpn。
1.安装环境包

yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man

2.安装

yum install openswan ppp xl2tpd

3.配置
(1)编辑 /etc/ipsec.conf

vi /etc/ipsec.confconfig setupnat_traversal=yesvirtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12oe=offprotostack=netkeyconn L2TP-PSK-NATrightsubnet=vhost:%privalso=L2TP-PSK-noNATconn L2TP-PSK-noNATauthby=secretpfs=noauto=addkeyingtries=3rekey=noikelifetime=8hkeylife=1htype=transportleft=114.114.114.114 (服务器公网IP)leftprotoport=17/1701right=%anyrightprotoport=17/%any

(2)编辑/etc/ipsec.secrets

vi /etc/ipsec.secretsinclude /etc/ipsec.d/*.secrets114.114.114.114 %any: PSK "YourPsk"###YourPsk为预共享密钥。

(3) 修改/添加 /etc/sysctl.conf并生效

vim /etc/sysctl.conf在/etc/sysctl.conf的末尾加上如下内容。net.ipv4.ip_forward = 1net.ipv4.conf.default.rp_filter = 0net.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0net.ipv4.conf.all.log_martians = 0net.ipv4.conf.default.log_martians = 0net.ipv4.conf.default.accept_source_route = 0net.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0net.ipv4.icmp_ignore_bogus_error_responses = 1

生效上面的修改使用如下命令

sysctl -p

(4)验证ipsec运行状态

ipsec restartipsec verify[root@server17 ~]# ipsec verifyChecking your system to see if IPsec got installed and started correctly:Version check and ipsec on-path [OK]Linux Openswan U2.6.32/K2.6.32-431.23.3.el6.x86_64 (netkey)Checking for IPsec support in kernel [OK]SAref kernel support [N/A]NETKEY: Testing for disabled ICMP send_redirects [OK]NETKEY detected, testing for disabled ICMP accept_redirects [OK]Checking that pluto is running [OK]Pluto listening for IKE on udp 500 [OK]Pluto listening for NAT-T on udp 4500 [OK]Two or more interfaces found, checking IP forwarding [OK]Checking NAT and MASQUERADEing [OK]Checking for 'ip' command [OK]Checking /bin/sh is not /bin/dash [OK]Checking for 'iptables' command [OK]Opportunistic Encryption Support [DISABLED]

(5) 编辑 /etc/xl2tpd/xl2tpd.conf 这一步可以跳过
ip range 客户端获取的IP范围,local ip VPN服务器端的IP

vim /etc/xl2tpd/xl2tpd.conf[lns default]ip range = 192.168.100.10-192.168.100.200local ip = 192.168.100.1require chap = yesrefuse pap = yesrequire authentication = yesname = LinuxVPNserverppp debug = yespppoptfile = /etc/ppp/options.xl2tpdlength bit = yes

(6)配置用户名,密码:编辑 /etc/ppp/chap-secrets

vim /etc/ppp/chap-secretsusername 写登录vpn的用户名,userpass 写登录vpn的密码# Secrets for authentication using CHAP# client server secret IP addressesusername * "userpass" *

(7)重启xl2tp

service xl2tpd restart

(8)添加自启动

chkconfig xl2tpd onchkconfig iptables onchkconfig ipsec on

设置完成。

Windows下设置VPN连接客户端

拨入后,服务器可以看到ppp0接口


额外需求:
1、配置单独的l2tp日志记录
这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-xl2tpd.conf文件,内容如下:

[root@server17 rsyslog.d]# cat 20-xl2tpd.confif $programname == 'xl2tpd' then /var/log/xl2tpd.log&~

这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-pptpd.conf文件,内容如下:

[root@server17 rsyslog.d]# cat 20-pptpd.confif $programname == 'pppd' then /var/log/xl2tpd.log&~

但是这样只能在日志中看到客户端的公网IP地址、私网IP等信息,却无法看到是哪个用户登录的,这不利于做审计工作,所以需要能将连接用户的信息也写入到日志中,解决方法如下:

在/etc/ppp/ip-up 脚本中加入

echo "Start_Time: `date -d today +%F_%T`" >> /var/log/xl2tpd.log  ##登录时间戳echo "username: $PEERNAME" >> /var/log/xl2tpd.log  ##用户名

在/etc/ppp/ip-down 脚本中加入

echo "Stop_Time: `date -d today +%F_%T`" >> /var/log/xl2tpd.log  ##断开时间戳echo "username: $PEERNAME" >> /var/log/xl2tpd.log  ##用户名

重启rsyslog服务

service rsyslog restart

最终的日志信息如下,客户端的公网IP、获取的内网IP、用户名、时间等重要信息都被记录下来了。

cat /var/log/xl2tpd.logNov  5 13:47:57 server17 xl2tpd[24509]: control_finish: Peer requested tunnel 29 twice, ignoring second one.Nov  5 13:47:58 server17 xl2tpd[24509]: Connection established to 202.202.202.202, 1701.  Local: 36071, Remote: 29 (ref=0/0).  LNS session is 'default'Nov  5 13:47:58 server17 xl2tpd[24509]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.Nov  5 13:47:58 server17 xl2tpd[24509]: Call established with 202.202.202.202, Local: 3764, Remote: 1, Serial: 0Nov  5 13:47:58 server17 pppd[16218]: pppd 2.4.5 started by root, uid 0Nov  5 13:47:58 server17 pppd[16218]: using channel 28Nov  5 13:47:58 server17 pppd[16218]: Using interface ppp0Nov  5 13:47:58 server17 pppd[16218]: Connect: ppp0  /dev/pts/0Nov  5 13:47:58 server17 pppd[16218]: sent [LCP ConfReq id=0x1      ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfReq id=0x0     ]Nov  5 13:47:58 server17 pppd[16218]: sent [LCP ConfRej id=0x0 ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfAck id=0x1      ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfReq id=0x1    ]Nov  5 13:47:58 server17 pppd[16218]: sent [LCP ConfAck id=0x1    ]Nov  5 13:47:58 server17 pppd[16218]: sent [CHAP Challenge id=0xfd , name = "LinuxVPNserver"]Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x2 magic=0x5597000a "MSRASV5.20"]Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x3 magic=0x5597000a "MSRAS-0-WWW-PC"]Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x4 magic=0x5597000a "\3777777774012@?\37777777642\37777777705A\37777777642\37777777623\021\37777777764\37777777656;t$"]Nov  5 13:47:58 server17 pppd[16218]: rcvd [CHAP Response id=0xfd , name = "wujr"]Nov  5 13:47:58 server17 pppd[16218]: sent [CHAP Success id=0xfd "Access granted"]Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfReq id=0x1  ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPV6CP ConfReq id=0x5 ]Nov  5 13:47:58 server17 pppd[16218]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) receivedNov  5 13:47:58 server17 pppd[16218]: sent [LCP ProtRej id=0x2 80 57 01 05 00 0e 01 0a b8 71 8f aa 3d c3 d8 78]Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x6     ]Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfRej id=0x6  ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfRej id=0x1 ]Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfReq id=0x2 ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x7   ]Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfNak id=0x7   ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfAck id=0x2 ]Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x8   ]Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfAck id=0x8   ]Nov  5 13:47:58 server17 pppd[16218]: Cannot determine ethernet address for proxy ARPNov  5 13:47:58 server17 pppd[16218]: local  IP address 192.168.100.1Nov  5 13:47:58 server17 pppd[16218]: remote IP address 192.168.100.10Nov  5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up started (pid 16225)Start_Time: 2015-11-05_13:47:58username: testNov  5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up finished (pid 16225), status = 0x0

2、使用VPN服务器公网做为客户端互联网出口(跳板机、代理)
使用iptables实现,增加规则

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE (eth1为公网网卡)

3、访问VPN服务器所在的内网其它服务器
使用iptables实现,增加规则

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE (eth0为私网网卡)h
0 0
百度歌词搜索vb 百度歌词搜索vb
原创粉丝点击
热门IT博客
淘宝禁售品发生纠纷淘宝禁售品发生纠纷
windows vista 旗舰版windows vista 旗舰版
相片拼图软件
java 线程池框架
网络聊天室有哪些
韶关市仁化县网络问政
云朵课堂源码
javascript脚本教程
互动感应投影软件
淘宝卖家花呗客服
js获取元素的方法
网络安全管理咨询
谷歌优化软件
淘宝推广软件免费的
淘宝开店的流程是什么?
雷洋事件始末 知乎
故宫攻略 知乎
淘宝卖衣服
java encode解密
亿乐社区源码
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 分手数字怎么表达 能不能不分手 想分手怎么说比较合适 分手后还能联系吗 怎么分手不伤人 想分手却又舍不得 陶瓷纤维异型件 异型件 高分子聚乙烯异型件 铝合金异型材 不锈钢异型材 塑料异型材挤出模具 珍珠棉异型材厂家 异型材加工 异型无缝钢管 六角异型钢管 异型钢管图片 无缝异型钢管 304不锈钢异型管 异型管厂家 异型镀锌管 冷拔无缝异型管 316不锈钢异型管 异型管成型机 镀锌椭圆管厂家 异型管图片 异形管厂家 异形号码管 异形钢管 锥形钢管 冷拉异形钢 不锈钢异形件 异形管材 霸天异形 异形拉丝模具 异形拉伸模具 卡兹克霸天异形 铝合金异形件 异形卡厂家 异形加工机 异形特别版

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里