Configuring L2TP VPN on CentOS 6.5
Source: Internet   Published: 百度歌词搜索vb   Editor: 程序博客网   Time: 2024/05/24 15:38
Configuring an L2TP VPN on Linux (CentOS).
1. Install the build environment packages
yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man
2. Install the VPN packages
yum install openswan ppp xl2tpd
3. Configuration
(1) Edit /etc/ipsec.conf
vi /etc/ipsec.conf

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=114.114.114.114        (the server's public IP)
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
(2) Edit /etc/ipsec.secrets
vi /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets
114.114.114.114 %any: PSK "YourPsk"
### YourPsk is the pre-shared key.
(3) Edit /etc/sysctl.conf and apply the changes
vim /etc/sysctl.conf
Append the following to the end of /etc/sysctl.conf.

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Apply the changes above with the following command
sysctl -p
(4) Verify that IPsec is running
ipsec restart
ipsec verify

[root@server17 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.23.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
(5) Edit /etc/xl2tpd/xl2tpd.conf (this step can be skipped)
ip range is the address range handed out to clients; local ip is the VPN server's own address on the tunnel.
vim /etc/xl2tpd/xl2tpd.conf

[lns default]
ip range = 192.168.100.10-192.168.100.200
local ip = 192.168.100.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
(6) Configure the user name and password: edit /etc/ppp/chap-secrets
vim /etc/ppp/chap-secrets
username is the login name for the VPN, userpass is the login password.

# Secrets for authentication using CHAP
# client   server   secret       IP addresses
username   *        "userpass"   *
(7) Restart xl2tpd
service xl2tpd restart
(8) Enable the services at boot
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
Setup is complete.
Set up the VPN client connection on Windows.
After the client dials in, the server shows a ppp0 interface.
Additional requirements:
1. Separate log file for L2TP
This can be done with syslog: create a file named 20-xl2tpd.conf under /etc/rsyslog.d/ with the following content:
[root@server17 rsyslog.d]# cat 20-xl2tpd.conf
if $programname == 'xl2tpd' then /var/log/xl2tpd.log
&~
Likewise for pppd: create a file named 20-pptpd.conf under /etc/rsyslog.d/ with the following content:
[root@server17 rsyslog.d]# cat 20-pptpd.conf
if $programname == 'pppd' then /var/log/xl2tpd.log
&~
With only this, the log shows the client's public IP address and assigned private IP, but not which user logged in, which is not enough for auditing. The connecting user's details therefore also need to be written into the log. The fix is as follows:
Add to the /etc/ppp/ip-up script:
echo "Start_Time: `date -d today +%F_%T`" >> /var/log/xl2tpd.log   ## login timestamp
echo "username: $PEERNAME" >> /var/log/xl2tpd.log                  ## user name
Add to the /etc/ppp/ip-down script:
echo "Stop_Time: `date -d today +%F_%T`" >> /var/log/xl2tpd.log    ## disconnect timestamp
echo "username: $PEERNAME" >> /var/log/xl2tpd.log                  ## user name
Restart the rsyslog service
service rsyslog restart
The resulting log looks like this; the client's public IP, the assigned internal IP, the user name and the timestamps are all recorded.
cat /var/log/xl2tpd.log
Nov 5 13:47:57 server17 xl2tpd[24509]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
Nov 5 13:47:58 server17 xl2tpd[24509]: Connection established to 202.202.202.202, 1701. Local: 36071, Remote: 29 (ref=0/0). LNS session is 'default'
Nov 5 13:47:58 server17 xl2tpd[24509]: result_code_avp: result code not appropriate for Incoming-Call-Request. Ignoring.
Nov 5 13:47:58 server17 xl2tpd[24509]: Call established with 202.202.202.202, Local: 3764, Remote: 1, Serial: 0
Nov 5 13:47:58 server17 pppd[16218]: pppd 2.4.5 started by root, uid 0
Nov 5 13:47:58 server17 pppd[16218]: using channel 28
Nov 5 13:47:58 server17 pppd[16218]: Using interface ppp0
Nov 5 13:47:58 server17 pppd[16218]: Connect: ppp0 /dev/pts/0
Nov 5 13:47:58 server17 pppd[16218]: sent [LCP ConfReq id=0x1 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfReq id=0x0 ]
Nov 5 13:47:58 server17 pppd[16218]: sent [LCP ConfRej id=0x0 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfAck id=0x1 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfReq id=0x1 ]
Nov 5 13:47:58 server17 pppd[16218]: sent [LCP ConfAck id=0x1 ]
Nov 5 13:47:58 server17 pppd[16218]: sent [CHAP Challenge id=0xfd , name = "LinuxVPNserver"]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x2 magic=0x5597000a "MSRASV5.20"]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x3 magic=0x5597000a "MSRAS-0-WWW-PC"]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x4 magic=0x5597000a "\3777777774012@?\37777777642\37777777705A\37777777642\37777777623\021\37777777764\37777777656;t$"]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [CHAP Response id=0xfd , name = "wujr"]
Nov 5 13:47:58 server17 pppd[16218]: sent [CHAP Success id=0xfd "Access granted"]
Nov 5 13:47:58 server17 pppd[16218]: sent [IPCP ConfReq id=0x1 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [IPV6CP ConfReq id=0x5 ]
Nov 5 13:47:58 server17 pppd[16218]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Nov 5 13:47:58 server17 pppd[16218]: sent [LCP ProtRej id=0x2 80 57 01 05 00 0e 01 0a b8 71 8f aa 3d c3 d8 78]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x6 ]
Nov 5 13:47:58 server17 pppd[16218]: sent [IPCP ConfRej id=0x6 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfRej id=0x1 ]
Nov 5 13:47:58 server17 pppd[16218]: sent [IPCP ConfReq id=0x2 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x7 ]
Nov 5 13:47:58 server17 pppd[16218]: sent [IPCP ConfNak id=0x7 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfAck id=0x2 ]
Nov 5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x8 ]
Nov 5 13:47:58 server17 pppd[16218]: sent [IPCP ConfAck id=0x8 ]
Nov 5 13:47:58 server17 pppd[16218]: Cannot determine ethernet address for proxy ARP
Nov 5 13:47:58 server17 pppd[16218]: local IP address 192.168.100.1
Nov 5 13:47:58 server17 pppd[16218]: remote IP address 192.168.100.10
Nov 5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up started (pid 16225)
Start_Time: 2015-11-05_13:47:58
username: test
Nov 5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up finished (pid 16225), status = 0x0
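As an added example (not part of the original post), a small Python parser that turns the xl2tpd.log layout shown above into one audit record per session, correlating the pppd pid with the bare Start_Time/Stop_Time/username lines that the ip-up/ip-down hooks write. The sample log is constructed, and the MISMATCH cross-check against the CHAP response name is this example's own idea, not something the post describes.

```python
import re

# Constructed sample in the shape the rsyslog rules plus the ip-up/ip-down
# echo lines described above produce (not copied from a real server).
SAMPLE_LOG = """\
Nov 5 13:47:58 server17 xl2tpd[24509]: Connection established to 202.202.202.202, 1701. Local: 36071, Remote: 29 (ref=0/0). LNS session is 'default'
Nov 5 13:47:58 server17 pppd[16218]: rcvd [CHAP Response id=0xfd , name = "test"]
Nov 5 13:47:58 server17 pppd[16218]: remote IP address 192.168.100.10
Nov 5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up started (pid 16225)
Start_Time: 2015-11-05_13:47:58
username: test
Nov 5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up finished (pid 16225), status = 0x0
Nov 5 14:02:10 server17 pppd[16218]: Script /etc/ppp/ip-down started (pid 16301)
Stop_Time: 2015-11-05_14:02:10
username: test
"""
SYSLOG = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ (xl2tpd|pppd)\[(\d+)\]: (.*)$')

def parse_sessions(text):
    """Build {pppd_pid: session}. The hook-script echo lines carry no syslog prefix,
    so each is attributed to the pppd whose ip-up/ip-down script is running (ordering only)."""
    sessions, pending, last_peer = {}, None, None
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:  # bare "Start_Time: ...", "Stop_Time: ..." or "username: ..." line
            key, _, val = line.partition(': ')
            if pending and key in ('Start_Time', 'Stop_Time', 'username'):
                sessions[pending][key.lower()] = val
            continue
        prog, pid, msg = m.groups()
        if prog == 'xl2tpd':  # tunnel-level line: remember the client's public IP
            c = re.search(r'Connection established to ([\d.]+)', msg)
            last_peer = c.group(1) if c else last_peer
            continue
        s = sessions.setdefault(pid, {'peer_ip': last_peer})
        if msg.startswith('remote IP address '):
            s['assigned_ip'] = msg.rsplit(' ', 1)[1]
        elif 'CHAP Response' in msg:
            n = re.search(r'name = "([^"]*)"', msg)
            s['chap_name'] = n.group(1) if n else None
        elif msg.startswith('Script /etc/ppp/ip-') and 'started' in msg:
            pending = pid
        elif msg.startswith('Script /etc/ppp/ip-') and 'finished' in msg:
            pending = None
    return sessions

def audit_rows(sessions):
    # One line per session; MISMATCH flags a hook-script user name that differs from
    # the CHAP response name, i.e. the bare echo lines were interleaved with another session.
    return [' '.join(str(s.get(k)) for k in ('start_time', 'stop_time', 'username', 'peer_ip', 'assigned_ip'))
            + ('' if s.get('username') == s.get('chap_name') else ' MISMATCH')
            for s in sessions.values()]
```

Because the echoed lines carry no pid, two clients connecting at the same moment can interleave their hook output; having the hooks also echo the pppd-provided $IFNAME (an assumption of this example) would make the correlation unambiguous.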
2. Use the VPN server's public address as the clients' Internet egress (jump host / proxy)
Implement this with iptables by adding the rule
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE    (eth1 is the public-facing interface)
3. Reach the other servers on the VPN server's internal network
Implement this with iptables by adding the rule
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE    (eth0 is the internal interface)