Setting up an L2TP/IPsec VPN on CentOS 7
Source: Internet | Published by: 读取股票数据 | Editor: 程序博客网 | Time: 2024/04/30 06:12
The company's original server was PPTP + FreeRADIUS. Later, after Apple updated iOS so that it could no longer connect to PPTP servers, I looked into this L2TP/IPsec VPN, went through a lot of material and finally got it working. I am writing it down here for my own future reference.
- Setting up an L2TP/IPsec VPN on CentOS 7
- Install the required packages
- Edit the main ipsec configuration file
- Edit the l2tp_psk.conf file
- Configure the pre-shared key file
- Adjust kernel settings
- Verify the ipsec service configuration
- Start the ipsec service
- Edit the main xl2tpd configuration file
- Edit the xl2tpd PPP options file
- Create usernames and passwords
- Start and verify the xl2tpd service
- Stop the firewall and test the connection
- Wrapping up
1. Install the required packages

- Install the build tools and development packages first.
- On CentOS 7 the L2TP daemon ships as xl2tpd-1.3.6-8.el7.x86_64 (from the EPEL repository, which must be enabled) and the IPsec stack as libreswan-3.15-5.el7_1.x86_64; these were the newest builds available when this was written.

```
[root@localhost ~]# yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
[root@localhost ~]# yum install xl2tpd
[root@localhost ~]# yum install libreswan
```
2. Edit the main ipsec configuration file

The stock /etc/ipsec.conf ends with `include /etc/ipsec.d/*.conf`, so the two `conn` sections below are loaded together with whatever step 3 puts into /etc/ipsec.d/l2tp_psk.conf. Both steps show the same two conns; define them in one of the two files only, otherwise each conn is declared twice. libreswan 3 treats NAT traversal as always on, so the `nat_traversal=yes` line is harmless but not required.

```
[root@localhost ~]# cat /etc/ipsec.conf
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # 120.86.124.5 is the IP address of this host's public-facing NIC
    left=120.86.124.5
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
```
3. Edit the l2tp_psk.conf file

Create the file if it does not exist. Its contents are the same two conns as in step 2; if you keep them here, remove them from /etc/ipsec.conf so that each conn is declared only once.

```
[root@localhost ~]# vi /etc/ipsec.d/l2tp_psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # 120.86.124.5 is the IP address of this host's public-facing NIC
    left=120.86.124.5
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
```
4. Configure the pre-shared key file

```
[root@localhost ~]# cat /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
120.86.124.5 %any: PSK "123456789"
```

120.86.124.5 is the public NIC address, `%any` means any peer, and the quoted string is the pre-shared key. The stock file includes /etc/ipsec.d/*.secrets; here that line is commented out and the PSK sits directly in ipsec.secrets. "123456789" is only a placeholder: with `right=%any` this one PSK is shared by every client and is the only thing that authenticates the server to them, so anyone who learns it can impersonate the VPN server. Use a long random string and keep the file readable by root only (mode 0600, which is what the libreswan package sets).
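The two pitfalls in steps 2 to 4 (the same conns declared in both ipsec.conf and ipsec.d/l2tp_psk.conf, and a weak group PSK) are easy to check for before starting pluto. The script below is an added example and not part of the original post or of libreswan; it defaults to the paths used above, and the `L2TP_AUDIT` variable, the 20-character threshold and the hex PSK format are this example's own choices.

```bash
#!/bin/bash
# Added example, not part of the original post: sanity-check the IPsec side of
# this setup before starting pluto. Paths default to the ones used in steps
# 2-4 and can be overridden so the checks can run against copies of the files.
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
IPSEC_D="${IPSEC_D:-/etc/ipsec.d}"
IPSEC_SECRETS="${IPSEC_SECRETS:-/etc/ipsec.secrets}"

# Libreswan's stock ipsec.conf includes /etc/ipsec.d/*.conf, so a conn pasted
# into both ipsec.conf and ipsec.d/l2tp_psk.conf is declared twice. Print each
# conn name that appears more than once; return 1 if there are any.
find_duplicate_conns() {
    local dups
    dups=$(cat "$IPSEC_CONF" "$IPSEC_D"/*.conf 2>/dev/null |
           awk '$1 == "conn" { print $2 }' | LC_ALL=C sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups"
        return 1
    fi
    return 0
}

# A PSK used with right=%any is a group secret: anyone who has it can pose as
# the VPN server. Flag every PSK in the secrets file that is shorter than 20
# characters or made of digits only (like "123456789" above). Return 1 if any
# is weak. The key material itself is never printed, only the selector.
check_psk_strength() {
    local file="${1:-$IPSEC_SECRETS}" line psk reason status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "#"*) continue ;;
            *[[:space:]]PSK[[:space:]]*) ;;
            *) continue ;;
        esac
        psk=${line#*\"}          # drop everything up to the opening quote
        psk=${psk%\"*}           # drop the closing quote and anything after
        reason=""
        if [ "${#psk}" -lt 20 ]; then
            reason="shorter than 20 characters"
        else
            case "$psk" in
                *[!0-9]*) ;;     # has at least one non-digit: acceptable
                *) reason="digits only" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            printf 'weak PSK for "%s": %s\n' "${line%%:*}" "$reason"
            status=1
        fi
    done < "$file"
    return $status
}

# 32 random bytes as 64 hex characters: nothing that needs quoting in
# ipsec.secrets, and no dependency on openssl.
new_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write '<server-ip> %any: PSK "<psk>"' as the only entry, root-readable only.
# The umask makes a new file 0600; chmod covers the case where it existed.
write_psk_secret() {
    local file="$1" server_ip="$2" psk="$3"
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$file" )
    chmod 600 "$file"
}

# Run both checks against the live files:  L2TP_AUDIT=1 bash ipsec-audit.sh
if [ -n "${L2TP_AUDIT:-}" ]; then
    find_duplicate_conns && echo "no duplicate conn definitions"
    check_psk_strength && echo "all PSKs look strong"
fi
```

To replace the placeholder key, run `write_psk_secret /etc/ipsec.secrets 120.86.124.5 "$(new_psk)"` and give the same string to the clients; pluto only picks up the new secret after `ipsec secrets` or a service restart.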
5. Adjust kernel settings

The lines that matter for IPsec are `net.ipv4.ip_forward = 1`, the two `rp_filter` settings and the two ICMP redirect settings; the rest is this host's pre-existing tuning. Note that `all.rp_filter` and `default.rp_filter` do not reset interfaces that already exist at boot (the effective value is the larger of `all` and the per-interface value), which is why step 6 still reports the interfaces as [ENABLED].

```
[root@localhost ~]# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
```

Apply the changes with the following command (it reads /etc/sysctl.conf only; fragments under /etc/sysctl.d/ are loaded with `sysctl --system`):

```
[root@localhost ~]# sysctl -p
```
6. Verify the ipsec service configuration

`ipsec setup start` is the legacy wrapper; on CentOS 7 the service is normally started with systemctl as in step 7.

```
[root@localhost ~]# ipsec setup start
[root@localhost ~]# ipsec verify
```

Handling the warnings: the [ENABLED] lines below can be ignored for now and you can continue; everything [OK] is of course better. They appear because the per-interface rp_filter values were not reset by step 5 (see the note there); writing 0 to each /proc/sys/net/ipv4/conf/<interface>/rp_filter clears them.

```
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/ens160/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/ens192/rp_filter               [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help
```
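Clearing the per-interface rp_filter values that `ipsec verify` flags above, and the ICMP redirect settings it checks in the same place, can be done with one loop over /proc/sys/net/ipv4/conf. The script below is an added example, not from the original post or from libreswan; the directory argument, the `60-ipsec.conf` fragment name and the `--apply` switch are this example's own choices, and the interface names in the test are constructed.

```bash
#!/bin/bash
# Added example (not part of the original post): clear rp_filter and ICMP
# redirects on every IPv4 interface, which is what "ipsec verify" complains
# about. The directory is a parameter so the logic can be exercised against a
# copy of the /proc tree.
SYSCTL_CONF_DIR="${SYSCTL_CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Settings ipsec verify checks. For rp_filter the effective value is
# max(all, iface), so "all" alone is not enough; "default" only seeds
# interfaces created later.
IPSEC_SYSCTLS="rp_filter accept_redirects send_redirects"

# Write 0 into each setting for all/default and every existing interface.
# Silently skips entries that do not exist or are not writable.
disable_rp_filter_and_redirects() {
    local dir="${1:-$SYSCTL_CONF_DIR}" iface key f
    for iface in "$dir"/*; do
        [ -d "$iface" ] || continue
        for key in $IPSEC_SYSCTLS; do
            f="$iface/$key"
            if [ -w "$f" ]; then
                printf '0\n' > "$f"
            fi
        done
    done
    return 0
}

# Print "path=value" for every setting that is still non-zero; return 1 if
# any is. This is the same condition ipsec verify reports as [ENABLED].
verify_ipsec_sysctls() {
    local dir="${1:-$SYSCTL_CONF_DIR}" iface key f v bad=0
    for iface in "$dir"/*; do
        [ -d "$iface" ] || continue
        for key in $IPSEC_SYSCTLS; do
            f="$iface/$key"
            [ -r "$f" ] || continue
            read -r v < "$f"
            if [ "$v" != "0" ]; then
                printf '%s=%s\n' "$f" "$v"
                bad=1
            fi
        done
    done
    return $bad
}

# Emit a sysctl.d fragment so the values survive a reboot. Per-interface keys
# use the slash form that sysctl(8) accepts, so an interface name that itself
# contains a dot (a VLAN such as eth0.100) is not split at the wrong place.
sysctl_fragment() {
    local dir="${1:-$SYSCTL_CONF_DIR}" iface key
    printf '%s\n' 'net.ipv4.ip_forward = 1'
    for iface in "$dir"/*; do
        [ -d "$iface" ] || continue
        for key in $IPSEC_SYSCTLS; do
            printf 'net/ipv4/conf/%s/%s = 0\n' "${iface##*/}" "$key"
        done
    done
}

# Usage on the VPN host (as root):  bash ipsec-sysctl.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_rp_filter_and_redirects
    sysctl_fragment > /etc/sysctl.d/60-ipsec.conf
    verify_ipsec_sysctls && echo "rp_filter and redirects are off on all interfaces"
fi
```

After `--apply`, `ipsec verify` should show the rp_filter lines as [OK]; the fragment is read on the next boot, or immediately with `sysctl --system` (plain `sysctl -p` reads only /etc/sysctl.conf).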
7. Start the ipsec service

```
[root@localhost ~]# systemctl start ipsec
[root@localhost ~]# systemctl enable ipsec
```
8. Edit the main xl2tpd configuration file

```
[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf
[global]
; public NIC IP of this host
listen-addr = 120.86.124.5
ipsec saref = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

Two things to know about this file: `ipsec saref = yes` needs kernel SAref support (the KLIPS patch), which the stock CentOS 7 kernel with libreswan's netkey stack does not have, so xl2tpd logs a setsockopt warning at start-up and carries on without it; `no` avoids the noise. `ppp debug = yes`, together with `debug` in options.xl2tpd, writes the whole PPP negotiation, including the authentication exchange, to the log, so turn both off once the tunnel works.
9. Edit the xl2tpd PPP options file

```
[root@localhost ~]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
# dns: use the DNS servers of your own network; 8.8.8.8 also works
ms-dns 10.118.88.10
ms-dns 130.52.1.10
#ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
```
10. Create usernames and passwords

Create the users for xl2tpd connections; the username and password a client enters when connecting are configured in this file:

```
[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret          IP addresses
lancer          *       123             *
# login username and password
```

`lancer` / `123` are placeholders. The passwords are stored in clear text here, so the file must stay root-only (mode 0600). MS-CHAPv2 on its own can be cracked offline from a captured exchange; in this setup it is the IPsec layer that protects it, which is why both the PSK from step 4 and the per-user passwords need to be strong.
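Adding users by hand invites short passwords like the `123` above and duplicate entries, where pppd silently uses whichever line it finds first. The script below is an added example, not part of the original post or of pppd; the 24-character `[A-Za-z0-9]` password format, the function names and the `CHAP_SECRETS` override are this example's own choices, and the users in the test are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): provision L2TP users in
# /etc/ppp/chap-secrets with generated passwords instead of hand-typed ones.
# The file path is a parameter so this can be tried on a copy first.
CHAP_SECRETS="${CHAP_SECRETS:-/etc/ppp/chap-secrets}"

# 24 characters from [A-Za-z0-9]: no quotes, '#', '*' or whitespace, so the
# chap-secrets entry needs no quoting and cannot be misparsed.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Return 0 if the user already has an entry in the client column, else 1.
chap_user_exists() {
    local file="$1" user="$2"
    [ -f "$file" ] || return 1
    awk -v u="$user" '$1 !~ /^#/ && $1 == u { found = 1 } END { exit (found ? 0 : 1) }' "$file"
}

# Append "user  *  password  *" and lock the file to root only. Refuses a
# duplicate: pppd takes the first matching line, so a second entry would not
# replace the old password as the operator might assume. Prints the new
# password (the only output) so the caller can hand it to the user.
add_l2tp_user() {
    local file="${1:-$CHAP_SECRETS}" user="$2" pw
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid username: '$user'" >&2; return 2 ;;
    esac
    if chap_user_exists "$file" "$user"; then
        echo "user $user already exists in $file" >&2
        return 1
    fi
    pw=$(gen_password)
    ( umask 077; printf '%-16s *\t%s\t*\n' "$user" "$pw" >> "$file" )
    chmod 600 "$file"
    printf '%s\n' "$pw"
}

# Remove every line whose client column is the user. Writes a 0600 temp file
# next to the original and renames it, so the secrets file is never partial.
del_l2tp_user() {
    local file="${1:-$CHAP_SECRETS}" user="$2" tmp
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v u="$user" '$1 != u' "$file" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Usage on the VPN host (as root):
#   bash l2tp-users.sh add alice     -> prints alice's new password
#   bash l2tp-users.sh del alice
case "${1:-}" in
    add) add_l2tp_user "$CHAP_SECRETS" "$2" ;;
    del) del_l2tp_user "$CHAP_SECRETS" "$2" ;;
esac
```

pppd reads chap-secrets on every authentication, so new or removed users take effect without restarting xl2tpd.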
11. Start and verify the xl2tpd service

```
[root@localhost ~]# systemctl start xl2tpd
[root@localhost ~]# systemctl status xl2tpd
```
12. Stop the firewall and test the connection

Stop the firewall for the first connection test, otherwise the test cannot get through; the firewall rules are covered in the next chapter. While firewalld is stopped every listening service on the host is exposed, so do this only for the test and start it again afterwards.

```
[root@localhost ~]# systemctl stop firewalld
```
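Rather than leaving firewalld stopped, the test can run with just the ports L2TP/IPsec needs opened: IKE on UDP 500 and 4500 plus ESP (firewalld's built-in `ipsec` service), and UDP 1701 only for packets that arrived inside an IPsec SA. The script below is an added example, not part of the original post; it assumes the public NIC is in the `public` zone, that clients should be NATed out through the server's public address (`MASQUERADE=yes`), and the `FIREWALL_CMD` preview hook and `--apply` switch are this example's own choices.

```bash
#!/bin/bash
# Added example, not part of the original post: open only what L2TP/IPsec
# needs in firewalld instead of stopping the firewall. Set FIREWALL_CMD=echo
# to preview the commands without touching the running firewall.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"            # zone the public-facing NIC belongs to
MASQUERADE="${MASQUERADE:-yes}"   # NAT client traffic out via the public IP

# One firewall-cmd argument list per line. The "ipsec" service is UDP 500 and
# 4500 plus the ESP and AH protocols. UDP 1701 is accepted only for packets
# that arrived inside an IPsec SA (the xt_policy match), so unencrypted L2TP
# from the Internet is still rejected by the zone's default policy. A direct
# rule is used because the zone syntax cannot express "-m policy".
l2tp_firewall_rules() {
    printf '%s\n' \
        "--permanent --zone=$ZONE --add-service=ipsec" \
        "--permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
    if [ "$MASQUERADE" = "yes" ]; then
        printf '%s\n' "--permanent --zone=$ZONE --add-masquerade"
    fi
}

# Apply every rule, then reload so the permanent rules become active.
# Stops at the first failing firewall-cmd and returns 1.
apply_l2tp_firewall() {
    local rule
    l2tp_firewall_rules | while IFS= read -r rule; do
        # word splitting is intended: each line is one argument vector
        $FIREWALL_CMD $rule || exit 1
    done || return 1
    $FIREWALL_CMD --reload
}

# Usage on the VPN host (as root):   bash l2tp-firewall.sh --apply
# Preview only:      FIREWALL_CMD=echo bash l2tp-firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_l2tp_firewall
fi
```

After applying, `firewall-cmd --list-services` should include `ipsec` and `firewall-cmd --direct --get-all-rules` the UDP 1701 rule; a client that connects then proves the rule set is sufficient, with firewalld still running.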
13. Wrapping up

If you cannot connect, first check that both the ipsec and xl2tpd services are running; the systemd journal of the two units shows the IKE and PPP negotiation errors when a client fails to connect.

```
[root@localhost ~]# systemctl status ipsec
[root@localhost ~]# systemctl status xl2tpd
```