CentOS 7 L2TP/IPsec VPN setup

Source: Internet  Published: 读取股票数据  Editor: 程序博客网  Time: 2024/04/30 06:12


Our company's original server ran PPTP + FreeRADIUS. After Apple updated iOS, clients could no longer connect to a PPTP-mode server, so I looked into this L2TP/IPsec VPN, read a lot of material and finally got it working. I am writing it down here for my own future reference.

  • CentOS 7 L2TP/IPsec VPN setup
    • Install the required packages
    • Edit the ipsec main configuration file
    • Edit the l2tp_psk.conf file
    • Configure the pre-shared key file
    • Adjust the kernel parameters
    • Verify the ipsec service configuration
    • Start the ipsec service
    • Edit the xl2tpd main configuration file
    • Edit the xl2tpd PPP options file
    • Create the username and password
    • Start and check the xl2tpd service
    • Disable the firewall and test the connection
    • Wrap-up


1. Install the required packages

  • Install the necessary development packages.
  • On CentOS 7 the latest package providing the L2TP service is xl2tpd-1.3.6-8.el7.x86_64, and the latest package providing the IPsec service is libreswan-3.15-5.el7_1.x86_64.

[root@localhost ~]# yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man
[root@localhost ~]# yum install xl2tpd
[root@localhost ~]# yum install libreswan

2. Edit the ipsec main configuration file

[root@localhost ~]# cat /etc/ipsec.conf
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=120.86.124.5    # 120.86.124.5 is the IP address of your own public-facing NIC
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

3. Edit the l2tp_psk.conf file

If this file does not exist, create it.

[root@localhost ~]# vi /etc/ipsec.d/l2tp_psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=120.86.124.5    # 120.86.124.5 is the IP address of your own public-facing NIC
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

4. Configure the pre-shared key file

[root@localhost ~]# cat /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
120.86.124.5 %any: PSK "123456789"
# 120.86.124.5 is the public NIC address; PSK is the pre-shared key

5. Adjust the kernel parameters

[root@localhost ~]# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0

Apply the changes above with the following command:

[root@localhost ~]# sysctl -p

6. Verify the ipsec service configuration

[root@localhost ~]# ipsec setup start
[root@localhost ~]# ipsec verify

Error handling: when the following [ENABLED] warnings appear, you can ignore them and continue. Of course it is better if everything reports OK.

Verifying installed system and configuration files
Version check and ipsec on-path                     [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.el7.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [ENABLED]
 /proc/sys/net/ipv4/conf/ens160/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/ens192/rp_filter           [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options             [OK]
Opportunistic Encryption                            [DISABLED]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help
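The per-interface [ENABLED] lines above persist because the kernel uses the larger of conf/all/rp_filter and conf/<dev>/rp_filter for each interface, and conf/default only seeds interfaces created afterwards, so ens160 and ens192 keep their own value of 1 even after sysctl.conf sets all and default to 0. The shell functions below are an added example, not part of the original post: they report which interfaces are still effectively filtered and print the sysctl lines that clear them; the conf-directory path is a parameter (an assumption) so the check can also run against a copied tree.

```shell
#!/bin/sh
# Added example, not from the original post. Explains and fixes the rp_filter
# [ENABLED] warnings printed by "ipsec verify": the effective setting per
# interface is max(conf/all/rp_filter, conf/<dev>/rp_filter), and "default"
# only applies to interfaces created later, so interfaces that already existed
# keep their own value (1 on CentOS 7) after sysctl.conf is applied.
# CONF_DIR is a parameter (assumption) so the check can run against a copied
# tree; on a live host pass /proc/sys/net/ipv4/conf.

# Print one line per interface whose effective rp_filter is nonzero.
# Returns 0 when every interface is disabled, 1 otherwise.
rp_filter_report() {
    conf_dir="$1"
    all_val=$(cat "$conf_dir/all/rp_filter")
    status=0
    for d in "$conf_dir"/*/; do
        dev=$(basename "$d")
        case "$dev" in all|default) continue ;; esac
        dev_val=$(cat "$d/rp_filter")
        # effective setting = max(all, dev); values are 0 (off), 1 (strict), 2 (loose)
        eff=$all_val
        [ "$dev_val" -gt "$eff" ] && eff=$dev_val
        if [ "$eff" -ne 0 ]; then
            echo "$dev effective=$eff all=$all_val dev=$dev_val"
            status=1
        fi
    done
    return $status
}

# Emit the sysctl.conf lines that turn rp_filter off on the interfaces still
# reported by rp_filter_report (prints nothing when all are already off).
rp_filter_fix_lines() {
    rp_filter_report "$1" | while read -r dev _; do
        echo "net.ipv4.conf.$dev.rp_filter=0"
    done
}
```

On a live host, `rp_filter_fix_lines /proc/sys/net/ipv4/conf` prints lines that can be appended to /etc/sysctl.conf before re-running `sysctl -p` and `ipsec verify`.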

7. Start the ipsec service

[root@localhost ~]# systemctl start ipsec
[root@localhost ~]# systemctl enable ipsec

8. Edit the xl2tpd main configuration file

[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf
[global]
; the IP of this machine's public-facing NIC
listen-addr = 120.86.124.5
ipsec saref = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

9. Edit the xl2tpd PPP options file:

[root@localhost ~]# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
# dns: use your own NIC's DNS servers; 8.8.8.8 also works
ms-dns 10.118.88.10
ms-dns 130.52.1.10
#ms-dns  8.8.8.8
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

10. Create the username and password

Create the user for the xl2tpd connection; the username and password entered when establishing the L2TP connection are configured in this file:

[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
lancer      *  123 *
# login username and password
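Both secret files shown above, /etc/ipsec.secrets in step 4 and /etc/ppp/chap-secrets here, hold hand-typed values (the PSK "123456789" and the CHAP password "123"). The shell functions below are an added example, not from the original post: they write the same two files in the same layout with secrets drawn from /dev/urandom and with root-only permissions; the output directory, server address and username are parameters rather than values taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate the two secrets the post
# stores as literals ("123456789" in /etc/ipsec.secrets, "123" in
# /etc/ppp/chap-secrets) from /dev/urandom and write them readable by the
# owner only. OUT_DIR, the server address and the username are caller-supplied
# assumptions; on a real host OUT_DIR would be /etc and /etc/ppp respectively.

# Random secret: N bytes from /dev/urandom, base64-encoded on a single line.
# The base64 alphabet has no quotes or whitespace, so the value can be quoted
# safely in both files.
gen_secret() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Write the ipsec.secrets line in the post's layout: <server_ip> %any: PSK "<psk>"
# The subshell keeps umask 077 from leaking into the caller's shell.
write_ipsec_secrets() {
    out_dir="$1"; server_ip="$2"; psk="$3"
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" > "$out_dir/ipsec.secrets" )
}

# Append one chap-secrets record (client  server  secret  IP addresses), using
# "*" for server and IP address as in the post's "lancer  *  123  *" line.
write_chap_secret() {
    out_dir="$1"; user="$2"; password="$3"
    (
        umask 077
        [ -f "$out_dir/chap-secrets" ] || \
            printf '# client\tserver\tsecret\tIP addresses\n' > "$out_dir/chap-secrets"
        printf '%s\t*\t"%s"\t*\n' "$user" "$password" >> "$out_dir/chap-secrets"
    )
}

# Succeed only when group and others have no permission bits on the file,
# i.e. the secret is readable by its owner (root on a real host) alone.
secret_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```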

11. Start and check the xl2tpd service

[root@localhost ~]# systemctl start xl2tpd
[root@localhost ~]# systemctl status xl2tpd

12. Disable the firewall and test the connection

Disable the firewall first for this test, otherwise the connection cannot be tested; the next chapter covers the firewall rules.

[root@localhost ~]# systemctl stop firewalld

13. Wrap-up

If you cannot connect, check whether the ipsec and xl2tpd services are running.

[root@localhost ~]# systemctl status ipsec
[root@localhost ~]# systemctl status xl2tpd