2015 年 3 月 13 日
 

参考

https://github.com/xelerance/Openswan/wiki/L2tp-ipsec-configuration-using-openswan-and-xl2tpd

安装
需要安装的软件包：openswan xl2tpd lsof ppp（CentOS 6 下 openswan、xl2tpd 位于 EPEL 源，需先按下面的链接安装 epel-release）

EPEL 源：rpm -Uvh http://mirrors.zju.edu.cn/epel/6/i386/epel-release-6-8.noarch.rpm （该包通过明文 HTTP 下载，安装前应核对 RPM 的 GPG 签名；noarch 包在 x86_64 上同样适用）
配置 openswan，分两部分：/etc/ipsec.secrets（预共享密钥）与 /etc/ipsec.conf。下文中的 193.110.157.148 是本机公网接口的 IP 地址，请替换为实际地址。
# /etc/ipsec.secrets
# "test" is a placeholder only: every client shares this PSK, so use a long random
# secret and keep this file readable by root only.
193.110.157.148 %any 0.0.0.0: PSK "test"
# /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

config setup
nat_traversal=yes
# The trailing !10.254.253.0/24 excludes the L2TP client pool (see "ip range" in the
# xl2tpd config below) from the private ranges a NAT'd road-warrior may claim,
# so a client's LAN cannot overlap the pool.
virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
protostack=netkey
#protostack=mast # used for SAref + MAST only
interfaces=%defaultroute
oe=off

conn l2tp-psk
authby=secret
pfs=no
auto=add
rekey=no
# overlapip=yes # for SAref + MAST
# sareftrack=yes # for SAref + MAST
type=transport
left=193.110.157.148
leftprotoport=17/1701
#
# The remote user.
#
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%priv,%no
配置 xl2tpd（通常为 /etc/xl2tpd/xl2tpd.conf）

[global]
; you cannot leave out listen-addr, causes possible wrong src ip on return packets
listen-addr = 193.110.157.148
; ipsec saref = yes ; For SAref + MAST only
; debug tunnel = yes

[lns default]
ip range = 10.254.253.128-10.254.253.250
local ip = 10.254.253.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = OpenswanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

配置 PPP，分两部分：pppd 选项文件 /etc/ppp/options.xl2tpd 与账户文件 /etc/ppp/chap-secrets

/etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients; replace with the resolver you want clients to use.
ms-dns 193.110.157.123
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

账户部分（/etc/ppp/chap-secrets）

[root@localhost ppp]# vi chap-secrets
# client server secret IP addresses
# "test"/"test" is an example account only: give each user a strong password.
# Secrets are stored in cleartext here, so keep this file readable by root only (mode 0600).
test * "test" 10.254.253.128/25

系统配置 两种方法
手动添加
# /etc/sysctl.conf
# only values specific for ipsec/l2tp functioning are shown here. merge with existing file
net.ipv4.ip_forward = 1
# Openswan/NETKEY needs reverse-path filtering off. Note this also removes the kernel's
# source-address anti-spoofing check, so the iptables rules below are the only filter left.
# "default" only applies to interfaces created afterwards; if rp_filter is still enabled on
# an existing interface, also set net.ipv4.conf.all.rp_filter and the per-interface keys.
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

自动添加

[root@localhost ~]# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
（注意：该命令是追加写入，重复执行会产生重复条目；执行前请检查 /etc/sysctl.conf 中是否已有同名键。）

[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: “net.bridge.bridge-nf-call-ip6tables” is an unknown key
error: “net.bridge.bridge-nf-call-iptables” is an unknown key
error: “net.bridge.bridge-nf-call-arptables” is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
[root@localhost ~]#

开放防火墙及设置转发

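# Accept IKE (udp/500), NAT-T (udp/4500), L2TP (udp/1701) and ESP on the host.
# NOTE: udp/1701 is accepted from anywhere here, so xl2tpd will also take L2TP
# that did not arrive inside the IPsec tunnel. If the policy match module is
# available, prefer limiting it to IPsec-decapsulated packets, e.g.
#   iptables -I INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp --dport 1701 -j ACCEPT
iptables -I INPUT -p esp -j ACCEPT

# Forward traffic to and from the L2TP client pool
# (10.254.253.0/24 covers the "ip range" configured in xl2tpd).
iptables -I FORWARD -s 10.254.253.0/24 -j ACCEPT
iptables -I FORWARD -d 10.254.253.0/24 -j ACCEPT

# Masquerade the client pool out of the public interface (eth0; adjust if yours differs).
iptables -t nat -A POSTROUTING -s 10.254.253.0/24 -o eth0 -j MASQUERADE

# These rules exist only in the running kernel; persist them (e.g. "service iptables save"
# on CentOS 6) or they are lost on reboot.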
检测状态（应先启动服务：service ipsec start、service xl2tpd start。下面的输出是在服务启动前得到的，所以 "Checking that pluto is running" 与内核 IPsec 支持两项显示 FAILED；服务正常启动后这两项应为 OK）

[root@localhost ~]# ipsec verify
 Checking your system to see if IPsec got installed and started correctly:
 Version check and ipsec on-path [OK]
 Linux Openswan U2.6.32/K(no kernel code presently loaded)
 Checking for IPsec support in kernel [FAILED]
 SAref kernel support [N/A]
 Checking that pluto is running [FAILED]
 whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
 Checking for 'ip' command [OK]
 Checking /bin/sh is not /bin/dash [OK]
 Checking for 'iptables' command [OK]
 Opportunistic Encryption Support [DISABLED]
[root@localhost ~]#
