
Detailed tutorial: building a VPN with L2TP/IPsec

齐浩的运维笔记 2019-04-16

I set this up by hand myself; one screenshot of the result is attached:

1. Prepare the build environment

#yum -y install make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man

2. Install the required packages

#yum -y install openswan ppp xl2tpd

3. Configure the related services

(1) Configure IPsec: edit /etc/ipsec.conf

#vim /etc/ipsec.conf

# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5
# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    force_keepalive=yes
    keep_alive=1800

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3

4. Configure the pre-shared key

L2TP adds a key item that PPTP does not have, which is one of the reasons it is more secure than PPTP. This key is really just a password, distinct from the user's login password: it serves as the key for communication between the two devices.

#vim /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets
<your public IP>  %any:  PSK "<your pre-shared key>"

 

 

Start the service

#systemctl start ipsec
#systemctl enable ipsec

5. Adjust kernel settings

#vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0

Apply the settings

#sysctl -p

6. Check the IPsec service configuration

#ipsec setup start
#ipsec verify

Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                      [OK]
Openswan U/K3.10.0-957.10.1.el7.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                 [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects                          [OK]
ICMP default/accept_redirects                        [OK]
XFRM larval drop                                     [OK]
Hardware random device check                         [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                   [OK]
Checking that pluto is running                       [OK]
Pluto listening for IKE on udp 500                   [OK]
Pluto listening for IKE on tcp 500                   [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500            [OK]
Pluto listening for IKE/NAT-T on tcp 4500            [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)         [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                       [TEST INCOMPLETE]
Checking 'ip' command                                [OK]
Checking 'iptables' command                          [OK]

Start the ipsec service

#systemctl start ipsec
#systemctl enable ipsec

7. Edit the main xl2tpd configuration file

#vim /etc/xl2tpd/xl2tpd.conf

[lns default]
; address pool handed to clients, taken from this host's LAN subnet
ip range = 172.31.43.192-172.31.43.254
; this host's LAN address
local ip = 172.31.43.113
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

8. Edit the xl2tpd PPP options file

#vim /etc/ppp/options.xl2tpd

#re-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'
# You need to join the domain on the server, for example using samba:
#http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

9. Create the username and password

#vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client     server    secret      IP addresses
<username>   *     <password>   *

Start xl2tpd and enable it at boot

#systemctl start xl2tpd
#systemctl enable xl2tpd

10. Configure firewall rules

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1723 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s <LAN subnet> -j SNAT --to-source <public IP>
iptables -t nat -A POSTROUTING -s <LAN subnet> -o eth0 -j MASQUERADE

# Note: check which IP subnet belongs to your own network interface before filling these in.
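An added example (not the post's own rules) that applies the ruleset idempotently from variables and, unlike the list above, accepts UDP 1701 only when the packet arrived inside an IPsec SA, so a client that negotiated no IPsec (for instance a Windows client with ProhibitIpSec set to 1 and no custom IPsec policy) cannot bring up an L2TP session in clear text; it also omits port 1723, which is PPTP's TCP control port and is not used by L2TP/IPsec. WAN_IF, LAN_NET, IPT and the rule/apply_l2tp_rules functions are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the post's own rules: idempotent L2TP/IPsec firewall
# setup driven by variables. Names below are chosen for this example.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # interface that carries the public address
LAN_NET="${LAN_NET:-172.31.43.0/24}"   # subnet containing xl2tpd's "ip range" pool
IPT="${IPT:-iptables}"                 # point at a wrapper function for a dry run

# rule <table> <chain> <match...>: append only if not already present (-C),
# so re-running the script never duplicates rules.
rule() {
    table=$1; chain=$2; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null || "$IPT" -t "$table" -A "$chain" "$@"
}

apply_l2tp_rules() {
    # IKE and NAT-T: the only ports that must be reachable from the Internet.
    rule filter INPUT -p udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
    rule filter INPUT -p udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
    # UDP 1701 is accepted only when it arrived inside an IPsec SA; an L2TP
    # session without IPsec (e.g. Windows with ProhibitIpSec=1 and no custom
    # IPsec policy) is therefore refused rather than served in clear text.
    rule filter INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    # Forwarding for the ppp interfaces xl2tpd creates for connected clients.
    rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule filter FORWARD -i ppp+ -s "$LAN_NET" -j ACCEPT
    # Masquerade client traffic leaving via the WAN interface, but not packets
    # that still have an outbound IPsec policy to apply.
    rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -m policy --dir out --pol none -j MASQUERADE
}

# Usage: WAN_IF=eth0 LAN_NET=172.31.43.0/24 sh l2tp-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_l2tp_rules
fi
```

Setting IPT to a shell function that records its arguments lets you review the generated rules before touching the live firewall.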

 

 

 

Windows 10 settings:

(1) Click Start, click Run, type regedit and click OK, then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters. Set AllowL2TPWeakCrypto and AllowPPTPWeakCrypto to 1, then right-click, create a new DWORD named ProhibitIPSec and set its value to 1.

Open Windows Firewall -> Advanced settings -> Outbound rules -> add ports 1723 and 1701, then restart the computer.

 

