l2tp ipsec ***
1、安裝軟件
# Pull in EPEL first; the second install presumably resolves openswan/xl2tpd
# from that repo, so the two commands must stay in this order.
yum -y install epel-release
yum -y install openswan ppp xl2tpd
2、修改ipsec的配置文件
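# (root prompt dropped so the lines run as written)
cd /etc/ipsec.d/ || exit 1
# Move every existing *.conf aside so that only L2TP.conf remains in the
# directory. A glob loop copes with unusual filenames, which the original
# "ls | xargs mv" pipeline did not.
for f in ./*.conf; do
  [ -e "$f" ] || continue
  mv -- "$f" "$f.bak"
done
vim L2TP.conf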
# Openswan connection definitions for L2TP/IPsec, placed in /etc/ipsec.d/
# (the other *.conf files there were moved aside in step 2).
# NOTE(review): openswan expects the key=value lines inside a conn section to
# be indented; the indentation appears to have been lost in this listing.
conn L2TP-PSK-NAT
# clients behind NAT: accept any private address as the remote "subnet"
rightsubnet=vhost:%priv
# everything else is inherited from the non-NAT conn below
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
# pre-shared key, taken from the .secrets file in step 3
authby=secret
# NOTE(review): pfs=no disables Perfect Forward Secrecy for the IPsec SA; it is
# commonly set for client compatibility — weigh that against the loss of PFS.
pfs=no
# load the conn at startup and wait for clients to initiate
auto=add
keyingtries=3
# the server does not initiate rekeying itself
rekey=no
ikelifetime=8h
keylife=1h
# L2TP over IPsec uses transport mode
type=transport
left=192.168.10.10 # this host's real IP
# UDP/1701 = L2TP
leftprotoport=17/1701
# accept any peer address / source port
right=%any
rightprotoport=17/%any
3、配置ipsec祕鑰
# edit the pre-shared-key file (presumably picked up via an include of /etc/ipsec.d/*.secrets)
vim /etc/ipsec.d/L2TP.secrets
# <local IP> <peer>: PSK "<shared secret>"
192.168.10.10 %any: PSK "YourPsk"
# YourPsk is the placeholder for the shared secret: replace it with a long
# random value and keep this file readable by root only.
4、修改forward轉發
編輯文件
# make the kernel settings below persistent across reboots
vim /etc/sysctl.conf
# route traffic between the VPN client pool and the uplink
net.ipv4.ip_forward = 1
# reverse-path filtering off (replies leave via the ppp link, so strict
# checking would drop them — presumably; confirm for this topology)
net.ipv4.conf.default.rp_filter = 0
# do not send ICMP redirects to clients
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# NOTE(review): this silences logging of packets with impossible source
# addresses, a useful detection signal — consider leaving it at 1 unless noisy.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# reject source-routed packets
net.ipv4.conf.default.accept_source_route = 0
# ignore ICMP redirects from the network
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# do not log malformed ICMP error replies
net.ipv4.icmp_ignore_bogus_error_responses = 1
# apply the settings above (the leading '# ' is the root prompt, not a comment)
# sysctl -p
執行命令
# also clear rp_filter on the uplink interface itself (eth0 assumed — adjust to
# the real interface name); this write is not persistent, hence the rc.local
# remark that follows
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
並將此命令寫入rc.local文件
5、確認ipsec狀態
service ipsec start
# check the host for IPsec prerequisites (kernel settings, NSS database, ...)
ipsec verify
# make sure nothing reports failed
# if an nss error appears, run the following
# create a fresh NSS database in /etc/ipsec.d
certutil -N -d /etc/ipsec.d
# NOTE(review): this writes the host key under /etc/pki/nssdb/ while certutil
# above initialised /etc/ipsec.d — confirm which NSS directory this openswan
# build uses. With authby=secret (PSK) the RSA host key is not used for
# authentication, so this only serves to clear the verify error.
ipsec newhostkey --output my.secrets --bits 2192 --verbose --configdir /etc/pki/nssdb/
6、編輯/etc/xl2tpd/xl2tpd.conf
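; xl2tpd daemon configuration. Comments use ';' here; the original inline '#'
; remarks were moved onto their own lines, because trailing text on a value
; line may be read as part of the value.
[global]
; NOTE(review): saref needs kernel/openswan SAref support — confirm on this host
ipsec saref = yes
; this host's real IP (must match 'left=' in the ipsec conn)
listen-addr = 192.168.10.10
[lns default]
; address pool handed out to VPN clients
ip range = 192.168.20.128-192.168.20.254
; this host's address on the VPN side
local ip = 192.168.20.99
; refuse CHAP/PAP here and require authentication; the actual method
; (MS-CHAPv2) is set in the pppd options file of step 7
refuse chap = yes
refuse pap = yes
require authentication = yes
; NOTE(review): verbose pppd logging — 'hide-password' in the options file
; keeps secrets out of the log; switch this off once the tunnel works
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = y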
7、編輯 /etc/ppp/options.xl2tpd
require-mschap-v2
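# pppd options used by xl2tpd (pppoptfile in xl2tpd.conf); require-mschap-v2
# precedes these lines.
# DNS servers pushed to clients (sample values — use your own resolvers)
ms-dns 223.5.5.5
ms-dns 114.114.114.114
asyncmap 0
# the peer must authenticate
auth
crtscts
lock
# keep the peer's password out of the pppd log even with 'debug' on
hide-password
modem
# NOTE(review): verbose logging; turn off once the tunnel works
debug
# server name used when matching entries in chap-secrets
name l2tpd
proxyarp
# drop the session after 4 missed LCP echoes sent every 30 s (~2 min)
lcp-echo-interval 30
# was "4*": the stray '*' is not a number and would presumably make pppd
# reject the option
lcp-echo-failure 4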
8、編輯 /etc/ppp/chap-secrets (此配置文件是設置***的用戶名,密碼)
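# Secrets for authentication using CHAP
# client server secret IP addresses
# NOTE: the header line above lacked its leading '#'; without it the line
# would be parsed as a credential entry (client "Secrets", secret
# "authentication").
# Sample account: user "admin" with password "admin", valid for any server
# and from any client address — replace with a strong, unique secret before
# exposing the service.
admin * admin *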
9、啓動相應的服務:
service xl2tpd start
# ipsec was already started in step 5; if the conn was added after that,
# a restart is presumably needed for it to be picked up
service ipsec start
10、iptables修改:
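# SNAT the VPN client pool (ip range in xl2tpd.conf) to this host's real IP
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j SNAT --to-source 192.168.10.10
# L2TP
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 1701 -j ACCEPT
# IKE
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
# IPsec NAT-T. The original listed the UDP/500 rule twice and never opened
# 4500, which the NAT section below names as required — presumed intended.
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 4500 -j ACCEPT
# ESP
iptables -I INPUT -p esp -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables restart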
pptp ***
據經驗ipsec l2tp *** 比較慢,還有反應ios設備不能連,所以可以選用pptp ***,配置方便,連接速度快
1、安裝pptp
# install the PPTP daemon
yum install -y pptpd
2、編輯/etc/ppp/options.pptpd 設置自己的dns
# pppd options for pptpd (referenced by 'option' in pptpd.conf)
# server name used when matching chap-secrets entries (second column there)
name pptpd
# allow only MS-CHAPv2 with 128-bit MPPE; PAP, CHAP and MS-CHAPv1 are refused
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# NOTE(review): this is the strongest PPTP offers; MS-CHAPv2/MPPE are widely
# regarded as weak today, so treat PPTP as a convenience, not a security
# boundary.
require-mppe-128
proxyarp
lock
# no BSD / VJ compression
nobsdcomp
novj
novjccomp
# do not log to a passed-in file descriptor
nologfd
# DNS servers pushed to clients (sample values)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
3、編輯/etc/ppp/chap-secrets,設置***賬號密碼
# client server secret IP addresses
# Sample accounts for the pptpd server: replace the passwords, and if clients
# have fixed addresses narrow the '*' (any address) in the last column.
vultr1 pptpd P@$$w0rd *
vultr2 pptpd P@$$w0rd2 *
4、編輯/etc/pptpd.conf,配置分配給客戶端的ip
# pppd options file from step 2
option /etc/ppp/options.pptpd
# record sessions in wtmp
logwtmp
# server-side address and the client address pool
localip 192.168.80.1
remoteip 192.168.80.101-200
5、編輯/etc/sysctl.conf
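# Enable IPv4 forwarding persistently. The original sed only rewrote an
# existing net.ipv4.ip_forward line and silently did nothing when the key
# was absent from sysctl.conf.
if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
fi
sysctl -p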
6、設置防火牆轉發
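# PPTP control channel
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
# NOTE(review): PPTP also carries data over GRE (IP protocol 47); if the INPUT
# chain defaults to DROP, a matching ACCEPT (-p gre) is needed as well.
# NAT the PPTP client pool out of eth0. The original had the alternative
# glued to the target ("MASQUERADE#或者..."); a '#' that does not start a
# word is not a comment in bash, so iptables would have received a bogus
# target name.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.0/24 -j MASQUERADE
# alternative with a fixed public address:
# iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -j SNAT --to-source 192.168.10.10
service iptables save
service iptables start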
7、啓動服務
service pptpd start
# start pptpd at boot
chkconfig pptpd on
訪問在nat設備後搭建的***服務器
1、***服務器的搭建跟正常的無異,nat設備上要開啓相應的服務端口,如l2tp需要映射500,4500,1701
2、windows 系統 需要設置註冊表以訪問在nat設備後的***服務器
* 找到HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
* 右鍵編輯,新建DWORD (32-bit) Value,命名爲AssumeUDPEncapsulationContextOnSendRule
* 修改值爲2
* 重啓電腦