I. Preparation before configuration
Some time ago the company was renovated and its network was redeployed. The network was split into several VLANs, and the public side has several IP egress points. Since I am not a Windows specialist and am not very familiar with networking either, I was not much help (I am now working hard to learn networking). Once the company network was deployed, a *** service was certainly needed; from a security standpoint it is a must. But the actual network configuration was done by the equipment vendor, and how the routes actually went was something I could not find out in time, so the *** server never got configured properly back then. It was frustrating; in the end it was implemented on a hardware appliance.
Now that I have some free time, I decided to investigate where the problem actually was.
So I configured it again from scratch. The installation environment is CentOS 6.2 64-bit with the development package groups fully installed. pptp and friends were installed with yum from the EPEL repository:
# yum -y install dkms ppp pptpd
After installing these three packages, check whether the mppe module is loaded:
[root@localhost ppp]# lsmod | grep mppe
ppp_mppe                6404  0
ppp_generic            25379  2 ppp_async,ppp_mppe
# If it is not loaded, load it with:
# modprobe ppp-compress-18
# lsmod | grep mppe    # check again
Once the module is loaded, enable kernel IP forwarding:
# grep "^[^#]" /etc/sysctl.conf
net.ipv4.ip_forward = 1    # change this value to 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# Run the following command to apply the change:
# sysctl -p
II. Configuring PPTP
1. Installing pptpd creates the following files:
# rpm -ql pptpd
/etc/ppp/options.pptpd          # configuration file
/etc/pptpd.conf                 # configuration file
/etc/rc.d/init.d/pptpd          # init script
/etc/sysconfig/pptpd            # init script configuration
/usr/bin/***stats.pl
/usr/bin/***user
/usr/lib64/pptpd
/usr/lib64/pptpd/pptpd-logwtmp.so
/usr/sbin/bcrelay
/usr/sbin/pptp-portslave
/usr/sbin/pptpctrl
/usr/sbin/pptpd
......
# Files created by installing ppp:
# rpm -ql ppp
/etc/logrotate.d/ppp
/etc/pam.d/ppp
/etc/ppp
/etc/ppp/chap-secrets           # the important one: pptpd's account authentication file
/etc/ppp/options
/etc/ppp/pap-secrets
.......
2. With the above in place, we can go straight to the configuration:
(1) Configure pptpd.conf
# grep "^[^#]" /etc/pptpd.conf
option /etc/ppp/options.pptpd
localip 192.168.0.1
remoteip 192.168.0.2-20
(2) Configure options.pptpd
# grep "^[^#]" /etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
debug        # these two options (debug, dump) are enabled for troubleshooting
dump
lock
nobsdcomp
novj
novjccomp
nologfd
idle 2592000
ms-dns 114.114.114.114    # DNS
ms-dns 8.8.8.8
(3) Authentication accounts
# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server  secret  IP addresses
test        pptpd   test    *
# The configuration is very simple.
# Start the service:
# service pptpd start
# ss -tunl | grep 1723
tcp    0    3    *:1723    *:*
3. Configure iptables to let pptpd traffic through
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Jan 21 11:25:45 2015
*nat
:PREROUTING ACCEPT [5:539]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 10.95.10.105    # address translation
COMMIT
# Completed on Wed Jan 21 11:25:45 2015
# Generated by iptables-save v1.4.7 on Wed Jan 21 11:25:45 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [223:27476]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT    # allow GRE (IP protocol 47)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 1723 -j ACCEPT    # allow port 1723
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 21 11:25:45 2015
# Since I am using the default policy, anything that matches no rule is dropped by default; the FORWARD chain therefore has to be set to ACCEPT here, otherwise everything that matches no rule is dropped.
At this point you can test the connection from Windows.
III. Connecting and troubleshooting
After setting up the *** connection on Windows, test connections did obtain an IP address, and QQ and other services worked normally. But a problem appeared: every website except Baidu could be opened; only Baidu's domain could not be reached. Then a second problem appeared: after the *** connection had been up for a while it disconnected on its own, and reconnecting afterwards failed repeatedly with the following errors:
Jan 22 14:04:24 localhost pppd[22168]: nobsdcomp#011#011# (from /etc/ppp/options.pptpd)
Jan 22 14:04:24 localhost pppd[22168]: require-mppe-128#011#011# (from /etc/ppp/options.pptpd)
Jan 22 14:04:24 localhost pppd[22168]: pppd 2.4.5 started by root, uid 0
Jan 22 14:04:24 localhost pppd[22168]: Using interface ppp0
Jan 22 14:04:24 localhost pppd[22168]: Connect: ppp0 <--> /dev/pts/3
Jan 22 14:04:24 localhost pptpd[22167]: GRE: read(fd=7,buffer=60a400,len=8260) from network failed: status = -1 error = Protocol not available
Jan 22 14:04:24 localhost pptpd[22167]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
Jan 22 14:04:24 localhost pppd[22168]: Modem hangup
Jan 22 14:04:24 localhost pppd[22168]: Connection terminated.
Jan 22 14:04:25 localhost pppd[22168]: Exit.
Jan 22 14:04:25 localhost pptpd[22167]: CTRL: Client 10.95.11.7 control connection finished
Jan 22 14:04:25 localhost pptpd[22176]: CTRL: Client 10.95.11.7 control connection started
Jan 22 14:04:25 localhost pptpd[22176]: CTRL: Starting call (launching pppd, opening GRE)
Jan 22 14:04:25 localhost pppd[22177]: pppd options in effect:
# ......
# the lines in between are debug output
# ......
Jan 22 14:04:25 localhost pppd[22177]: 192.168.0.1:192.168.0.2#011#011# (from command line)
Jan 22 14:04:25 localhost pppd[22177]: nobsdcomp#011#011# (from /etc/ppp/options.pptpd)
Jan 22 14:04:25 localhost pppd[22177]: require-mppe-128#011#011# (from /etc/ppp/options.pptpd)
Jan 22 14:04:25 localhost pppd[22177]: pppd 2.4.5 started by root, uid 0
Jan 22 14:04:25 localhost pppd[22177]: Using interface ppp0
Jan 22 14:04:25 localhost pppd[22177]: Connect: ppp0 <--> /dev/pts/3
Jan 22 14:04:25 localhost pptpd[22176]: GRE: read(fd=7,buffer=60a400,len=8260) from network failed: status = -1 error = Protocol not available
Jan 22 14:04:25 localhost pptpd[22176]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
Jan 22 14:04:25 localhost pppd[22177]: Modem hangup
Jan 22 14:04:25 localhost pppd[22177]: Connection terminated.
Jan 22 14:04:25 localhost pppd[22177]: Exit.
The messages point to a GRE problem, but GRE was already allowed above. So I searched Baidu and Google for a long time: some said it was a version problem, others a kernel patch (not tested), iptables, or the gre kernel module. I tried them one by one and none worked, so I asked an expert. After I sent a screenshot, he said it was probably an MTU size problem. So I connected again and looked at the MTU of ppp0: it was 1396, indeed different from eth0 and gre. So I changed the MTU on the fly to test:
1. Check the MTU:
# ip a | grep mtu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
254: gre0: <NOARP> mtu 1472 qdisc noop state DOWN
# This shows the MTU of every interface; here eth0 is 1500 and gre0 is 1472.
2. Check the MTU of a single interface (ppp0 can only be checked once a *** connection is up):
# cat /sys/class/net/ppp0/mtu
# Change its value:
# echo "1472" > /sys/class/net/ppp0/mtu
# Right after the change Baidu was reachable, so this really was the problem. I then arranged for the value to be set automatically on connection.
3. Set the MTU automatically when a *** connection comes up:
# 1. Some posts online say to put it in options.pptpd, but in my test it still had no effect there; I added it anyway.
# Below the DNS lines add:
ms-dns 114.114.114.114
ms-dns 8.8.8.8
mtu 1472
mru 1472
# 2. Put it in /etc/ppp/ip-up:
# vim /etc/ppp/ip-up
#!/bin/bash
# This file should not be modified -- make local changes to
# /etc/ppp/ip-up.local instead
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
LOGDEVICE=$6
REALDEVICE=$1
[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post --realdevice ${REALDEVICE} ifcfg-${LOGDEVICE}
/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
/sbin/ifconfig ppp0 mtu 1472    # added here
exit 0
# After disconnecting the *** and reconnecting, everything worked.
So far all tests are normal; if further problems come up, I will add to this later......
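The ip-up line above hardcodes ppp0, so only the first concurrent client gets the corrected MTU; pppd passes the real interface name as $1, and the stock CentOS ip-up already hands the same arguments to /etc/ppp/ip-up.local, which is where its own header says local changes belong. The script below is an added example, not the post's own script: an ip-up.local that sets the MTU on whichever ppp interface just came up, rejects non-ppp interfaces and nonsense values, and reads the value back to confirm the kernel accepted it. SYSFS_NET is an assumed override variable (so the function can be exercised against a temporary directory), and the 576..1500 range check is my own assumption.

```shell
#!/bin/sh
# /etc/ppp/ip-up.local -- added example, not the original post's script.
# pppd runs ip-up (and CentOS's ip-up runs ip-up.local "$@") with:
#   <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# so $1 is the ppp interface that just came up (ppp0, ppp1, ...).

PPP_MTU=${PPP_MTU:-1472}                # the value the post settled on
SYSFS_NET=${SYSFS_NET:-/sys/class/net}  # assumed override so tests can use a temp dir

# set_ppp_mtu <iface> <mtu>: set the MTU through sysfs and read it back.
# Returns 0 on success, 1 on bad input or if the kernel refused the value.
set_ppp_mtu() {
    iface=$1
    mtu=$2
    # Only touch ppp interfaces, so a stray call can never change eth0.
    case "$iface" in
        ppp[0-9]*) ;;
        *) echo "set_ppp_mtu: refusing non-ppp interface '$iface'" >&2; return 1 ;;
    esac
    # The MTU must be numeric and within a sane PPP range (limits assumed here).
    case "$mtu" in
        ''|*[!0-9]*) echo "set_ppp_mtu: MTU '$mtu' is not a number" >&2; return 1 ;;
    esac
    if [ "$mtu" -lt 576 ] || [ "$mtu" -gt 1500 ]; then
        echo "set_ppp_mtu: MTU $mtu outside 576..1500" >&2
        return 1
    fi
    mtu_file="$SYSFS_NET/$iface/mtu"
    if [ ! -w "$mtu_file" ]; then
        echo "set_ppp_mtu: $mtu_file is not writable" >&2
        return 1
    fi
    echo "$mtu" > "$mtu_file" || return 1
    # Verify: the kernel may clamp or reject the value rather than fail the write.
    [ "$(cat "$mtu_file")" = "$mtu" ]
}

# When invoked by pppd, $1 is the real interface; apply the MTU to it, not to "ppp0".
if [ -n "$1" ]; then
    set_ppp_mtu "$1" "$PPP_MTU" || echo "ip-up.local: MTU change failed on $1" >&2
fi
```

Install it as /etc/ppp/ip-up.local with mode 0755 and the unmodified stock ip-up will run it for every session, so the hardcoded ifconfig line is no longer needed.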