【踩坑】linux搭建ipsec/xl2tpd vpn

一、背景

二、步驟

1.先看看你的主機是否支持pptp,返回結果爲yes就表示通過
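# Check that the kernel provides PPP with MPPE support: ppp-compress-18 is the module alias
# of ppp_mppe, so this is really a PPP/MPPE check rather than a PPTP-specific one.
# Prints "yes" on success (as before); the original stayed silent on failure, so report it.
if modprobe ppp-compress-18; then
  echo yes
else
  echo "ppp_mppe (ppp-compress-18) could not be loaded" >&2
fi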
2.是否開啓了TUN
cat /dev/net/tun
# Expected output: "cat: /dev/net/tun: File descriptor in bad state" — that error means the
# device node exists and could be opened, i.e. TUN support is available (cat simply cannot
# read from an unattached tun device).
3.安裝EPEL源
# Enable the EPEL repository; it is needed for the xl2tpd package installed in the next step.
yum install -y epel-release
4.安裝xl2tpd和libreswan
# xl2tpd = L2TP daemon, libreswan = IPsec (pluto); lsof is not used by the setup itself and is
# presumably only for troubleshooting (e.g. finding which process holds UDP 500/1701/4500).
yum install -y xl2tpd libreswan lsof
5.編輯xl2tpd配置文件
# Main xl2tpd configuration; the [global] and [lns default] sections below are its full contents.
vim /etc/xl2tpd/xl2tpd.conf

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
;
; NOTE: the sample text above still describes the shipped example (192.168.1.x). The values
; actually used below are the server's LAN address 192.168.11.95 and a client pool inside
; 10.0.0.0/16.

[global]
; Bind the L2TP listener to the server address only. It must equal left= in the IPsec conn;
; binding alone does not protect 1701/udp — the firewall still decides who may reach it.
listen-addr = 192.168.11.95
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; NOTE(review): SAref tracking needs an SAref-capable kernel/IPsec stack; with stock libreswan
; on the kernel XFRM stack this setting is presumably ineffective and may only produce
; setsockopt errors in the xl2tpd log — confirm, or set it to no.
ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
; Addresses handed out to clients. 10.0.0.0/8 is also listed in virtual_private in
; ipsec.conf, so a NATed client may itself sit in 10.x — watch for overlap with this pool.
ip range = 10.0.0.2-10.0.254.254
; Server-side address of every ppp link.
local ip = 10.0.0.1
; Authentication is mandatory and PAP (cleartext password) is refused; the pppoptfile
; below narrows the accepted methods further to MS-CHAPv2 only.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
; Verbose pppd logging (presumably passes debug to pppd); turn off once the setup is stable.
ppp debug = yes
; pppd options shared by all sessions (see step 6).
pppoptfile = /etc/ppp/options.xl2tpd
; Include the length field in L2TP headers.
length bit = yes
6.編輯pppoptfile文件
# pppd options for the L2TP sessions; referenced from xl2tpd.conf via pppoptfile=.
vim /etc/ppp/options.xl2tpd

# pppd options for the L2TP sessions (referenced from xl2tpd.conf via pppoptfile=).
# Accept the peer's proposals for local/remote addresses during IPCP negotiation.
ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to clients; all client name resolution goes to these. Replace them with
# resolvers you control or trust (an internal resolver if the VPN is meant for intranet access).
ms-dns 202.101.172.35
ms-dns 114.114.114.114
ms-dns  8.8.8.8
# Local name used when looking up chap-secrets (the server column there is *, so any name matches).
name xl2tpd
# No CCP/compression negotiation.
noccp
# The peer must authenticate itself before IP traffic is allowed.
auth
#crtscts
# Disconnect a session after 30 minutes without traffic.
idle 1800
#mtu 1410
mru 1410
# Never install a default route through a client's ppp link.
nodefaultroute
# Verbose negotiation logging into the logfile below; it may include authentication-exchange
# details, so disable it once the setup is stable.
debug
#lock
proxyarp
connect-delay 5000
# Accept only MS-CHAPv2 (PAP, CHAP-MD5 and MS-CHAPv1 are refused). MS-CHAPv2 on its own is
# considered weak, so credential protection here rests on the IPsec layer: keep the PSK strong
# and use long, unique per-user passwords in chap-secrets.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
# PPP-side log; keep it root-readable only, since debug output above is sensitive.
logfile /var/log/xl2tpd.log
# To allow authentication against a Windows domain EXAMPLE, and require the
# # user to be in a group "VPN Users". Requires the samba-winbind package
# # require-mschap-v2
# # plugin winbind.so
# # ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# # You need to join the domain on the server, for example using samba:
# # http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
7.編輯ipsec配置文件
# Top-level libreswan config; per-connection settings live in /etc/ipsec.d/*.conf, included at the end.
vim /etc/ipsec.conf

# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
        # Normally, pluto logs via syslog.
        #logfile=/var/log/pluto.log
        #
        # Do not enable debug options to debug configuration issues!
        #
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        plutodebug=none
        #
        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least up to 2015)
        # NOTE(review): the exclusion the comment above asks for is missing. The server's own
        # address 192.168.11.95 (listen-addr / left=) lies inside %v4:192.168.0.0/16 below, so
        # add e.g. %v4:!192.168.11.0/24 (use the real LAN mask) so that NATed clients cannot
        # claim server-side addresses as their virtual subnet.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config
# NOTE(review): with the include above commented out, libreswan's built-in algorithm defaults
# apply instead of the system-wide crypto policy — confirm that is intended.

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
8.編輯include的conn文件
# Connection definition; picked up through the include /etc/ipsec.d/*.conf line in ipsec.conf.
vim /etc/ipsec.d/l2tp-ipsec.conf

# L2TP/IPsec responder for remote clients. The NAT variant adds the NAT-traversal settings and
# inherits everything else from L2TP-PSK-noNAT through also=.
conn L2TP-PSK-NAT
    # Client may be behind NAT and propose a private address (from virtual_private) as its subnet.
    rightsubnet=vhost:%priv
    # NOTE(review): rightsubnet is given twice; only one value can take effect, or the duplicate is
    # rejected when the conn is loaded — check the pluto log / `ipsec verify`. For NATed clients
    # the vhost:%priv line above is the one needed, so drop this 0.0.0.0/0 line.
    rightsubnet=0.0.0.0/0
    # Dead-peer detection: probe every 10s, consider the peer gone after 20s, then clear the SA.
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    # Always UDP-encapsulate ESP (port 4500) so it survives NAT.
    forceencaps=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    # NOTE(review): L2TP/IPsec clients negotiate IKEv1. Libreswan 3.x still accepts IKEv1 by
    # default, but 4.x defaults to IKEv2-only and then needs ikev2=no here — confirm against
    # the installed version.
    # Pre-shared key from /etc/ipsec.d/default.secrets; every client knows it, so it must be
    # long and random and rotated if a client device is lost.
    authby=secret
    # No phase-2 PFS; commonly required for the Windows built-in client.
    pfs=no
    # Load the conn at startup and wait for clients to initiate.
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Only the L2TP UDP stream is protected, hence transport mode.
    type=transport
    # Server address; must match xl2tpd's listen-addr and the address in default.secrets.
    left=192.168.11.95

    # UDP 1701 = L2TP on the server side; the client source port is left open with %any.
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
9.設置用戶名密碼
# PPP user credentials; secrets are stored in cleartext, so keep the file root-only (chmod 600).
vim /etc/ppp/chap-secrets

# client   server   secret   IP-addresses
# "pass" is a placeholder — use a long, unique password per user (MS-CHAPv2 is the only thing
# protecting the login once the shared PSK is known). Keep this file mode 0600: the secrets
# are cleartext. The trailing * places no restriction on the client's assigned IP.
vpnuser * pass * 
說明：格式為 用戶名[空格]service[空格]密碼[空格]指定IP，其中 * 表示不限制。
10.設置PSK
# IPsec pre-shared key; keep the file root-only (chmod 600) and never paste the real key into docs.
vim /etc/ipsec.d/default.secrets


# <server-address> %any : PSK "<shared key>"
# "xxxxxxx" is a placeholder. Generate a long random key (e.g. openssl rand -base64 32), keep this
# file mode 0600, and remember the same key is shared by every client — rotate it if one leaks.
# The address on the left must match left= in the conn and listen-addr in xl2tpd.conf.
192.168.11.95 %any: PSK "xxxxxxx"
11.CentOS7防火牆設置(重要)
# IKE/IPsec: firewalld's ipsec service should already cover UDP 500/4500 plus ESP/AH — confirm
# with `firewall-cmd --info-service=ipsec`; the explicit 4500/udp below is then redundant but harmless.
firewall-cmd --permanent --add-service=ipsec
# L2TP control/data. NOTE(review): this opens 1701/udp to everyone, not only to peers that already
# hold an IPsec SA, so plain L2TP is reachable with only pppd's CHAP as protection. Restricting
# 1701/udp to IPsec-protected traffic (a policy match in iptables/nftables) is the usual hardening
# — confirm how that fits this firewalld setup.
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
# NAT the client pool (10.0.x.x) out through the server address; without this clients cannot
# reach the LAN or the Internet even though the tunnel is up.
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
12.IP_FORWARD 設置
# Kernel settings for forwarding and IPsec; a new file under /etc/sysctl.d so sysctl.conf stays untouched.
vim /etc/sysctl.d/60-sysctl_ipsec.conf

# Route traffic between the ppp links and the LAN/Internet (together with the firewalld masquerade).
net.ipv4.ip_forward = 1
# accept_redirects / send_redirects = 0: never honour or emit ICMP redirects, which could
# otherwise be used to steer traffic around the tunnel.
# rp_filter = 0: disables reverse-path (anti-spoofing) source validation. Decrypted IPsec
# packets appear on a different interface than their return route, so strict rp_filter drops
# them. NOTE(review): loose mode (2) may be enough on recent kernels — confirm before fully
# disabling this on an Internet-facing host.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
# Per-interface entries. Keys for interfaces that do not exist yet (eth1/eth2 on a
# single-NIC box, ppp0 before the first client connects) are presumably reported as errors
# by sysctl but the remaining keys still apply — verify in the `sysctl --system` output.
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0

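# Apply the new sysctl file. Restarting the network service is what the original did, but it is
# not guaranteed to read /etc/sysctl.d/; `sysctl --system` loads every /etc/sysctl.d/*.conf
# directly, and the final line verifies that forwarding is really enabled.
systemctl restart network
sysctl --system
sysctl net.ipv4.ip_forward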
13.ipsec啓動&檢查
# Start libreswan (pluto) now and at boot; it must be up before xl2tpd accepts any client.
systemctl enable ipsec
systemctl restart ipsec
14.檢查
# Sanity-check the IPsec stack and configuration; investigate any [FAILED] line (it checks, among
# other things, the rp_filter / redirect sysctls set above).
ipsec verify
15.xl2tpd啓動
# Start the L2TP daemon after IPsec is running; client L2TP sessions ride on the IPsec transport SA.
systemctl enable xl2tpd
systemctl restart xl2tpd
16.windows連接

https://ops.floa.vip/faq/pptp.html

17.mac連接
直接在網絡偏好設置裏添加。

三、問題總結

1.以上步驟搭建好,賬號密碼生成之後連接上,但是無法上外網,也無法上內網,只能ping通vpn所在內網服務器
注意第11步的防火牆轉發（masquerade）設置一定要執行；當時自作聰明把防火牆關閉了，反而導致客戶端流量無法轉發。具體錯誤可查看 /var/log/messages。