1. 先看看你的主機是否支持pptp,返回結果爲yes就表示通過。
modprobe ppp-compress-18 && echo yes
2.是否開啓了TUN,有的虛擬機主機需要開啓,返回結果爲cat: /dev/net/tun: File descriptor in bad state。就表示通過。
cat /dev/net/tun
3 安裝EPEL源(CentOS7官方源中已經去掉了xl2tpd)
yum install -y epel-release
4 安裝xl2tpd和libreswan(openswan已經停止維護)
yum install -y xl2tpd libreswan lsof
5 編輯xl2tpd配置文件
公司內網爲192.168.1.1的網段
vim /etc/xl2tpd/xl2tpd.conf
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.253
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
6 編輯pppoptfile文件
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1 公司有內網域名.所以這裏DNS寫的192.168.1.1
name xl2tpd
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
connect-delay 5000
refuse-pap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
7 編輯ipsec配置文件
vim /etc/ipsec.conf # 只修改以下項,其他默認
8 編輯include的conn文件
vim /etc/ipsec.d/l2tp-ipsec.conf # 新建如下配置文文件,直接複製的話,前面是很多空格,在啓動的時候會報錯
conn L2TP-PSK-NAT
rightsubnet=0.0.0.0/0
dpddelay=10
dpdtimeout=20
dpdaction=clear
forceencaps=yes
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.1.253
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
9 設置用戶名密碼
vim /etc/ppp/chap-secrets
用戶名:qxtx 密碼:123456
10 設置預共享密鑰PSK
vim /etc/ipsec.d/default.secrets
: PSK "123456" 前面的冒號不能少
11 CentOS7 防火牆設置,如果防火牆關閉就不用管了
firewall-cmd --permanent --add-service=ipsec # 放行ipsec服務,安裝時會自定生成此服務
firewall-cmd --permanent --add-port=1701/udp # xl2tp 的端口,默認1701.
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade # 啓用NAT轉發功能。必須啓用此功能
firewall-cmd --reload # 重載配置
修改內核參數
vim /etc/sysctl.conf # 添加如下配置到文件中,參數後面不能有空格-net.ipv4.ip_forward = 1net.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0 這裏網卡名不一定是eth0,根據實際網卡名改一下就好了,只需要改這一個地方
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0
sysctl -p # 加載內核參數使生效
上面的很多配置可能是無效的,不需要在乎
13 啓動ipsec
systemctl enable ipsec # 設爲開機啓動
systemctl start ipsec # 啓動服務
14 檢查配置
ipsec verify # 檢查命令
15 啓動xl2tp
systemctl enable xl2tpd # 設爲卡機啓動
systemctl start xl2tpd # 啓動xl2tp
16.路由器做端口映射(1701端口)
這個搭建完後我用手機可以連接,但是用電腦始終連不上。手機連接後內網域名打開都是正常的