Install the packages (the xl2tpd package and service are named xl2tpd, not xl2tp):

```sh
yum install ppp xl2tpd libreswan
```
/etc/ipsec.conf is configured as follows:

```
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey
    logfile=/var/log/pluto.log
    dumpdir=/var/run/pluto/

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    #esp=3des-sha1-96
    auto=add
    #keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
    keyingtries=%forever
    # replace with your own public IP
    left=111.111.111.111
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
```
/etc/ipsec.secrets is configured as follows:

```
#include /etc/ipsec.d/*.secrets
# change 111.111.111.111 to your own IP and 123456 to your own (long, random) pre-shared key
111.111.111.111 %any: PSK "123456"
```

Once the configuration is in place, start IPsec and verify it:

```sh
ipsec start
ipsec verify
```

```
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects [OK]
         ICMP default/accept_redirects [OK]
         XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'
```
If every check reports OK, the IPsec side is working.
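An added check, not part of the original walkthrough, that parses the `ipsec verify` output above and audits an ipsec.secrets body for the placeholder server IP and the default pre-shared key; the weak-PSK list, the 20-character minimum and the sample verify/secrets lines are constructed assumptions.

```python
import re

# Placeholder values from the walkthrough that must be replaced before deployment.
PLACEHOLDER_IP = "111.111.111.111"
WEAK_PSKS = {"123456", "password", "secret"}  # constructed list of well-known defaults
MIN_PSK_LEN = 20  # assumed minimum length; set your own policy
# One 'ipsec verify' result line: "<check name> [<STATUS>]"
VERIFY_RE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[^\]]+)\]\s*$")
# A quoted PSK line in ipsec.secrets: '<id> <id>: PSK "<secret>"' (hex/file forms not handled)
PSK_RE = re.compile(r'^\s*(?P<ids>[^:#]+):\s*PSK\s+"(?P<psk>[^"]*)"')

def parse_ipsec_verify(output):
    """Map every '<check> [<STATUS>]' line of 'ipsec verify' output to its status."""
    results = {}
    for line in output.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            results[m.group("check")] = m.group("status")
    return results

def verify_problems(output):
    """Names of checks whose status is not OK (FAILED, OBSOLETE KEYWORD, ...)."""
    return sorted(n for n, st in parse_ipsec_verify(output).items() if st != "OK")

def audit_secrets(text):
    """Findings for an ipsec.secrets body: leftover placeholder IP, default or short PSK."""
    findings = []
    for line in text.splitlines():
        m = PSK_RE.match(line)
        if not m:
            continue
        ids, psk = m.group("ids").split(), m.group("psk")
        if PLACEHOLDER_IP in ids:
            findings.append("placeholder server IP still present")
        if psk in WEAK_PSKS:
            findings.append("PSK is a well-known default")
        elif len(psk) < MIN_PSK_LEN:
            findings.append(f"PSK shorter than {MIN_PSK_LEN} characters")
    return findings

# Constructed sample: verify lines from the walkthrough, with pluto deliberately reported as FAILED.
SAMPLE_VERIFY = """Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking that pluto is running [FAILED]
Pluto listening for IKE on udp 500 [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'"""
# Constructed secrets: the walkthrough's placeholder line, and a hardened replacement (203.0.113.10 is a documentation address).
SAMPLE_SECRETS = '111.111.111.111 %any: PSK "123456"\n'
HARDENED_SECRETS = '203.0.113.10 %any: PSK "constructed-long-random-psk-Qm7x2v9LpZ4"\n'
```

Feed the real output of `ipsec verify` and the contents of /etc/ipsec.secrets to these functions to get a machine-checkable list of what still needs fixing before the server goes live.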
System settings

Add the following kernel parameters to /etc/sysctl.conf (the file that sysctl -p loads by default):

```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
```

Then apply them:

```sh
sysctl -p
```
/etc/xl2tpd/xl2tpd.conf is configured as follows:

```
[global]
ipsec saref = yes
listen-addr = 0.0.0.0

[lns default]
; address pool handed out to clients
ip range = 172.16.0.2 - 172.16.0.100
; server-side address of the tunnel
local ip = 172.16.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```
/etc/ppp/options.xl2tpd is configured as follows:

```
ipcp-accept-local
ipcp-accept-remote
ms-dns 223.5.5.5
ms-dns 114.114.114.114
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noauth
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
```
/etc/ppp/chap-secrets is configured as follows:

```
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
# username and password
test        *         test      *
```
Configure iptables

Allow UDP ports 500, 4500 and 1701 through and enable NAT for the client pool, as follows (enp2s0 is the external interface; change it to match your server):

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 172.16.0.0/24 -j ACCEPT
-A FORWARD -s 172.16.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [831320:68105743]
:POSTROUTING ACCEPT [1350:80883]
:OUTPUT ACCEPT [1350:80883]
-A POSTROUTING -s 172.16.0.0/24 -o enp2s0 -j MASQUERADE
COMMIT
```
Enable and start the services

```sh
systemctl enable ipsec
systemctl enable xl2tpd
systemctl start ipsec
systemctl start xl2tpd
```