Install ppp
# yum -y install ppp
Install openswan
# yum -y install openswan
Install xl2tpd
# yum -y install xl2tpd
Configure IPsec
# cd /etc/ipsec.d/
# vim l2tp_psk.conf
Add the following (where x.x.x.x is your server's real IP address):
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=x.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Configure the pre-shared key
# cd /etc/ipsec.d/
# vim l2tp.secrets
Add the following (where x.x.x.x is your server's real IP address, and "passwd" is replaced with the key you want):
x.x.x.x %any: PSK "passwd"
Modify the kernel settings
Run the following commands to enable IP forwarding and disable ICMP redirects:
# echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
# echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
# echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
# for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > "$vpn/accept_redirects"; echo 0 > "$vpn/send_redirects"; done
Then run sysctl -p to apply them.
The per-interface settings are lost on reboot, so add the following command to the startup scripts:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > "$vpn/accept_redirects"; echo 0 > "$vpn/send_redirects"; done
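The commands above change settings in two places (the sysctl file and the live /proc values), and it is easy to end up with a host where only one of them was applied. As an added check that is not part of the original guide, the following shell function audits the settings against what this step requires. It reads "key = value" lines, the format of both `sysctl -a` and /etc/sysctl.conf, on standard input, reports every forwarding or ICMP-redirect value that is out of policy, and additionally warns about rp_filter, which the `ipsec verify` output later in the guide flags as something that should be disabled. The sample input is constructed for the example.

```shell
#!/bin/sh
# Added example: audit the IPv4 settings this guide changes.
# Input on stdin: "key = value" lines, as printed by `sysctl -a` or
# stored in /etc/sysctl.conf. Output: one line per finding, then the
# number of policy VIOLATIONs on the last line (WARN lines are not counted).
audit_sysctl_text() {
    awk -F' *= *' '
        # the guide requires forwarding on, so VPN clients can reach the Internet
        $1 == "net.ipv4.ip_forward" && $2 != "1" {
            print "VIOLATION " $1 " = " $2 " (want 1)"; bad++; next
        }
        # the guide disables ICMP redirects on every interface, including all/default
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.(accept|send)_redirects$/ && $2 != "0" {
            print "VIOLATION " $1 " = " $2 " (want 0)"; bad++; next
        }
        # ipsec verify reports rp_filter=1 as not fully aware of IPsec: report, do not count
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ && $2 != "0" {
            print "WARN " $1 " = " $2 " (ipsec verify recommends 0)"; next
        }
        END { print bad + 0 }'
}

# Convenience wrapper for a live host (needs the sysctl command; not exercised offline).
audit_sysctl_live() {
    sysctl -a 2>/dev/null | audit_sysctl_text
}

# Returns only the violation count for a given text (the last line of the report).
sysctl_violation_count() {
    printf '%s\n' "$1" | audit_sysctl_text | tail -n 1
}

# Constructed sample mimicking a host where /etc/sysctl.conf was edited but the
# per-interface loop was never run: eth0 still sends redirects, forwarding is off.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.tcp_syncookies = 1'

printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl_text
```

On a real host, run `sysctl -a | audit_sysctl_text` after `sysctl -p` and again after a reboot; a non-zero count on the last line means the persistence step was missed for at least one interface.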
Enable ipsec at boot
# chkconfig ipsec on
Start ipsec
# service ipsec start
Verify that ipsec is running
# ipsec verify
The verify output looks like this:
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-573.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]
Configure xl2tpd
Edit the xl2tpd.conf configuration file
# vim /etc/xl2tpd/xl2tpd.conf
Change the following:

[global]
ipsec saref = yes
listen-addr = x.x.x.x                  ; server address

[lns default]
ip range = 192.168.1.2-192.168.1.100   ; internal IP range handed out to VPN clients
local ip = 192.168.1.1                 ; internal address of the VPN server
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Edit options.xl2tpd
# vim /etc/ppp/options.xl2tpd
Add the following line to enable support for Windows clients:
require-mschap-v2
Enable xl2tpd at boot
# chkconfig xl2tpd on
Start xl2tpd
# service xl2tpd start
Enable NAT forwarding in iptables
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
This rule is lost when the server reboots, so save the configuration:
# service iptables save
Or add the command to the startup scripts:
# echo "iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE" >> /etc/rc.local
The second method is not recommended, though: whenever you modify iptables later and restart it, the rule is lost. Use the first method.
Add the following firewall rules
Open the three UDP ports 1701, 500 and 4500 in the firewall:
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
Also, the following rule in the default CentOS 6 firewall ruleset must be commented out, otherwise clients connected to the VPN cannot reach the Internet:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Restart the firewall
# service iptables restart
Configure clients to connect to this VPN server
Configure accounts
# vim /etc/ppp/chap-secrets
For example:
user * password *
or
user * password 192.168.1.99
The difference is that the first entry assigns the client an IP address automatically, while the second gives it a fixed IP address.
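Both l2tp.secrets (the IPsec PSK above) and chap-secrets (the user passwords here) hold credentials in clear text, and a typo in chap-secrets silently locks a user out or hands out an address outside the pool. The following shell functions are an added example, not part of the original guide: they generate a secrets line with a random 256-bit PSK instead of a word like "passwd", validate chap-secrets entries against the four-field format and the 192.168.1.2-192.168.1.100 pool configured in xl2tpd.conf above, and check that neither file is readable by group or others. The sample chap-secrets content and the 203.0.113.10 server address are constructed for the example.

```shell
#!/bin/sh
# Added example: handle the two plaintext credential files this guide creates,
# /etc/ipsec.d/l2tp.secrets (IPsec PSK) and /etc/ppp/chap-secrets (user passwords).
# The sample entries below are constructed for illustration.

# Build the l2tp.secrets line with a random 256-bit PSK (64 hex characters).
# $1 = the server's public IP (x.x.x.x in the guide).
build_psk_line() {
    psk=$(od -An -tx1 -N 32 /dev/urandom | tr -d ' \n')
    printf '%s %%any: PSK "%s"\n' "$1" "$psk"
}

# Check chap-secrets entries: every active line must have exactly 4 fields
# (client  server  secret  IP), and a fixed IP must lie inside the xl2tpd pool
# 192.168.1.2-192.168.1.100. Reads the file on stdin, prints one line per
# problem, then the problem count on the last line.
validate_chap_secrets() {
    awk -v net="192.168.1." -v lo=2 -v hi=100 '
        $0 ~ /^[ \t]*#/ || NF == 0 { next }
        NF != 4 { print "BAD (" NF " fields, want 4): " $0; bad++; next }
        $4 != "*" {
            if (index($4, net) != 1) { print "BAD (IP outside pool): " $0; bad++; next }
            last = substr($4, length(net) + 1)
            if (last !~ /^[0-9]+$/ || last + 0 < lo || last + 0 > hi) {
                print "BAD (IP outside pool): " $0; bad++; next
            }
        }
        END { print bad + 0 }'
}

# Both files hold secrets in clear text: group and others must have no access.
# $1 = path. Returns 0 when the mode is acceptable (e.g. 0600), 1 otherwise.
secret_file_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "mode too open: $(ls -ld "$1")" >&2; return 1 ;;
    esac
}

# Returns only the problem count for a given chap-secrets text.
chap_problem_count() {
    printf '%s\n' "$1" | validate_chap_secrets | tail -n 1
}

# Constructed chap-secrets content (not from a real host):
# carol's fixed IP is outside the pool and dave's line is missing a field.
SAMPLE_CHAP='# client  server  secret  IP
alice  *  Correct-Horse-7   *
bob    *  Battery-Staple-9  192.168.1.99
carol  *  weak              192.168.1.200
dave   pass  *'

printf '%s\n' "$SAMPLE_CHAP" | validate_chap_secrets
build_psk_line 203.0.113.10
```

After writing the files, `secret_file_mode_ok /etc/ipsec.d/l2tp.secrets && secret_file_mode_ok /etc/ppp/chap-secrets` should succeed; if not, `chmod 600` them before starting the services.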
If Internet access is very slow after dialing in, run the following command to change the TCP maximum segment size:
# iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
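The firewall changes in this guide are spread over several `iptables` invocations and a hand edit of the saved ruleset, and each of them (including the MSS rule just above) is lost unless `service iptables save` is run afterwards. As an added example that is not part of the original guide, the following function renders the whole ruleset in iptables-restore format, i.e. what /etc/sysconfig/iptables should contain, starting from the stock CentOS 6 rules. It deviates from the guide in two places that are labelled in the code: instead of deleting the stock FORWARD REJECT rule it accepts ppp+ traffic ahead of it, and it accepts UDP 1701 only when the packet arrived inside IPsec (`-m policy`), so xl2tpd is not reachable over plain L2TP. Interface, client subnet and MSS are parameters whose defaults are the guide's values.

```shell
#!/bin/sh
# Added example: render the persistent iptables ruleset for this VPN host in
# iptables-restore format (the content of /etc/sysconfig/iptables).
#   $1 = outside interface      (default eth0, as in the guide)
#   $2 = VPN client subnet      (default 192.168.1.0/24, as in the guide)
#   $3 = TCP MSS clamp on ppp+  (default 1356, as in the guide)
render_vpn_iptables() {
    wan=${1:-eth0}
    vpn_net=${2:-192.168.1.0/24}
    mss=${3:-1356}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# VPN clients leave through the server's outside address
-A POSTROUTING -s $vpn_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# stock CentOS 6 INPUT rules
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# IKE and IKE/NAT-T (ESP in UDP), as in the guide
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
# deviation from the guide: L2TP only when it arrived inside the IPsec transport SA
-A INPUT -p udp -m policy --dir in --pol ipsec -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# the MSS clamp from the guide, before any FORWARD decision
-A FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss $mss
# deviation from the guide: allow VPN client traffic, then keep the stock REJECT
-A FORWARD -i ppp+ -s $vpn_net -j ACCEPT
-A FORWARD -o ppp+ -d $vpn_net -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity checks on a rendered ruleset: the three VPN ports are accepted, NAT is
# configured, and the FORWARD chain still ends in the stock REJECT.
ruleset_checks_pass() {
    rules=$(render_vpn_iptables "$@")
    for port in 500 4500 1701; do
        printf '%s\n' "$rules" | grep -q -- "--dport $port -j ACCEPT" || return 1
    done
    printf '%s\n' "$rules" | grep -q -- '-j MASQUERADE' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A FORWARD -j REJECT' || return 1
    return 0
}

render_vpn_iptables
```

To apply it: `render_vpn_iptables > /etc/sysconfig/iptables` followed by `service iptables restart`, which also makes the rules survive a reboot without a separate `service iptables save`.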
Error message: Failed to initialize nss database sql:/etc/ipsec.d
... [FAILED]
Fix:
# certutil -N -d /etc/ipsec.d
# ipsec newhostkey --configdir /etc/ipsec.d/ --output /etc/ipsec.d/keys.secrets --bits 2192