I. Environment
CentOS 6.6 x86_64
EPEL extra repository
II. Installing PPTP
Caveat: PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, whose key is derived from that same MS-CHAPv2 exchange. The handshake can be cracked offline (its effective strength is a single DES key), so a captured PPTP session can be decrypted afterwards. Keep PPTP only for clients that cannot do anything else and use the L2TP/IPsec setup in section III otherwise.
1. Load the MPPE module
#modprobe ppp-compress-18 && echo MPPE is ok
ppp-compress-18 is the module alias of ppp_mppe; "MPPE is ok" is printed only if modprobe succeeded.
2. Install the EPEL repository
#yum install epel-release
or
#rpm -ivh http://mirrors.yun-idc.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
Prefer the yum form: it takes epel-release from the CentOS extras repository and checks the package signature. The rpm form installs whatever the mirror serves over plain HTTP, and since the EPEL key is not imported yet, rpm only prints a NOKEY warning.
3. Enable packet forwarding
#sysctl -w net.ipv4.ip_forward=1
This takes effect immediately but does not survive a reboot; the persistent setting is part of the /etc/sysctl.conf list in section III.
4. Install the pptpd package
#yum install pptpd -y
5. Set the DNS servers pushed to PPTP clients in options.pptpd
#vim /etc/ppp/options.pptpd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
6. Add usernames and passwords
#vim /etc/ppp/chap-secrets
username1 pptpd passwd1 *
username2 pptpd passwd2 *
Explanation:
Columns 1 and 3 are the username and password (stored in clear text, so keep the file readable by root only, mode 600). Column 2 must match the server name set by the `name` option in /etc/ppp/options.pptpd (`name pptpd` in the stock file). The last column restricts the client's IP address; an asterisk means no restriction.
7. Edit pptpd.conf
#vim /etc/pptpd.conf
option /etc/ppp/options.pptpd #use the pppd options in /etc/ppp/options.pptpd
logwtmp #record sessions in wtmp
localip 10.10.20.1 #server end of the ppp links; any free address works, it becomes the clients' gateway
remoteip 10.10.20.200-210 #pool handed out to clients (11 addresses, so at most 11 concurrent sessions)
listen 172.16.16.93 #address to bind TCP 1723 on
8. Start the daemon
#service pptpd start
9. iptables rules for pptpd (eth1 is the interface the clients come in on; adjust to your host)
#iptables -A INPUT -i eth1 -p gre -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
#iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
#iptables -A OUTPUT -p gre -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
10. Save and reload the firewall
#service iptables save
#service iptables restart
Note: `service iptables restart` reloads /etc/sysconfig/iptables, so rules added with `iptables -A` are lost unless `service iptables save` writes them there first. The complete saved rule set of this host is listed in section IV.
III. Installing L2TP/IPsec
1. Install build dependencies
#yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof
2. Download and build Openswan
#wget https://download.openswan.org/openswan/openswan-2.6.47.1.tar.gz
(if this release is no longer there, fetch the latest one; compare the tarball against the checksum or signature the project publishes before building it)
#tar zxvf openswan-2.6.47.1.tar.gz
#cd openswan-2.6.47.1
#make programs install
Openswan development has largely moved to Libreswan, the fork Red Hat ships; it uses the same ipsec.conf/ipsec.secrets layout, so the configuration below carries over with little change if you use it instead.
3. Install xl2tpd
#yum install xl2tpd -y
4. Edit ipsec.conf
The file below uses my address, 172.16.16.93 (replace it with your own). Note that 172.16.16.93 is an RFC 1918 address, so in this setup the server is on an internal network or behind NAT rather than on a public IP. Because it falls inside the 172.16.0.0/12 range listed in virtual_private, the server's own subnet should be excluded there with an entry such as %v4:!172.16.16.0/24, as the comment in the file says.
cat /etc/ipsec.conf
-----------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.10.20.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=add
# clients behind NAT: their private address must be in one of the virtual_private ranges
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # transport mode: IPsec protects only the L2TP packets (UDP 1701) between the two hosts
    type=transport
    left=172.16.16.93
    leftprotoport=17/1701
    # any client address may connect; authentication is the PSK in ipsec.secrets
    right=%any
---------------------
5. Set the IPsec pre-shared key
#vim /etc/ipsec.secrets
172.16.16.93 %any: PSK "123.com"
Replace 172.16.16.93 with your own address (the author suggests a dynamic DNS name if the server has no fixed IP; `%any %any: PSK "..."` also works) and replace "123.com" with your own key. "123.com" is only a placeholder: every L2TP client shares this one secret and it is all that protects the IKE exchange, so use a long random value (for example the output of `openssl rand -base64 32`) and keep the file root-only with `chmod 600 /etc/ipsec.secrets`.
6. Kernel parameters
Append the following to /etc/sysctl.conf
net.ipv4.ip_forward = 1
# the kernel applies the larger of conf/all and conf/<interface> for rp_filter, and
# conf/default only seeds interfaces created later, so "all" must be 0 too and
# interfaces that already exist (lo, eth0, eth1) need their own lines or a one-off
# "echo 0 > /proc/sys/net/ipv4/conf/<interface>/rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
#sysctl -p
7. Start the ipsec service
#service ipsec start
8. Check the ipsec service
#ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.47.1/K2.6.32-573.26.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [IP XFRM BROKEN]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
Explanation: the output above is normal for this setup. The "encountered errors" verdict comes from three things: the rp_filter [ENABLED] lines (clear them by setting net.ipv4.conf.all.rp_filter and the per-interface net.ipv4.conf.lo/eth0/eth1.rp_filter to 0; the default.* value only applies to interfaces created later), the NAT test being reported as incomplete rather than failed, and [IP XFRM BROKEN], which the iproute package shipped with CentOS 6 triggers and which does not stop the NETKEY stack from working. What matters is [OK] on kernel IPsec support, pluto running, IKE on UDP 500 and NAT-T on UDP 4500.
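The rp_filter warnings above are the one thing in this output that a sysctl.conf fix clears. As an added example (not part of the original post), the script below checks a sysctl.conf fragment against the values `ipsec verify` looks for on a NETKEY host and prints the per-interface lines that bring existing interfaces into line. The fragment is constructed from the page's own list; the REQUIRED table is this example's reading of the verify output, not an Openswan interface.

```shell
#!/bin/sh
# Added example: which ipsec-verify-relevant sysctl keys a sysctl.conf
# fragment still lacks. Sample fragment constructed from the page's list.
SYSCTL_SAMPLE=$(mktemp)
cat >"$SYSCTL_SAMPLE" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF

# The kernel uses the larger of conf/all and conf/<iface> for rp_filter and
# conf/default only seeds interfaces created later, so "default = 0" alone
# leaves lo/eth0/eth1 at 1: exactly the [ENABLED] lines verify printed.
REQUIRED='net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0'

# sysctl_value <file> <key>: value of key in a sysctl.conf-style file
# (comments skipped, whitespace around "=" ignored, empty if absent;
# the last occurrence wins, as it does for sysctl -p).
sysctl_value() {
    awk -F'=' -v k="$2" '
        /^[[:space:]]*(#|;|$)/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { v = $2 }
        END { print v }' "$1"
}

# sysctl_missing <file>: one "key=wanted" line per REQUIRED entry the file
# does not satisfy; exit status 1 if anything is missing.
sysctl_missing() {
    printf '%s\n' "$REQUIRED" | while IFS='=' read -r key want; do
        [ "$(sysctl_value "$1" "$key")" = "$want" ] || printf '%s=%s\n' "$key" "$want"
    done | awk '{ print } END { exit NR > 0 }'
}

# rp_filter_lines <iface>...: sysctl.conf lines that disable rp_filter on
# interfaces that already exist (verify listed lo, eth0 and eth1).
rp_filter_lines() {
    for ifc in "$@"; do
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$ifc"
    done
}

echo "missing in sample:"
sysctl_missing "$SYSCTL_SAMPLE" || true
echo "lines to append for existing interfaces:"
rp_filter_lines lo eth0 eth1
```

Run it against the real file with `sysctl_missing /etc/sysctl.conf`; after appending the reported keys and the rp_filter_lines output, `sysctl -p` followed by `ipsec verify` should no longer show [ENABLED] for rp_filter.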
9. Configure xl2tpd.conf
#vim /etc/xl2tpd/xl2tpd.conf
--------------------
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
; the same address as "left" in ipsec.conf and "listen" in pptpd.conf
listen-addr = 172.16.16.93
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; SAref also needs a SAref-patched kernel; the stock CentOS 6 kernel with
; protostack=netkey has none, so beyond a warning at startup this setting
; has no effect here and may just as well be "no"
ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
[lns default]
; address range handed to L2TP clients (does not overlap the PPTP pool 10.10.20.200-210)
ip range = 10.10.20.100-10.10.20.120
; server end of the ppp links, the clients' gateway
local ip = 10.10.20.1
require chap = yes
refuse pap = yes
require authentication = yes
; must match column 2 of /etc/ppp/chap-secrets unless that column is *
name = LinuxVPNserver
; logs every PPP negotiation; turn off once the tunnel works
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
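Three files now carry the server's bind address: `listen` in pptpd.conf, `left` in ipsec.conf and `listen-addr` in xl2tpd.conf. A typo in one of them (an extra digit, for instance) only shows up later as a daemon that silently fails to bind. As an added example that is not part of the original post, the script below cross-checks the three values and rejects anything that is not a valid IPv4 address. The three sample files are constructed from the page's values; cfg_value's key/value grammar is this example's assumption and covers only the three formats used here.

```shell
#!/bin/sh
# Added example: make sure pptpd, pluto and xl2tpd are told to bind to the
# same, well-formed address. Sample files constructed from the page.
WORK=$(mktemp -d)
printf 'option /etc/ppp/options.pptpd\nlocalip 10.10.20.1\nlisten 172.16.16.93\n' >"$WORK/pptpd.conf"
printf 'config setup\n\tprotostack=netkey\nconn L2TP-PSK-noNAT\n\tleft=172.16.16.93\n\tright=%%any\n' >"$WORK/ipsec.conf"
printf '[global]\nlisten-addr = 1172.16.16.93   ; deliberate typo for the demo\n[lns default]\nlocal ip = 10.10.20.1\n' >"$WORK/xl2tpd.conf"

# cfg_value <file> <key>: value of "key value", "key=value" or "key = value"
# with # and ; comments stripped; the first match wins.
cfg_value() {
    awk -v k="$2" '
        { sub(/[#;].*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        { split($0, f, /[ \t]*=[ \t]*|[ \t]+/) }
        f[1] == k { print f[2]; exit }' "$1"
}

# valid_ipv4 <string>: exit 0 only for a dotted quad with every octet in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# vpn_listen_check <pptpd.conf> <ipsec.conf> <xl2tpd.conf>: report every bind
# address that is malformed or differs from pptpd's "listen"; exit 1 on any.
vpn_listen_check() {
    ref=$(cfg_value "$1" listen); rc=0
    valid_ipv4 "$ref" || { printf 'BAD  pptpd.conf listen: "%s"\n' "$ref"; return 1; }
    for pair in "ipsec.conf left=$(cfg_value "$2" left)" \
                "xl2tpd.conf listen-addr=$(cfg_value "$3" listen-addr)"; do
        where=${pair%%=*}; addr=${pair#*=}
        if ! valid_ipv4 "$addr"; then
            printf 'BAD  %s: "%s" is not an IPv4 address\n' "$where" "$addr"; rc=1
        elif [ "$addr" != "$ref" ]; then
            printf 'DIFF %s: %s but pptpd listens on %s\n' "$where" "$addr" "$ref"; rc=1
        fi
    done
    return $rc
}

vpn_listen_check "$WORK/pptpd.conf" "$WORK/ipsec.conf" "$WORK/xl2tpd.conf" || true
```

On the real host run `vpn_listen_check /etc/pptpd.conf /etc/ipsec.conf /etc/xl2tpd/xl2tpd.conf` before starting the services; the same check can be extended to `/etc/ipsec.secrets`, whose first column must carry the same address.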
10. Edit options.xl2tpd
#vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 114.114.114.114
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.log
Notes: `noccp` stops CCP/MPPE negotiation, since encryption comes from IPsec here; `nodefaultroute` keeps the server's own routing table untouched; `mtu`/`mru 1410` leave room for the L2TP, UDP and ESP headers inside a 1500-byte path; `debug` together with `logfile` records every LCP/CHAP exchange in /var/log/xl2tpd.log, so remove `debug` once the setup works.
11. Add L2TP accounts
#vim /etc/ppp/chap-secrets
username * passwd *
The first * is the server column: it matches any server name, so this one entry authenticates against both xl2tpd (name = LinuxVPNserver) and pptpd (name pptpd). The last * is the client address restriction: leave it as * for any address, or put a fixed address from the pool there.
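Both the PPTP note (section II, step 6) and the L2TP note above come down to how pppd matches chap-secrets rows: column 2 is compared with the `name` the daemon was started with, `*` matches any name, and the last column may pin the client to an address. As an added example that is not part of the original post, the script below answers "which users can log in through this daemon" and "which secret applies to this client/server pair" for a chap-secrets file, and checks the file mode, since the secrets are stored in clear text. The sample file is constructed from the page's entries plus two extra rows that show a specific entry taking precedence over a wildcard one.

```shell
#!/bin/sh
# Added example: resolve chap-secrets rows the way the page describes them.
# Sample file constructed from the page's entries plus two demo rows.
CHAP_SAMPLE=$(mktemp)
cat >"$CHAP_SAMPLE" <<'EOF'
# client        server          secret          IP addresses
username1       pptpd           passwd1         *
username2       pptpd           passwd2         *
username        *               passwd          *
username        pptpd           passwd-pptp     *
l2tponly        LinuxVPNserver  passwd3         10.10.20.105
EOF

# chap_users_for <server-name> [file]: "client ip-restriction" for every
# client with a row whose server column equals the name or is "*".
chap_users_for() {
    awk -v srv="$1" '
        /^[[:space:]]*(#|$)/ { next }
        ($2 == srv || $2 == "*") && !seen[$1]++ { print $1, $4 }' "${2:-/etc/ppp/chap-secrets}"
}

# chap_secret_for <client> <server-name> [file]: the secret for this pair.
# pppd keeps the best-matching row, so an exact server name beats "*".
chap_secret_for() {
    awk -v cl="$1" -v srv="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == cl && $2 == srv { print $3; found = 1; exit }
        $1 == cl && $2 == "*" && !w { w = $3 }
        END { if (!found && w != "") print w }' "${3:-/etc/ppp/chap-secrets}"
}

# chap_perms_ok [file]: exit 0 only if nobody but the owner can read the file
# (pppd warns about group/world access; the passwords are in clear text).
chap_perms_ok() {
    mode=$(stat -c '%a' "${1:-/etc/ppp/chap-secrets}") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

echo "users pptpd will accept:";          chap_users_for pptpd "$CHAP_SAMPLE"
echo "users LinuxVPNserver will accept:"; chap_users_for LinuxVPNserver "$CHAP_SAMPLE"
echo "secret for username via pptpd: $(chap_secret_for username pptpd "$CHAP_SAMPLE")"
```

Against the real file, `chap_users_for pptpd` and `chap_users_for LinuxVPNserver` give the two daemons' user lists, and `chap_perms_ok` should succeed before either daemon is started.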
IV. Firewall rules
#cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Apr 11 18:22:14 2017
*filter
:INPUT DROP [144:39853]
:FORWARD DROP [13:520]
:OUTPUT DROP [4:478]
-A INPUT -i eth1 -p gre -j ACCEPT
-A INPUT -s 10.168.118.0/24 -j ACCEPT
-A INPUT -s 10.10.20.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies to the server's own HTTP/HTTPS clients: ESTABLISHED only. Accepting NEW
# here lets anyone reach any port simply by sending from source port 80 or 443.
-A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
# L2TP only inside an IPsec SA (policy match), so nobody can set up an
# unencrypted L2TP/PPP session straight to UDP 1701
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNS answers only; without the state match any UDP sent from port 53 would be accepted
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -j ACCEPT
-A FORWARD -d 10.10.20.0/24 -j ACCEPT
-A FORWARD -i ppp+ -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o ppp+ -j ACCEPT
-A OUTPUT -d 10.168.118.0/24 -j ACCEPT
-A OUTPUT -d 10.10.20.0/24 -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Apr 11 18:22:14 2017
# Generated by iptables-save v1.4.7 on Tue Apr 11 18:22:14 2017
*nat
:PREROUTING ACCEPT [22:1140]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# one rule is enough: only the VPN pool needs masquerading (the original file carried
# this rule plus two broader "-o eth1 -j MASQUERADE" copies that it makes redundant)
-A POSTROUTING -s 10.10.20.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Apr 11 18:22:14 2017
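Two patterns in a rule set like this are worth checking mechanically: an INPUT ACCEPT keyed on the remote source port that also admits NEW connections (the remote side chooses its source port, so `--sport 53` with no state match is an open door to every service on the host), and UDP 1701 accepted without a `-m policy --pol ipsec` match, which lets a peer run L2TP/PPP with no IPsec underneath so that the CHAP exchange and all tunnelled traffic cross the wire in the clear. The script below is an added example, not part of the original post: it audits an iptables-save dump for both and emits the corrected lines. The sample dump is constructed from the page's rules; the finding names and the sed rewrites are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump's INPUT chain and harden it.
# Sample constructed from the page's /etc/sysconfig/iptables.
RULES_SAMPLE=$(mktemp)
cat >"$RULES_SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
EOF

# audit_input_rules <dump>: one line per finding, exit 1 if there are any.
#  SPORT-NEW : ACCEPT keyed on the remote source port that admits NEW
#              (or carries no state match at all). The client picks its
#              source port, so "nc -p 53 server 3306" walks straight in.
#  L2TP-CLEAR: UDP 1701 accepted without "-m policy --pol ipsec".
audit_input_rules() {
    awk '
        !/^-A INPUT / || !/-j ACCEPT/ { next }
        /--sport/ && (!/--state/ || /--state [A-Z,]*NEW/) { print "SPORT-NEW : " $0; n++; next }
        /--dport 1701/ && !/-m policy/ { print "L2TP-CLEAR: " $0; n++ }
        END { exit n > 0 }' "$1"
}

# harden_input_rules <dump>: the same dump with both findings fixed. Source
# port rules become ESTABLISHED-only (the OUTPUT rules create the state), and
# L2TP is accepted only when it arrived through an IPsec SA; the policy match
# also sees NAT-T traffic, because it is applied after ESP decapsulation.
harden_input_rules() {
    sed -e '/^-A INPUT .*--sport/ s/--state NEW,ESTABLISHED/--state ESTABLISHED/' \
        -e '/^-A INPUT .*--sport [0-9]* -j ACCEPT$/ s/ -j ACCEPT$/ -m state --state ESTABLISHED -j ACCEPT/' \
        -e '/^-A INPUT .*--dport 1701/ s/ -j ACCEPT$/ -m policy --dir in --pol ipsec -j ACCEPT/' "$1"
}

echo "findings in sample:"
audit_input_rules "$RULES_SAMPLE" || true
echo "hardened rules:"
harden_input_rules "$RULES_SAMPLE"
```

On the live host run `audit_input_rules /etc/sysconfig/iptables`; if it reports anything, review `harden_input_rules /etc/sysconfig/iptables` and apply it with `iptables-restore` followed by `service iptables save`. A single `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` near the top of the chain makes all the per-port reply rules unnecessary.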
V. Notes
iPhone L2TP clients must enter the pre-shared key (123.com in this example). When creating a PPTP point-to-point connection on Ubuntu, enable MPPE encryption under Advanced; the stock options.pptpd requires MPPE (require-mppe-128), so a client that does not offer it is rejected.