CentOS
Configuration file locations
vi /etc/ipsec.conf
vi /etc/ipsec.secrets
vi /etc/xl2tpd/xl2tpd.conf
vi /etc/ppp/options.xl2tpd
vi /etc/ppp/chap-secrets
Installation
1. Update with yum
yum upgrade
1.1 Install wget and bind-utils
yum install wget bind-utils
1.2 Add the EPEL repository
wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh ./epel-release-6-8.noarch.rpm
2. Install openswan, xl2tpd, ppp and lsof
Note: for iPhone/iPad support, check the openswan version before installing. If the version in the default repository is too old, do not install it; download and install a newer version from the official site instead.
yum install openswan xl2tpd ppp lsof
2.1 Check the openswan version
yum list |grep openswan
Only openswan 2.6.37 or later supports iOS (iPhone/iPad) clients dialing in over L2TP + IPsec.
If the version is too old, install a newer openswan from the official package:
yum install https://download.openswan.org/openswan/binaries/rhel/6/openswan-2.6.38dr2-9.el6.x86_64.rpm
Configuration
3. Network and firewall configuration (firewall and sysctl)
iptables --table nat --append POSTROUTING --jump MASQUERADE
service iptables save
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p
You can also open /etc/sysctl.conf in vi and edit it directly.
Apply the firewall configuration with:
service iptables restart
Note:
The default iptables firewall rejects all INPUT and FORWARD traffic (the final REJECT rule in each chain):
# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

表格:nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Delete rule 5 of Chain INPUT and rule 1 of Chain FORWARD in the filter table:
iptables -t filter -D INPUT 5
iptables -t filter -D FORWARD 1
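Deleting the two REJECT rules opens every port on the server, not just the VPN ones. A tighter alternative is to insert ACCEPT rules for exactly the traffic L2TP/IPsec needs ahead of the catch-all REJECT. The Python script below is an added example and not part of the original notes: it parses the `service iptables status` output shown above (re-typed here as constructed sample input), finds the catch-all REJECT rule in each chain, and prints the iptables commands that open UDP 500/4500 and ESP, accept UDP 1701 only when it arrived inside the IPsec SA (the `-m policy` match), and forward the VPN subnet. The subnet 172.16.1.0/24 is an assumption chosen to cover the xl2tpd ip range used later in these notes.

```python
import re

# Constructed sample input: the "service iptables status" output from the step
# above, re-typed as test data for this script.
SAMPLE_STATUS = """\
表格:filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""

VPN_SUBNET = "172.16.1.0/24"   # assumption: covers the xl2tpd "ip range" used on this page
IKE_PORTS = (500, 4500)        # IKE and NAT-T, both UDP

RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_status(text):
    """Return {chain: [rule dicts]} for the filter table of 'service iptables status' output."""
    chains, chain, table = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^(?:Table|表格)[:：]\s*(\w+)", line)   # header is localized
        if m:
            table = m.group(1)
            continue
        m = re.match(r"^Chain (\S+)", line)
        if m:
            chain = m.group(1)
            if table == "filter":
                chains[chain] = []
            continue
        m = RULE_RE.match(line)
        if m and table == "filter" and chain:
            num, target, prot, _opt, src, dst, extra = m.groups()
            chains[chain].append({"num": int(num), "target": target, "prot": prot,
                                  "src": src, "dst": dst, "extra": extra.strip()})
    return chains

def catch_all_index(rules):
    """Rule number of the first REJECT/DROP-everything rule in a chain, or None."""
    for r in rules:
        if (r["target"] in ("REJECT", "DROP") and r["prot"] == "all"
                and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0"):
            return r["num"]
    return None

def accepts(rules, prot, port=None):
    """True if the chain already has an ACCEPT rule for this protocol (and port, when given)."""
    want = f"{prot} dpt:{port}" if port else ""
    return any(r["target"] == "ACCEPT" and r["prot"] == prot and want in r["extra"] for r in rules)

def plan_vpn_rules(status_text):
    """Commands that open only what L2TP/IPsec needs, inserted ahead of the catch-all REJECT."""
    chains = parse_status(status_text)
    cmds = []
    inp = chains.get("INPUT", [])
    pos = catch_all_index(inp) or len(inp) + 1
    for port in IKE_PORTS:
        if not accepts(inp, "udp", port):
            cmds.append(f"iptables -I INPUT {pos} -p udp --dport {port} -j ACCEPT")
    if not accepts(inp, "esp"):                      # raw ESP for clients not behind NAT
        cmds.append(f"iptables -I INPUT {pos} -p esp -j ACCEPT")
    if not accepts(inp, "udp", 1701):                # L2TP only when it came through IPsec
        cmds.append(f"iptables -I INPUT {pos} -m policy --dir in --pol ipsec "
                    f"-p udp --dport 1701 -j ACCEPT")
    fwd = chains.get("FORWARD", [])
    fpos = catch_all_index(fwd) or len(fwd) + 1
    cmds.append(f"iptables -I FORWARD {fpos} -s {VPN_SUBNET} -j ACCEPT")
    cmds.append(f"iptables -I FORWARD {fpos} -d {VPN_SUBNET} "
                f"-m state --state RELATED,ESTABLISHED -j ACCEPT")
    return cmds

if __name__ == "__main__":
    for cmd in plan_vpn_rules(SAMPLE_STATUS):
        print(cmd)
```

Run it against the real output (`service iptables status | python3 plan.py` after swapping SAMPLE_STATUS for stdin) and review the printed commands before applying them; `service iptables save` afterwards keeps them across reboots, as in the step above.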
4. Configure Openswan (IPsec)
vi /etc/ipsec.conf
version 2   # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes                  # NAT traversal; RouterOS does not support it
    virtual_private=%v4:172.16.0.0/12  # virtual subnets; add more like %v4:10.0.0.0/8, separated by ;
    protostack=netkey                  # which IPsec protocol stack to use
    force_keepalive=yes
    keep_alive=60                      # keepalive interval

conn L2TP-PSK-noNAT                    # connection definition
    authby=secret                      # pre-shared key; use rsasig for certificates
    pfs=no                             # disable PFS (Perfect Forward Secrecy)
    auto=add                           # the ipsec tunnel should be started and routes created when the ipsec daemon itself starts
    keyingtries=3                      # only negotiate a conn 3 times
    ikelifetime=8h
    keylife=1h
    phase2alg=aes256-sha1,3des-sha1    # ESP algorithms; the old esp= setting is deprecated, the new name is phase2alg
    ike=aes256-sha1;modp1024,3des-sha1;modp1024
    keyexchange=ike
    type=transport                     # client mode; tunnel mode is also possible
    left=11.11.11.11                   # server IP address, usually the public IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40                        # Dead Peer Detection (RFC 3706) keepalives delay
    dpdtimeout=130                     # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply
    dpdaction=clear                    # when a DPD enabled peer is declared dead, what action should be taken; clear means the eroute and SA will both be cleared
5. Configure the pre-shared key
vi /etc/ipsec.secrets
%SERVERIP% %any: PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"
6. Start the ipsec service and verify it
service ipsec start
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
If any line reports a failure, check the configuration, or search for the message.
7. Configure xl2tpd
vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
force userspace = yes
[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
8. Configure PPP
vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
name l2tpd : the server name (the pptpd server name in the original guide; it must match the server column of chap-secrets).
refuse-pap : refuse PAP authentication.
refuse-chap : refuse CHAP authentication.
refuse-mschap : refuse MS-CHAP authentication.
require-mschap-v2 : require the peer to authenticate itself with Microsoft MS-CHAPv2 during the connection handshake.
require-mppe-128 : the MPPE module uses 128-bit encryption.
ms-dns 8.8.8.8
ms-dns 8.8.4.4 : DNS server addresses that ppp hands to Windows clients; the first ms-dns is the DNS master, the second the DNS slave.
proxyarp : add a proxy ARP entry.
debug : enable debug mode; the messages are also logged in /var/log/messages.
lock : lock the client's PTY device file.
nobsdcomp : disable BSD compression.
novj
novjccomp : disable Van Jacobson compression.
9. Add users
vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# username server password IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *
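The PSK in step 5 and the passwords in step 9 are fixed example strings, and both files hold their secrets in the clear (ipsec.secrets for the PSK; chap-secrets because CHAP/MS-CHAPv2 needs the cleartext password on the server), so they should be generated randomly and created with mode 0600 from the start. The Python below is an added example, not from the page: it generates a fresh PSK and per-user passwords, renders both files in the layout shown in steps 5 and 9, and writes them so that only the owner can read them. The file names, the server name l2tpd and the user names come from the steps above; the output directory is whatever you pass in (the demo uses a temporary directory), and the PSK/password lengths are my choices.

```python
import os
import secrets
import stat
import tempfile

def new_psk(nbytes=32):
    """Random pre-shared key as hex (64 characters for 32 bytes)."""
    return secrets.token_hex(nbytes)

def new_user_password(nbytes=16):
    """Random per-user password; URL-safe base64 avoids characters that need quoting."""
    return secrets.token_urlsafe(nbytes)

def write_private(path, content):
    """Create the file with mode 0600 so it is never world-readable, even briefly."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)   # tighten an existing file that had looser permissions
    return path

def render_ipsec_secrets(server_ip, psk):
    """Same one-line layout as /etc/ipsec.secrets in step 5."""
    return f'{server_ip} %any: PSK "{psk}"\n'

def render_chap_secrets(users, server_name="l2tpd"):
    """users: {username: password}; same columns as /etc/ppp/chap-secrets in step 9."""
    lines = ["# Secrets for authentication using CHAP",
             "# username\tserver\tpassword\tIP addresses"]
    for user, pw in users.items():
        lines.append(f'{user}\t{server_name}\t"{pw}"\t*')
    return "\n".join(lines) + "\n"

def file_is_private(path):
    """True when group and other have no permission bits at all."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def provision(directory, server_ip, usernames):
    """Write ipsec.secrets and chap-secrets under `directory`; return paths and the secrets."""
    psk = new_psk()
    users = {u: new_user_password() for u in usernames}
    p1 = write_private(os.path.join(directory, "ipsec.secrets"),
                       render_ipsec_secrets(server_ip, psk))
    p2 = write_private(os.path.join(directory, "chap-secrets"),
                       render_chap_secrets(users))
    return p1, p2, psk, users

def demo_provision():
    """Run provision() into a fresh temporary directory (constructed demo, not /etc)."""
    return provision(tempfile.mkdtemp(), "11.11.11.11", ["alice", "bob"])

if __name__ == "__main__":
    ipsec_path, chap_path, psk, users = demo_provision()
    print("wrote", ipsec_path, "and", chap_path)
    print("PSK:", psk)
    for user, pw in users.items():
        print(f"{user}: {pw}")
```

The same PSK goes into the RouterOS `secret=` field in the router section, and each user's password into the client's `password=` field; hand them over out of band, not in the same channel as the server address.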
10. Start the services
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
Router (MikroTik RouterOS)
Configuration
1. PPP client configuration
/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=11.11.11.11 dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 mrru=disabled name=l2tp-hk user=alice password=0F92E5FC2414102EA profile=default
2. IPsec configuration
/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer add address=11.11.11.11/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifetime=1d nat-traversal=no proposal-check=obey secret=69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44 send-initial-contact=yes
Debugging
tail -f /var/log/secure
tail -f /var/log/auth.log    # watch the IPsec negotiation with this command
tail -f /var/log/syslog      # watch the L2TP and PPP negotiation with this command
The following log line means the encryption settings do not match and encryption failed:
Jun 14 09:52:53 ubuntu pluto[2062]: packet from 27.154.56.18:500: initial Main Mode message received on 58.23.17.102:500 but no connection has been authorized with policy=PSK
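The refusal line above and the RouterOS peer settings in the router section meet in phase 1: pluto only authorizes a connection whose ike= proposals contain the client's cipher/hash/DH-group triple. The Python below is an added example, not from the page, Openswan or MikroTik: it parses the pluto line into peer/local addresses and the refusal reason, and checks the server's ike= value from the ipsec.conf above against the algorithms in the `/ip ipsec peer add` command above. The RouterOS-to-Openswan name table is my assumption for the few algorithm names used here, and the RouterOS line is re-typed with the secret replaced by a placeholder.

```python
import re

# Constructed sample: the pluto log line from the debugging step above.
SAMPLE_LOG = ("Jun 14 09:52:53 ubuntu pluto[2062]: packet from 27.154.56.18:500: initial Main Mode "
              "message received on 58.23.17.102:500 but no connection has been authorized with policy=PSK")

# Server ike= value from the ipsec.conf above, and the RouterOS peer line from the router
# section (secret replaced by a placeholder).
SERVER_IKE = "aes256-sha1;modp1024,3des-sha1;modp1024"
ROS_PEER = ("/ip ipsec peer add address=11.11.11.11/32 auth-method=pre-shared-key dh-group=modp1024 "
            "disabled=no dpd-interval=disable-dpd enc-algorithm=3des exchange-mode=main "
            "generate-policy=no hash-algorithm=sha1 lifetime=1d nat-traversal=no proposal-check=obey "
            "secret=PSK_PLACEHOLDER send-initial-contact=yes")

LOG_RE = re.compile(r"pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<pport>\d+): "
                    r"(?P<detail>.*?) received on (?P<local>[\d.]+):(?P<lport>\d+) but (?P<reason>.+)$")

def parse_pluto_refusal(line):
    """Peer/local addresses and the refusal reason from a pluto 'packet from ... but ...' line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

# RouterOS algorithm names -> Openswan names used in ike= (assumed table, only these names)
ROS_NAMES = {"3des": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256",
             "sha1": "sha1", "md5": "md5", "modp1024": "modp1024", "modp2048": "modp2048"}

def server_ike_proposals(ike_value):
    """'aes256-sha1;modp1024,3des-sha1;modp1024' -> [('aes256','sha1','modp1024'), ...]."""
    out = []
    for prop in ike_value.split(","):
        enc_hash, _, group = prop.strip().partition(";")
        enc, _, hsh = enc_hash.partition("-")
        out.append((enc, hsh, group))
    return out

def parse_ros_peer(cmd):
    """(enc, hash, group) in Openswan names from a RouterOS '/ip ipsec peer add' line."""
    kv = dict(re.findall(r"(\S+?)=(\S+)", cmd))
    return (ROS_NAMES.get(kv.get("enc-algorithm")),
            ROS_NAMES.get(kv.get("hash-algorithm")),
            ROS_NAMES.get(kv.get("dh-group")))

def matching_ike_proposal(server_ike, client_triple):
    """First server proposal equal to the client's phase-1 triple, or None (phase 1 will fail)."""
    for prop in server_ike_proposals(server_ike):
        if prop == client_triple:
            return prop
    return None

if __name__ == "__main__":
    info = parse_pluto_refusal(SAMPLE_LOG)
    print(f"peer {info['peer']} -> local {info['local']}: {info['reason']}")
    client = parse_ros_peer(ROS_PEER)
    print("client proposes", client, "-> server match:", matching_ike_proposal(SERVER_IKE, client))
```

With the values on this page the client's 3des/sha1/modp1024 matches the server's second proposal, so a refusal like the one above should send you to the other things pluto checks for that peer (left= matching the address the packet arrived on, and the conn being loaded). The sample line is from an Ubuntu host; on CentOS 6 pluto logs to /var/log/secure, the first file in the tail commands above.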
References
https://alhafoudh.wordpress.com/2009/12/23/ipsec-between-linux-openswan-and-mikrotik-routeros/
http://wiki.mikrotik.com/wiki/L2TP_%2B_IPSEC_between_2_Mikrotik_routers
http://www.esojourn.org/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php
http://superuser.com/questions/740545/l2tp-ipsec-stopped-working-after-openssl-upgrade