L2tp/Ipsec的搭建与使用
1.直接上活,如果看到了这篇文章肯定都了解了是干嘛的,不懂的直接百度吧!这里主要用来在家办公使用。
2.主机是否支持pptp,返回结果为yes就表示通过。
# Try to load the PPP compression module and report success with "yes".
# NOTE(review): ppp-compress-18 is the alias registered by the MPPE module,
# so this is really a check for MPPE support rather than for PPTP as such —
# confirm against the kernel's ppp_mppe module if it matters.
modprobe ppp-compress-18 && printf 'yes\n'
3.是否开启了TUN,有的虚拟机主机需要开启,返回结果为cat: /dev/net/tun: File descriptor in bad state。就表示通过。
# Check that the TUN device is present and usable. Without a process holding
# the device open, cat cannot read from it and reports
# "cat: /dev/net/tun: File descriptor in bad state" — that error is the
# expected ("pass") outcome here; presumably a "No such file or directory"
# error means TUN is not enabled at all.
cat /dev/net/tun
4.安装EPEL源(CentOS7官方源中已经去掉了xl2tpd)
# Enable the EPEL repository: CentOS 7's base repositories no longer carry xl2tpd.
yum -y install epel-release
5.安装xl2tpd和libreswan(openswan已经停止维护)
# L2TP daemon, Libreswan (IKE/IPsec; openswan is unmaintained) and lsof.
yum -y install xl2tpd libreswan lsof
6.编辑xl2tpd配置文件并修改
[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
[lns default]
; Addresses handed out to remote clients. Replace the x.xxx placeholders with
; a range inside your LAN (see the 192.168.1.128/25 example above) that no
; other host uses; the "proxyarp" option in the pppd options file relies on
; the range being part of the LAN subnet.
ip range = 192.168.x.xxx-192.168.x.xxx
; Address xl2tpd uses for its own end of each pppX link: in the same LAN,
; outside "ip range", and not assigned to any other host.
local ip = 192.168.x.xxx
; Only CHAP-family authentication; clear-text PAP is refused outright.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
; Turns on pppd debug output (verbose). Handy while setting up; consider "no"
; once the tunnel works, since the log then records every control packet.
ppp debug = yes
; pppd options applied to every L2TP session (listed in the next step).
pppoptfile = /etc/ppp/options.xl2tpd
; Include the length field in L2TP data packets (commonly needed for Windows
; clients — TODO confirm against xl2tpd.conf(5)).
length bit = yes
7.编辑pppoptfile文件
[root@localhost ~]# cat /etc/ppp/options.xl2tpd
# pppd options for every L2TP session (referenced by "pppoptfile" in xl2tpd.conf).
# Accept the peer's proposal for the local/remote addresses of the link.
ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to (Windows) clients; replace with your own resolvers if
# clients must resolve internal names.
ms-dns 202.106.0.20
ms-dns 114.114.114.114
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# Local name used when looking up entries in /etc/ppp/chap-secrets (the
# "server" column; the example there uses "*", which matches any name).
name xl2tpd
#noccp
# Require the peer to authenticate itself before the link comes up.
auth
#crtscts
# Disconnect a session after 1800 s (30 min) without traffic.
idle 1800
# Reduced MTU/MRU to leave room for the L2TP/UDP/IPsec encapsulation overhead.
mtu 1410
mru 1410
# Never replace the server's own default route with the peer's.
nodefaultroute
# Verbose negotiation logging into "logfile" below. pppd's debug output
# includes the control packets exchanged (CHAP challenge/response among
# them), so turn it off in production or keep the log file root-only.
debug
#lock
# Publish the client's address on the LAN via proxy ARP so LAN hosts can
# reach it; this only works when "ip range" lies inside the LAN subnet.
proxyarp
# Wait up to 5000 ms for the peer's first PPP packet.
connect-delay 5000
# Accept only MS-CHAPv2: refuse clear-text PAP and the weaker MS-CHAPv1.
refuse-pap
refuse-mschap
require-mschap-v2
# Keep pppd alive and re-open the link instead of exiting when it drops.
persist
# See "debug" above regarding what ends up in this file.
logfile /var/log/xl2tpd.log
8.编辑ipsec配置文件并修改
[root@localhost ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/
# NOTE(review): ipsec.conf(5) writes the parameters of a section on indented
# lines; the indentation appears to have been lost in this listing — compare
# with the file on disk before copying it.
config setup
# Normally, pluto logs via syslog.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug="control parsing"
# plutodebug="all crypt"
# NOTE(review): the next line does what the comment above warns against — it
# turns on pluto debug logging permanently. The default is plutodebug=none;
# remove the line (or set it to none) once the tunnel works, as the output is
# large and ends up in the system log.
plutodebug=netkey
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
# Directory pluto may write core dumps into.
dumpdir=/var/run/pluto/
# Private ranges a NATed client (right=%any) may appear to come from. As the
# comment above says, exclude the server's own LAN here so a client's inner
# address cannot collide with it (the server's left= address in the conn file
# is 192.168.5.111, so presumably %v4:!192.168.5.0/24 — confirm your subnet).
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
#virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
# The L2TP connections are defined in /etc/ipsec.d/l2tp-ipsec.conf (next step).
include /etc/ipsec.d/*.conf
9.编辑l2tp-ipsec.conf配置文件并修改
[root@localhost ~]# cat /etc/ipsec.d/l2tp-ipsec.conf
# L2TP/IPsec transport-mode connections, included from /etc/ipsec.conf.
# NOTE(review): ipsec.conf(5) expects the parameter lines of a conn to be
# indented; the indentation appears lost in this paste — check the file on disk.
conn L2TP-PSK-NAT
# Variant for clients behind NAT: any client address, and UDP encapsulation
# forced even when NAT is not detected.
rightsubnet=0.0.0.0/0
# Dead-peer detection: probe every 10 s, give up after 20 s and clear the SA
# so stale client state does not accumulate on the server.
dpddelay=10
dpdtimeout=20
dpdaction=clear
forceencaps=yes
# Everything else is inherited from the noNAT conn below.
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
# Pre-shared key from /etc/ipsec.d/*.secrets; note it is the same key for
# every client (%any).
authby=secret
# No Perfect Forward Secrecy required on the phase-2 (ESP) exchange — usual
# for L2TP because many clients do not offer it, but ESP keys then derive
# from the IKE SA rather than a fresh DH exchange. Consider pfs=yes if all
# of your clients support it — TODO confirm.
pfs=no
# Load the conn at startup and wait for clients to initiate (responder role).
auto=add
keyingtries=3
# The server does not initiate rekeying; presumably the client does — confirm.
rekey=no
ikelifetime=8h
keylife=1h
# Transport mode protects only the L2TP packets between the two endpoints;
# routing of the clients' traffic is handled by PPP, not by IPsec.
type=transport
# The server's own address (private/NATed here) — adjust to this host.
left=192.168.5.111
leftprotoport=17/1701
# Any client, from any UDP source port (NATed clients may not use 1701).
right=%any
rightprotoport=17/%any
10.设置预共享密钥PSK
[root@localhost ~]# cat /etc/ipsec.d/default.secrets
# A single pre-shared key for every peer (%any %any). Replace "xxxxxxxxx"
# with a long random string — this key is all that authenticates IKE phase 1
# to anyone on the Internet — and keep the file readable by root only (0600).
%any %any : PSK "xxxxxxxxx"
11.设置用户名密码
[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
# One line per VPN user: <username> <server> <password> <allowed client IPs>;
# "*" matches any server name / any address. The line below contains
# placeholders (用户名 = username, 密码 = password). Passwords are stored in
# clear text, so keep this file readable by root only (chmod 600).
用户名 * 密码 *
12.CentOS7 防火墙设置
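# CentOS 7 firewalld rules for the L2TP/IPsec gateway.
# IKE (500/udp), NAT-T (4500/udp) and ESP/AH are all covered by firewalld's
# predefined "ipsec" service.
firewall-cmd --permanent --add-service=ipsec
# 4500/udp is already part of the ipsec service above; kept as a harmless
# duplicate in case a customised service definition omits it.
firewall-cmd --permanent --add-port=4500/udp
# L2TP (1701/udp) must NOT be opened unconditionally: that also accepts
# unencrypted L2TP from any host on the Internet, bypassing IPsec and leaving
# PPP CHAP as the only protection. Accept it only for packets that arrived
# inside an IPsec SA (iptables "policy" match). firewalld on CentOS 7 uses
# the iptables backend, so a direct rule can express this; rich rules cannot.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
  -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
# NAT the VPN clients' traffic when it leaves the server; required for them
# to reach anything beyond the server itself.
firewall-cmd --permanent --add-masquerade
# Apply the --permanent changes to the running firewall.
firewall-cmd --reload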
13.系统内核设置
# Kernel parameters for the L2TP/IPsec gateway. They belong in
# /etc/sysctl.conf, which is what the following `sysctl -p` reloads (files
# under /etc/sysctl.d/ need `sysctl --system` instead).
# Forward packets between the pppX links and the LAN — mandatory for a VPN gateway.
net.ipv4.ip_forward = 1
# accept_redirects / send_redirects = 0: neither honour nor emit ICMP
# redirects (hardening; redirects could otherwise alter the routing table).
# rp_filter = 0: disable reverse-path (source address) filtering. Needed
# because IPsec-decapsulated and pppX traffic does not pass the strict
# check, but it also removes the kernel's anti-spoofing check on every
# listed interface; prefer loose mode (rp_filter = 2) if it works in your
# setup — TODO confirm.
# "all" applies to every existing interface, "default" to interfaces created
# later (e.g. ppp0, which only exists once a client is connected).
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
# The per-interface entries below are the author's (eth0..eth2, ip_vti0,
# ppp0); replace them with your own interface names. `sysctl -p` presumably
# reports an error for interfaces that do not exist at load time — confirm.
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0
sysctl -p # load /etc/sysctl.conf into the running kernel without a reboot (use `sysctl --system` if the settings were placed under /etc/sysctl.d/)
14.启动ipsec服务
# Enable Libreswan's IKE daemon at boot, then start it now. The two steps are
# issued separately because CentOS 7's systemd appears to predate
# `systemctl enable --now`; each command runs regardless of the other's result.
for action in enable start; do
  systemctl "$action" ipsec.service
done
15.ipsec verify # 检查命令
遇到问题解决办法(灵活运用)
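# Disable reverse-path filtering on the interface carrying the VPN traffic.
# The author's interface is eth3; substitute your own. This takes effect
# immediately but does not survive a reboot — keep the matching
# net.ipv4.conf.<iface>.rp_filter line in the sysctl configuration as well.
# Bug fixed: the note "我这里是eth3" used to follow the redirect unquoted, so
# echo wrote "0 我这里是eth3" into the sysctl file instead of "0".
echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter  # eth3 is the author's interface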
16.启动xl2tp服务
# Enable the L2TP daemon at boot, then start it now. Issued as two separate
# commands (CentOS 7's systemd appears to predate `systemctl enable --now`);
# each runs regardless of the other's result.
for action in enable start; do
  systemctl "$action" xl2tpd.service
done
17.l2tp搭建完毕 至于客户端连接 遇到问题百度即可 哈哈
18.脚本下载地址https://blog.51cto.com/5001660/2296490