CentOS 配置 L2TP/IPSEC

安装ppp

# yum -y install ppp

安装openswan

# yum -y install openswan

安装xl2tpd

# yum -y install xl2tpd

配置ipsec

# cd /etc/ipsec.d/
# vim l2tp_psk.conf

添加如下内容:(其中x.x.x.x是你服务器的真实ip地址)

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=x.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

配置预共享秘钥

# cd /etc/ipsec.d/
# vim l2tp.secrets

添加如下内容:(其中x.x.x.x是你服务器的真实ip地址)

x.x.x.x  %any:  PSK "passwd"

修改内核配置

执行下面的命令开启内核转发和禁止ICP redirects

# echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
# echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
# echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
# for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

然后运行sysctl -p使之生效

防止重启失效,请将如下命令加到开机启动项

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP%

设置ipsec开机启动

# chkconfig ipsec on

启动ipsec

# service ipsec start

验证ipsec运行状态

# ipsec verify

verify的内容如下所示

Verifying installed system and configuration files

Version check and ipsec on-path                    [OK]
Libreswan 3.15 (netkey) on 2.6.32-573.el6.x86_64
Checking for IPsec support in kernel               [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects               [OK]
ICMP default/accept_redirects             [OK]
XFRM larval drop                          [OK]
Pluto ipsec.conf syntax                            [OK]
Hardware random device                             [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                 [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter         [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter            [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter            [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                     [OK]
Pluto listening for IKE on udp 500                [OK]
Pluto listening for IKE/NAT-T on udp 4500         [OK]
Pluto ipsec.secret syntax                         [OK]
Checking 'ip' command                              [OK]
Checking 'iptables' command                        [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options           [OK]
Opportunistic Encryption                           [DISABLED]

配置xl2tp

编辑xl2tpd.conf配置文件

# vim /etc/xl2tpd/xl2tpd.conf

修改如下内容:

[global]
ipsec saref = yes
listen-addr = x.x.x.x;服务器地址
[lns default]
ip range = 192.168.1.2-192.168.1.100;这里是VPN client的内网ip地址范围
local ip = 192.168.1.1 ;这里是VPN server的内网地址
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

编辑options.xl2tpd

# vim /etc/ppp/options.xl2tpd

增加一行内容如下,开启支持Windows

require-mschap-v2

设置xl2tp开机启动

# chkconfig xl2tpd on

启动xl2tp

# service xl2tpd start

iptables开启NAT转发

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

由于重启服务器,该配置会失效,所以需要保存配置

# service iptables save

或者将此命令加到开机启动项中

# echo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE >> /etc/rc.local

但是不建议采取这种方式,因为你有时候会修改iptables,重启iptables的话,就失效了,建议采用第一种。

防火墙添加如下规则

防火墙开放1701、500、4500三个udp端口

-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT

另外,默认的centos 6自带的防火墙规则中以下规则需要注释掉,不然连接上pptp上不了网

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

重启防火墙

# service iptables restart

配置客户端连接此pptp服务器
配置账号

# vim /etc/ppp/chap-secrets

如下示例

user *   password    *

或者

user *   password    192.168.1.99

这两个区别在于,第一个是自动分配ip,第二个是固定ip

如果配置完成拨入后,访问外网速度很慢,可以运行如下指令

# iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
改变TCP最大分段值