Installing an IPsec/L2TP VPN on CentOS 5.5


Categories: VPS, proxies | Comments: No Comments | Author: bake | Published: April 2, 2011

Continuing to tinker with the Linode VPS: last time I worked through the Linode VPS (LAMP + PPTP VPN) configuration notes, and this time I go a step further and set up an IPsec/L2TP VPN. This post records the installation steps and the problems I ran into. The working environment is Linode VPS + CentOS 5.5 32-bit.

I. Deploying IPsec: installing Openswan

1. Dependencies

yum install make gcc gmp-devel bison flex

2. Build and install

cd /usr/src

wget http://m.wendangku.net/doc/a96280492b160b4e767fcf44.html/download/openswan-2.6.24.tar.gz

tar zxvf openswan-2.6.24.tar.gz

cd openswan-2.6.24

make programs install

3. Configuration

vi /etc/ipsec.conf

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

4. Set the shared key

vi /etc/ipsec.secrets

YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"

5. Adjust the packet forwarding settings

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

6. Restart IPsec and test

/etc/init.d/ipsec restart

ipsec verify


II. Installing L2TP

1. Dependencies


2. Build and install

cd /usr/src

wget http://m.wendangku.net/doc/a96280492b160b4e767fcf44.html/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz

tar zxvf rp-l2tp-0.4.tar.gz

cd rp-l2tp-0.4

./configure

make

cp handlers/l2tp-control /usr/local/sbin/

mkdir /var/run/xl2tpd/

ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

cd /usr/src

wget http://m.wendangku.net/doc/a96280492b160b4e767fcf44.html/software/xl2tpd/xl2tpd-1.2.4.tar.gz

tar zxvf xl2tpd-1.2.4.tar.gz

cd xl2tpd-1.2.4

make install

3. Configuration

mkdir /etc/xl2tpd

vi /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.254
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

4. Edit the ppp options

vi /etc/ppp/options.xl2tpd

require-mschap-v2

ms-dns 8.8.8.8

ms-dns 8.8.4.4

asyncmap 0

auth

crtscts

lock

hide-password

modem

debug

name l2tpd

proxyarp

lcp-echo-interval 30

lcp-echo-failure 4

5. Add a username and password

vi /etc/ppp/chap-secrets

# user server password ip

username l2tpd userpass *

6. Enable packet forwarding

iptables --table nat --append POSTROUTING --jump MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

7. Edit /etc/sysctl.conf

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 0

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

8. Start xl2tpd

/usr/local/sbin/xl2tpd


III. Finishing up

Make everything start at boot:

vi /etc/rc.local

iptables --table nat --append POSTROUTING --jump MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

/etc/init.d/ipsec restart

/usr/local/sbin/xl2tpd
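A post-install audit for the steps above, added here as an example and not part of the original post: it checks that the two secrets files are readable by root only and no longer hold the template values, that forwarding and the ICMP redirect settings match the sysctl/rc.local steps, and that the POSTROUTING MASQUERADE rule is limited to the VPN pool (the bare rule used above NATs every source that can route through the box). The script name vpn-audit.sh, the outbound interface eth0 and the rule text used in the comments are assumptions.

```shell
#!/bin/sh
# vpn-audit.sh: post-install checks for the IPsec/L2TP setup above (added example).
# Paths are the ones this post uses; eth0 is an assumed outbound interface.

# check_secret_file FILE PLACEHOLDER
# 0 when FILE exists, is readable by root only (mode 600 or 400) and no
# longer contains the PLACEHOLDER value copied from the template.
check_secret_file() {
    file=$1 placeholder=$2
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")  # GNU, then BSD stat
    case $mode in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600"; return 1 ;;
    esac
    if grep -qF "$placeholder" "$file"; then
        echo "$file: still holds template value $placeholder"; return 1
    fi
}

# check_forwarding: ip_forward on and ICMP redirects off on every interface,
# which is what the sysctl and rc.local steps above are meant to achieve.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] ||
        { echo "ip_forward is off"; return 1; }
    for each in /proc/sys/net/ipv4/conf/*; do
        [ "$(cat "$each/accept_redirects")$(cat "$each/send_redirects")" = 00 ] ||
            { echo "$each: ICMP redirects still enabled"; return 1; }
    done
}

# masquerade_is_scoped RULES
# RULES is the output of `iptables -t nat -S POSTROUTING`. Succeeds only if no
# MASQUERADE rule lacks a source (-s) match; the bare rule above NATs everything.
masquerade_is_scoped() {
    ! printf '%s\n' "$1" | grep -- '-j MASQUERADE' | grep -vq -- ' -s '
}

main() {
    rc=0
    check_secret_file /etc/ipsec.secrets YourSharedSecret || rc=1
    check_secret_file /etc/ppp/chap-secrets userpass || rc=1
    check_forwarding || rc=1
    masquerade_is_scoped "$(iptables -t nat -S POSTROUTING)" ||
        { echo "unscoped MASQUERADE; use: iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE"; rc=1; }
    return $rc
}

# Run the audit only when executed as vpn-audit.sh; sourcing only defines the functions.
case $0 in *vpn-audit.sh) main ;; esac
```

Run it as root after the rc.local step; a non-zero exit means at least one of the checks printed a finding.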


IV. Known problems

1. Connections fail from behind Great Wall Broadband (长宽). The IP address gets interfered with, just as Great Wall Broadband users cannot look up their real IP at http://m.wendangku.net/doc/a96280492b160b4e767fcf44.html (although Gmail does record the real IP).

Server-side error log:

the peer proposed: <server IP>/32:17/1701 -> 175.189.178.120/32:17/0

peer proposal was reject in a virtual connection policy because

a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)

Addendum 1:

I blamed Great Wall Broadband unfairly. The message above does not actually mean that the connection failure comes from the way the Great Wall Broadband equipment allocates IPs. Last night I read a lot of material and found that quite a few people hit this problem; the cause is a bug in openswan itself. In the end I rebuilt and installed openswan-2.6.28 in place of openswan-2.6.24 and the problem was neatly solved. After L2TP connects successfully, the secure log can still contain the misleading entry above.

Addendum 2:

The state after a successful IPsec/L2TP VPN install on Linode VPS + CentOS 5.5

2. L2TP VPN error 768

The IPSEC Services service had been turned off. Run services.msc and enable "IPSEC Services" in the list of services.


90% of the above is copied from "Linode CentOS / Debian 部署ipsec+l2tpd 简要笔记" (brief notes on deploying ipsec+l2tpd on Linode CentOS/Debian), with some parts taken from "CentOS安装L2TP/IPSEC 与简单故障处理" (installing L2TP/IPSEC on CentOS and simple troubleshooting).
