L2tp/Ipsec 配置
L2tp/Ipsec vpn
# modprobe ppp-compress-18 && echo yes \\ 查看主机是否支持pptp,返回结果为yes就表示通过
# cat /dev/net/tun \\ 返回结果为cat: /dev/net/tun: File descriptor in bad state。就表示通过。
# yum install epel-release \\ epel源
# yum install xl2tpd libreswan \\ libreswan 提供ipsec xl2tpd提供l2tp
# vim /etc/xl2tpd/xl2tpd.conf \\ l2tp 主配置文件 替换即可
; /etc/xl2tpd/xl2tpd.conf - L2TP daemon configuration (replaces the stock file).
; xl2tpd itself does no encryption: UDP 1701 carries plain L2TP and is protected
; only by the IPsec transport-mode policy (conn l2tp-psk in /etc/ipsec.conf),
; so the host INPUT rule for udp/1701 should admit IPsec-decapsulated packets
; only (iptables "-m policy --dir in --pol ipsec") rather than any source.
[global]
; UDP port the L2TP listener binds; must match leftprotoport=17/1701 in ipsec.conf
port = 1701
; default L2TP network server: one PPP session per connecting client
[lns default]
; addresses handed to PPP clients
; NOTE(review): the same range is used as rightaddresspool in ipsec.conf
; (conn xauth-psk); if L2TP and XAUTH clients connect at the same time the two
; daemons can hand out the same address - consider splitting the pool
ip range = 172.16.10.201-172.16.10.250
; server-side address of the PPP links
local ip = 172.16.10.254
; CHAP is mandatory and PAP (cleartext password) is refused; the method is
; narrowed further to MS-CHAPv2 by /etc/ppp/options.xl2tpd
require chap = yes
refuse pap = yes
require authentication = yes
; local name used for authentication (the sample /etc/ppp/chap-secrets entry
; uses "*" in the server field, so it matches any name)
name = l2tpd
; pppd options file applied to every session
pppoptfile = /etc/ppp/options.xl2tpd
; include the length field in L2TP data packets
length bit = yes
# vim /etc/ppp/options.xl2tpd \\ 替换即可
# /etc/ppp/options.xl2tpd - pppd options for every xl2tpd session (named by
# pppoptfile in /etc/xl2tpd/xl2tpd.conf); replaces the stock file.
# require the peer to authenticate with MS-CHAPv2 (no plain CHAP/PAP)
+mschap-v2
# accept the peer's idea of the local/remote address during IPCP if it insists
ipcp-accept-local
ipcp-accept-remote
# no CCP negotiation: PPP compression (and MPPE) is off; confidentiality is
# provided by the IPsec layer, not by PPP
noccp
# the peer must authenticate before the link is usable
auth
# reduced MTU/MRU to leave room for the L2TP+UDP+ESP headers
mtu 1280
mru 1280
# add an ARP entry for the client's pool address so the LAN can reach it
proxyarp
# send an LCP echo every 30 s; drop the link after 4 unanswered echoes
lcp-echo-failure 4
lcp-echo-interval 30
# wait up to 5000 ms for the peer's first PPP packet after connecting
connect-delay 5000
# DNS servers pushed to clients (Google public DNS); use internal resolvers
# if client lookups must not leave the organisation
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# vim /etc/ipsec.conf \\ ipsec主配置文件 config setup 和 conn 行必须顶格,其下的参数行必须缩进,注意格式 leftid是外网ip 替换即可
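# /etc/ipsec.conf - libreswan configuration (replaces the stock file).
# Layout matters: "config setup" and "conn <name>" start in column 0 and every
# parameter under them must be indented, otherwise libreswan rejects the file.
# Replace leftid with the server's public address.
version 2.0

config setup
    # private ranges clients may sit behind; the VPN pool's own subnet is excluded
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.10.0/24
    protostack=netkey
    interfaces=%defaultroute
    # several clients present the same ID (%any with a shared PSK); do not let a
    # new connection tear down an existing one with that ID
    uniqueids=no

# settings shared by both connection types below (pulled in via also=shared)
conn shared
    left=%defaultroute
    # public IP the server identifies itself with; must match what clients expect
    leftid=47.91.219.64
    right=%any
    encapsulation=yes
    # pre-shared key from /etc/ipsec.secrets; one key is shared by every client,
    # so treat it as a group secret and rotate it whenever a client is removed
    authby=secret
    # pfs=no, ikev2=never, SHA-1 and modp1024 are kept only because stock
    # L2TP/IPsec clients (Windows/iOS/Android) negotiate IKEv1 with these
    # proposals; they are the weakest part of this setup - do not loosen further
    pfs=no
    rekey=no
    keyingtries=5
    # dead peer detection: probe every 30 s, clear the SA after 120 s of silence
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikev2=never
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
    sha2-truncbug=no

# L2TP over IPsec: transport-mode protection of UDP 1701 only; the PPP session
# and the user authentication are handled by xl2tpd / pppd
conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    phase2=esp
    also=shared

# IKEv1 XAUTH ("Cisco IPsec") clients: user/password checked against libreswan's
# xauth password file (xauthby=file), address and DNS pushed via mode config
conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    # NOTE(review): same pool as "ip range" in /etc/xl2tpd/xl2tpd.conf; concurrent
    # L2TP and XAUTH clients could be given the same address - split the ranges
    rightaddresspool=172.16.10.201-172.16.10.250
    modecfgdns="8.8.8.8 8.8.4.4"
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    # IKE fragmentation and the Cisco Unity vendor ID for compatibility with
    # mobile / Cisco-style clients
    ike-frag=yes
    cisco-unity=yes
    also=shared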
# vim /etc/ppp/chap-secrets \\ 密码文件
# /etc/ppp/chap-secrets - PPP (MS-CHAPv2) users, one per line:
# client   server   secret   allowed-IPs   ("*" = any)
# Passwords are stored in clear text: keep the file root-owned with mode 600
# and replace the sample "Teo@123" before exposing the server.
admin * Teo@123 *
# vim /etc/ipsec.secrets \\ 秘钥文件
# /etc/ipsec.secrets - IKE pre-shared key. "%any %any" means every peer shares
# this single key, so it should be long and random and the file root-only
# (mode 600); the sample "Teo@1234" is a placeholder to be replaced.
%any %any : PSK "Teo@1234"
# vim /etc/sysctl.conf \\ 追加 注意网卡名字
# /etc/sysctl.conf - kernel settings appended for the VPN host (apply with sysctl -p).
# The per-interface entries below name ens33, virbr0, virbr0-nic and ip_vti0;
# rename them to the interfaces actually present on the host, otherwise
# sysctl -p reports errors for the missing ones.
# System V IPC limits (not VPN related; kept from the stock CentOS file)
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# route packets between VPN clients and the LAN/Internet; works together with
# the FORWARD and MASQUERADE iptables rules
net.ipv4.ip_forward = 1
# refuse source-routed packets and ICMP redirects, and send no redirects;
# these are the values "ipsec verify" expects
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# reverse-path filtering off: decrypted IPsec traffic would otherwise be
# dropped as spoofed; anti-spoofing then relies on the iptables rules
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
# same settings per interface (the "all"/"default" values do not override an
# interface that was already configured)
net.ipv4.conf.ens33.send_redirects = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.virbr0.accept_redirects = 0
net.ipv4.conf.virbr0.rp_filter = 0
net.ipv4.conf.virbr0.send_redirects = 0
net.ipv4.conf.virbr0-nic.accept_redirects = 0
net.ipv4.conf.virbr0-nic.rp_filter = 0
net.ipv4.conf.virbr0-nic.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
# socket buffer sizes (throughput tuning, not security)
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
# sysctl -p
# systemctl restart ipsec \\ 500 4500 udp端口被监听 防火墙需要放行(下面的iptables命令只放行了1701,500/4500需另行添加) 否则手机端连接不上
# systemctl restart xl2tpd \\ 1701 udp端口被监听
# systemctl enable ipsec
# systemctl enable xl2tpd
# ipsec verify
# iptables -I INPUT 4 -m state --state NEW -p udp --dport 1701 -j ACCEPT
# iptables -I FORWARD -s 172.16.10.0/24 -j ACCEPT
# iptables -I FORWARD -d 172.16.10.0/24 -j ACCEPT
# iptables -t nat -I POSTROUTING -s 172.16.10.0/24 -o ens33 -j MASQUERADE \\ 注意 网卡名字
注:
1 Windows 连接 l2tp/ipsec 需要修改注册表 保存.reg导入即可 需重启电脑
Windows Registry Editor Version 5.00
; Import on the Windows client (reboot required) to connect to an L2TP/IPsec
; server that is reached through NAT.
; NOTE(review): ProhibitIpSec=1 stops Windows from applying its built-in
; L2TP/IPsec policy and defers to a local/AD IPsec policy; after importing,
; confirm in the VPN connection's security settings that IPsec with the
; pre-shared key is still negotiated, otherwise L2TP would run unprotected.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000001
; 2 = allow both the client and the server to sit behind NAT (UDP-encapsulated ESP)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
2 如使用firewalld防火墙 可关闭 换成iptables 命令如下
# systemctl disable firewalld.service \\ 关闭firewalld 开机启动
# systemctl stop firewalld.service \\ 停止服务 停止后iptables会被清空
# yum install iptables-services \\ 安装iptables防火墙
# systemctl restart iptables
# iptables-restore < /data/iptables.bak \\ 导入已保存的 iptables规则文件
# systemctl enable iptables \\ 开机启动
3 日志文件位置
# tail /var/log/messages