CentOS L2TP/IPSEC服务搭建

L2TP Layer 2 Tunneling Protocol

在CentOS 7虚拟机环境中，搭建一个L2TP服务。

设置虚拟机网络

VMware连接方式改为桥接模式，并设定IP地址为静态方式。

vi /etc/sysconfig/network-scripts/ifcfg-ens33

修改如下内容：

BOOTPROTO由之前的dhcp改为static

IPADDR就填自己的内网地址

DNS改为宿主机的DNS

ping www.163.com如果通的，表示可以联网了。

安装软件包

清缓存

# yum clean all

建缓存

# yum makecache

# yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel
# yum install -y epel-release
# yum install xl2tpd
# yum install libreswan

# vi /etc/ipsec.conf

config setup
        # Normally, pluto logs via syslog.
        #logfile=/var/log/pluto.log
        #
        # Do not enable debug options to debug configuration issues!
        #
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        plutodebug=none
        #
        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least up to 2015)
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

新建文件

# vi /etc/ipsec.d/l2tp_psk.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # 192.168.1.40 服务器内网网卡IP地址, ens33的地址
    left=192.168.1.40
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

新建预共享密钥

# vi /etc/ipsec.d/ipsec.secrets

服务器内网网卡IP地址, ens33的地址

#include /etc/ipsec.d/*.secrets
192.168.1.40 %any: PSK "123456"

启动加密服务

systemctl enable ipsec
systemctl start ipsec

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.25 (netkey) on 3.10.0-862.el7.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects            	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED]
 /proc/sys/net/ipv4/conf/ens33/rp_filter          	[ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter        	[ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OBSOLETE]
  003 WARNING: using a weak secret (PSK)
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OBSOLETE KEYWORD]
 Warning: ignored obsolete keyword 'nat_traversal'

ipsec verify: encountered 11 errors - see 'man ipsec_verify' for help

修改内核

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filte = 0

# sysctl -p

再ipsec verify时，已经成功生效

修改l2tp配置文件

# vi /etc/xl2tpd/xl2tpd.conf

[global]
; 服务器内网网卡IP地址, ens33的地址
listen-addr = 192.168.1.40
ipsec saref = yes

[lns default]
; ip range 客户端连接到此服务器后分配为客户端的ip地址范围
ip range = 192.168.1.50-192.168.1.60
local ip = 192.168.1.99

修改xl2tpd属性配置文件

# vi /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns  192.168.1.1

添加用户名

# vi /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
test            *       111111                  *

启动xl2tpd

# systemctl start xl2tpd
# systemctl enable xl2tpd

安装iptables

# yum install iptables
# yum install iptables-services

禁用firewalld

systemctl stop firewalld
systemctl mask firewalld

设置iptables规则

查看现有规则

iptables -L -n

允许所有

iptables -P INPUT ACCEPT

清空所有默认规则

iptables -F

清空所有自定义规则

iptables -X

所有计数器清零

iptables -Z

开启地址转换
172.16.0.0/12

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ens33 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
 
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
 
iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

service iptables save
systemctl restart iptables
systemctl enable iptables

如果要使用云服务器，阿里云的防火墙需要开通除了基础端口以外的1701, 500, 4500的udp端口。