
Setting up an L2TP/IPsec service on CentOS

L2TP Layer 2 Tunneling Protocol

Set up an L2TP service in a CentOS 7 virtual machine.

Configure the virtual machine network

Switch the VMware network connection to bridged mode and give the VM a static IP address.

vi /etc/sysconfig/network-scripts/ifcfg-ens33

Change the following:

BOOTPROTO: change from dhcp to static

IPADDR: your own LAN address

DNS: the host machine's DNS server

If ping www.163.com succeeds, the VM has Internet access.

Install packages

Clear the yum cache

# yum clean all

Rebuild the cache and install the packages

# yum makecache

# yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel
# yum install -y epel-release
# yum install xl2tpd
# yum install libreswan
# vi /etc/ipsec.conf

config setup
# Normally, pluto logs via syslog.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug="control parsing"
# plutodebug="all crypt"
plutodebug=none
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

Create a new connection file

# vi /etc/ipsec.d/l2tp_psk.conf

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=no
ikelifetime=8h
keylife=1h
type=transport
# 192.168.1.40 is the server's LAN NIC IP address (ens33)
left=192.168.1.40
leftprotoport=17/1701
right=%any
rightprotoport=17/%any

Create the pre-shared key

# vi /etc/ipsec.d/ipsec.secrets

The address is the server's LAN NIC IP, i.e. the address of ens33.

#include /etc/ipsec.d/*.secrets
192.168.1.40 %any: PSK "123456"

Start the IPsec service

systemctl enable ipsec
systemctl start ipsec

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-862.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

ICMP default/accept_redirects [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens33/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OBSOLETE]
003 WARNING: using a weak secret (PSK)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'

ipsec verify: encountered 11 errors - see 'man ipsec_verify' for help

Adjust the kernel parameters

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
# sysctl -p

Running ipsec verify again now shows that the settings have taken effect.
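An added offline audit, not part of the original post, covering the pre-shared key step above and this sysctl step: audit_sysctl checks a sysctl.conf for exactly the values ipsec verify complained about (for all, default and each interface named on the command line), audit_psk flags short PSKs like the "123456" used above, and write_psk_secret generates a random 32-character PSK into a root-only secrets file. The function names and the 20-character minimum are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: offline audit of the sysctl and
# PSK files edited above. Assumes coreutils (head, base64, tr) and awk.

# Print the last value assigned to key $2 in sysctl file $1 (empty when unset).
sysctl_get() {
    awk -F '[ \t]*=[ \t]*' -v k="$2" '
        { sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }' "$1"
}

# Report "key: want X, have Y" when a key is missing or wrong; sets rc=1.
sysctl_check() {
    v=$(sysctl_get "$file" "$1")
    if [ "$v" != "$2" ]; then echo "$1: want $2, have ${v:-unset}"; rc=1; fi
}

# audit_sysctl FILE IFACE... ; exit 0 only when every setting is in place.
audit_sysctl() {
    file=$1; shift; rc=0
    sysctl_check net.ipv4.ip_forward 1
    for s in all default; do
        sysctl_check "net.ipv4.conf.$s.send_redirects" 0
        sysctl_check "net.ipv4.conf.$s.accept_redirects" 0
    done
    # rp_filter uses the max of all/ and <iface>/, so each NIC must be 0 too
    for s in all default "$@"; do
        sysctl_check "net.ipv4.conf.$s.rp_filter" 0
    done
    return $rc
}

# audit_psk FILE [MINLEN] ; fails when any PSK "..." is shorter than MINLEN (20).
audit_psk() {
    awk -v m="${2:-20}" '
        /^[ \t]*#/ { next }
        match($0, /PSK[ \t]*"[^"]*"/) {
            psk = substr($0, RSTART, RLENGTH); sub(/^PSK[ \t]*"/, "", psk); sub(/"$/, "", psk)
            if (length(psk) < m) { print "line " NR ": PSK is only " length(psk) " chars"; bad++ }
        }
        END { exit bad > 0 }' "$1"
}

# gen_psk: 24 random bytes as 32 base64 characters; write_psk_secret FILE IP
# writes the libreswan secrets line for that server address, mode 0600.
gen_psk() { head -c 24 /dev/urandom | base64 | tr -d '\n'; }
write_psk_secret() { ( umask 077; printf '%s %%any: PSK "%s"\n' "$2" "$(gen_psk)" > "$1" ); }
```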

Edit the L2TP configuration file

# vi /etc/xl2tpd/xl2tpd.conf

[global]
; server's LAN NIC IP address (ens33)
listen-addr = 192.168.1.40
ipsec saref = yes

[lns default]
; ip range: the address pool assigned to clients after they connect to this server
ip range = 192.168.1.50-192.168.1.60
local ip = 192.168.1.99

Edit the xl2tpd PPP options file

# vi /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 192.168.1.1

Add a username

# vi /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client server secret IP addresses
test * 111111 *

Start xl2tpd

# systemctl start xl2tpd
# systemctl enable xl2tpd

Install iptables

# yum install iptables
# yum install iptables-services

Disable firewalld

systemctl stop firewalld
systemctl mask firewalld

Set the iptables rules

View the existing rules

iptables -L -n

Set the INPUT policy to accept everything

iptables -P INPUT ACCEPT

Flush all rules in the default chains

iptables -F

Remove all user-defined chains

iptables -X

Zero all counters

iptables -Z

Enable address translation (NAT)

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ens33 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT

iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT

iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

service iptables save
systemctl restart iptables
systemctl enable iptables
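An added check, not part of the original post, that reads an iptables-save dump such as the rule set above: it verifies that the IKE (udp/500), NAT-T (udp/4500), ESP and policy-matched udp/1701 accepts are present, and flags any INPUT rule that accepts udp/1701 without `-m policy --pol ipsec`. The rule set above contains one such rule (the second 1701 line); it lets xl2tpd accept L2TP that never passed through IPsec, so only the policy-matched form should be kept. The function name and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit_l2tp_rules FILE
# FILE is iptables-save output; exit 0 only when the L2TP/IPsec accept
# rules are complete and no unprotected udp/1701 accept exists.
audit_l2tp_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }       # *nat, *filter, ...
        # only filter-table INPUT rules that jump to ACCEPT are of interest
        table != "filter" || $1 != "-A" || $2 != "INPUT" || $0 !~ / -j ACCEPT/ { next }
        / -p udp / && /--dport 500( |$)/  { ike = 1 }
        / -p udp / && /--dport 4500( |$)/ { natt = 1 }
        / -p esp /                        { esp = 1 }
        / -p udp / && /--dport 1701( |$)/ {
            if (/--pol ipsec/) l2tp = 1
            else { print "unprotected L2TP accept: " $0; bad++ }
        }
        END {
            if (!ike)  { print "missing: udp/500 (IKE)"; bad++ }
            if (!natt) { print "missing: udp/4500 (NAT-T)"; bad++ }
            if (!esp)  { print "missing: esp"; bad++ }
            if (!l2tp) { print "missing: udp/1701 with -m policy --pol ipsec"; bad++ }
            exit bad > 0
        }' "$1"
}
```

Run it as `iptables-save > /tmp/rules && audit_l2tp_rules /tmp/rules` after `service iptables save`.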

If you use a cloud server, the Alibaba Cloud firewall (security group) must additionally open UDP ports 1701, 500 and 4500 beyond the basic ports.