CentOS6.10 L2TP 服务端安装

下面文章来自shiyiwen:

https://www.cnblogs.com/shiyiwen/p/5826412.html

-----------------------------------------------------------------------

废话不多说直接上步骤。

server

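# Install the EPEL repository package. The URL below is the one from the
# original post (the spaces that copy/paste inserted into it are removed);
# it is fetched over plain HTTP, so check the package signature with
# `rpm -K` before installing, or use an https mirror if one is available.
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

# Install the L2TP/IPsec stack: openswan (IKE/IPsec), pppd and xl2tpd (L2TP)
yum install openswan ppp xl2tpd -y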

 vim /etc/ipsec.conf

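# /etc/ipsec.conf — openswan configuration for an L2TP/IPsec server that
# authenticates clients with a pre-shared key (PSK). The stray spaces
# around "=" and inside values in the original post (e.g. "10.0.0.0 /8")
# are copy/paste artefacts and have been removed; openswan would not
# parse them.
config setup
     nat_traversal=yes
     # Private (RFC 1918) ranges that clients behind NAT may present as
     # their inner address
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     oe=off
     protostack=netkey
conn L2TP-PSK-NAT
     rightsubnet=vhost:%priv
     also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
     # A single PSK (from /etc/ipsec.secrets) is shared by every client,
     # so anyone who learns it can bring up a tunnel: keep it long and
     # random and rotate it when a client is retired.
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     rekey=no
     ikelifetime=8h
     keylife=1h
     # NOTE(review): no ike=/phase2alg= is set, so openswan's default
     # proposals apply — pin explicit algorithms if all clients support them.
     type=transport
     # Replace with the server's public IP; the author used a private
     # address because this was an internal test
     left=192.168.42.191
     leftprotoport=17/1701
     # Accept IKE from any peer address
     right=%any
     rightprotoport=17/%any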

vim /etc/ipsec.secrets

192.168.42.191 %any: PSK  "shiyiwen"        #修改ip 和 密码

把如下添加进 /etc/sysctl.conf         #注意顺序

# Kernel parameters for the L2TP/IPsec server — append to /etc/sysctl.conf
# and apply with `sysctl -p`. The original post notes that the order of
# these lines matters.
# Forward packets between the ppp interfaces and the LAN (gateway role)
net.ipv4.ip_forward = 1
# Reverse-path filtering off for new interfaces — presumably so VPN
# traffic with asymmetric routes is not dropped. This weakens the kernel's
# own anti-spoofing check, so keep the FORWARD rules from the iptables
# section in place.
net.ipv4.conf.default.rp_filter = 0
# Do not emit ICMP redirects towards VPN clients
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# log_martians = 0 silences logging of packets with impossible source
# addresses; set it to 1 if those syslog lines feed your monitoring
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# Refuse source-routed packets and ICMP redirects from the network
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

 sysctl -p 刷新

启动ipsec 和xl2tpd 应用

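# Start the IPsec daemon and xl2tpd, then enable both at boot. The
# init-script path in the original post contained stray spaces
# ("/etc/init .d /xl2tpd"), which would not resolve.
ipsec restart
/etc/init.d/xl2tpd start

chkconfig xl2tpd on
chkconfig ipsec on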

使用ipsec verify查看状态 (关闭selinux 和iptables 如果要开iptables 本文下面有全的)

enabled 没有管,因为后面也可以连接成功,内核参数也是设置对的。有知道的通知望告诉我。

/etc/xl2tpd/xl2tpd.conf 这里的配置文件可以配置分配的网段还有一些其他参数。默认可以不配置。

接下来配置ppp协议

vim /etc/ppp/chap-secrets  #配置用户名和密码其实还有权限。

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
# One line per VPN user. "*" in the server column matches any server
# name; "*" in the IP addresses column lets the client take whatever
# address pppd assigns. The password is kept in clear text, so this file
# must stay root-only (mode 0600). "yingzi" is the sample from the post.
   admin *  "yingzi"  *

重启xl2tpd 服务

 ===============================================================

client:

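# Install the EPEL repository (the original post only had the comment; this
# is the same package the server section installs)
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

# Client side: the same xl2tpd daemon is used as the L2TP client (LAC);
# pppd is needed on both ends
yum install xl2tpd ppp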

 vim /etc/xl2tpd/xl2tpd.conf

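; /etc/xl2tpd/xl2tpd.conf on the client: one [lac <name>] section per
; tunnel. "sywvpn" is the name passed to the l2tp-control commands below.
; The spaces inside the path and value in the original post
; ("/etc/ppp/peers/sywvpn .l2tpd", "yes ;") are copy/paste artefacts.
[lac sywvpn]
name = admin;
; Address of the L2TP server (LNS) — the server's left= address
lns = 192.168.42.191;
; pppd options file used for this tunnel
pppoptfile = /etc/ppp/peers/sywvpn.l2tpd;
; Verbose pppd logging; presumably goes to syslog — switch off once the
; tunnel is stable
ppp debug = yes;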

 vim /etc/ppp/peers/sywvpn.l2tpd

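# /etc/ppp/peers/sywvpn.l2tpd — pppd options for the tunnel. The values
# below correspond to what was configured on the server. In the original
# post "remotename sywvpn" was glued onto this comment line by an HTML
# <br>, so pppd would have ignored it; it is on its own line here.
# NOTE(review): confirm remotename matches the name the server looks the
# credentials up under.
remotename sywvpn
user "admin"
# Clear-text credential — keep this file readable by root only (mode 0600)
password "yingzi"
unit 0
lock
nodeflate
nobsdcomp
# noauth: the client does not require the peer to authenticate itself;
# the IPsec PSK is the only check on the server's identity in this setup
noauth
persist
nopcomp
noaccomp
# Verbose negotiation logging; disable once the tunnel works
debug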

 #启动客户端

/etc/init .d /xl2tpd  start

# 启动还没开始拨号。

开始拨号

echo  'c sywvpn'  /var/run/xl2tpd/l2tp-control

# 查看client拨号日志

Aug 31 15:38:59 app7 xl2tpd[3464]: Connecting to host 192.168.42.191, port 1701
Aug 31 15:38:59 app7 xl2tpd[3464]: Connection established to 192.168.42.191, 1701.  Local: 52638, Remote: 44491 (ref=0 /0 ).
Aug 31 15:38:59 app7 xl2tpd[3464]: Calling on tunnel 52638
Aug 31 15:38:59 app7 xl2tpd[3464]: Call established with 192.168.42.191, Local: 28263, Remote: 3204, Serial: 2 (ref=0 /0 )
Aug 31 15:38:59 app7 pppd[4629]: pppd 2.4.5 started by root, uid 0
Aug 31 15:38:59 app7 pppd[4629]: Using interface ppp0
Aug 31 15:38:59 app7 pppd[4629]: Connect: ppp0 <-->  /dev/pts/2
Aug 31 15:39:02 app7 pppd[4629]: CHAP authentication succeeded: Access granted
Aug 31 15:39:02 app7 pppd[4629]: CHAP authentication succeeded
Aug 31 15:39:02 app7 pppd[4629]:  local   IP address 192.168.1.128
Aug 31 15:39:02 app7 pppd[4629]: remote IP address 192.168.1.99

 #查看server端日志

Aug 31 15:38:41 Monitor xl2tpd[30013]: control_finish: Connection closed to 172.16.38.7, port 1701 (Goodbye!), Local: 63296, Remote: 51768   #之前断的
Aug 31 15:38:59 Monitor xl2tpd[30013]: Connection established to 172.16.38.7, 1701.  Local: 44491, Remote: 52638 (ref=0 /0 ).  LNS session is  'default'
Aug 31 15:38:59 Monitor xl2tpd[30013]: Call established with 172.16.38.7, Local: 3204, Remote: 28263, Serial: 2
Aug 31 15:38:59 Monitor pppd[30138]: pppd 2.4.5 started by root, uid 0
Aug 31 15:38:59 Monitor pppd[30138]: Using interface ppp0
Aug 31 15:38:59 Monitor pppd[30138]: Connect: ppp0 <-->  /dev/pts/1
Aug 31 15:39:02 Monitor pppd[30138]: Cannot determine ethernet address  for  proxy ARP
Aug 31 15:39:02 Monitor pppd[30138]:  local   IP address 192.168.1.99
Aug 31 15:39:02 Monitor pppd[30138]: remote IP address 192.168.1.128

#ifconfig 客户端

ppp0      Link encap:Point-to-Point Protocol 
           inet addr:192.168.1.128  P-t-P:192.168.1.99  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
           RX packets:1341 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1341 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:3
           RX bytes:112434 (109.7 KiB)  TX bytes:112440 (109.8 KiB)

 #ping 服务端

[root@app7 var] # ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99) 56(84) bytes of data.
64 bytes from 192.168.1.99: icmp_seq=1 ttl=64  time =4.26 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=64  time =4.01 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=64  time =3.88 ms
64 bytes from 192.168.1.99: icmp_seq=4 ttl=64  time =3.91 ms
64 bytes from 192.168.1.99: icmp_seq=5 ttl=64  time =3.86 m

#断开拨号

echo  'd sywvpn'  /var/run/xl2tpd/l2tp-control

 #查看该文件应该属于数据库过度文件

prw------- 1 root root 0 Aug 31 15:38  /var/run/xl2tpd/l2tp-control

# 网上解释如下

管道(FIFO,pipe)
用来解决多个程序同时访问一个文件所造成的错误问题,first-in-first-out(FIFO),第一属性为 (p)
=================================================配置 iptables 来自网络======服务端的哦===========
 
 
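# NAT the VPN client subnet out of eth0 and allow it to be forwarded.
# Replace 192.168.7.0/24 with the range xl2tpd hands out and eth0 with the
# real uplink interface. These -s/-d rules accept everything to and from
# the VPN subnet; narrow them if clients should only reach part of the LAN.
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.7.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.7.0/24 -j ACCEPT
# Persist the running rules. A bare `iptables-save` only prints to stdout,
# and the restart below reloads /etc/sysconfig/iptables — which would
# discard the rules just added — so write the dump into that file first.
iptables-save > /etc/sysconfig/iptables
service iptables restart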

192.168.7.0/24根据实际情况替换。

vi /etc/sysconfig/iptables 看到的应该是类似这样。
最上面先是nat规则,下面是filter规则。
下面filter表里,先把VPN要用到的udp端口1701,500,4500都打开。要用openvpn的话,还要开1194。
另外filter表里,一定要有FORWARD规则。这点在网上好几个教程里都没说!坑死人。

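# Reference ruleset only — the original author warns newcomers not to copy
# it blindly. Rule order matters: the REJECT rule must stay last in each
# chain, otherwise the ACCEPTs after it never match.
*nat
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade the VPN client subnet out of the uplink interface
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
# Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management and unrelated services (22, 80, 53, 1194 for OpenVPN) — drop
# the lines for services this host does not actually run
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# L2TP/IPsec: L2TP (1701/udp), IKE (500/udp) and NAT-T (4500/udp).
# NOTE(review): the 1701 rule as written also accepts L2TP that did not
# arrive inside IPsec; `-m policy --dir in --pol ipsec` on that rule
# restricts it to decrypted traffic if every client uses IPsec.
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
# In the original post this line was fused onto the end of the 4500 rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD rules for the VPN subnet — without them clients cannot reach the
# LAN (the author notes several tutorials omit this)
-A FORWARD -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 28 15:50:40 2012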

                                                              by:V


下面文章来自shiyiwen:

https://www.cnblogs.com/shiyiwen/p/5826412.html

-----------------------------------------------------------------------

废话不多说直接上步骤。

server

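# Install the EPEL repository package. The URL below is the one from the
# original post (the spaces that copy/paste inserted into it are removed);
# it is fetched over plain HTTP, so check the package signature with
# `rpm -K` before installing, or use an https mirror if one is available.
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

# Install the L2TP/IPsec stack: openswan (IKE/IPsec), pppd and xl2tpd (L2TP)
yum install openswan ppp xl2tpd -y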

 vim /etc/ipsec.conf

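# /etc/ipsec.conf — openswan configuration for an L2TP/IPsec server that
# authenticates clients with a pre-shared key (PSK). The stray spaces
# around "=" and inside values in the original post (e.g. "10.0.0.0 /8")
# are copy/paste artefacts and have been removed; openswan would not
# parse them.
config setup
     nat_traversal=yes
     # Private (RFC 1918) ranges that clients behind NAT may present as
     # their inner address
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     oe=off
     protostack=netkey
conn L2TP-PSK-NAT
     rightsubnet=vhost:%priv
     also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
     # A single PSK (from /etc/ipsec.secrets) is shared by every client,
     # so anyone who learns it can bring up a tunnel: keep it long and
     # random and rotate it when a client is retired.
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     rekey=no
     ikelifetime=8h
     keylife=1h
     # NOTE(review): no ike=/phase2alg= is set, so openswan's default
     # proposals apply — pin explicit algorithms if all clients support them.
     type=transport
     # Replace with the server's public IP; the author used a private
     # address because this was an internal test
     left=192.168.42.191
     leftprotoport=17/1701
     # Accept IKE from any peer address
     right=%any
     rightprotoport=17/%any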

vim /etc/ipsec.secrets

192.168.42.191 %any: PSK  "shiyiwen"        #修改ip 和 密码

把如下添加进 /etc/sysctl.conf         #注意顺序

# Kernel parameters for the L2TP/IPsec server — append to /etc/sysctl.conf
# and apply with `sysctl -p`. The original post notes that the order of
# these lines matters.
# Forward packets between the ppp interfaces and the LAN (gateway role)
net.ipv4.ip_forward = 1
# Reverse-path filtering off for new interfaces — presumably so VPN
# traffic with asymmetric routes is not dropped. This weakens the kernel's
# own anti-spoofing check, so keep the FORWARD rules from the iptables
# section in place.
net.ipv4.conf.default.rp_filter = 0
# Do not emit ICMP redirects towards VPN clients
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# log_martians = 0 silences logging of packets with impossible source
# addresses; set it to 1 if those syslog lines feed your monitoring
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# Refuse source-routed packets and ICMP redirects from the network
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

 sysctl -p 刷新

启动ipsec 和xl2tpd 应用

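# Start the IPsec daemon and xl2tpd, then enable both at boot. The
# init-script path in the original post contained stray spaces
# ("/etc/init .d /xl2tpd"), which would not resolve.
ipsec restart
/etc/init.d/xl2tpd start

chkconfig xl2tpd on
chkconfig ipsec on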

使用ipsec verify查看状态 (关闭selinux 和iptables 如果要开iptables 本文下面有全的)

enabled 没有管,因为后面也可以连接成功,内核参数也是设置对的。有知道的通知望告诉我。

/etc/xl2tpd/xl2tpd.conf 这里的配置文件可以配置分配的网段还有一些其他参数。默认可以不配置。

接下来配置ppp协议

vim /etc/ppp/chap-secrets  #配置用户名和密码其实还有权限。

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
# One line per VPN user. "*" in the server column matches any server
# name; "*" in the IP addresses column lets the client take whatever
# address pppd assigns. The password is kept in clear text, so this file
# must stay root-only (mode 0600). "yingzi" is the sample from the post.
   admin *  "yingzi"  *

重启xl2tpd 服务

 ===============================================================

client:

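# Install the EPEL repository (the original post only had the comment; this
# is the same package the server section installs)
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

# Client side: the same xl2tpd daemon is used as the L2TP client (LAC);
# pppd is needed on both ends
yum install xl2tpd ppp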

 vim /etc/xl2tpd/xl2tpd.conf

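; /etc/xl2tpd/xl2tpd.conf on the client: one [lac <name>] section per
; tunnel. "sywvpn" is the name passed to the l2tp-control commands below.
; The spaces inside the path and value in the original post
; ("/etc/ppp/peers/sywvpn .l2tpd", "yes ;") are copy/paste artefacts.
[lac sywvpn]
name = admin;
; Address of the L2TP server (LNS) — the server's left= address
lns = 192.168.42.191;
; pppd options file used for this tunnel
pppoptfile = /etc/ppp/peers/sywvpn.l2tpd;
; Verbose pppd logging; presumably goes to syslog — switch off once the
; tunnel is stable
ppp debug = yes;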

 vim /etc/ppp/peers/sywvpn.l2tpd

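# /etc/ppp/peers/sywvpn.l2tpd — pppd options for the tunnel. The values
# below correspond to what was configured on the server. In the original
# post "remotename sywvpn" was glued onto this comment line by an HTML
# <br>, so pppd would have ignored it; it is on its own line here.
# NOTE(review): confirm remotename matches the name the server looks the
# credentials up under.
remotename sywvpn
user "admin"
# Clear-text credential — keep this file readable by root only (mode 0600)
password "yingzi"
unit 0
lock
nodeflate
nobsdcomp
# noauth: the client does not require the peer to authenticate itself;
# the IPsec PSK is the only check on the server's identity in this setup
noauth
persist
nopcomp
noaccomp
# Verbose negotiation logging; disable once the tunnel works
debug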

 #启动客户端

/etc/init .d /xl2tpd  start

# 启动还没开始拨号。

开始拨号

echo  'c sywvpn'  /var/run/xl2tpd/l2tp-control

# 查看client拨号日志

Aug 31 15:38:59 app7 xl2tpd[3464]: Connecting to host 192.168.42.191, port 1701
Aug 31 15:38:59 app7 xl2tpd[3464]: Connection established to 192.168.42.191, 1701.  Local: 52638, Remote: 44491 (ref=0 /0 ).
Aug 31 15:38:59 app7 xl2tpd[3464]: Calling on tunnel 52638
Aug 31 15:38:59 app7 xl2tpd[3464]: Call established with 192.168.42.191, Local: 28263, Remote: 3204, Serial: 2 (ref=0 /0 )
Aug 31 15:38:59 app7 pppd[4629]: pppd 2.4.5 started by root, uid 0
Aug 31 15:38:59 app7 pppd[4629]: Using interface ppp0
Aug 31 15:38:59 app7 pppd[4629]: Connect: ppp0 <-->  /dev/pts/2
Aug 31 15:39:02 app7 pppd[4629]: CHAP authentication succeeded: Access granted
Aug 31 15:39:02 app7 pppd[4629]: CHAP authentication succeeded
Aug 31 15:39:02 app7 pppd[4629]:  local   IP address 192.168.1.128
Aug 31 15:39:02 app7 pppd[4629]: remote IP address 192.168.1.99

 #查看server端日志

Aug 31 15:38:41 Monitor xl2tpd[30013]: control_finish: Connection closed to 172.16.38.7, port 1701 (Goodbye!), Local: 63296, Remote: 51768   #之前断的
Aug 31 15:38:59 Monitor xl2tpd[30013]: Connection established to 172.16.38.7, 1701.  Local: 44491, Remote: 52638 (ref=0 /0 ).  LNS session is  'default'
Aug 31 15:38:59 Monitor xl2tpd[30013]: Call established with 172.16.38.7, Local: 3204, Remote: 28263, Serial: 2
Aug 31 15:38:59 Monitor pppd[30138]: pppd 2.4.5 started by root, uid 0
Aug 31 15:38:59 Monitor pppd[30138]: Using interface ppp0
Aug 31 15:38:59 Monitor pppd[30138]: Connect: ppp0 <-->  /dev/pts/1
Aug 31 15:39:02 Monitor pppd[30138]: Cannot determine ethernet address  for  proxy ARP
Aug 31 15:39:02 Monitor pppd[30138]:  local   IP address 192.168.1.99
Aug 31 15:39:02 Monitor pppd[30138]: remote IP address 192.168.1.128

#ifconfig 客户端

ppp0      Link encap:Point-to-Point Protocol 
           inet addr:192.168.1.128  P-t-P:192.168.1.99  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
           RX packets:1341 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1341 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:3
           RX bytes:112434 (109.7 KiB)  TX bytes:112440 (109.8 KiB)

 #ping 服务端

[root@app7 var] # ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99) 56(84) bytes of data.
64 bytes from 192.168.1.99: icmp_seq=1 ttl=64  time =4.26 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=64  time =4.01 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=64  time =3.88 ms
64 bytes from 192.168.1.99: icmp_seq=4 ttl=64  time =3.91 ms
64 bytes from 192.168.1.99: icmp_seq=5 ttl=64  time =3.86 m

#断开拨号

echo  'd sywvpn'  /var/run/xl2tpd/l2tp-control

 #查看该文件应该属于数据库过度文件

prw------- 1 root root 0 Aug 31 15:38  /var/run/xl2tpd/l2tp-control

# 网上解释如下

管道(FIFO,pipe)
用来解决多个程序同时访问一个文件所造成的错误问题,first-in-first-out(FIFO),第一属性为 (p)
=================================================配置 iptables 来自网络======服务端的哦===========
 
 
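# NAT the VPN client subnet out of eth0 and allow it to be forwarded.
# Replace 192.168.7.0/24 with the range xl2tpd hands out and eth0 with the
# real uplink interface. These -s/-d rules accept everything to and from
# the VPN subnet; narrow them if clients should only reach part of the LAN.
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.7.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.7.0/24 -j ACCEPT
# Persist the running rules. A bare `iptables-save` only prints to stdout,
# and the restart below reloads /etc/sysconfig/iptables — which would
# discard the rules just added — so write the dump into that file first.
iptables-save > /etc/sysconfig/iptables
service iptables restart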

192.168.7.0/24根据实际情况替换。

vi /etc/sysconfig/iptables 看到的应该是类似这样。
最上面先是nat规则,下面是filter规则。
下面filter表里,先把VPN要用到的udp端口1701,500,4500都打开。要用openvpn的话,还要开1194。
另外filter表里,一定要有FORWARD规则。这点在网上好几个教程里都没说!坑死人。

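# Reference ruleset only — the original author warns newcomers not to copy
# it blindly. Rule order matters: the REJECT rule must stay last in each
# chain, otherwise the ACCEPTs after it never match.
*nat
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade the VPN client subnet out of the uplink interface
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
# Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management and unrelated services (22, 80, 53, 1194 for OpenVPN) — drop
# the lines for services this host does not actually run
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# L2TP/IPsec: L2TP (1701/udp), IKE (500/udp) and NAT-T (4500/udp).
# NOTE(review): the 1701 rule as written also accepts L2TP that did not
# arrive inside IPsec; `-m policy --dir in --pol ipsec` on that rule
# restricts it to decrypted traffic if every client uses IPsec.
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
# In the original post this line was fused onto the end of the 4500 rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD rules for the VPN subnet — without them clients cannot reach the
# LAN (the author notes several tutorials omit this)
-A FORWARD -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 28 15:50:40 2012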

                                                              by:V


转载自www.cnblogs.com/mind-water/p/9431078.html