I. Installing Openswan
1. Install openswan
# yum install openswan
2. Configure ipsec.conf
# vi /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT        # defines a VPN connection; L2TP-PSK-noNAT is the name of this connection
    authby=secret
    pfs=no
    auto=add               # after ipsec starts, this VPN connection is loaded and waits for peers
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=211.139.209.6     # VPN server IP
    leftprotoport=17/1701  # VPN server port (UDP 1701, L2TP)
    right=%any             # this VPN setup is fairly simple, so only the server side is pinned down
    rightprotoport=17/%any
    # enable DPD (dead peer detection)
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
(Parameter lines inside a config or conn section must be indented; a line starting in column 1 begins a new section.)
3. Set the IPsec pre-shared key
# vi /etc/ipsec.secrets
# include /etc/ipsec.d/*.secrets
YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"
# Example: 211.139.209.6 %any: PSK "password"
(The quotes delimit the secret; do not leave stray spaces inside them, as they become part of the key.)
4. Adjust the packet-forwarding related kernel settings
# disable ICMP redirects on every interface (ipsec verify checks this for the NETKEY stack)
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
5. Restart IPsec and verify
# service ipsec restart
[root@localhost conf]# ipsec verify
If it is running correctly, you will get output similar to the following:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.09/K2.6.25-14.fc9.i686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost [MISSING]
Does the machine have at least one non-private address? [FAILED]
# If the verification result looks like the above, it is fine; the last two items have no effect.
Fixing verification failures
1. Two or more interfaces found, checking IP forwarding [FAILED]
Fix:
Run:
# echo 1 > /proc/sys/net/ipv4/ip_forward   # no service restart needed
Then run cat /proc/sys/net/ipv4/ip_forward; if it returns 1, the setting is correct.
2. Checking that pluto is running [FAILED]
Fix:
In the /var/run/pluto directory run ipsec pluto; the system will generate the pluto.ctl file automatically. Then run ipsec verify again.
II. Installing L2TP
1. Install xl2tpd
# yum install xl2tpd
2. Configure xl2tpd
# vi /etc/xl2tpd/xl2tpd.conf
[global]

[lns default]
; ip range: addresses the server hands to clients after the VPN connects;
; this range must not overlap the LAN subnet
ip range = 172.16.1.3-172.16.1.254
; local ip: the VPN server's own address inside the tunnel
local ip = 172.16.1.2
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
(xl2tpd.conf comments start with ";" on their own line; a "#" appended to a value line would be read as part of the value.)
3. Edit the ppp configuration
# vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8      # DNS address handed to clients
ms-dns 8.8.4.4
#ms-wins 192.168.1.2
#ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
4. Add user names and passwords
# vi /etc/ppp/chap-secrets
# user      server   password   ip
username    *        userpass   *
# sets the user name and password used to connect to the VPN; "*" in the server and ip columns means any L2TP server name and any assigned address
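Added example (written for this page; it is not part of the original tutorial or of the Openswan/xl2tpd projects): a POSIX shell script that provisions the two secrets files from section I.3 (ipsec.secrets) and this section (chap-secrets) instead of editing them by hand, generating a random pre-shared key rather than a word like "password" and leaving both files readable by root only. The helper names, the user name vpnuser and the placeholder server address 203.0.113.10 are assumptions; the demo writes only to a temporary directory, so pass the real /etc paths when running it on the server.

```shell
#!/bin/sh
# Provision /etc/ipsec.secrets and /etc/ppp/chap-secrets for the L2TP/IPsec setup.
# Added example; file paths and names below are assumptions for illustration.
set -e

# Generate a random pre-shared key (32 bytes, base64 encoded).
# Falls back to /dev/urandom if openssl is not installed.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# write_psk FILE SERVER_IP PSK
# Writes the 'SERVER %any: PSK "secret"' line from the guide, keeps the
# include line, and creates the file with mode 600 from the start.
write_psk() {
    file=$1; server=$2; psk=$3
    ( umask 077
      printf '# include /etc/ipsec.d/*.secrets\n%s %%any: PSK "%s"\n' "$server" "$psk" > "$file" )
    chmod 600 "$file"
}

# add_chap_user FILE USER PASSWORD
# Appends 'user * "password" *' (any server, any assigned IP) as in the
# guide's chap-secrets; refuses a user name that is already present.
add_chap_user() {
    file=$1; user=$2; pass=$3
    [ -f "$file" ] || ( umask 077; printf '# user server password ip\n' > "$file" )
    if grep -q "^$user[[:space:]]" "$file"; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    printf '%s * "%s" *\n' "$user" "$pass" >> "$file"
    chmod 600 "$file"
}

# count_chap_users FILE: number of non-comment entries, for a quick sanity check.
count_chap_users() {
    grep -cv '^[[:space:]]*#' "$1" || true
}

# Demonstration on constructed temporary files; never touches /etc.
demo() {
    dir=$(mktemp -d)
    write_psk "$dir/ipsec.secrets" 203.0.113.10 "$(gen_psk)"   # placeholder server IP
    add_chap_user "$dir/chap-secrets" vpnuser "$(gen_psk)"
    cat "$dir/ipsec.secrets" "$dir/chap-secrets"
    echo "chap users: $(count_chap_users "$dir/chap-secrets")"
    rm -rf "$dir"
}
```

On the server the same functions are called with /etc/ipsec.secrets and /etc/ppp/chap-secrets; the generated PSK must then be entered on every client, so record it somewhere access-controlled rather than in the tutorial's plain "password" form.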
5. Enable packet forwarding
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
6. Edit /etc/sysctl.conf
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
7. Start xl2tpd
# service xl2tpd restart
III. Run automatically at boot
vi /etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
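Added example (not from the original tutorial): a shell script that applies the kernel settings from the rc.local block above and then re-checks them the same way ipsec verify reports them in section I.5 ("checking IP forwarding", "testing for disabled ICMP send_redirects/accept_redirects"), so a [FAILED] item can be traced to the exact interface and knob. The ROOT argument and the constructed directory tree under mktemp are assumptions that let the checks run without root; with an empty ROOT the functions read and write the real /proc/sys.

```shell
#!/bin/sh
# Apply and verify the forwarding / ICMP-redirect settings the guide relies on.
# Added example; the ROOT prefix is an assumption so the checks can be run
# against a constructed copy of /proc/sys instead of the live kernel.

# read_val ROOT PATH: print the file's content, or "missing" if unreadable.
read_val() {
    if [ -r "$1$2" ]; then cat "$1$2"; else echo missing; fi
}

# check_forwarding ROOT: net.ipv4.ip_forward must be 1 (return 0 if OK).
check_forwarding() {
    if [ "$(read_val "$1" /proc/sys/net/ipv4/ip_forward)" = 1 ]; then
        echo "IP forwarding [OK]"
        return 0
    fi
    echo "IP forwarding [FAILED]  (fix: echo 1 > /proc/sys/net/ipv4/ip_forward)"
    return 1
}

# check_redirects ROOT: every interface must have accept_redirects and
# send_redirects at 0. Returns the number of failing files (0 means OK).
check_redirects() {
    bad=0
    for each in "$1"/proc/sys/net/ipv4/conf/*; do
        for knob in accept_redirects send_redirects; do
            v=$(read_val "" "$each/$knob")
            if [ "$v" != 0 ]; then
                echo "$(basename "$each") $knob=$v [FAILED]"
                bad=$((bad + 1))
            fi
        done
    done
    [ "$bad" -eq 0 ] && echo "ICMP redirects disabled on all interfaces [OK]"
    return "$bad"
}

# apply_hardening ROOT: the rc.local lines from the guide (the iptables
# MASQUERADE rule is left out because it has no file under /proc/sys to check).
apply_hardening() {
    echo 1 > "$1/proc/sys/net/ipv4/ip_forward"
    for each in "$1"/proc/sys/net/ipv4/conf/*; do
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

# make_fake_tree: constructed /proc/sys copy with two interfaces, all settings
# correct; prints the root directory so callers can alter it and run the checks.
make_fake_tree() {
    root=$(mktemp -d)
    for i in all eth0; do
        mkdir -p "$root/proc/sys/net/ipv4/conf/$i"
        echo 0 > "$root/proc/sys/net/ipv4/conf/$i/accept_redirects"
        echo 0 > "$root/proc/sys/net/ipv4/conf/$i/send_redirects"
    done
    echo 1 > "$root/proc/sys/net/ipv4/ip_forward"
    echo "$root"
}

# Demonstration: break one knob in the fake tree, show the failure, repair it.
demo() {
    r=$(make_fake_tree)
    echo 1 > "$r/proc/sys/net/ipv4/conf/eth0/send_redirects"
    check_redirects "$r" || echo "-> applying hardening"
    apply_hardening "$r"
    check_forwarding "$r"
    check_redirects "$r"
    rm -rf "$r"
}
```

On a live server run check_forwarding "" and check_redirects "" after boot; if either reports [FAILED], the rc.local block above did not run or a later script re-enabled the setting, which is worth knowing before touching the IPsec configuration itself.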
IV. Testing whether the connection dials successfully
L2TP client settings on Windows 7:
1. Right-click the VPN connection you created, open Properties, and click the "Security" tab
2. Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
3. Data encryption: Require encryption (disconnect if server declines)
4. Advanced settings: Use preshared key for authentication
5. Create an L2TP VPN tunnel
Edit the registry: Start >> Run >> regedit.exe, then locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters, and add or change the value ProhibitIpSec (type DWORD) to 1
When done, test whether the connection works; if it still fails to connect, reboot the computer and try again.