OS: CentOS 7 x86_64
1. Install the IPsec service
1.1 Install openswan
1. Install gmp with yum
2. Install flex with yum
3. Download openswan (2.6.49) from https://www.openswan.org/
4. make programs
5. make install
1.2 Edit /etc/ipsec.conf
1. Copy the conn L2TP-PSK-NAT and conn L2TP-PSK-noNAT sections from /etc/ipsec.d/examples/l2tp-psk.conf directly into the file
2. Change left=YourGatewayIP, replacing YourGatewayIP with the server's IP address
1.3 Edit /etc/ipsec.secrets
1. Add the following line (the PSK keyword is required by the ipsec.secrets format):
<server IP> %any: PSK "<connection secret>"
1.4 Edit /etc/sysctl.conf
1. Add the following:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
2. Run sysctl -p to apply the settings
1.5 Verify the IPsec service
service ipsec restart
ipsec verify
Check the output for any check that reports fail
2. Install the L2TP service
2.1 Install the packages
yum install -y epel-release
yum install -y xl2tpd ppp lsof
2.2 Edit /etc/xl2tpd/xl2tpd.conf
# change the following settings
[global]
listen-addr = <server IP>
ipsec saref = yes
force userspace = yes
2.3 Edit /etc/ppp/options.xl2tpd
# add the following
name l2tpd
require-mschap-v2
ms-dns 8.8.4.4
2.4 Configure the username and password
Edit /etc/ppp/chap-secrets
# client        server  secret                  IP addresses
username * password *
# server and IP addresses can simply be replaced with *
2.5 Start the service
service xl2tpd start
3. Firewall changes
Run the following commands:
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -d 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
4開(kāi)機(jī)自動(dòng)啟動(dòng)
systemctl enable ipsec
systemctl enable xl2tpd
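A post-install check for the files this guide edits, written as an added example (not part of the original guide): it confirms the sysctl keys from section 1.4 end up with the values the guide sets, that the clear-text secrets files (/etc/ipsec.secrets, /etc/ppp/chap-secrets) are not group/world readable, and that every chap-secrets entry has the four fields from section 2.4. It assumes GNU stat (CentOS coreutils) and takes the file to inspect as an argument, so it can also run against copies.

```sh
#!/bin/sh
# Post-install sanity check for the L2TP/IPsec setup above.
# Added example, not part of the original guide; the expected values
# are the ones the guide sets. Each function takes the file path to check.

# check_sysctl FILE: every key the guide adds to /etc/sysctl.conf must be
# present in FILE with the expected value. sysctl applies the last
# occurrence of a key, so the final match is the one compared. Returns 0 if all match.
check_sysctl() {
    rc=0
    for kv in net.ipv4.ip_forward=1 \
              net.ipv4.conf.default.accept_redirects=0 \
              net.ipv4.conf.default.send_redirects=0 \
              net.ipv4.conf.eth0.rp_filter=0 \
              net.ipv4.conf.default.rp_filter=0; do
        key="${kv%%=*}"
        want="${kv#*=}"
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots literally
        # accept "key=1" as well as "key = 1"; capture the value after '='
        got=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "sysctl: $key is '${got:-unset}', want $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_secret_perms FILE: ipsec.secrets and chap-secrets hold shared secrets
# in clear text, so group/other must have no access (mode 0600 or stricter).
check_secret_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400|200|0) return 0 ;;
        *) echo "perms: $1 is mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# check_chap_secrets FILE: each non-comment, non-blank line must have the four
# fields of the guide's format (client server secret IP). Returns 0 if so.
check_chap_secrets() {
    awk '/^[[:space:]]*(#|$)/ { next }
         NF != 4 { bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}
```

Run it after section 4 as `check_sysctl /etc/sysctl.conf && check_secret_perms /etc/ipsec.secrets && check_secret_perms /etc/ppp/chap-secrets && check_chap_secrets /etc/ppp/chap-secrets`; a non-zero exit names the offending setting on stderr.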