The Layer 2 Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that communicates over UDP port 1701. L2TP itself provides no encryption at all; to get confidentiality and integrity the L2TP packets are wrapped in IPsec, which is the L2TP/IPsec combination set up on this page.
For L2TP use xl2tpd; project site: http://www.xelerance.com/services/software/xl2tpd/
For IPsec use openswan, which provides the IPsec encryption; project site: http://www.openswan.org/code/ . From CentOS 7 onwards the ipsec service package is libreswan, which replaced openswan (the `ipsec verify` output further down reports Libreswan 3.15 even on this el6 host, so late CentOS 6 updates already ship libreswan under the openswan package name).
1. Environment
Server external address, eth1: 10.15.44.132/24
Server internal address, eth2: 192.168.184.128/24
VPN client pool: 10.0.0.0/16
[root@L2TP-VPN ~]# yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
I. Install lsof: without it, `ipsec verify` (run below, after openswan is configured) reports an error.
[root@L2TP-VPN ~]# yum install lsof -y
II. Install and configure openswan
1. Install
[root@L2TP-VPN ~]# yum -y install openswan
2. Configure
Edit the main ipsec configuration file:
[root@localhost ~]# cp /etc/ipsec.conf{,.20161207bak}
[root@localhost ~]# vim /etc/ipsec.conf    # note: indentation matters in this file
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT       # defines one VPN connection; L2TP-PSK-noNAT is the name of the connection
    authby=secret
    pfs=no
    auto=add              # once ipsec starts, the connection is loaded and waits for a peer to initiate
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=10.15.44.132     # the VPN server's external IP
    leftprotoport=17/1701 # server-side protocol/port: 17 is the protocol number (UDP), 1701 the port
    right=%any            # only one side is fixed in this simple setup, so any client address may connect
    rightprotoport=17/%any
    # enable DPD
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    #leftnexthop=%defaultroute
    #rightnexthop=%defaultroute

[root@localhost ~]# cp /etc/ipsec.secrets{,.20161207bak}
[root@localhost ~]# vim /etc/ipsec.secrets    # set the IPsec pre-shared key
include /etc/ipsec.d/*.secrets
10.15.44.132 %any: PSK "PASSWORD"             # format: <external IP> %any: PSK "<pre-shared key>"

Every client shares this one PSK, so it is the whole of the IKE authentication: replace "PASSWORD" with a long random string before going live and keep /etc/ipsec.secrets mode 0600 (pluto reads it as root).

[root@localhost ~]# for each in /proc/sys/net/ipv4/conf/*
> do
>   echo 0 > $each/accept_redirects
>   echo 0 > $each/send_redirects
> done
[root@localhost ~]# service ipsec restart    # restart IPsec; same as "ipsec restart". The "Missing control file" line on stop only means pluto was not running yet
Missing control file /var/run/pluto/pluto.ctl - is pluto running?
Starting pluto IKE daemon for IPsec: . [  OK  ]
[root@localhost ~]# ipsec restart
Redirecting to: service ipsec stop
Shutting down pluto IKE daemon
002 shutting down
Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec: . [  OK  ]
[root@localhost ~]# ipsec verify    # if everything is running the output looks like this:
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-642.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secrets syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

ipsec verify: encountered 7 errors - see 'man ipsec_verify' for help
[root@localhost ~]# chkconfig ipsec on

The rp_filter complaints are dealt with by the sysctl settings in the packet-forwarding section below; the kernel uses the larger of conf/all/rp_filter and the per-interface value, so both have to be 0 for the warning on lo and eth1 to go away.
Problems encountered:
1. Two or more interfaces found, checking IP forwarding [FAILED]
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
2. Checking that pluto is running [FAILED]
[root@localhost ~]# cd /var/run/pluto/
[root@localhost pluto]# ipsec pluto
[root@localhost pluto]# ls
pluto.ctl  pluto.pid
[root@localhost pluto]# ipsec verify
Launching pluto by hand like this is only a quick way to get `ipsec verify` past that check; for normal operation start it through `service ipsec start` so the daemon runs with the service's options and is restarted on boot.
III. Install and configure ppp: provides username/password authentication
[root@localhost ~]# yum -y install ppp
[root@localhost ~]# rpm -qa | grep -i ppp
rp-pppoe-3.10-16.el6.x86_64
ppp-2.4.5-10.el6.x86_64
[root@localhost ~]# vim /etc/ppp/options.xl2tpd    # if the file does not exist, just create it
require-mschap-v2
ms-dns 192.168.100.189    # DNS server addresses handed to clients
ms-dns 202.96.209.133
#ms-wins 192.168.1.2
#ms-wins 192.168.1.4
noccp
#asyncmap 0
auth
crtscts
#lock
#hide-password
#modem
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#name xl2tpd
lock
proxyarp
connect-delay 5000
#lcp-echo-interval 30
#lcp-echo-failure 4
[root@localhost ~]# vim /etc/ppp/chap-secrets    # add username/password pairs (the credentials clients log in with)
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
# user      server    password  ip
justin      *         51cto     *
#justin     xl2tpd    51cto     *
# the "xl2tpd" in the server column corresponds to "name xl2tpd" in /etc/ppp/options.xl2tpd

chap-secrets stores the passwords in clear text, so keep it mode 0600. MS-CHAPv2 on its own is a weak authentication method; it is acceptable here only because the whole PPP exchange runs inside the IPsec transport-mode SA, which is also why UDP 1701 must not be reachable except through IPsec (see the firewall section).

If /etc/ppp/options.xl2tpd does not exist, create it, or copy xl2tpd-1.3.6/examples/ppp-options.xl2tpd into place.
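The two secrets files above, /etc/ipsec.secrets with its PSK "PASSWORD" and chap-secrets with 51cto, are the weakest points of this setup. The script below is an added example, not code from the original post or from the xl2tpd/libreswan projects: it generates random secrets, writes them in the same two formats the page uses, and lints both files for mode 0600 and secret length. The file paths are parameters so it can be tried in a scratch directory first; MIN_LEN and the hex-string format are this script's own choices, not something pluto or pppd require.

```shell
#!/bin/sh
# Added example: generate and lint secrets for ipsec.secrets and chap-secrets.
# Not part of the original post; MIN_LEN and the hex format are this
# script's own choices.

MIN_LEN=16   # shortest secret the linter accepts (assumption)

# 24 random bytes rendered as 48 hex characters: a 192-bit PSK, unlike "PASSWORD".
gen_secret() {
    od -An -tx1 -N 24 /dev/urandom | tr -d ' \n'
}

# Write ipsec.secrets in the form the page uses:  <server ip> %any: PSK "<secret>"
# The file is created under umask 077 and forced to mode 600: pluto runs as root,
# and nobody else needs the key that every client shares.
write_ipsec_secrets() {
    file="$1"; left_ip="$2"; psk="$3"
    ( umask 077; printf 'include /etc/ipsec.d/*.secrets\n%s %%any: PSK "%s"\n' \
        "$left_ip" "$psk" > "$file" )
    chmod 600 "$file"
}

# Append one CHAP user (client  server  secret  IP), with "*" for server and IP
# exactly as the page's chap-secrets does.  Refuses to add a duplicate user.
add_chap_user() {
    file="$1"; user="$2"; pass="$3"
    [ -f "$file" ] || ( umask 077; printf '# client\tserver\tsecret\tIP addresses\n' > "$file" )
    if grep -q "^$user[[:space:]]" "$file"; then
        echo "add_chap_user: $user already present in $file" >&2
        return 1
    fi
    printf '%s\t*\t%s\t*\n' "$user" "$pass" >> "$file"
    chmod 600 "$file"
}

# Return 0 when the file is mode 600 and every secret in it is at least MIN_LEN
# characters.  Understands both layouts: PSK "..." lines and chap-secrets columns.
lint_secrets() {
    file="$1"; rc=0
    case "$(ls -l "$file" | cut -c1-10)" in
        -rw-------) ;;
        *) echo "$file: mode is not 600" >&2; rc=1 ;;
    esac
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|include*) continue ;;
            *PSK*) secret=$(printf '%s\n' "$line" | sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p') ;;
            *)     secret=$(printf '%s\n' "$line" | awk '{print $3}' | tr -d '"') ;;
        esac
        if [ "${#secret}" -lt "$MIN_LEN" ]; then
            echo "$file: weak or unparsable secret on line: $line" >&2; rc=1
        fi
    done < "$file"
    return $rc
}

# Usage: sh secrets.sh /etc/ipsec.secrets /etc/ppp/chap-secrets 10.15.44.132 justin
if [ $# -eq 4 ]; then
    write_ipsec_secrets "$1" "$3" "$(gen_secret)"
    add_chap_user "$2" "$4" "$(gen_secret)"
    lint_secrets "$1" && lint_secrets "$2"
fi
```

Run it once against a temporary directory to see the file layout, then against the real paths; the generated CHAP password has to be copied to the client, and the PSK to every client, out of band.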
IV. Install and configure L2TP: provides the L2TP VPN service
1. Install
[root@localhost ~]# yum -y install xl2tpd
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.tuna.tsinghua.edu.cn
base                                  | 3.7 kB     00:00
extras                                | 3.4 kB     00:00
updates                               | 3.4 kB     00:00
No package xl2tpd available.
Error: Nothing to do
(xl2tpd is in EPEL, not in the base repositories, which is why yum finds nothing here; the author builds it from source instead.)
[root@localhost ~]# wget    (download URL not reproduced in the original)
[root@localhost ~]# yum install -y libpcap-devel ^C    # a build dependency of xl2tpd, make fails without it; interrupted here because the first yum command in step 1 already installed it
[root@localhost ~]# tar zxvf xl2tpd-1.3.6.tar.gz
[root@localhost ~]# cd xl2tpd-1.3.6
[root@localhost xl2tpd-1.3.6]# make
[root@localhost xl2tpd-1.3.6]# make install
[root@localhost xl2tpd-1.3.6]# mkdir /etc/xl2tpd
[root@localhost xl2tpd-1.3.6]# cp doc/l2tpd.conf.sample /etc/xl2tpd/xl2tpd.conf
[root@localhost xl2tpd-1.3.6]# cp doc/l2tp-secrets.sample /etc/xl2tpd/xl2tp-secrets
[root@localhost xl2tpd-1.3.6]# vim /etc/xl2tpd/xl2tpd.conf
[global]
; port = 1701
; the port line is commented out in the file; changing it (e.g. to 1723) does not work,
; L2TP clients expect 1701

[lns default]
; addresses the server hands to clients once a tunnel is up; must not overlap the LAN range
ip range = 10.0.0.2-10.0.255.254
; neither the external nor the internal address, but the IP of the virtual gateway;
; without it a connecting client triggers "pppd[3929]: Could not determine local IP address"
local ip = 10.0.0.1
length bit = yes
require chap = yes
refuse pap = yes
refuse authentication = yes
ppp debug = yes
name = LinuxVPNserver
pppoptfile = /etc/ppp/options.xl2tpd
[root@localhost xl2tpd-1.3.6]#
xl2tpd.conf can also be based on the default example file examples/xl2tpd.conf, which is more concise.
Enable packet forwarding
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.xfrm_larval_drop = 1
[root@localhost ~]# sysctl -p
net.ipv4.conf.default.rp_filter only seeds interfaces created after it is set; to clear the rp_filter warnings that `ipsec verify` printed for lo and eth1, net.ipv4.conf.all.rp_filter and the existing interfaces' own rp_filter entries must be 0 as well.
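The `for each in /proc/sys/net/ipv4/conf/*` loop in section II only zeroes the two ICMP redirect flags, and `ipsec verify` still flagged rp_filter on default, lo and eth1. The script below is an added example, not part of the original post: it generalises that loop to all three keys, audits the tree afterwards, and prints the lines that belong in /etc/sysctl.conf so the settings survive a reboot. PROC_ROOT is overridable so the script can be dry-run against a scratch directory; that is a testing convenience of this script, not a kernel interface.

```shell
#!/bin/sh
# Added example (not from the original post): push the per-interface values that
# "ipsec verify" checks into every /proc/sys/net/ipv4/conf/* directory and audit
# them afterwards.  PROC_ROOT is overridable for dry runs (assumption for testing).

PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4/conf}"

# key=value pairs, one per line, applied to all/default/lo/eth1/...
WANTED="accept_redirects=0
send_redirects=0
rp_filter=0"

# Write each wanted value into each interface directory.  Writing to "all" and
# "default" alone is not enough: the kernel uses the larger of all/ and the
# per-interface rp_filter value, so existing interfaces must be set too.
harden_conf_tree() {
    for dir in "$PROC_ROOT"/*; do
        [ -d "$dir" ] || continue
        printf '%s\n' "$WANTED" | while IFS='=' read -r key val; do
            if [ -w "$dir/$key" ]; then
                printf '%s\n' "$val" > "$dir/$key"
            fi
        done
    done
}

# Print every interface/key that differs from WANTED and return 1 if any did;
# return 0 when the tree is clean.
audit_conf_tree() {
    rc=0
    for dir in "$PROC_ROOT"/*; do
        [ -d "$dir" ] || continue
        printf '%s\n' "$WANTED" | while IFS='=' read -r key val; do
            [ -r "$dir/$key" ] || continue
            cur=$(cat "$dir/$key")
            [ "$cur" = "$val" ] || echo "${dir##*/}/$key = $cur (want $val)"
        done
    done | grep . && rc=1
    return $rc
}

# Lines to keep in /etc/sysctl.conf so the settings survive a reboot; "default"
# only seeds interfaces created later, hence the "all" entries as well.
persistent_sysctl_lines() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key val; do
        echo "net.ipv4.conf.all.$key = $val"
        echo "net.ipv4.conf.default.$key = $val"
    done
}

# Usage: sh harden.sh apply   (as root)   or   sh harden.sh audit
case "${1:-}" in
    apply) harden_conf_tree && audit_conf_tree ;;
    audit) audit_conf_tree ;;
esac
```

`sh harden.sh audit` is a cheap thing to run from a monitoring check: a non-zero exit means something (a network script, a new interface) has put rp_filter or redirects back.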
Firewall configuration
[root@localhost ~]# iptables -A INPUT -p udp --destination-port 1701 -j ACCEPT
[root@localhost ~]# iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -j MASQUERADE
[root@localhost ~]# /etc/init.d/iptables save
[root@localhost ~]# /etc/init.d/iptables restart
The original wrote the MASQUERADE source as 10.0.0.0/24, but xl2tpd.conf hands out 10.0.0.2-10.0.255.254 and the environment list says 10.0.0.0/16; with /24 any client above 10.0.0.255 would not be NATed, so the rule above uses /16. Two more points a default-DROP INPUT chain needs: IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) must be accepted or the IPsec negotiation never completes, and UDP 1701 should be accepted only for packets that arrived inside an IPsec SA (the iptables `policy` match) so that nobody can reach xl2tpd and pppd's MS-CHAPv2 in the clear.
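The pool in xl2tpd.conf, the local ip, and the NAT source range have to agree, and the firewall must only admit L2TP from inside IPsec. The script below is an added example, not code from the original post or from xl2tpd: it parses the xl2tpd.conf written in section IV, checks that local ip lies outside ip range and that the whole pool fits in the CIDR used for MASQUERADE, prints the NAT rule when the check passes, and prints the INPUT rules a default-DROP chain needs. Assumptions: eth1 is the external interface as in the environment list, and the kernel provides the xt_policy match (standard on el6 and later).

```shell
#!/bin/sh
# Added example (not from the original post): make sure the xl2tpd client pool,
# the virtual gateway address and the NAT source range agree before the
# iptables rules go in.  WAN_IF defaults to eth1, the page's external interface
# (an assumption about this host).

WAN_IF="${WAN_IF:-eth1}"

# dotted quad -> 32-bit integer, pure POSIX arithmetic
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if every address from $1 to $2 lies inside CIDR $3 (e.g. 10.0.0.0/16).
cidr_contains_range() {
    first=$(ip2int "$1"); last=$(ip2int "$2")
    net=$(ip2int "${3%/*}"); bits="${3#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( first & mask )) -eq $(( net & mask )) ] &&
    [ $(( last  & mask )) -eq $(( net & mask )) ]
}

# Read "key = value" from xl2tpd.conf; the key may contain a space ("ip range").
# Anything after ';' or '#' is dropped, so inline comments do not leak in.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;#]*\).*/\1/p" "$1" |
        head -n 1 | tr -d '[:space:]'
}

# Validate one xl2tpd.conf against the CIDR that will be used in the MASQUERADE
# rule.  On success prints the rule to run; on failure prints why and returns 1.
check_vpn_addressing() {
    conf="$1"; nat_cidr="$2"
    range=$(conf_value "$conf" "ip range")
    lo=$(conf_value "$conf" "local ip")
    if [ -z "$range" ] || [ -z "$lo" ]; then
        echo "missing 'ip range' or 'local ip' in $conf" >&2; return 1
    fi
    first="${range%-*}"; last="${range#*-}"
    li=$(ip2int "$lo")
    if [ "$li" -ge "$(ip2int "$first")" ] && [ "$li" -le "$(ip2int "$last")" ]; then
        echo "local ip $lo lies inside the client pool $range; pppd could hand it to a client" >&2
        return 1
    fi
    if ! cidr_contains_range "$first" "$last" "$nat_cidr"; then
        echo "client pool $range is not covered by NAT source $nat_cidr; some clients would not be masqueraded" >&2
        return 1
    fi
    echo "iptables -t nat -A POSTROUTING -s $nat_cidr -o $WAN_IF -j MASQUERADE"
}

# INPUT rules for a default-DROP chain: IKE, NAT-T, ESP, and L2TP only when the
# packet arrived inside an IPsec SA (xt_policy match), so nobody can talk to
# xl2tpd/pppd in the clear.
input_rules() {
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
EOF
}

# Constructed sample with the values from this page's xl2tpd.conf.
sample_conf() {
    cat > "$1" <<'EOF'
[global]
; port = 1701
[lns default]
ip range = 10.0.0.2-10.0.255.254
local ip = 10.0.0.1
length bit = yes
require chap = yes
pppoptfile = /etc/ppp/options.xl2tpd
EOF
}

# Demo: the page's original /24 rule fails the check, /16 passes.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_conf "$tmp"
    check_vpn_addressing "$tmp" 10.0.0.0/24
    check_vpn_addressing "$tmp" 10.0.0.0/16 && input_rules
    rm -f "$tmp"
fi
```

On the real host run `check_vpn_addressing /etc/xl2tpd/xl2tpd.conf 10.0.0.0/16` and only then feed its output, together with `input_rules`, to the shell and to `/etc/init.d/iptables save`.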
Start
The -D flag keeps xl2tpd in the foreground and prints everything it does; without -D it daemonizes. The other options are described in the README* files in the source directory.
[root@localhost xl2tpd-1.3.6]# ./xl2tpd -D
xl2tpd[2144]: setsockopt recvref[30]: Protocol not available
xl2tpd[2144]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
xl2tpd[2144]: open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading.
[root@localhost xl2tpd-1.3.6]# mkdir /var/run/xl2tpd/
[root@localhost xl2tpd-1.3.6]# touch /var/run/xl2tpd/l2tp-control
[root@localhost xl2tpd-1.3.6]# ./xl2tpd -D
xl2tpd[2275]: setsockopt recvref[30]: Protocol not available
xl2tpd[2275]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
xl2tpd[2275]: xl2tpd version xl2tpd-1.3.6 started on localhost.localdomain PID:2275
xl2tpd[2275]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[2275]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[2275]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[2275]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[2275]: Listening on IP address 0.0.0.0, port 1701
What was actually missing is the /var/run/xl2tpd directory; l2tp-control is the named pipe that xl2tpd-control writes commands to and xl2tpd creates it itself once the directory exists, so remove the plain file created by touch before the next restart. The "L2TP kernel support not detected" lines are harmless: without the l2tp_ppp module xl2tpd handles the data channel in user space, which works but is slower.
[root@localhost xl2tpd-1.3.6]# netstat -naptlu | grep xl2tpd
udp        0      0 0.0.0.0:1701        0.0.0.0:*        3695/./xl2tpd
[root@localhost xl2tpd-1.3.6]# vim /etc/init.d/xl2tpd
#!/bin/sh
#
# xl2tpd        This shell script takes care of starting and stopping l2tpd.
#
# chkconfig: - 80 30
# description: Layer 2 Tunnelling Protocol Daemon (RFC 2661)
#
# processname: xl2tpd
# config: /etc/xl2tpd/xl2tpd.conf
# pidfile: /var/run/xl2tpd.pid

# Service name
SERVICE=xl2tpd

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi

# built from source, so the binary lives in /usr/local/sbin
[ -x /usr/local/sbin/$SERVICE ] || exit 0

RETVAL=0

start() {
    echo -n "Starting $SERVICE: "
    if [ ! -d /var/run/xl2tpd ]
    then
        mkdir /var/run/xl2tpd
    fi
    daemon /usr/local/sbin/$SERVICE
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE
    echo ""
    return $RETVAL
}

stop() {
    echo -n "Stopping $SERVICE: "
    killproc $SERVICE
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$SERVICE
    return $RETVAL
}

restart() {
    stop
    start
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $SERVICE
        RETVAL=$?
        ;;
    restart|reload)
        restart
        ;;
    condrestart)
        [ -f /var/lock/subsys/$SERVICE ] && restart || :
        ;;
    *)
        echo "Usage: $SERVICE {start|stop|status|restart|reload|condrestart}"
        exit 1
esac
exit $RETVAL

[root@localhost xl2tpd-1.3.6]# chmod +x /etc/init.d/xl2tpd
[root@localhost xl2tpd-1.3.6]# chkconfig --add xl2tpd
[root@localhost xl2tpd-1.3.6]# chkconfig --add pppoe-server
[root@localhost xl2tpd-1.3.6]# chkconfig --add ipsec
[root@localhost xl2tpd-1.3.6]# chkconfig xl2tpd on
[root@localhost xl2tpd-1.3.6]# chkconfig pppoe-server on
[root@localhost xl2tpd-1.3.6]# chkconfig ipsec on
[root@localhost xl2tpd-1.3.6]# /etc/init.d/pppoe-server restart
[root@localhost xl2tpd-1.3.6]# /etc/init.d/ipsec restart
[root@localhost xl2tpd-1.3.6]# /etc/init.d/xl2tpd restart
Add to /etc/rc.d/rc.local:
/etc/init.d/xl2tpd start
[root@localhost xl2tpd-1.3.6]#
pppoe-server (from the rp-pppoe package) is the PPP-over-Ethernet server and plays no part in L2TP/IPsec; it can be left disabled. The rc.local line is also redundant once `chkconfig xl2tpd on` has been run, but it does no harm.