linux 部署l2tp ipsec×××

阅读量：6247 次

发布时间：2019-06-22

本文共 6989 字，大约阅读时间需要 23 分钟。

linux 部署l2tp ipsec×××

L2TP是一种工业标准的Internet隧道协议，功能大致和PPTP协议类似，比如同样可以对网络数据流进行加密。不过也有不同之处，比如PPTP要求网络为IP网络，L2TP要求面向数据包的点对点连接；PPTP使用单一隧道，L2TP使用多隧道；L2TP提供包头压缩、隧道验证，而PPTP不支持。

L2TP自身不提供隧道验证，从L2TP的包头可以看出。隧道认证是由PPP（pap或chap）协议提供！而PPTP则支持隧道验证，PPTP自身就是PPP的扩展！但是当L2TP或PPTP与IPsec共同使用时，可以由IPsec提供隧道验证，不需要在第2层协议上验证隧道.

关闭selinux

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config重启生效reboot；setenforce 0 临时关闭selinux，这样就不用重启了。

停止NetworkManager

systemctl stop NetworkManagersystemctl disable NetworkManager

查看主机是否支持pptp

[root@localhost ~]# modprobe ppp-compress-18 && echo yesyes# 返回yes 代表支持

是否开启了TUN

[root@localhost ~]# cat /dev/net/tun cat: /dev/net/tun: File descriptor in bad state

yum安装epel

yum -y install epel-release

安装xl2tpd

yum install -y xl2tpd libreswanlibreswan提供ipsec服务以前是openswan提供ipsec服务。

编辑xl2tpd配置文件

[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf | grep -v "^;"[global][lns default]# 设置给***客户端分配的地址段ip range = 172.16.200.100-172.16.200.200# 设置***客户端分配的网关local ip = 172.16.200.1require chap = yesrefuse pap = yesrequire authentication = yesname = Linux×××serverppp debug = yespppoptfile = /etc/ppp/options.xl2tpdlength bit = yes

编辑pppoptfile options.xl2tpd文件

[root@localhost ~]# cat /etc/ppp/options.xl2tpd ipcp-accept-localipcp-accept-remote#设置dnsms-dns  119.29.29.29# ms-dns  192.168.1.1# ms-dns  192.168.1.3# ms-wins 192.168.1.2# ms-wins 192.168.1.4#noccpauth# crtsctsidle 1800mtu 1410mru 1410nodefaultroutedebug# lckproxyarpconnect-delay 5000# To allow authentication against a Windows domain EXAMPLE, and require the# user to be in a group "××× Users". Requires the samba-winbind package# require-mschap-v2# plugin winbind.so# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\××× Users"' # You need to join the domain on the server, for example using samba:# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html# 添加以下内容refuse-paprefuse-chaprefuse-mschaprequire-mschap-v2persist

编辑ipsec配置文件

[root@localhost ~]# cat /etc/ipsec.conf | grep -v "^#" | grep -v "^[[:space:]]#"config setup        virtual_private=%v4:172.16.200.0/24        # 主要指定拨号分配给客户端的私有地址include /etc/ipsec.d/*.conf

编辑include的conn文件

[root@localhost ~]# cat /etc/ipsec.d/l2tp-ipsec.conf conn L2TP-PSK-NAT    rightsubnet=0.0.0.0/0    dpddelay=10    dpdtimeout=20    dpdaction=clear    forceencaps=yes    also=L2TP-PSK-noNATconn L2TP-PSK-noNAT    authby=secret    pfs=no    auto=add    keyingtries=3    rekey=no    ikelifetime=8h    keylife=1h    type=transport    left=172.16.200.1   # 设置l2tp的内网网关地址    leftprotoport=17/1701  # 17代表协议号；1701代表udp端口号    right=%any    rightprotoport=17/%any

设置用户名密码

[root@localhost ~]# cat /etc/ppp/chap-secrets# Secrets for authentication using CHAP# client        server  secret                  IP addresses***2018 * Centos7 *用户名 空格 * 空格 密码 空格 *

linux 部署l2tp ipsec×××

设置IPSec预共享密钥PSK

[root@localhost ~]# cat /etc/ipsec.d/default.secrets : PSK "test***"

firewalld防火墙设置

1701 ：L2TP udp端口 (Virtual Private Networking)4500 ：IPSec NAT Traversal udp端口 ，是一种解决IP地址转换问题的方法500   ：isakmp udp端口，密钥交换协议（IKE）用于在两个通信实体协商和建立安全相关，交换密钥firewall-cmd --permanent --add-service=ipsecfirewall-cmd --permanent --add-port=1701/udpfirewall-cmd --permanent --add-port=4500/udpfirewall-cmd --permanent --add-masqueradefirewall-cmd --reload

路由转发设置

[root@localhost ~]# cat /etc/sysctl.d/60-sysctl_ipsec.conf net.ipv4.ip_forward = 1net.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.all.rp_filter = 0net.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.accept_redirects = 0net.ipv4.conf.default.rp_filter = 0net.ipv4.conf.default.send_redirects = 0net.ipv4.conf.eth0.accept_redirects = 0net.ipv4.conf.eth0.rp_filter = 0net.ipv4.conf.eth0.send_redirects = 0net.ipv4.conf.eth1.accept_redirects = 0net.ipv4.conf.eth1.rp_filter = 0net.ipv4.conf.eth1.send_redirects = 0net.ipv4.conf.eth2.accept_redirects = 0net.ipv4.conf.eth2.rp_filter = 0net.ipv4.conf.eth2.send_redirects = 0net.ipv4.conf.ip_vti0.accept_redirects = 0net.ipv4.conf.ip_vti0.rp_filter = 0net.ipv4.conf.ip_vti0.send_redirects = 0net.ipv4.conf.lo.accept_redirects = 0net.ipv4.conf.lo.rp_filter = 0net.ipv4.conf.lo.send_redirects = 0net.ipv4.conf.ppp0.accept_redirects = 0net.ipv4.conf.ppp0.rp_filter = 0net.ipv4.conf.ppp0.send_redirects = 0

重启网卡服务生效

systemctl restart network

配置rsyslog转发xl2tpd日志

echo "xl2tpd;pppd                                             /var/log/xl2tpd.log" >> /etc/rsyslog.confsystemctl restart rsyslog

ipsec启动

systemctl enable ipsecsystemctl restart ipsec

ipsec检查

[root@localhost ~]# ipsec verify                    Verifying installed system and configuration filesVersion check and ipsec on-path                         [OK]Libreswan 3.23 (netkey) on 3.10.0-862.el7.x86_64Checking for IPsec support in kernel                    [OK] NETKEY: Testing XFRM related proc values         ICMP default/send_redirects                    [OK]         ICMP default/accept_redirects                  [OK]         XFRM larval drop                               [OK]Pluto ipsec.conf syntax                                 [OK]Two or more interfaces found, checking IP forwarding    [OK]Checking rp_filter                                      [ENABLED] /proc/sys/net/ipv4/conf/ens192/rp_filter               [ENABLED] /proc/sys/net/ipv4/conf/ens224/rp_filter               [ENABLED]  rp_filter is not fully aware of IPsec and should be disabledChecking that pluto is running                          [OK] Pluto listening for IKE on udp 500                     [OK] Pluto listening for IKE/NAT-T on udp 4500              [OK] Pluto ipsec.secret syntax                              [OBSOLETE]  003 WARNING: using a weak secret (PSK)Checking 'ip' command                                   [OK]Checking 'iptables' command                             [OK]Checking 'prelink' command does not interfere with FIPS [OK]Checking for obsolete ipsec.conf options                [OK]ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help

启动xl2tpd

systemctl enable xl2tpdsystemctl restart xl2tpd

windows客户端连接

建立的网卡适配器属性修改内容：

安全 → 安全类型→选择ipsec L2tp 第2层隧道协议，勾选允许使用协议 pap、chap、chap version 2

linux 部署l2tp ipsec×××

网络→internet协议版本4→属性→高级→ 去掉在远程网络上使用默认网关的对勾（如果希望通过从l2tpd服务器端上网，可以不取消。）

linux 部署l2tp ipsec×××

最后点击连接，输入用户名和密码。

linux 部署l2tp ipsec×××

客户端验证：

linux 部署l2tp ipsec×××

查看xl2tpd日志

[root@localhost ~]# more /var/log/xl2tpd.log 类似...Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfAck id=0x1 
    
     ]Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfReq id=0x7 
      
       
       
        ]Aug 21 14:37:45 localhost pppd[8038]: sent [IPCP ConfNak id=0x7 
         
          
          
           ]Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfReq id=0x8 
            
             
             
              ]Aug 21 14:37:45 localhost pppd[8038]: sent [IPCP ConfAck id=0x8 
               
                
                
                 ]Aug 21 14:37:45 localhost pppd[8038]: Cannot determine ethernet address for proxy ARPAug 21 14:37:45 localhost pppd[8038]: local IP address 172.16.200.1Aug 21 14:37:45 localhost pppd[8038]: remote IP address 172.16.200.100...