Centos 6 L*2tp 配置实例

如何科学地使用互联网，一直是个蛋疼的问题。以前使用P*ptp，iOS 10之后P*ptp被苹果干了，用不了，说是安全性不好，简直有病，我的使用环境又没有那么高的安全要求。而s*ock的使用需要在客户端安装第三方客户端才行，iOS市场上好多s*ock客户端都被下架了，剩余一些不支持@L_616_3@配置的，或者是收费的，切换iOS市场可以找到一些可用的，可恶的是切换市场的时候Apple要求一定要提交信用卡等信息。现在只能改用L*2tp协议，本文讲述其在CentOS 6的配置方法，在CentOS 7应该也差不多，我没有实际尝试。

1.安装一堆乱七八糟的环境包

@H_403_5@yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man policycoreutil

2.安装openswan，ppp等

yum install openswan ppp xl2tpd

注意，以上openswan，xl2tpd如果找不到yum源，则需自行添加yum源，也可以直接wget下载后安装，具体如下：
a.openswan

wget https://download.openswan.org/openswan/old/openswan-2.6/openswan-2.6.38.tar.gz  
tar -zxvf openswan-2.6.38.tar.gz  
cd openswan-2.6.38  
make programs install  

b.xl2tpd

wget https://download.openswan.org/xl2tpd/xl2tpd-1.3.0.tar.gz  
tar zxf xl2tpd-1.3.0.tar.gz  
cd xl2tpd-1.3.0  
make && make install 

c.rp-l2tp，xl2tpd是新版的话，这玩意可以不安装。

wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz  
tar -zxvf rp-l2tp-0.4.tar.gz  
cd rp-l2tp-0.4  
./configure
make  
cp handlers/l2tp-control /usr/local/sbin/  
mkdir /var/run/xl2tpd/  
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control  

3.修改/etc/ipsec.conf内容如下：

# /etc/ipsec.conf - Openswan IPsec configuration file
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all","none" or a combation from below:
        # "raw crypt parsing emitTing control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #

        # Enable core dumps (might require system changes,like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto wriTing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support,see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been Announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is Now off by default. Uncomment and change to on,to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey,then klips then mast

        protostack=netkey
        #这里如果是auto，改为netkey

        # Use this to log to a file,or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample V*PN connection
# for more examples,see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway,subnet behind it,nexthop toWARD right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway,nexthop toWARD left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection,but not actually start it,#               # at startup,uncomment this.
#               #auto=add

#以下为新增内容
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=103.74.195.xx #这里配置服务器公网IP
    leftprotoport=17/1701 #服务端口
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dPDAction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute

4.配置网络转发等，修改/etc/sysctl.conf内容如下：

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values,0 is disabled,1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forWARDing
net.ipv4.ip_forWARD = 1 #0改为1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0 #1改为0

# Do not accept source routIng
net.ipv4.conf.default.accept_source_route = 0

# Controls the System request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-iP6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message,in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size,in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments,in pages
kernel.shmall = 4294967296

#以下为新增内容
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

执行以下命令令配置生效：
@H_696_41@sysctl -p

5.配置l*2tp网络参数，修改/etc/xl2tpd/xl2tpd.conf内容如下：

[global]
ipsec saref = yes
listen-addr = 103.74.195.xx #公网IP
[lns default]
ip range = 192.168.1.2-192.168.1.100 #l*2tp内网客户端IP端
local ip = 192.168.1.1 #l*2tp内网本地IP
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

修改/etc/ppp/options.xl2tpd内容如下：
@H_173_49@ms-dns 8.8.8.8 ms-dns 8.8.4.4 asyncmap 0 auth crtscts lock hide-password modem debug name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4 require-mschap-v2

6.配置客户端预共享密码，编辑/etc/ipsec.secrets内容如下：

include /etc/ipsec.d/*.secrets
103.74.195.xx %any: PSK "password"

password为预共享密钥。

7.配置客户端用户名和密码，修改/etc/ppp/chap-secrets内容如下：

dancen l2tpd password *

dancen是用户名，password是密码。

8.验证ipsec运行状态

ipsec restart
ipsec verify

显示如下说明运行正常：

Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.15 (netkey) on 2.6.32-504.12.2.el6.x86_64
checking for IPsec support in kernel              	[OK]
 NETKEY: TesTing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf Syntax                           	[OK]
Hardware random device                            	[N/A]
checking rp_filter                                	[OK]
checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret Syntax                        	[OK]
checking 'ip' command                             	[OK]
checking 'iptables' command                       	[OK]
checking 'prelink' command does not interfere with FIPschecking for obsolete ipsec.conf options          	[OK]
Opportunistic Encryption                          	[DISABLED]

9.修改防火墙配置：

开放l*2tp对外网的访问，增加iptables的nat表规则：

iptables -t nat -A POSTRoutING -o eth1 -s 192.168.1.0/24 -j MASQUERADE #eth1为公网网卡
iptables -t nat -A POSTRoutING -s 192.168.1.0/24 -o eth0 -j MASQUERADE #eth0为私网网卡

开放udp协议的1701，500，4500端口，开放l*2tp内网forWARD，增加iptables的filter表规则：

iptables -t filter -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT

执行

service iptables save

或

iptables-save

保存防火墙配置
执行

service iptables restart

重启防火墙

也可以直接修改防火墙配置/etc/sysconfig/iptables的内容如下：

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT
*nat
-A POSTRoutING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
-A POSTRoutING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT

10.重启xl2tp

service xl2tpd restart

没有配置服务的话，直接执行

xl2tp

运行即可。

11.添加自启动，需要把xl2tpd配置为服务：

chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on

12.客户端选择l*2tp协议，提交预共享密码以及用户名可密码即可建立连接，完毕。

@H_801_2@

大佬总结

以上是大佬教程为你收集整理的Centos 6 L*2tp 配置实例全部内容，希望文章能够帮你解决Centos 6 L*2tp 配置实例所遇到的程序开发问题。

如果觉得大佬教程网站内容还不错，欢迎将大佬教程推荐给程序员好友。

本图文内容来源于网友网络收集整理提供，作为学习参考使用，版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ：384754419，请注明来意。