CentOS 7: L2TP setup
Configuring the yum network repository
# Download the Aliyun repository file
wget -O /etc/yum.repos.d/CentOS-Base-epel.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# Clear the cache
yum clean all
# Rebuild the cache
yum makecache
# Update from the new repository
yum update
# or
yum install -y epel-release
Installing the L2TP environment
yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
yum install -y xl2tpd
yum install -y libreswan
Editing the IPsec configuration file
[root@localhost ~]# vim /etc/ipsec.conf    (only one line, nat_traversal=yes, has to be added)
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
nat_traversal=yes    ### add this line to the config file so the L2TP connection can be established through NAT
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
Creating the configuration file that ties IPsec to the L2TP service
# This file does not exist yet, so it has to be created by hand
[root@localhost ~]# vim /etc/ipsec.d/l2tp_psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.4.197    ### 192.168.4.197 is the IP address of the server's own NIC
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
When an L2TP connection is established, the pre-shared key has to be entered; the pre-shared key is configured in the following file.
[root@localhost ~]# vim /etc/ipsec.d/ipsec.secrets
#include /etc/ipsec.d/*.secrets
192.168.4.197 %any: PSK "123456789"    # 120.86.124.5 is the external NIC address; PSK is the pre-shared key
Adjust the kernel parameters using the following configuration as a reference; after editing, run sysctl -p to apply them.
[root@localhost ~]# cat /etc/sysctl.conf
vm.swappiness = 0
net.ipv4.ip_forward = 1
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
[root@localhost ~]# sysctl -p
Verifying the IPsec service configuration
# Restart ipsec
systemctl restart ipsec
# Verify the ipsec service configuration
ipsec verify
Starting the service
# Start ipsec
systemctl start ipsec
# Enable it at boot
systemctl enable ipsec
Editing the L2TP configuration file
[root@localhost ~]# vim /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 192.168.4.197    ### this host's external NIC IP
ipsec saref = yes              ### uncomment this line
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = Linux×××server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Editing the xl2tpd PPP options file
[root@localhost ~]# vim /etc/ppp/options.xl2tpd
require-mschap-v2    ### add this line
ipcp-accept-local
ipcp-accept-remote
# dns: use the DNS server of your own NIC; 8.8.8.8 also works
ms-dns 192.168.0.2
#ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
Adding the username and password (the username and password used to log in to the **)
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
test        *         123       *
Installing and configuring iptables
Install iptables and iptables-services
yum install -y iptables
yum install -y iptables-services
Disable/stop the built-in firewalld service
systemctl stop firewalld
Mask the firewalld service so it cannot be started again
systemctl mask firewalld
Resetting the existing rules
# Show the current iptables rules
iptables -L -n
# Allow everything first, otherwise you may lock yourself out
iptables -P INPUT ACCEPT
# Flush all rules in the built-in chains
iptables -F
# Delete all user-defined chains
iptables -X
# Reset all counters to zero
iptables -Z
Enabling address translation (eth0 is the external NIC; *replace it to match your own setup.*)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
/bin/systemctl restart iptables.service
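An added consistency check, not part of the original write-up: the MASQUERADE rule above uses the source subnet 192.168.0.0/24, while the PPP pool handed out by xl2tpd.conf is 192.168.1.128-192.168.1.254, so client traffic would leave eth0 without being NATed. The script parses both files (copied inline here as constructed samples), reports whether the pool is covered and proposes the smallest CIDR that would cover it.

```python
# Added example, not from the original post: check that the iptables MASQUERADE
# source subnet actually covers the PPP address pool that xl2tpd hands out.
# Both inputs are constructed copies of the values used in this write-up.
import ipaddress
import re

XL2TPD_CONF = """[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
"""
IPTABLES_RULES = """iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.0.0/24 -j ACCEPT
"""

def parse_ppp_pool(conf):
    # First and last address of the 'ip range' line in the [lns default] section.
    m = re.search(r"^\s*ip range\s*=\s*([\d.]+)\s*-\s*([\d.]+)", conf, re.M)
    if not m:
        raise ValueError("no 'ip range' line in xl2tpd.conf")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def parse_masquerade_subnet(rules):
    # Source network (-s) of the POSTROUTING rule that jumps to MASQUERADE.
    m = re.search(r"POSTROUTING\s+-s\s+(\S+).*-j\s+MASQUERADE", rules)
    if not m:
        raise ValueError("no MASQUERADE rule in the rule set")
    return ipaddress.ip_network(m.group(1), strict=False)

def pool_is_natted(conf, rules):
    # True only if both ends of the pool fall inside the MASQUERADE source net;
    # otherwise client packets leave eth0 with their private source address.
    first, last = parse_ppp_pool(conf)
    net = parse_masquerade_subnet(rules)
    return first in net and last in net

def smallest_covering_subnet(conf):
    # Smallest single CIDR containing the whole pool: widen a /32 of the first
    # address until the last address fits.
    first, last = parse_ppp_pool(conf)
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return str(net)

if __name__ == "__main__":
    if pool_is_natted(XL2TPD_CONF, IPTABLES_RULES):
        print("MASQUERADE subnet covers the PPP pool")
    else:
        print("mismatch: use -s", smallest_covering_subnet(XL2TPD_CONF))
```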
Completing the service configuration
# Start the xl2tpd service
systemctl start xl2tpd
# Enable it at boot
systemctl enable xl2tpd
# Check its status
systemctl status xl2tpd
*If the start fails with the following error:*
Job for xl2tpd.service failed because the control process exited with error code. See "systemctl status xl2tpd.service" and "journalctl -xe" for details.
# systemctl status xl2tpd.service
xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
   Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Sat 2018-07-07 07:11:31 UTC; 12s ago
  Process: 3985 ExecStartPre=/sbin/modprobe -q l2tp_ppp (code=exited, status=1/FAILURE)

Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: xl2tpd.service: control process exited, code=exited status=1
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: Failed to start Level 2 Tunnel Protocol Daemon (L2TP).
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: Unit xl2tpd.service entered failed state.
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: xl2tpd.service failed.
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: xl2tpd.service holdoff time over, scheduling restart.
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: start request repeated too quickly for xl2tpd.service
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: Failed to start Level 2 Tunnel Protocol Daemon (L2TP).
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: Unit xl2tpd.service entered failed state.
Jul 07 07:11:31 ip-192-168-4-197.ap-northeast-1.compute.internal systemd[1]: xl2tpd.service failed.
Solution:
On CentOS 7, after looking into it I found that the kernel reloads l2tp_ppp itself; deleting the line "ExecStartPre=/sbin/modprobe -q l2tp_ppp" from xl2tpd.service is enough. Also pay attention to the Restart entry.
systemctl daemon-reload
systemctl start xl2tpd
Source: Beluga