1、查询操作系统版本
#cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core) 2、查询系统是否支持ppp,返回yes代表通过。
#modprobe ppp-compress-18 && echo yes3、查询系统是否开启了tun,返回File descriptor in bad state代表通过。
#cat /dev/net/tun4、安装epel源
#yum install epel-release -y5、安装xl2tpd和libreswan。centos7 版本,libreswan(ipsec)代替了openswan.
#yum install -y xl2tpd libreswan6、编辑ipsec.conf配置文件,保持默认配置吧
config setup
protostack=netkey
dumpdir=/var/run/pluto/
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf7、新建/etc/ipsec.d/l2tp-ipsec.conf文件
#vim /etc/ipsec.d/l2tp-ipsec.conf
conn L2TP-PSK-NAT
rightsubnet=0.0.0.0/0
dpddelay=10
dpdtimeout=20
dpdaction=clear
forceencaps=yes
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.10.9 #ppp接口的IP地址,对应下面的xl2tpd的配置文件
leftprotoport=17/1701
right=%any
rightprotoport=17/%any8、配置置预共享密钥PSK
#vim /etc/ipsec.d/default.secrets
: PSK "123A?a456"9、编辑xl2tpd配置文件
#vim /etc/xl2tpd/xl2tpd.conf
[lns default]
ip range = 192.168.10.10-192.168.10.100
local ip = 192.168.10.9
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes10、编辑pppoptfile文件
#vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.10.3 #内部的DNS服务器
ms-dns 114.114.114.114
name xl2tpd
#noccp
auth
#crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#lock
proxyarp
connect-delay 5000
refuse-pap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log11、配置拨号用户名和密码
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret
# 格式为:用户名 服务类型 密码 允许访问的ip
# *代表所有
aliyunvip * Abc?123 *12、配置CentOS7 防火墙
#firewall-cmd --permanent --add-service=ipsec #允许ipsec服务
#firewall-cmd --permanent --add-port=1701/udp #允许 xl2tp
#firewall-cmd --permanent --add-port=4500/udp #允许 xl2tp
#firewall-cmd --permanent --add-masquerade #启用nat转发
#firewall-cmd --reload #重新加载配置13、修改内核参数
#vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
#sysctl -p #修改内核生效14、启动ipsec服务
#systemctl enable ipsec # 设为开机自动启动
#systemctl start ipsec # 开启服务
#systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2019-10-25 17:28:56 CST; 3 days ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Main PID: 8831 (pluto)
Status: "Startup completed."
CGroup: /system.slice/ipsec.service
└─8831 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork15、检查ipsec状态
#ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-862.2.3.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]16、启动xl2tp
#systemctl enable xl2tpd #设置自启动
#systemctl start xl2tpd #启动xl2tp
