Installing an L2TP/IPsec VPN on CentOS 7

1. Install the packages L2TP/IPsec needs

yum install epel-release
yum install openswan xl2tpd ppp lsof

EPEL is needed because xl2tpd lives there; openswan, ppp and lsof come from the base repository. On CentOS 7 the openswan package name is provided by libreswan, so libreswan is what actually gets installed (the ipsec verify output further down reports Libreswan 3.15).

2. Configure IPsec

a. Edit /etc/ipsec.conf (replace xxx.xxx.xxx.xxx below with the real fixed public IP of your own host; leave everything else as it is):

config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=xxx.xxx.xxx.xxx
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

How the two conn blocks fit together: L2TP-PSK-noNAT is the real definition (transport mode, so the IPsec SA covers only the UDP/1701 L2TP traffic on the server side; authentication by the pre-shared key in /etc/ipsec.secrets; any peer address accepted), and L2TP-PSK-NAT pulls it in with also= and adds rightsubnet=vhost:%priv so that a client whose own address falls in one of the virtual_private ranges, that is a client behind NAT, is accepted as well. If the public address is not configured on the server's own interface (cloud instances with 1:1 NAT), use left=%defaultroute instead of the literal IP.

b. Edit /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets
xxx.xxx.xxx.xxx %any: PSK "ZXkj8888"

Replace xxx.xxx.xxx.xxx with the real fixed public IP of your VPS (the same address as left= above). The quoted string is the pre-shared key that every client has to enter when connecting; pick your own. The original suggests something like csdn.net, but use a long random string instead: one PSK is shared by all users and it is the only thing protecting the IKE negotiation from the whole internet. Mind the spaces; the line has the form "<server IP> %any: PSK "<key>"". Keep the file readable by root only (chmod 600 /etc/ipsec.secrets).

c. Add or change the following in /etc/sysctl.conf, then apply it with sysctl -p

net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

Replace eth0 with the name of the uplink interface that actually exists on your host (the ipsec verify output further down comes from a machine whose interface is ens160, not eth0). The net.ipv4.conf.all.rp_filter line was missing from the original: the kernel applies the higher of conf/all and conf/<interface> for reverse-path filtering, so leaving all.rp_filter at 1 keeps the filter on, which is exactly why the verify run below still reports rp_filter [ENABLED].

d. Check that IPsec is running

ipsec setup start
ipsec verify

On CentOS 7 the first command is only a wrapper around systemctl, as the transcript shows:

[root@localhost ~]# ipsec setup start
Redirecting to: systemctl start ipsec.service
[root@localhost ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.el7.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Hardware random device                                [N/A]
Two or more interfaces found, checking IP forwarding  [OK]
Checking rp_filter                                    [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                [ENABLED]
 /proc/sys/net/ipv4/conf/ens160/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter            [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options              [OK]
Opportunistic Encryption                              [DISABLED]

ipsec verify: encountered 7 errors - see 'man ipsec_verify' for help

The lines that matter are the two Pluto listening lines (IKE on UDP 500, NAT-T on UDP 4500) and the ipsec.conf/ipsec.secrets syntax checks. The rp_filter warnings are the consequence of step c as it was originally written: conf/all/rp_filter was never set to 0 and the host's interface is ens160 rather than eth0. After correcting sysctl.conf and running sysctl -p again, rerun ipsec verify; the rp_filter entries should then read [OK]. Hardware random device [N/A] and Opportunistic Encryption [DISABLED] are normal on a VPS.

3. Configure L2TP

a. Edit /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
listen-addr = xxx.xxx.xxx.xxx    ; your host's public IP address

[lns default]
ip range = 10.60.10.235-10.60.10.240
local ip = 10.60.10.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

listen-addr binds xl2tpd to the public address only. ip range is the pool handed out to clients (six addresses here, so at most six simultaneous sessions) and local ip is the server's end of every PPP link; both must lie in the subnet the NAT rule in section 4 matches (10.60.10.0/24), and local ip must stay outside the pool. refuse pap plus require chap forces CHAP-family authentication; the PPP options file below narrows that further to MS-CHAPv2. ipsec saref only does something on kernels carrying the SAref patch; on a stock CentOS 7 kernel xl2tpd merely logs that SAref is unavailable and carries on, so the line can be dropped.

 

b. Edit /etc/ppp/options.xl2tpd

name l2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

name l2tpd is the server name pppd compares against the second column of chap-secrets (the * used there matches anything). require-mschap-v2 is the strongest method the stock Windows, macOS and Linux L2TP clients all speak; it is a weak protocol on its own, and only the IPsec tunnel around it keeps the exchange private, which is another reason not to treat the PSK casually. mtu/mru 1410 leave room for the L2TP, UDP and ESP headers so that packets on the tunnel are not fragmented. idle 1800 drops a session after 30 minutes without traffic; ms-dns pushes the resolvers clients will use. (The original listed ms-dns 8.8.8.8 a second time, commented out; that line was redundant and is omitted here.)

 

c. Configure usernames and passwords: edit /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"sun"           *       "123456"                *

One line per user: client name, server name (* matches the name l2tpd set above), password, and the address to assign (* means take one from ip range). The passwords are stored in clear text, so chmod 600 /etc/ppp/chap-secrets, and do not ship a password like 123456: anyone who knows the shared PSK is already talking to this login prompt.

 

Setup is complete. Test whether the connection works from Windows; the Windows 10 client screenshots of the original are not reproduced here, but the settings are: create a VPN connection of type "L2TP/IPsec with pre-shared key", enter the key from /etc/ipsec.secrets as the pre-shared key under the adapter's advanced options, and sign in with a username and password from /etc/ppp/chap-secrets. If the Windows client itself sits behind NAT, it will not complete the connection until the DWORD value AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent is set to 2 and the machine is rebooted.
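Before pointing a client at the server it is worth checking that the six files edited in steps 2 and 3 actually agree with each other, since most "it connects but nothing works" cases are a mismatch between them. The following is an added example for this page, not code from the original post. It parses constructed copies of /etc/ipsec.conf, /etc/ipsec.secrets, /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd, /etc/ppp/chap-secrets and /etc/sysctl.conf modelled on the listings above (45.77.133.69 standing in for xxx.xxx.xxx.xxx, as in the NAT rule of section 4) and reports the mistakes that most often leave the tunnel half-working. The interface name ens160 (taken from the ipsec verify output), the NAT subnet and the minimum secret lengths are this example's own assumptions.

```python
"""Cross-file consistency and secret-hygiene checks for the libreswan + xl2tpd + pppd setup above.

Added example for this page, not code from the original post. The file contents below are
constructed from the tutorial's listings; ens160 and the secret-length thresholds are assumptions.
"""
import ipaddress
import shlex

SERVER_IP = "45.77.133.69"  # stands in for xxx.xxx.xxx.xxx, as in the page's SNAT rule
PAGE_CONFIG = {  # constructed, not copied from a live host
    "ipsec.conf": f"""conn L2TP-PSK-noNAT
    authby=secret
    left={SERVER_IP}
    leftprotoport=17/1701
    right=%any
""",
    "ipsec.secrets": f'include /etc/ipsec.d/*.secrets\n{SERVER_IP} %any: PSK "ZXkj8888"\n',
    "xl2tpd.conf": f"""[global]
listen-addr = {SERVER_IP}  ; public address
[lns default]
ip range = 10.60.10.235-10.60.10.240
local ip = 10.60.10.1
pppoptfile = /etc/ppp/options.xl2tpd
""",
    "options.xl2tpd": "name l2tpd\nrequire-mschap-v2\nnoccp\nauth\nmtu 1410\nmru 1410\n",
    "chap-secrets": '# client server secret IP-addresses\n"sun" * "123456" *\n',
    "sysctl.conf": "net.ipv4.ip_forward = 1\nnet.ipv4.conf.eth0.rp_filter = 0\n"
                   "net.ipv4.conf.default.rp_filter = 0\n",
}
# Same files with the findings fixed: long random PSK, real password, and rp_filter off
# for conf/all and for the interface that really exists on the host (ens160, not eth0).
HARDENED_CONFIG = dict(PAGE_CONFIG)
HARDENED_CONFIG["ipsec.secrets"] = f'{SERVER_IP} %any: PSK "v7Qp2mZ9sLx4Kd8RwN3tYb6H"\n'
HARDENED_CONFIG["chap-secrets"] = '"sun" * "Tq8-bVr2_mLp9zXe" *\n'
HARDENED_CONFIG["sysctl.conf"] = (PAGE_CONFIG["sysctl.conf"]
                                  + "net.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.ens160.rp_filter = 0\n")

def parse_blocks(text, comment, header):
    """Group 'key = value' lines under block headers; header(line) names a block or returns None.
    Lines before any header go into block '' so flat files such as sysctl.conf parse the same way."""
    blocks = {"": {}}
    current = blocks[""]
    for raw in text.splitlines():
        line = raw.split(comment, 1)[0].rstrip()
        if not line.strip():
            continue
        name = header(line)
        if name is not None:
            current = blocks.setdefault(name, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks

def ipsec_conf(text):   # headers are the unindented 'config setup' / 'conn NAME' lines, '#' comments
    return parse_blocks(text, "#", lambda l: " ".join(l.split()) if not l[0].isspace() else None)

def xl2tpd_conf(text):  # headers are '[section]' lines, ';' comments
    return parse_blocks(text, ";", lambda l: l.strip()[1:-1] if l.strip().startswith("[") else None)

def psk_entries(text):  # ipsec.secrets lines of the form: SERVER PEER: PSK "key"
    rows = [shlex.split(line, comments=True) for line in text.splitlines()]
    return [(f[0], f[1].rstrip(":"), f[3]) for f in rows if len(f) == 4 and f[2] == "PSK"]

def chap_secrets(text):  # pppd chap-secrets: client server secret [addresses], shell-style quoting
    rows = [shlex.split(line, comments=True) for line in text.splitlines()]
    return [tuple(f[:3]) for f in rows if len(f) >= 3]

def audit(files, iface, nat_subnet, min_psk=20, min_pw=12):
    """Return the list of findings; an empty list means the files agree and the secrets pass."""
    out, subnet = [], ipaddress.ip_network(nat_subnet)
    conns, xl = ipsec_conf(files["ipsec.conf"]), xl2tpd_conf(files["xl2tpd.conf"])
    psks = psk_entries(files["ipsec.secrets"])
    sysctl = parse_blocks(files["sysctl.conf"], "#", lambda l: None)[""]
    # 1. One server address everywhere: left= in ipsec.conf, the PSK line, xl2tpd's listen-addr.
    lefts, hosts = {c["left"] for c in conns.values() if "left" in c}, {s for s, _, _ in psks}
    listen = xl.get("global", {}).get("listen-addr")
    if len(lefts) != 1 or lefts != hosts or listen not in lefts:
        out.append(f"server address mismatch: left={sorted(lefts)} secrets={sorted(hosts)} listen-addr={listen}")
    # 2. The one PSK is shared by every client and is all that stands between the internet and IKE.
    out += [f"PSK too short ({len(k)} chars, want >= {min_psk})" for _, _, k in psks if len(k) < min_psk]
    # 3. PPP accounts: server column must be * or pppd's 'name'; passwords must not be trivial.
    name = next((l.split()[1] for l in files["options.xl2tpd"].splitlines() if l.startswith("name ")), None)
    for client, server, secret in chap_secrets(files["chap-secrets"]):
        if server not in ("*", name):
            out.append(f"chap-secrets server '{server}' for {client} never matches pppd name '{name}'")
        if len(secret) < min_pw:
            out.append(f"password for {client} too short ({len(secret)} chars, want >= {min_pw})")
    # 4. Client pool and server-side address inside the SNAT subnet, server address outside the pool.
    lns = xl.get("lns default", {})
    local = ipaddress.ip_address(lns["local ip"])
    first, last = (ipaddress.ip_address(p.strip()) for p in lns["ip range"].split("-"))
    if not all(a in subnet for a in (local, first, last)):
        out.append(f"xl2tpd addresses are not all inside the NAT subnet {subnet}")
    if first <= local <= last:
        out.append(f"local ip {local} lies inside the client pool {first}-{last}")
    # 5. rp_filter: the kernel applies max(conf/all, conf/<iface>), so both must be 0.
    for key in ("net.ipv4.conf.all.rp_filter", f"net.ipv4.conf.{iface}.rp_filter"):
        if sysctl.get(key) != "0":
            out.append(f"{key} is not 0 (ipsec verify reports rp_filter ENABLED)")
    return out

if __name__ == "__main__":
    for label, cfg in (("tutorial values", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg, "ens160", "10.60.10.0/24") or ["no findings"])
```

On the tutorial's own values the audit reports four findings (the 8-character PSK, the 6-character password, and the two rp_filter keys that ipsec verify complained about) and nothing on the hardened copy. To run it against a real host, replace the constructed strings with open(path).read() for the six files and pass the interface name ip route shows for the default route.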

                           

4. Firewall settings

The firewalld public zone has to accept IKE (UDP 500), NAT-T (UDP 4500), the ESP and AH IP protocols, and L2TP itself (UDP 1701). firewalld's predefined ipsec service covers the first four; UDP 1701 is added as a plain port. The resulting rules, as they appear in the IN_public_allow chain (iptables -L IN_public_allow -n):

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 ctstate NEW
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:17328 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 ctstate NEW

The tcp 22 and tcp 17328 rules are unrelated to the VPN, and UDP 4500 appears twice (harmless, but the second rule can go). Note that an unconditional accept for UDP 1701 also admits L2TP that never went through IPsec, straight from the internet to xl2tpd and the PPP login prompt, bypassing the PSK; restrict it to IPsec-protected packets with the policy match (-m policy --dir in --pol ipsec) if you add the rule by hand.

Internet access for the clients (source NAT)

iptables -t nat -A POSTROUTING -s 10.60.10.0/24 -j SNAT --to-source 45.77.133.69

45.77.133.69 is the server's public IP (the xxx.xxx.xxx.xxx of the earlier steps) and 10.60.10.0/24 covers the ip range xl2tpd hands out; the original line was missing the space after -s. The original then ran firewall-cmd --reload, which on a firewalld host rebuilds the whole iptables rule set and throws away this hand-added rule, so clients lose their internet access again. Either add the rule through firewalld so that it survives reloads and reboots:

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.60.10.0/24 -j SNAT --to-source 45.77.133.69
firewall-cmd --reload

or, if a fixed source address is not required, enable masquerading on the public zone instead (firewall-cmd --permanent --add-masquerade, then firewall-cmd --reload).
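Both points of this section, what the allow chain should contain and whether the SNAT rule survived a reload, can be checked mechanically. The following is an added example for this page, not code from the original post. It reads constructed copies of iptables -L IN_public_allow -n (the page's own table, plus a cleaned-up variant) and of iptables -t nat -S POSTROUTING as this example imagines it right after the manual rule and after firewall-cmd --reload, and reports accepts that are missing, duplicated, unexplained, or expose plaintext L2TP. Treating tcp/22 as a legitimate admin port is this example's own assumption.

```python
"""Audit of the firewall state for the L2TP/IPsec server above.

Added example for this page, not code from the original post. All listings are constructed:
the allow chain mirrors the page's table; the two nat-table snapshots imagine the state right
after the manual SNAT rule and after 'firewall-cmd --reload' rebuilt the tables.
"""
import re

# What an L2TP/IPsec server must accept from the internet; None = no port (AH/ESP are IP protocols).
REQUIRED = {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None), ("ah", None)}

PAGE_ALLOW_CHAIN = """\
Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 ctstate NEW
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:17328 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 ctstate NEW
"""
# Same chain with the stray port and the duplicate removed and udp/1701 limited to IPsec-protected
# packets (iptables -m policy --dir in --pol ipsec), which -L renders as 'policy match dir in pol ipsec'.
HARDENED_ALLOW_CHAIN = """\
Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 ctstate NEW
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec udp dpt:1701 ctstate NEW
"""
NAT_BEFORE_RELOAD = "-P POSTROUTING ACCEPT\n-A POSTROUTING -s 10.60.10.0/24 -j SNAT --to-source 45.77.133.69\n"
NAT_AFTER_RELOAD = "-P POSTROUTING ACCEPT\n-N POSTROUTING_direct\n-A POSTROUTING -j POSTROUTING_direct\n"


def parse_allow_chain(listing):
    """Rows of (proto, dport, inside_ipsec) from 'iptables -L CHAIN -n' output."""
    rows = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ACCEPT":
            continue  # 'Chain ...' and column-header lines, or non-ACCEPT targets
        match = re.search(r"dpt:(\d+)", line)
        rows.append((fields[1], int(match.group(1)) if match else None, "pol ipsec" in line))
    return rows


def audit_input(listing, admin_ports=frozenset({("tcp", 22)})):
    """Findings for the allow chain: missing, duplicated, unexplained, or plaintext-exposed accepts."""
    rows, seen, out = parse_allow_chain(listing), {}, []
    for proto, dport, _ in rows:
        seen[(proto, dport)] = seen.get((proto, dport), 0) + 1
    for proto, dport in sorted(REQUIRED - set(seen), key=str):
        out.append(f"missing accept for {proto}/{dport if dport else '-'}")
    for (proto, dport), count in sorted(seen.items(), key=str):
        if count > 1:
            out.append(f"duplicate accept for {proto}/{dport} ({count} rules)")
        if (proto, dport) not in REQUIRED and (proto, dport) not in admin_ports:
            out.append(f"unexplained accept for {proto}/{dport}")
    # L2TP normally arrives inside ESP; an unconditional udp/1701 accept also admits plaintext L2TP
    # from anywhere, straight to xl2tpd and the PPP login, bypassing the IPsec PSK.
    if any(r[:2] == ("udp", 1701) and not r[2] for r in rows):
        out.append("udp/1701 accepted without '-m policy --pol ipsec': plaintext L2TP reachable from the internet")
    return out


def snat_present(nat_rules, subnet, public_ip):
    """True if 'iptables -t nat -S POSTROUTING' output still carries the SNAT rule for the pool."""
    rule = f"-A POSTROUTING -s {subnet} -j SNAT --to-source {public_ip}"
    return any(line.strip() == rule for line in nat_rules.splitlines())


if __name__ == "__main__":
    print("page chain:", audit_input(PAGE_ALLOW_CHAIN))
    print("hardened chain:", audit_input(HARDENED_ALLOW_CHAIN) or ["no findings"])
    for label, rules in (("before reload", NAT_BEFORE_RELOAD), ("after reload", NAT_AFTER_RELOAD)):
        print(label, "SNAT present:", snat_present(rules, "10.60.10.0/24", "45.77.133.69"))
```

On the page's table the audit flags the duplicate UDP 4500 rule, the unexplained tcp/17328 accept, and the unrestricted udp/1701 accept; the cleaned-up chain passes. Feeding it the real output of iptables -t nat -S POSTROUTING before and after a firewall-cmd --reload makes the disappearing SNAT rule visible instead of showing up as "clients can connect but have no internet".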

 

5. System maintenance

Starting and checking the services:

systemctl start xl2tpd
systemctl status xl2tpd
systemctl start ipsec
systemctl status ipsec

To have both come back after a reboot, also run systemctl enable ipsec xl2tpd. xl2tpd has to be restarted after changes to xl2tpd.conf (pppd reads options.xl2tpd and chap-secrets afresh for every session), and ipsec after changes to ipsec.conf or ipsec.secrets.



Original: http://www.cnblogs.com/vijayfly/p/6762911.html
