linux 部署l2tp ipsec×××

linux 部署l2tp ipsec×××

L2TP是一種工業標準的Internet隧道協議，功能大體和PPTP協議相似，好比一樣能夠對網絡數據流進行加密。不過也有不一樣之處，好比PPTP要求網絡爲IP網絡，L2TP要求面向數據包的點對點鏈接；PPTP使用單一隧道，L2TP使用多隧道；L2TP提供包頭壓縮、隧道驗證，而PPTP不支持。

L2TP自身不提供隧道驗證，從L2TP的包頭能夠看出。隧道認證是由PPP（pap或chap）協議提供！而PPTP則支持隧道驗證，PPTP自身就是PPP的擴展！可是當L2TP或PPTP與IPsec共同使用時，能夠由IPsec提供隧道驗證，不須要在第2層協議上驗證隧道.

關閉selinux

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

重啓生效reboot；

setenforce 0 
臨時關閉selinux，這樣就不用重啓了。

中止NetworkManager

systemctl stop NetworkManager
systemctl disable NetworkManager

查看主機是否支持pptp

[root@localhost ~]# modprobe ppp-compress-18 && echo yes
yes
# 返回yes 表明支持

是否開啓了TUN

[root@localhost ~]# cat /dev/net/tun 
cat: /dev/net/tun: File descriptor in bad state

yum安裝epel

yum -y install epel-release

安裝xl2tpd

yum install -y xl2tpd libreswan

libreswan提供ipsec服務
之前是openswan提供ipsec服務。

編輯xl2tpd配置文件

[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf | grep -v "^;"

[global]

[lns default]
# 設置給***客戶端分配的地址段
ip range = 172.16.200.100-172.16.200.200
# 設置***客戶端分配的網關
local ip = 172.16.200.1
require chap = yes
refuse pap = yes
require authentication = yes
name = Linux×××server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

編輯pppoptfile options.xl2tpd文件

[root@localhost ~]# cat /etc/ppp/options.xl2tpd 
ipcp-accept-local
ipcp-accept-remote
#設置dns
ms-dns  119.29.29.29
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
#noccp
auth
# crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
# lck
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "××× Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\××× Users"' 
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
# 添加如下內容
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist

編輯ipsec配置文件

[root@localhost ~]# cat /etc/ipsec.conf | grep -v "^#" | grep -v "^[[:space:]]#"

config setup
        virtual_private=%v4:172.16.200.0/24
        # 主要指定撥號分配給客戶端的私有地址

include /etc/ipsec.d/*.conf

編輯include的conn文件

[root@localhost ~]# cat /etc/ipsec.d/l2tp-ipsec.conf 
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.16.200.1   # 設置l2tp的內網網關地址
    leftprotoport=17/1701  # 17表明協議號；1701表明udp端口號
    right=%any
    rightprotoport=17/%any

設置用戶名密碼

[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
***2018 * Centos7 *
用戶名 空格 * 空格 密碼 空格 *

設置IPSec預共享密鑰PSK

[root@localhost ~]# cat /etc/ipsec.d/default.secrets 
: PSK "test***"

firewalld防火牆設置

1701 ：L2TP udp端口 (Virtual Private Networking)
4500 ：IPSec NAT Traversal udp端口 ，是一種解決IP地址轉換問題的方法
500   ：isakmp udp端口，密鑰交換協議（IKE）用於在兩個通訊實體協商和創建安全相關，交換密鑰

firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

路由轉發設置

[root@localhost ~]# cat /etc/sysctl.d/60-sysctl_ipsec.conf 
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0

重啓網卡服務生效

systemctl restart network

配置rsyslog轉發xl2tpd日誌

echo "xl2tpd;pppd                                             /var/log/xl2tpd.log" >> /etc/rsyslog.conf

systemctl restart rsyslog

ipsec啓動

systemctl enable ipsec
systemctl restart ipsec

ipsec檢查

[root@localhost ~]# ipsec verify                    
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.23 (netkey) on 3.10.0-862.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/ens192/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/ens224/rp_filter               [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OBSOLETE]
  003 WARNING: using a weak secret (PSK)
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help

啓動xl2tpd

systemctl enable xl2tpd
systemctl restart xl2tpd

windows客戶端鏈接

創建的網卡適配器屬性修改內容：

安全 → 安全類型→選擇ipsec L2tp 第2層隧道協議，勾選容許使用協議 pap、chap、chap version 2

網絡→internet協議版本4→屬性→高級→ 去掉 在遠程網絡上使用默認網關的 對勾（若是但願經過從l2tpd服務器端上網，能夠不取消。）

最後點擊鏈接，輸入用戶名和密碼。

客戶端驗證：

查看xl2tpd日誌

[root@localhost ~]# more /var/log/xl2tpd.log 
相似...
Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfAck id=0x1 <addr 172.16.200.1>]
Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.
0> <ms-dns2 0.0.0.0>]
Aug 21 14:37:45 localhost pppd[8038]: sent [IPCP ConfNak id=0x7 <addr 172.16.200.100> <ms-dns1
 119.29.29.29> <ms-dns2 119.29.29.29>]
Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfReq id=0x8 <addr 172.16.200.100> <ms-dns1
 119.29.29.29> <ms-dns2 119.29.29.29>]
Aug 21 14:37:45 localhost pppd[8038]: sent [IPCP ConfAck id=0x8 <addr 172.16.200.100> <ms-dns1
 119.29.29.29> <ms-dns2 119.29.29.29>]
Aug 21 14:37:45 localhost pppd[8038]: Cannot determine ethernet address for proxy ARP
Aug 21 14:37:45 localhost pppd[8038]: local  IP address 172.16.200.1
Aug 21 14:37:45 localhost pppd[8038]: remote IP address 172.16.200.100
...