OS: CentOS 7 x86_64
1.安装ipsec服务
1.1安装openswan
1.yum安装gmp
2.yum安装flex
3.下载openswan(2.6.49)https://www.openswan.org/ (下载后核对官方发布的签名或哈希再编译;注意源码安装的 openswan 不会随 yum 收到安全更新,CentOS 7 仓库自带的 libreswan 是 openswan 的后继分支,若无特殊需求可优先考虑)
4.make programs
5.make install
1.2修改/etc/ipsec.conf
1.将/etc/ipsec.d/examples/l2tp-psk.conf中conn L2TP-PSK-NAT和conn L2TP-PSK-noNAT直接拷贝至文件中
2.修改left=YourGatewayIP,将YourGatewayIP修改为服务器IP
1.3修改/etc/ipsec.secrets
1.添加如下内容:
服务器IP %any: "连接密钥"
#%any 表示任何持有该预共享密钥的客户端都可建立 IPsec,因此密钥应足够长且随机(例如 openssl rand -base64 32),并执行 chmod 600 /etc/ipsec.secrets 防止其他用户读取
1.4修改/etc/sysctl.conf
1.内容如下:
net.ipv4.ip_forward = 1
#default.* 只对之后创建的接口生效,已存在的 eth0 需同时设置 all.*,否则 ipsec verify 仍会报 send_redirects/accept_redirects 相关 FAILED
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#关闭反向路径过滤是 L2TP/IPsec 的常见要求,但会放宽内核对伪造源地址的过滤,第 3 节的 FORWARD 规则因此要按接口(ppp+)限制而不是只按网段
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
2.执行sysctl -p 命令让配置生效
1.5验证ipsec服务
service ipsec restart
ipsec verify
检查输出中是否有 FAILED 项(常见为 rp_filter、send_redirects/accept_redirects 等内核参数检查);若有,回到 1.4 修正并重新执行 sysctl -p 后再次验证
2.安装L2TP服务
2.1安装软件包
yum install -y epel-release
yum install -y xl2tpd ppp lsof
2.2修改/etc/xl2tpd/xl2tpd.conf
#修改如下配置;另外请确认文件中 [lns default] 段的 ip range / local ip 落在 10.0.10.0/24 内(第 3 节防火墙和 NAT 规则以该网段为准),否则客户端拿到的地址不会被放行
[global]
listen-addr = 服务器ip
ipsec saref = yes
force userspace = yes
2.3修改/etc/ppp/options.xl2tpd
#增加如下内容(MS-CHAPv2 本身抗离线破解能力较弱,其安全性依赖外层 IPsec 加密,因此防火墙不能放行未经 IPsec 封装的 UDP 1701)
name l2tpd
require-mschap-v2
ms-dns 8.8.4.4
2.4配置用户名、密码
编辑文件/etc/ppp/chap-secrets
# client server secret IP addresses
username * password *
#server 和 IP addresses 用 * 代替即可(* 表示不限制);该文件以明文保存密码,应保持 root 所有且权限为 600(chmod 600 /etc/ppp/chap-secrets)
2.5启动服务
service xl2tpd start
3防火墙修改
执行如下命令:
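# Firewall rules for the L2TP/IPsec server (openswan + xl2tpd). Run as root.
#
# L2TP (UDP 1701) is accepted ONLY when the packet arrived inside an IPsec
# SA (-m policy --pol ipsec). The original guide also had an unconditional
# "--dport 1701 -j ACCEPT"; that lets a client negotiate plain L2TP/PPP with
# no IPsec at all, so the PPP authentication (MS-CHAPv2) and all user traffic
# would cross the Internet unencrypted. Do not re-add it.
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
# IKE (500) and NAT-T (4500) must be reachable in the clear to set up the SA.
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# Anything that was decapsulated from IPsec is trusted on INPUT.
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
# Forwarding is bound to the ppp tunnel interfaces, not just to the client
# subnet: rp_filter is disabled for this setup (see the sysctl step), so a
# bare "-s/-d 10.0.10.0/24" match would also accept packets arriving on eth0
# with a spoofed 10.0.10.x source. Client-initiated flows come in on ppp+;
# only replies go back out to clients.
iptables -A FORWARD -i ppp+ -s 10.0.10.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp+ -d 10.0.10.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT client traffic out of the public interface (adjust eth0 if it differs).
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE
# CentOS 7 ships firewalld by default; "service iptables save" only exists
# once the iptables-services package is installed (yum install -y
# iptables-services) and firewalld is stopped and disabled.
service iptables save
service iptables restart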
4开机自动启动
systemctl enable ipsec
systemctl enable xl2tpd