Setting up and using a VPN with openswan and xl2tpd

Checking TUN/PPP support

Run the following command:

cat /dev/net/tun

The output should be:

cat: /dev/net/tun: File descriptor in bad state

Then run:

cat /dev/ppp

The output should be:

cat: /dev/ppp: No such device or address

If the output differs, ask your hosting provider to enable TUN and PPP.


Software

1. openswan: provides IPsec encryption

2. lsof: used to check data access

3. ppp: provides username/password authentication

4. xl2tpd: provides the L2TP VPN service


Installing the software

openswan

If openswan was installed previously, it is recommended to remove it first:

yum remove openswan


Dependencies

Then install the required dependency packages:

yum install -y iptables make ppp gcc gmp-devel xmlto bison flex libpcap-devel lsof

Next, install openswan with yum:

yum install openswan

Editing ipsec.conf

Now edit /etc/ipsec.conf. This file is very strict about format, and indentation mistakes alone will cause errors, so the configuration below is for reference only. If pasting it directly causes problems, edit the original configuration file by hand until it matches the following.

# /etc/ipsec.conf - Libreswan IPsec configuration file

# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
        # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
        # For MacOSX use "bsd"
        protostack=netkey
        #
        # Normally, pluto logs via syslog. If you want to log to a file,
        # specify below or to disable logging, eg for embedded systems, use
        # the file name /dev/null
        # Note: SElinux policies might prevent pluto writing to a log file at
        #       an unusual location.
        #logfile=/var/log/pluto.log
        #
        # The interfaces= line is only required for the klips/mast stack
        #interfaces="%defaultroute"
        #interfaces="ipsec0=eth0 ipsec1=ppp0"
        #
        # If you want to limit listening on a single IP - not required for
        # normal operation
        #listen=127.0.0.1
        #
        # Do not set debug options to debug configuration issues!
        #
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
        #  private".
        # Note: "crypt" is not included with "all", as it can show confidential
        #       information. It must be specifically specified
        # examples:
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #plutodebug=none
        #klipsdebug=none
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: SElinux policies might prevent pluto writing the core at
        #       unusual locations
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least upto 2015)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        nat_traversal=yes

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
#include /etc/ipsec.d/*.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=107.19.15.162  # the server's public IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Setting the pre-shared key (PSK)

vim /etc/ipsec.secrets

You have to create this file yourself. Its content should look like the line below, where SERVER-IP is the server's IP address and SharedKey is the PSK you chose:

SERVER-IP %any: PSK "SharedKey"

Production configuration:

#include /etc/ipsec.d/*.secrets
107.19.15.162 %any: PSK "vpn"

Once this is set, the IPsec side is done.

Editing /etc/sysctl.conf

vim /etc/sysctl.conf

Make sure every key below is present with the value shown. The simplest way is to paste the following block at the end of /etc/sysctl.conf.

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Apply the modified sysctl.conf:

sysctl -p

It may print some IPv6-related errors; ignore them and continue.

Verifying that IPsec is running

service ipsec start

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                    [OK]
Libreswan 3.15 (netkey) on 2.6.32-573.el6.x86_64
Checking for IPsec support in kernel               [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects               [OK]
         ICMP default/accept_redirects             [OK]
         XFRM larval drop                          [OK]
Pluto ipsec.conf syntax                            [OK]
Hardware random device                             [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                 [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/em1/rp_filter             [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                     [OK]
 Pluto listening for IKE on udp 500                [OK]
 Pluto listening for IKE/NAT-T on udp 4500         [OK]
 Pluto ipsec.secret syntax                         [OK]
Checking 'ip' command                              [OK]
Checking 'iptables' command                        [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options           [OK]
Opportunistic Encryption                           [DISABLED]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help


Installing xl2tpd

Check whether epel-release is installed, and which version:

rpm -q epel-release

The correct output is version 6.8:

epel-release-6-8.noarch

If nothing is returned, install the matching EPEL repository package:

rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

Once that is done, install xl2tpd:

yum install xl2tpd -y

cd /etc/
mkdir xl2tpd/
cd xl2tpd/
touch xl2tpd.conf
chmod 666 xl2tpd.conf

(Mode 666 makes the file world-writable, so any local user could change the VPN configuration; xl2tpd only needs to read it, so 644 is enough.)

Edit xl2tpd.conf as follows, setting the address range to hand out to clients and the virtual server IP:

vim /etc/xl2tpd/xl2tpd.conf

[lns default]
; private IP range handed out to VPN clients
ip range = 192.168.1.128-192.168.1.254
; the VPN server's private address
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

[global]
ipsec saref = no

Editing the PPP options for xl2tpd

vim /etc/ppp/options.xl2tpd

Edit it to look like this:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000

The noccp option above fixes connection problems with iOS clients.


Adding user accounts

vim /etc/ppp/chap-secrets

The format is (client, server, secret, allowed IP addresses):

username * password *

Use letters and digits for the username and password. The trailing * can be replaced with a specific address from the IP range configured above.

Production configuration:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
admin           *       admin                   *
test1           *       test1                   *

This means the VPN account admin has the password admin and can log in from any client with Internet access; test1 with password test1 is created the same way. Restart xl2tpd after each addition.


Starting the xl2tpd service

service xl2tpd start


Opening ports and enabling forwarding

iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o em1 -j MASQUERADE
iptables -I INPUT -p udp -m multiport --dports 1701,4500,500 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT


vim /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Thu Sep  1 17:02:17 2016
*nat
:PREROUTING ACCEPT [10:418]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o em1 -j MASQUERADE
COMMIT
# Completed on Thu Sep  1 17:02:17 2016
# Generated by iptables-save v1.4.7 on Thu Sep  1 17:02:17 2016
*filter
:INPUT ACCEPT [23:1576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22:2834]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23432 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m multiport --dports 1701,4500,500 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Sep  1 17:02:17 2016


Save the rules:

service iptables save


The IPsec/xl2tpd VPN is now fully configured.

Now it can be tested:

service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
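Before connecting a client, the following POSIX shell script (an added example, not part of the original post) checks the state the steps above should have produced: it compares the ten sysctl keys against the values set above, lists interfaces where rp_filter is still enabled (the condition ipsec verify flagged), and confirms an INPUT rule accepts UDP 500, 4500 and 1701. The sample inputs at the bottom are constructed; the sysctl key list and port numbers are the ones this guide uses.

```shell
# Added example (not from the original post): checks the state the steps above
# should produce, parsing "key = value" text (sysctl -a output or sysctl.conf)
# and iptables-save output, so it runs on live output or on a saved copy.

# The ten keys the guide puts in /etc/sysctl.conf.
EXPECTED_SYSCTL='net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.log_martians=0 net.ipv4.conf.default.log_martians=0
net.ipv4.conf.default.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0 net.ipv4.icmp_ignore_bogus_error_responses=1'

# Prints one line per expected key that is missing or has a different value.
check_sysctl() {
  for kv in $EXPECTED_SYSCTL; do
    key=${kv%%=*}; want=${kv#*=}
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    have=$(printf '%s\n' "$1" | sed -n "s/^$pat *= *//p" | tail -n 1)
    [ "$have" = "$want" ] || echo "$key expected $want got ${have:-<unset>}"
  done
}

# Prints each interface (or "all") whose rp_filter is still 1: setting only
# default.rp_filter leaves these on, which is what ipsec verify flagged above.
rp_filter_enabled() {
  printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter *= *1$/\1/p'
}

# Prints each of UDP 500, 4500 and 1701 that no INPUT ACCEPT rule in the given
# iptables-save text covers (handles both --dport N and --dports a,b,c).
missing_udp_ports() {
  open=$(printf '%s\n' "$1" | grep '^-A INPUT .*-p udp .*-j ACCEPT' |
    sed -n 's/.*--dports\{0,1\} \([0-9,]*\).*/\1/p' | tr ',' '\n')
  for p in 500 4500 1701; do
    printf '%s\n' "$open" | grep -qx "$p" || echo "$p"
  done
}

# Constructed sample input: two keys missing, one wrong, rp_filter still on
# for em1, and the guide's multiport rule present.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.em1.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1'
SAMPLE_IPT='-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m multiport --dports 1701,4500,500 -j ACCEPT'
```

On the server itself, run the checks as `check_sysctl "$(sysctl -a 2>/dev/null)"`, `rp_filter_enabled "$(sysctl -a 2>/dev/null)"` and `missing_udp_ports "$(iptables-save)"`; empty output from all three means the guide's settings are in effect.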

Next, create a VPN account and log in:


That completes setting up and using the VPN.
