1、查詢作業系統版本
#cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
2、查詢系統是否支援ppp,傳回yes代表通過。
#modprobe ppp-compress-18 && echo yes
3、查詢系統是否開啟了tun,傳回File descriptor in bad state代表通過。
#cat /dev/net/tun
4、安裝epel源
#yum install epel-release -y
5、安裝xl2tpd和libreswan。centos7 版本,libreswan(ipsec)代替了openswan.
#yum install -y xl2tpd libreswan
6、編輯 /etc/ipsec.conf 設定檔,全域區段保持預設即可。注意這裡並未以 ike=/esp= 明確指定加密演算法,而是依賴 libreswan 的內建預設;建議依用戶端支援情況在下一步的 conn 中明確指定。
# Global pluto settings (libreswan 3.x). The "config setup" section goes
# before any conn; the include at the end pulls in the conn file written
# in the next step.
config setup
# Kernel XFRM ("netkey") stack, the one shipped with CentOS 7.
protostack=netkey
dumpdir=/var/run/pluto/
# Address ranges a road-warrior client (right=%any) may sit behind when it
# is NATed. NOTE(review): 25.0.0.0/8 is not private space (it is a leftover
# from old openswan examples); trim this list to the ranges your clients
# really use. Libreswan's docs also suggest excluding the server's own LAN
# ("%v4:!192.168.10.0/24") so a client cannot claim it -- TODO confirm
# whether that matters for this transport-mode L2TP setup.
# NOTE(review): if several clients connect from behind the same NAT they
# present the same IKE identity; "uniqueids=no" is the usual fix -- verify
# before adding it.
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
7、建立/etc/ipsec.d/l2tp-ipsec.conf檔案
#vim /etc/ipsec.d/l2tp-ipsec.conf
# Road-warrior L2TP/IPsec. IPsec runs in transport mode and protects only
# the L2TP traffic (UDP/1701) between the client and this host.
# This conn is for NATed clients; it inherits everything else from the
# noNAT conn via "also=".
conn L2TP-PSK-NAT
# After NAT traversal a NATed client may appear with any inner address.
rightsubnet=0.0.0.0/0
# Dead-peer detection so SAs of clients that simply vanish are torn down.
dpddelay=10
dpdtimeout=20
dpdaction=clear
# Always UDP-encapsulate ESP, even if no NAT is detected.
forceencaps=yes
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
# Group pre-shared key (from /etc/ipsec.d/*.secrets). Every client shares
# the same secret, so whoever obtains it can impersonate the server and
# sit in the middle; the only per-user check left is MS-CHAPv2 inside
# the tunnel. Keep the PSK long and random.
authby=secret
# NOTE(review): pfs=no disables Perfect Forward Secrecy for the child SA.
# It is commonly set for Windows/macOS/iOS L2TP client compatibility;
# confirm your clients actually need it before keeping it.
pfs=no
# Load the conn and wait for clients; never initiate towards %any.
auto=add
keyingtries=3
# This side does not start rekeying; it relies on the client doing so.
rekey=no
ikelifetime=8h
keylife=1h
type=transport
# This host's address on the interface that receives IKE (UDP 500/4500).
# In this layout it happens to be the same 192.168.10.9 that xl2tpd uses as
# "local ip", but it must be an address configured on a real NIC, not a
# PPP address. "left=%defaultroute" avoids hard-coding it.
left=192.168.10.9
leftprotoport=17/1701
# Any client address, any client source port.
right=%any
rightprotoport=17/%any
# NOTE(review): there are no ike=/esp= lines, so libreswan's built-in
# defaults choose the algorithms. Pin them explicitly (e.g. AES-256 with
# SHA-2 and modp2048) once you know what your clients support -- TODO
# confirm client compatibility before changing.
8、配置預共享密鑰 PSK(請使用足夠長的隨機字串,不要使用可猜測的密碼;所有用戶端共用此密鑰,並將 secrets 檔案權限設為 600)
#vim /etc/ipsec.d/default.secrets
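# /etc/ipsec.d/default.secrets -- group pre-shared key for right=%any.
# A line with no index before ":" applies to every peer. All clients know
# this single secret, so it is the only thing between the Internet and the
# MS-CHAPv2 exchange: use a long random value, never a memorable password.
#   generate:  openssl rand -base64 32
#   protect:   chmod 600 /etc/ipsec.d/default.secrets
: PSK "REPLACE_WITH_A_LONG_RANDOM_SECRET"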
9、編輯xl2tpd配置檔案
#vim /etc/xl2tpd/xl2tpd.conf
# xl2tpd: the L2TP network server that hands each session to pppd.
[lns default]
# Addresses handed out to clients. They sit inside the server's own LAN
# (192.168.10.0/24), which is why options.xl2tpd enables proxyarp.
ip range = 192.168.10.10-192.168.10.100
# Server-side PPP address; here the same address as the LAN interface.
local ip = 192.168.10.9
# PPP authentication is mandatory and PAP (cleartext password) is refused;
# options.xl2tpd narrows this further to MS-CHAPv2 only.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
# NOTE(review): "ppp debug = yes" together with "debug" in options.xl2tpd
# writes verbose negotiation detail to /var/log/xl2tpd.log; turn both off
# once clients connect reliably.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
10、編輯pppoptfile檔案
#vim /etc/ppp/options.xl2tpd
# pppd options used by xl2tpd (pppoptfile). Comments are kept on their own
# lines so pppd never sees them as option words.
# Accept the peer's idea of this host's PPP address.
ipcp-accept-local
# NOTE(review): ipcp-accept-remote lets the client keep an address of its
# own choosing instead of the pool address xl2tpd assigned; combined with
# the "*" IP column in chap-secrets nothing stops one user from claiming
# another pool address. Consider removing it if per-client addresses matter
# -- TODO confirm your clients still negotiate without it.
ipcp-accept-remote
# DNS pushed to clients: the internal resolver first, then a public one.
ms-dns 192.168.10.3
ms-dns 114.114.114.114
# Local name used for PPP authentication (the "server" column of
# chap-secrets; that column is "*" there, so any name matches).
name xl2tpd
#noccp
# Require the peer to authenticate.
auth
#crtscts
# Drop the link after 30 minutes without traffic.
idle 1800
# Leave room for the L2TP/UDP/IPsec encapsulation overhead.
mtu 1410
mru 1410
# Never let a client's IPCP replace this host's default route.
nodefaultroute
# NOTE(review): debug logs every control packet to the logfile below;
# switch it off once the tunnel works.
debug
#lock
# Answer ARP on the LAN for client addresses: the pool lives inside the
# server's own 192.168.10.0/24, so the LAN reaches clients through this host.
proxyarp
connect-delay 5000
# Only MS-CHAPv2 is accepted. MS-CHAPv2 is known to be breakable offline
# from a captured exchange, so user authentication is only as strong as the
# IPsec layer (and therefore the PSK) that hides it.
refuse-pap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
11、配置撥號使用者名稱和密碼(/etc/ppp/chap-secrets 以明文儲存密碼,檔案權限應為 600,且每個使用者應使用足夠長的隨機密碼)
vim /etc/ppp/chap-secrets
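# /etc/ppp/chap-secrets -- one line per VPN user.
# columns:  client  server  secret  allowed-ip
#   client     : PPP user name the client sends
#   server     : the local name pppd authenticates as ("name xl2tpd" in
#                options.xl2tpd); "*" matches any name
#   secret     : the user's password, stored in CLEAR TEXT (CHAP needs it
#                that way), so this file must be root-only:
#                chmod 600 /etc/ppp/chap-secrets
#   allowed-ip : address(es) this user may use; "*" = no restriction
# Use a long random password per user, not a short memorable one.
aliyunvip * REPLACE_WITH_USER_PASSWORD *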
12、配置CentOS7 防火牆
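# Firewall (firewalld, CentOS 7).
# The "ipsec" service already covers IKE on udp/500, IKE NAT-T on udp/4500
# and the ah/esp protocols, so udp/4500 needs no separate --add-port.
firewall-cmd --permanent --add-service=ipsec
# Accept L2TP (udp/1701) only when the packet arrived inside an IPsec SA.
# Plain, unencrypted L2TP from the Internet then falls through to the
# zone's default reject. Direct rules run before the zone rules, so the
# former --add-port=1701/udp must NOT be added alongside this.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
  -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
# NAT VPN clients out through this host. Masquerade applies to every packet
# leaving the default zone; if clients only need the local LAN, the proxyarp
# in options.xl2tpd already covers that and this line can be dropped.
firewall-cmd --permanent --add-masquerade
# Activate the permanent configuration.
firewall-cmd --reload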
13、修改核心參數
#vim /etc/sysctl.conf
# Kernel settings that libreswan's "ipsec verify" checks; load with sysctl -p.
# Route packets between the PPP links and the LAN / Internet.
net.ipv4.ip_forward = 1
# Neither accept nor send ICMP redirects: a router must not let a peer
# rewrite its routes, and "ipsec verify" flags both settings.
net.ipv4.conf.all.accept_redirects = 0
# Reverse-path filtering is switched off because IPsec-decapsulated packets
# look as if they arrived on the "wrong" interface. NOTE(review): this
# disables anti-spoofing on every interface; if only the external and ppp
# interfaces need it, set it per interface instead of all/default -- TODO
# verify "ipsec verify" still passes.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
#sysctl -p #修改核心生效
14、啟動ipsec服務
#systemctl enable ipsec # 設為開機自動啟動
#systemctl start ipsec # 開啟服務
#systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2019-10-25 17:28:56 CST; 3 days ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Main PID: 8831 (pluto)
Status: "Startup completed."
CGroup: /system.slice/ipsec.service
└─8831 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
15、檢查ipsec狀态
#ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-862.2.3.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
16、啟動xl2tp
#systemctl enable xl2tpd #設定自啟動
#systemctl start xl2tpd #啟動xl2tp