
Deploying L2TP over IPSec on CentOS 6.5
Author: QQ:86698456   Hits:   Added: 2017-03-15

 

I. Environment:
  1. CentOS 6.5 (two NICs are required if it is to act as a soft router; a single NIC is enough if it only serves VPN)
    a. External IP: 192.168.0.133/24    b. Internal IP: 10.10.10.1/8
 
  2. One Windows 10 host on the internal network, used as a test client for the soft router;
    a. Internal IP: 10.10.10.10/8
 
II. Network tests before starting:
  1. On CentOS 6.5 (hereafter VPN-Server):
    a. Test that the external network is reachable:
# ping www.baidu.com
    b. Test the internal network:
# ping 10.10.10.10
  2. On Windows 10 (hereafter Client):
    a. Test that VPN-Server is reachable:
# ping 10.10.10.1
    b. Test whether the Internet is reachable (it is not, at this point):
# ping www.baidu.com
 
III. Installation and deployment:
  The following steps are all performed on VPN-Server:
  1. Install the EPEL repository:
# cd /etc/yum.repos.d/
# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# yum -y install epel-release
  2. Install the required packages (openswan, ppp, xl2tpd):
    openswan: provides the IPSec encryption
    ppp: provides password authentication
    xl2tpd: provides the L2TP VPN service
# yum -y install openswan ppp xl2tpd
  3. Edit the ipsec configuration file:
# cd /etc/ipsec.d/
# ls ./*.conf|xargs -I {} mv {} {}.bak
# vim L2TP.conf
 
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
  
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.133
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
  
  4. Configure the ipsec pre-shared key:
# vim /etc/ipsec.d/L2TP.secrets
 
192.168.0.133 %any: PSK "YourPsk"
  Note: the IP is your server's external IP; replace "YourPsk" with the pre-shared key you want to use.
 
 
  5. Enable IP forwarding:
 
# vim /etc/sysctl.conf
 
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
 
# sysctl -p
 
 
  6. Verify that ipsec is running:
 
# service ipsec start
# ipsec verify
 
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
  Note: as long as nothing is reported as FAILED, you are fine.
  
    Error 1:
Starting pluto IKE daemon for IPsec: Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
 
certutil - Utility to manipulate NSS certificate databases
 
Usage:  certutil <command> -d <database-directory> <options>
 
Valid commands:
-A              Add a certificate to the database        (create if needed)
-B              Run a series of certutil commands from a batch file
-E              Add an Email certificate to the database (create if needed)
-C              Create a new binary certificate from a BINARY cert request
-G              Generate a new key pair
-D              Delete a certificate from the database
-F              Delete a key from the database
-U              List all modules
-K              List all private keys
-L              List all certs, or print out a single named cert
-M              Modify trust attributes of certificate
-N              Create a new certificate database
-T              Reset the Key database or token
-O              Print the chain of a certificate
-R              Generate a certificate request (stdout)
-V              Validate a certificate
-W              Change the key database password
--upgrade-merge Upgrade an old database and merge it into a new one
--merge         Merge source database into the target database
-S              Make a certificate and add to database
 
certutil -H <command> : Print available options for the given command
certutil -H : Print complete help output of all commands and options
certutil --syntax : Print a short summary of all commands and options
Failed to initialize nss database sql:/etc/ipsec.d
.Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
 
Failed to initialize nss database sql:/etc/ipsec.d
....                                                       [FAILED]
 
    Solution:
# certutil -N -d /etc/ipsec.d
#  ipsec newhostkey --configdir /etc/ipsec.d/  --output /etc/ipsec.d/keys.secrets --bits 2192
 
    Error 2:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                           [OK]
 SAref kernel support                                         [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects             [FAILED]
 
  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!
 
NETKEY detected, testing for disabled ICMP accept_redirects  [FAILED]
 
  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!
 
Checking that pluto is running                                [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                         [OK]
Checking for 'ip' command                                     [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                              [DISABLED]
 
    Solution:
# vim /etc/sysctl.conf
 
Add the following anywhere in the file:
 
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
 
# sysctl -p
 
# ipsec verify
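The two checks below are an added example and not part of the original article. The first validates a sysctl.conf-style file against the forwarding and ICMP-redirect keys of step 5 (the ones that produce error 2 when missing), so the problem is caught before `sysctl -p`; the second scans `ipsec verify` output for lines marked [FAILED], which is the condition the note after step 6 says must not appear. The function names, the REQUIRED_SYSCTL list and the sample inputs in the comments are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original article: a pre-flight check for the
# sysctl settings of step 5 (the ones "ipsec verify" reports as FAILED in
# error 2), plus a helper that scans "ipsec verify" output for FAILED lines.
# Usage:
#   check_sysctl_conf /etc/sysctl.conf
#   ipsec verify 2>&1 | ipsec_verify_ok

# Keys and values the article requires (the IPsec-critical subset).
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0"

# Prints one MISSING/WRONG line per problem; returns 0 only when all keys are set.
check_sysctl_conf() {
    file="$1"
    rc=0
    for want in $REQUIRED_SYSCTL; do
        key="${want%%=*}"
        val="${want#*=}"
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
        # Commented lines never match; the last assignment wins, as with sysctl -p.
        got=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
        if [ -z "$got" ]; then
            echo "MISSING $key (want $val)"
            rc=1
        elif [ "$got" != "$val" ]; then
            echo "WRONG   $key=$got (want $val)"
            rc=1
        fi
    done
    return $rc
}

# Reads "ipsec verify" output on stdin; prints the names of checks marked
# [FAILED] and returns 1 if there were any, 0 otherwise.
ipsec_verify_ok() {
    failed=$(grep '\[FAILED\]' | sed 's/^[[:space:]]*//; s/[[:space:]]*\[FAILED\].*$//')
    [ -z "$failed" ] && return 0
    printf '%s\n' "$failed"
    return 1
}
```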
  
  7. Edit /etc/xl2tpd/xl2tpd.conf
 
# vim /etc/xl2tpd/xl2tpd.conf
 
[global]
ipsec saref = yes
listen-addr = 192.168.0.133
[lns default]
ip range = 10.10.10.100-10.10.10.200
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = y
 
  8. Edit /etc/ppp/options.xl2tpd
 
# vim /etc/ppp/options.xl2tpd
 
require-mschap-v2
ms-dns 223.5.5.5
ms-dns 114.114.114.114
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
 
 
  9. Edit /etc/ppp/chap-secrets (this file holds the VPN user names and passwords)
# vim /etc/ppp/chap-secrets
 
# Secrets for authentication using CHAP
# client        server    secret                  IP addresses
    admin         *         admin                    *
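As an added example that is not part of the original article: a small audit of the two secret files created in step 4 (/etc/ipsec.d/L2TP.secrets) and step 9 (/etc/ppp/chap-secrets). It flags the article's sample values, a PSK still set to the placeholder "YourPsk" and a CHAP entry whose password equals the user name with a wildcard client IP, so they are replaced before the server is exposed. The function names and the PSK_MIN_LEN threshold are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): audit the secret files the
# article creates, /etc/ipsec.d/L2TP.secrets (step 4) and
# /etc/ppp/chap-secrets (step 9), before exposing the server.
# Usage: audit_psk_file /etc/ipsec.d/L2TP.secrets; audit_chap_secrets /etc/ppp/chap-secrets

PSK_MIN_LEN=20   # assumption: minimum acceptable pre-shared key length

# Prints one finding per line for a chap-secrets file; returns 1 if any.
# Fields are: client  server  secret  IP-addresses (comments stripped first).
audit_chap_secrets() {
    found=$(sed 's/#.*//' "$1" | awk 'NF >= 3 {
        client=$1; secret=$3; ip=$4
        gsub(/"/, "", secret)
        if (secret == client)   printf "weak-secret user=%s secret equals user name\n", client
        if (length(secret) < 8) printf "short-secret user=%s\n", client
        if (ip == "*" || ip == "") printf "wildcard-ip user=%s any client IP accepted\n", client
    }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Prints findings for an ipsec PSK secrets file; returns 1 if any.
audit_psk_file() {
    found=$(sed 's/#.*//' "$1" | awk -v min="$PSK_MIN_LEN" '/PSK/ {
        match($0, /"[^"]*"/); psk=substr($0, RSTART+1, RLENGTH-2)
        if (psk == "YourPsk") print "placeholder-psk the article default is still in place"
        else if (length(psk) < min) printf "short-psk length=%d min=%d\n", length(psk), min
    }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```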
 
 
  10. Start the services:
# service xl2tpd start
# service ipsec start
  
  11. iptables rules:
 
 
# iptables -A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 1701 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 4500 -j ACCEPT
# iptables -I INPUT -p esp -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart
 
  Example of the resulting iptables rules:
# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [12:720]
:OUTPUT ACCEPT [25:2380]
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
COMMIT
# Completed on Tue Jan 19 06:18:56 2016
# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*nat
:PREROUTING ACCEPT [55:8845]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
COMMIT
# Completed on Tue Jan 19 06:18:56 2016
 
 
  This completes the deployment of VPN-Server. Check on the Client that the Internet is now reachable, then dial in from another location to confirm the VPN works. Good luck!