xl2tp backup notes
程序员文章站
2022-07-09 22:18:04
Update 2019-09-24:
Note: firewalld and NetworkManager must both be enabled and running:
systemctl enable firewalld
systemctl enable NetworkManager
systemctl start firewalld
systemctl start NetworkManager
Otherwise you get errors such as "state change: unmanaged -> unavailable (reason 'connection-assumed')".
The AWS public IP is 13.231.152.*; the VPC-internal network is 172.31.39.*.
Script used after changing the configuration:
#!/bin/sh
# NAT for outbound traffic, then restart both daemons
iptables -t nat -A POSTROUTING -s 172.31.39.0/24 -o eth0 -j MASQUERADE
systemctl restart ipsec
systemctl restart xl2tpd
#cat /proc/sys/net/ipv4/ip_forward
#firewall-cmd --permanent --add-service=ipsec
#firewall-cmd --permanent --add-port=1701/udp
#firewall-cmd --permanent --add-port=4500/udp
#firewall-cmd --permanent --add-masquerade
#firewall-cmd --reload
#firewall-cmd --permanent --add-port=5060/tcp
Note that the pool xl2tpd.conf hands out to clients (step 6 below) is 172.100.1.100-172.100.1.150, so a rule with -s 172.31.39.0/24 only masquerades the VPC subnet itself, not VPN client traffic. Client traffic works here because firewall-cmd --add-masquerade from step 12 masquerades every source leaving the zone; if you rely on the iptables rule alone, its source must be the client pool.
iOS: configure as follows.
On a Mac there is no need for xl2tp; use SSH directly as a SOCKS proxy:
ssh -o TCPKeepAlive=yes -qTfnN -D 0.0.0.0:7070 root@13.231.152.*
In Chrome, point SwitchyOmega at local port 7070.
Caveat: -D 0.0.0.0:7070 binds the SOCKS listener on every interface, so any host that can reach the Mac gets an unauthenticated proxy into the server's network. Bind to 127.0.0.1:7070 unless other machines genuinely need it.
Then follow the steps from
http://blog.csdn.net/kitvv/article/details/50696585 (that page no longer exists, so the steps are reproduced below).
Password: the one configured in
/etc/ppp/chap-secrets
i.e. the third field of
root * pass *
This is the PPP login, NOT the real root password!
Pre-shared key: the PSK configured in
/etc/ipsec.d/default.secrets
as
: PSK "a long random secret goes here"
(the PSK must be long and random; every client shares it)
UDP ports cannot be checked with telnet; use
nc -vuz 13.231.152.* 1701
Caveat: nc -uz reports a UDP port as open merely because no ICMP port-unreachable came back, so a port dropped by a firewall or an AWS security group also looks open. For an L2TP/IPsec server the ports that must answer are IKE on 500/udp and 4500/udp; the ipsec verify output in step 14 confirms pluto is listening on them.
How L2TP works: http://www.h3c.com/cn/d_200805/605932_30003_0.htm
############################################################
Setting up an L2TP VPN on CentOS 7
1. First check whether the host supports MPPE (ppp-compress-18 is the module alias for ppp_mppe; this is the check tutorials use for PPTP). If it prints yes, it passes.
modprobe ppp-compress-18 && echo yes
2. Check whether TUN is enabled (some VPS providers have to turn it on). If it returns cat: /dev/net/tun: File descriptor in bad state, it passes.
cat /dev/net/tun
It may not exist on VMs and on AWS; it can be ignored, since L2TP/IPsec uses ppp devices rather than tun.
3. Update the system before installing (there is no package named update, so only the second command is needed):
yum update -y
4. Install the EPEL repository (xl2tpd has been removed from the official CentOS 7 repositories)
yum install -y epel-release
5. Install xl2tpd and libreswan (openswan is no longer maintained)
yum install -y xl2tpd libreswan lsof
6. Edit the xl2tpd configuration file
vim /etc/xl2tpd/xl2tpd.conf
Change it to:
[global]

[lns default]
; address pool handed out to clients
ip range = 172.100.1.100-172.100.1.150
local ip = 172.100.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
7. Edit the pppoptfile
vim /etc/ppp/options.xl2tpd
Change it to:
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
name xl2tpd
#noccp
auth
#crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#lock
proxyarp
connect-delay 5000
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
#logfile /var/log/xl2tpd.log
8. Edit the ipsec configuration file
vim /etc/ipsec.conf
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
This is close to, but not the same as, the shipped default: libreswan's stock ipsec.conf lists %v4:192.168.0.0/16 and %v4:172.16.0.0/12 (the RFC 1918 blocks) instead of 172.100.0.0/12. 172.100.0.0/12 is not on a /12 boundary (the /12 containing it is 172.96.0.0/12), and dropping 192.168.0.0/16 leaves out the most common home-LAN range for clients behind NAT, so prefer the stock list.
9. Edit the conn file pulled in by the include
vim /etc/ipsec.d/l2tp-ipsec.conf
Change it to:
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.31.39.212
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Notes:
left=172.31.39.212 is the server/VPS address. On a VPS or AWS instance that has only eth0 with a private address (the public IP is 1:1 NAT by the provider), put the private address here and enable forwarding and NAT in the kernel; on releases before CentOS 7 define the forwarding rules with iptables.
leftprotoport=17/1701 and rightprotoport=17/%any restrict the transport-mode SA to UDP 1701 (L2TP) from any client port.
right=%any accepts any client address, so the PSK is the only thing standing between the Internet and xl2tpd's CHAP login.
10. Set username and password
vim /etc/ppp/chap-secrets
Contents:
root * pass *
This is the PPP login, not a system user's password.
Format: username[space]service[space]password[space]assigned IP; * means any server name / any IP. The secrets are stored in clear text, so keep the file mode 600 (pppd warns when it is group- or world-readable).
11. Set the PSK
vim /etc/ipsec.d/default.secrets
: PSK "testvpn"
"testvpn" is only a placeholder. Every client shares this one secret and right=%any accepts any peer, so use a long random string; ipsec verify (step 14) flags any PSK as weak regardless of length, which is a reason to keep it long and random, not a check to satisfy.
12. CentOS 7 firewall settings (iptables on older releases)
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
The ipsec service already covers 500/udp, 4500/udp, ESP and AH, so the 4500/udp line is redundant. Opening 1701/udp unconditionally also lets unencrypted L2TP from anywhere reach xl2tpd; legitimate clients' L2TP packets arrive inside ESP and only meet this rule after decapsulation, so the tighter rule is to accept 1701/udp only for packets that matched an IPsec policy (iptables -m policy --dir in --pol ipsec).
13. IP_FORWARD settings
vim /etc/sysctl.d/60-sysctl_ipsec.conf
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0
Make sure net.ipv4.ip_forward = 1 is in effect. Apply the file with sysctl --system (or reboot); restarting the network service alone does not reload sysctl files:
systemctl restart network
sysctl --system
Keys for interfaces that do not exist yet (eth1, eth2, ip_vti0, ppp0 before a client connects) only produce "No such file or directory" messages and can be left out; the all/default entries are what libreswan checks.
14. Start and check ipsec
systemctl enable ipsec
systemctl restart ipsec
Check: ipsec verify
Normal output:
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.12.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OBSOLETE]
 003 WARNING: using a weak secret (PSK)
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]
15. Start xl2tpd
systemctl enable xl2tpd
systemctl restart xl2tpd
Configure the iOS client and connect.
Watch the log:
tailf /var/log/messages
(tailf has been removed from newer util-linux; tail -f /var/log/messages is equivalent.)
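As an added example (not code from the original post or from the xl2tpd/libreswan projects), the following bash script checks the files edited in steps 6 to 13 for the mistakes the notes above warn about: a placeholder PSK, a world-readable chap-secrets, a NAT rule whose source is the VPC subnet instead of the client pool, and the forwarding sysctls. It assumes the CentOS 7 paths used in the tutorial, GNU sed/stat, that the client pool fits in one /24, and a hypothetical file nat.sh standing for the NAT script from the update note. With CFG_ROOT unset it builds a constructed copy of the tutorial's own files in a temporary directory so it runs offline; CFG_ROOT=/ checks a real server.

```shell
#!/bin/bash
# Pre-flight check for an xl2tpd + libreswan L2TP/IPsec server (CentOS 7 paths).
# Added example, not code from the original post. With CFG_ROOT unset it builds
# a constructed copy of the tutorial's files in a temp dir; CFG_ROOT=/ checks a
# real host. Assumes GNU sed/stat and that the client pool fits in one /24.

# Network of the 'ip range' pool in xl2tpd.conf (assumption: pool is inside a /24).
pool_network() {
    local start
    start=$(sed -n 's/^[[:space:]]*ip range[[:space:]]*=[[:space:]]*\([0-9.]*\)-.*/\1/p' "$1")
    [ -n "$start" ] || return 1
    printf '%s.0/24\n' "${start%.*}"
}

# First PSK in an ipsec secrets file (the ': PSK "..."' line).
psk_value() {
    sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Value of sysctl key $2 in file $1; the last definition wins, as sysctl does.
sysctl_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# The MASQUERADE rule in script $1 must use the client pool $2 as its source;
# a rule on the VPC subnet (172.31.39.0/24 in the notes) gives clients no NAT.
check_nat_covers_pool() {
    grep -Eq -- "-s[[:space:]]+$2[[:space:]].*-j[[:space:]]+MASQUERADE" "$1"
}

# Every client shares this secret, so require a minimum length (default 20).
check_psk_strength() {
    local psk
    psk=$(psk_value "$1")
    [ "${#psk}" -ge "${2:-20}" ]
}

# chap-secrets holds PPP passwords in clear: mode 600, and every entry must be
# 'user service secret ip' (4 fields, the format the tutorial uses).
check_chap_secrets() {
    local mode
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = "600" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | awk 'BEGIN { bad = 0 } NF != 4 { bad = 1 } END { exit bad }'
}

# Forwarding on and rp_filter off, as libreswan's ipsec verify expects.
check_forwarding() {
    [ "$(sysctl_value "$1" net.ipv4.ip_forward)" = "1" ] &&
    [ "$(sysctl_value "$1" net.ipv4.conf.all.rp_filter)" = "0" ] &&
    [ "$(sysctl_value "$1" net.ipv4.conf.default.rp_filter)" = "0" ]
}

gen_psk() {    # 48 hex characters from the kernel CSPRNG
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

install_psk() {    # write $2 as the PSK in secrets file $1, root-only
    printf ': PSK "%s"\n' "$2" > "$1" && chmod 600 "$1"
}

run_check() {    # run_check LABEL CMD ARGS... ; prints PASS/FAIL, returns 1 on FAIL
    local label="$1"; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

report() {    # run all checks under root $1; returns the number of failures
    local root="$1" pool fails=0
    pool=$(pool_network "$root/etc/xl2tpd/xl2tpd.conf") || pool="?"
    run_check "client pool parsed from xl2tpd.conf ($pool)" test "$pool" != "?" || fails=$((fails + 1))
    run_check "NAT rule masquerades the client pool" check_nat_covers_pool "$root/nat.sh" "$pool" || fails=$((fails + 1))
    run_check "PSK is at least 20 characters" check_psk_strength "$root/etc/ipsec.d/default.secrets" 20 || fails=$((fails + 1))
    run_check "chap-secrets is mode 600 with 4-field entries" check_chap_secrets "$root/etc/ppp/chap-secrets" || fails=$((fails + 1))
    run_check "ip_forward=1 and rp_filter=0" check_forwarding "$root/etc/sysctl.d/60-sysctl_ipsec.conf" || fails=$((fails + 1))
    return "$fails"
}

# Constructed copy of the tutorial's files, including its weak spots
# (placeholder PSK, NAT on the wrong subnet) and a world-readable chap-secrets.
make_sample_config() {
    local root="$1"
    mkdir -p "$root/etc/xl2tpd" "$root/etc/ppp" "$root/etc/ipsec.d" "$root/etc/sysctl.d"
    printf '[global]\n[lns default]\nip range = 172.100.1.100-172.100.1.150\nlocal ip = 172.100.1.1\n' \
        > "$root/etc/xl2tpd/xl2tpd.conf"
    printf 'root * pass *\n' > "$root/etc/ppp/chap-secrets"
    chmod 644 "$root/etc/ppp/chap-secrets"
    printf ': PSK "testvpn"\n' > "$root/etc/ipsec.d/default.secrets"
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\n' \
        > "$root/etc/sysctl.d/60-sysctl_ipsec.conf"
    printf 'iptables -t nat -A POSTROUTING -s 172.31.39.0/24 -o eth0 -j MASQUERADE\n' > "$root/nat.sh"
}

if [ -z "${CFG_ROOT:-}" ]; then
    CFG_ROOT=$(mktemp -d)
    make_sample_config "$CFG_ROOT"
fi
report "$CFG_ROOT" || echo "$? check(s) failed; a fresh PSK would be: $(gen_psk)"
```

Run as-is it reports three failures against the tutorial's own files (NAT on 172.31.39.0/24, the PSK testvpn, chap-secrets mode 644) and prints a random PSK to paste into default.secrets; after fixing those, CFG_ROOT=/ on the server after step 13 should report every check as PASS before ipsec and xl2tpd are started.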