aws搭建xl2tp给iphone使用
2019年12月26日
可以参考原来的配置
https://haoningabc.iteye.com/blog/2147783
有点太乱了,重新整理,客户端的配置可以参考上面的
aws申请免费vm搭建自己的呵呵哒
最后有个关键操作
iptables -t nat -A POSTROUTING -s 172.31.39.0/24 -o eth0 -j MASQUERADE
如果自己vm的内网ip是172.31.39.123
在aws的redhat7.6上
参考
#######https://blog.csdn.net/kitvv/article/details/50696585
https://www.linuxprobe.com/centos7-install-l2tp.html
yum install -y epel-release 通不过
cat /etc/xl2tpd/xl2tpd.conf
cat /etc/ppp/options.xl2tpd
crtscts 和lock 在启动的时候报错所以去掉了
加了
name xl2tpd
#noccp
#比原来默认的配置多了这几项
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
开始查看log时,如果这里没有日志,可以先去看/var/log/messages
cat /etc/ipsec.conf
注释掉了# plutodebug=none
加了
protostack=netkey
dumpdir=/var/run/pluto/
virtual_private 里面的172.100.0.0
对应
/etc/xl2tpd/xl2tpd.conf 中的ip range
cat /etc/ipsec.d/l2tp-ipsec.conf
left 为:
#service/VPS的外网地址,某些vps只有eth0一块网卡的,
#就填内网地址,内核开启nat转发就可以了,
#CentOS7以下的用iptables定义转发规则
[root@aws ~]# cat /etc/ppp/chap-secrets
[root@aws ~]# cat /etc/ipsec.d/default.secrets
[root@aws ~]# cat /etc/sysctl.d/60-sysctl_ipsec.conf
重启网络
systemctl restart network
安装配置防火墙
systemctl enable ipsec
systemctl enable xl2tpd
最后不要忘了最开始提到的那条 iptables 规则
可以参考原来的配置
https://haoningabc.iteye.com/blog/2147783
有点太乱了,重新整理,客户端的配置可以参考上面的
aws申请免费vm搭建自己的呵呵哒
最后有个关键操作
iptables -t nat -A POSTROUTING -s 172.31.39.0/24 -o eth0 -j MASQUERADE
如果自己vm的内网ip是172.31.39.123
在aws的redhat7.6上
参考
#######https://blog.csdn.net/kitvv/article/details/50696585
https://www.linuxprobe.com/centos7-install-l2tp.html
直接 yum install -y epel-release 通不过,所以改用下面的 rpm 方式安装 epel
# Install EPEL from the release RPM (the plain `yum install -y epel-release` did not work on this host).
# NOTE(review): the RPM is fetched over HTTPS but its signature is not checked before installation;
# `rpm -K epel-release-latest-7.noarch.rpm` verifies it once the EPEL signing key is trusted — confirm.
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install epel-release-latest-7.noarch.rpm
# xl2tpd = L2TP daemon, libreswan = IPsec; lsof is included presumably for troubleshooting listening ports.
yum install -y xl2tpd libreswan lsof
cat /etc/xl2tpd/xl2tpd.conf
[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
; Address pool handed to PPP clients and the server-side PPP address.
; NOTE(review): 172.100.0.0/16 is NOT RFC 1918 space (the private 172.x block is 172.16.0.0/12),
; so this pool overlaps publicly routed addresses; a 10.x or 172.16-31.x pool avoids that clash.
ip range = 172.100.1.100-172.100.1.150
local ip = 172.100.1.1
; CHAP is mandatory and PAP is refused; the exact auth method is narrowed further in /etc/ppp/options.xl2tpd.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
; PPP negotiation debugging is on; noisy, so consider turning it off once the tunnel works.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
cat /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients (Google public DNS); the commented 172.31.0.2 looks like the VPC resolver — confirm.
ms-dns 8.8.8.8
#ms-dns 172.31.0.2
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# Server name that must match the "server" column in /etc/ppp/chap-secrets (or "*").
name xl2tpd
#noccp
auth
# crtscts and lock were removed because pppd reported errors on startup with them (author's note).
#crtscts
# Drop the link after 1800 s without traffic.
idle 1800
# 1410 presumably leaves headroom for the L2TP/IPsec encapsulation overhead — confirm for your path MTU.
mtu 1410
mru 1410
nodefaultroute
debug
#lock
proxyarp
connect-delay 5000
# Only MS-CHAPv2 is accepted; PAP, CHAP and MS-CHAPv1 are refused.
# MS-CHAPv2 on its own is weak, so this relies on the IPsec layer protecting the L2TP traffic.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
# pppd log with debug enabled; check that this file is not world-readable, as it records client usernames.
logfile /var/log/xl2tpd.log
crtscts 和lock 在启动的时候报错所以去掉了
加了
name xl2tpd
#noccp
#比原来默认的配置多了这几项
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
开始查看log时,如果这里没有日志,可以先去看/var/log/messages
cat /etc/ipsec.conf
config setup
    # Normally, pluto logs via syslog.
    #logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Added by the author: use the kernel (netkey) IPsec stack and the pluto dump directory.
    protostack=netkey
    dumpdir=/var/run/pluto/
    # plutodebug=none
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to 2015)
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    # NOTE(review): compared with the stock line above, 192.168.0.0/16 and 172.16.0.0/12 were replaced by 172.100.0.0/12.
    # 172.100.0.0/12 is not a private range, and clients behind a 192.168.x.x or 172.16-31.x home NAT may no longer
    # match virtual_private; verify against the libreswan documentation before relying on this change.
    virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
注释掉了# plutodebug=none
加了
protostack=netkey
dumpdir=/var/run/pluto/
virtual_private 里面的172.100.0.0
对应
/etc/xl2tpd/xl2tpd.conf 中的ip range
cat /etc/ipsec.d/l2tp-ipsec.conf
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    # Dead-peer detection: probe every 10 s, give up after 20 s and clear the SA.
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    # Force UDP encapsulation so the tunnel survives NAT on either side (the AWS VM itself sits behind NAT).
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # Pre-shared-key authentication: every client uses the same PSK from /etc/ipsec.d/default.secrets.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Transport mode: only the L2TP UDP/1701 traffic between the two peers is protected.
    type=transport
    # "left" is the VM's internal address; on a single-NIC VPS the public address is mapped to it (author's note).
    left=172.31.39.212
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # NOTE(review): no ike= / phase2alg= is set, so the installed libreswan's defaults decide the cipher suite;
    # confirm they are acceptable for the iOS clients before exposing the server.
left 为:
#service/VPS的外网地址,某些vps只有eth0一块网卡的,
#就填内网地址,内核开启nat转发就可以了,
#CentOS7以下的用iptables定义转发规则
[root@aws ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client	server	secret			IP addresses
# NOTE(review): "haha" is a trivially guessable secret, and "*" in the server and IP columns accepts any
# server name and any client address; use a long random secret before putting the server on the internet.
root * haha *
[root@aws ~]# cat /etc/ipsec.d/default.secrets
# NOTE(review): this PSK is shared by every L2TP/IPsec client and "testvpn" is a weak, guessable value;
# replace it with a long random string and rotate it whenever a client device is lost.
: PSK "testvpn"
[root@aws ~]# cat /etc/sysctl.d/60-sysctl_ipsec.conf
# Forwarding is required so the VM can route traffic on behalf of the PPP clients.
net.ipv4.ip_forward = 1
# Per interface: do not accept or send ICMP redirects, and disable reverse-path filtering.
# rp_filter=0 is presumably needed because the IPsec/L2TP path is asymmetric relative to the routing
# table (libreswan's `ipsec verify` flags these settings) — confirm.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
# eth1/eth2/ip_vti0/ppp0 entries only take effect for interfaces that exist when sysctl runs.
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0
重启网络
systemctl restart network
安装配置防火墙
# Install and enable firewalld, then open the VPN ports.
yum install firewalld
systemctl enable firewalld
systemctl status firewalld
# firewalld's "ipsec" service covers IKE (500/udp), NAT-T (4500/udp) and the AH/ESP protocols.
firewall-cmd --permanent --add-service=ipsec
# NOTE(review): opening 1701/udp to everyone makes L2TP reachable without the IPsec layer, which leaves
# only MS-CHAPv2 protecting the login; restricting 1701/udp to IPsec-protected traffic (e.g. an iptables
# rule with `-m policy --pol ipsec`) avoids that — confirm it fits your firewalld setup.
firewall-cmd --permanent --add-port=1701/udp
# 4500/udp is already part of the ipsec service; adding it again is harmless.
firewall-cmd --permanent --add-port=4500/udp
# Masquerade forwarded traffic leaving the zone (this may already cover what the final iptables rule does).
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
systemctl enable ipsec
systemctl enable xl2tpd
# Restart both daemons so the new configuration is loaded; ipsec first, then xl2tpd (order kept from the original).
systemctl restart ipsec
systemctl restart xl2tpd
最后不要忘了最开始提到的那条 iptables 规则
# NAT traffic from 172.31.39.0/24 leaving through eth0.
# NOTE(review): 172.31.39.0/24 is the VM's own subnet, not the L2TP client pool (172.100.1.x from xl2tpd.conf),
# so this rule does not appear to match client traffic; if it is meant to NAT the VPN clients, -s should
# cover the pool. The firewalld masquerade added earlier may already handle it — confirm before relying on this.
iptables -t nat -A POSTROUTING -s 172.31.39.0/24 -o eth0 -j MASQUERADE