
xl2tp redhat8

#######
例子

################# snat原理:https://blog.csdn.net/jk110333/article/details/8229828


aws:
eth0:172.31.33.238

ppp0:192.168.3.99---------172.17.0.13


tx:
eth0: 172.17.0.13

ppp0: 172.17.0.13-------- 192.168.3.99

ppp1:192.168.2.99---------192.168.2.128

手机 192.168.2.128

tx:
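# On tx: source-NAT the phone's LAN (192.168.2.0/24, reached via ppp1) onto the
# tunnel towards aws (ppp0), then send all other traffic through that tunnel.
# Check (-C) before appending: re-running these notes otherwise stacks duplicate
# MASQUERADE rules in the nat table.
iptables -t nat -C POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE

route add default dev ppp0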



#iptables -t nat -A POSTROUTING -s 192.168.3.0/24  -o ppp1  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o ppp0  -j MASQUERADE


#iptables -t nat -A POSTROUTING -s 192.168.2.0/20  -o ppp0  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.3.0/24  -o ppp0  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o eth0  -j MASQUERADE

aws:
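# On aws: source-NAT what arrives from the tx end of the tunnel (172.17.0.x, the
# peer address on ppp0) out of eth0.
# Fix: the target was misspelled "MASQUERAD", which iptables rejects, so this
# rule was never installed. -C first so re-runs do not stack duplicate rules.
iptables -t nat -C POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE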


#route add -net  223.104.3.0 netmask 255.255.255.0 dev eth0
#route add 223.104.3.157  gw 172.17.0.1 eth0







###########
2020-04-04在60上连这台的脚本
startv.sh
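#!/bin/sh
# Bring up the 'testvpn' L2TP tunnel from this host and move the default route
# onto it. The service starts and the host routes to the tunnel endpoints are
# kept commented as in the original notes; the commented 'd testvpn' lines at
# the bottom are the matching teardown.
#systemctl start NetworkManager
#systemctl start firewalld
#systemctl start ipsec
#systemctl start xl2tpd

# Host routes to the tunnel endpoints via the physical gateway, so that the
# IPsec/L2TP packets themselves keep leaving via eth0 once the default route
# points at ppp0 (kept commented; presumably configured elsewhere).
#route add 118.25.212.122 gw 172.17.0.1 eth0
#route add 212.129.249.212 gw 172.17.0.1 eth0
#route add 13.114.212.191 gw 172.17.0.1 eth0

CONTROL=/var/run/xl2tpd/l2tp-control
if [ ! -w "$CONTROL" ]; then
	echo "$CONTROL is not writable: start xl2tpd first" >&2
	exit 1
fi
echo 'c testvpn' > "$CONTROL"

# The connect request is asynchronous. Wait for ppp0 to exist before touching
# the routing table: deleting the default route and then failing to add the
# ppp0 one would leave the host with no default route at all.
i=0
while ! ip link show ppp0 >/dev/null 2>&1; do
	i=$((i + 1))
	if [ "$i" -ge 30 ]; then
		echo "ppp0 did not come up; leaving routes unchanged" >&2
		exit 1
	fi
	sleep 1
done

route del default
route add default dev ppp0

#echo 'd testvpn' > /var/run/xl2tpd/l2tp-control
#route del default
#route add default dev eth0

#/etc/resolv.conf
#cp /root/back_config/resolv.conf.8 /etc/resolv.conf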

checkppp0.sh
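#!/bin/sh
# Keep the 'testvpn' tunnel (ppp0) up and make it the default route; intended
# to be run repeatedly (e.g. from cron). Prints the ppp0 state and a status line.
CONTROL=/var/run/xl2tpd/l2tp-control

# 'ip link show ppp0' is an exact interface test; the original
# 'ifconfig | grep ppp0' also matched the string anywhere in the output.
if ip link show ppp0 >/dev/null 2>&1; then
	a="noting to do"
else
	a="will start vpn"
	if [ ! -w "$CONTROL" ]; then
		echo "$CONTROL is not writable: is xl2tpd running?" >&2
		exit 1
	fi
	echo 'c testvpn' > "$CONTROL"
	sleep 5
	# Only continue if the interface actually appeared; the original went on
	# to 'route add default dev ppp0' regardless and reported nothing.
	if ! ip link show ppp0 >/dev/null 2>&1; then
		echo "ppp0 did not come up after the connect request" >&2
		exit 1
	fi
	touch /opt/c
fi

ip link set ppp0 up
# 'replace' is idempotent. 'route add default' fails with "File exists" when a
# default route with the same metric is already present, so the original only
# ever installed the ppp0 route on a fresh routing table.
ip route replace default dev ppp0

ip addr show ppp0
echo "$a"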


2019-12-10 新建aws redhat8

主要内容:
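#!/bin/sh
# Start the L2TP/IPsec server pieces on the AWS RHEL 8 host. The kernel and
# firewall steps are kept commented as in the original notes: forwarding and
# redirects are handled through /etc/sysctl.conf below, the firewalld rules were
# applied once with --permanent.
#cat /proc/sys/net/ipv4/ip_forward
#for each in /proc/sys/net/ipv4/conf/*
#do
#    echo 0 > $each/accept_redirects
#    echo 0 > $each/send_redirects
#done

#firewall-cmd --permanent --add-service=ipsec
#firewall-cmd --permanent --add-port=1701/udp
#firewall-cmd --permanent --add-port=4500/udp
#firewall-cmd --permanent --add-masquerade
#firewall-cmd --reload

#iptables -t nat -A POSTROUTING -s 172.31.37.0/24  -o eth0  -j MASQUERADE

# IPsec must be up before L2TP: xl2tpd on its own also accepts plain L2TP on
# udp/1701, which is opened in the firewall above.
if ! systemctl start ipsec; then
	echo "ipsec failed to start; not starting xl2tpd" >&2
	exit 1
fi

# xl2tpd is started directly because its systemd unit misbehaves on this host
# (see the note below). Do not stack a second daemon when the script is re-run;
# two instances would compete for udp/1701.
if pgrep -x xl2tpd >/dev/null 2>&1; then
	echo "xl2tpd is already running" >&2
else
	# Output is discarded here; run 'xl2tpd -D' in the foreground to see errors.
	xl2tpd -D > /dev/null 2>&1 &
fi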

注意,xl2tpd 用 systemctl 启动有问题,所以这里直接执行 xl2tpd -D 并放到后台。代价是:重启后不会自动拉起、进程崩溃后没人重启、输出也被丢到 /dev/null;排查完问题后最好还是修好 systemd 单元(参见下面的 issue 链接),至少把输出重定向到日志文件而不是 /dev/null。
安装:
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum install firewalld
dnf install screen
dnf install libreswan xl2tpd  NetworkManager-l2tp -y


libreswan 中有ipsec

sysctl -p /etc/sysctl.conf
# Forward IPv4 between interfaces: this host routes VPN client traffic.
net.ipv4.ip_forward = 1
# Neither honour nor emit ICMP redirects; a router that accepts them lets a
# neighbour rewrite its routing table.
net.ipv4.conf.all.accept_redirects = 0
# NOTE(review): rp_filter = 0 switches reverse-path (anti-spoofing) filtering off
# entirely. Presumably needed because client traffic arrives on the pppN
# interfaces from addresses that strict mode (1) would not consider routable
# via that interface; loose mode (2) keeps spoofing protection while
# tolerating that asymmetry — verify with the tunnel up before changing.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
# Same settings applied to the 'default' template (new interfaces such as ppp0).
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
# ...and explicitly to the interfaces that already exist at boot.
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0


systemctl start ipsec

#systemctl start xl2tpd
用 systemctl 启动 xl2tpd 在这个环境下可能有问题,参见:
https://github.com/hwdsl2/setup-ipsec-vpn/issues/506
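# Started directly because the systemd unit is unreliable here (see link above).
# Do not stack a second instance when re-running; two daemons would compete for
# udp/1701. Drop the redirection to see startup errors.
if ! pgrep -x xl2tpd >/dev/null 2>&1; then
	xl2tpd -D > /dev/null 2>&1 &
fi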


要修改的几个配置文件
vim /etc/xl2tpd/xl2tpd.conf 注意global 下面 加了ipsec saref = no 和 force userspace = yes
其他默认

[global]
; The two lines below are the only non-default settings in this section.
; No IPsec SAref tracking for the L2TP sockets.
ipsec saref = no
; Use xl2tpd's userspace L2TP path rather than the kernel l2tp modules.
force userspace = yes

[lns default]
; Address pool handed to clients, and the server end of each PPP link.
; NOTE(review): the MASQUERADE rule further down matches -s 172.31.37.0/24,
; not this pool — check which source range the NAT rule is meant to cover.
ip range = 192.168.1.100-192.168.1.150
local ip = 192.168.1.1
; CHAP only: PAP would carry the chap-secrets password in clear text.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
; pppd options file, listed below.
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

vim  /etc/ppp/options.xl2tpd
# pppd options used by xl2tpd (pppoptfile in xl2tpd.conf).
# Accept the addresses the peer proposes for both ends during IPCP.
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients (public resolver).
ms-dns  8.8.8.8
# Local name used to look up entries in chap-secrets.
name xl2tpd
# Require the peer to authenticate (CHAP only, per xl2tpd.conf).
auth
# Drop the link after 1800 s without traffic.
idle 1800
# Reduced MTU/MRU, presumably to leave room for L2TP + IPsec/UDP overhead.
mtu 1410
mru 1410
# Never let a client's IPCP replace the server's own default route.
nodefaultroute
debug
# NOTE(review): proxyarp answers ARP for client addresses on the local segment;
# only meaningful if the client pool overlaps a local subnet — confirm intended.
proxyarp
# Wait 5000 ms after the tunnel is up before starting PPP negotiation.
connect-delay 5000


vim /etc/ipsec.d/l2tp-ipsec.conf
这个是新加的
# Connection for clients behind NAT: any remote subnet, dead-peer detection on.
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    # 'clear' drops the SA of a dead peer instead of re-initiating; the client
    # is the initiator and reconnects on its own.
    dpdaction=clear
    # NOTE(review): the log excerpt further down shows libreswan reporting
    # "obsolete keyword 'forceencaps' ignored", so this line currently has no
    # effect; check `man ipsec.conf` on the installed version for its successor.
    forceencaps=yes
    also=L2TP-PSK-noNAT
# Settings shared by both connections.
conn L2TP-PSK-noNAT
    # Pre-shared key from /etc/ipsec.d/*.secrets. With right=%any every client
    # uses the same PSK, so it is a group secret rather than a per-user credential.
    authby=secret
    # NOTE(review): pfs=no disables Perfect Forward Secrecy for the child SA;
    # often required for L2TP client compatibility, but if the IKE SA keying
    # material is ever recovered every child SA derived from it can be decrypted.
    pfs=no
    # Load the connection and wait for the client to initiate.
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Transport mode: IPsec protects only the udp/1701 L2TP packets between the
    # two hosts; the tunnel itself is L2TP/PPP.
    type=transport
    # The server's VPC-private eth0 address (see note below); the public IP is
    # mapped to it by AWS.
    left=172.31.37.13
    leftprotoport=17/1701
    # Any client address and any client source port (NAT rewrites ports).
    right=%any
    rightprotoport=17/%any


注意 left 是内网 IP 172.31.37.13(公网 IP 由 AWS 映射到它),还要为 VPN 客户端设置 SNAT。但这里的 -s 172.31.37.0/24 是服务器自己所在的 VPC 网段,而 xl2tpd.conf 里分给客户端的是 192.168.1.100-150,二者不一致:客户端的出站流量不会被这条规则伪装,正常应写成与 ip range 一致的网段(如 -s 192.168.1.0/24)。
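# Source-NAT VPN client traffic out of eth0. The source range must cover the
# addresses the clients actually use: xl2tpd.conf hands out 192.168.1.100-150,
# whereas 172.31.37.0/24 is the server's own VPC subnet — NOTE(review): confirm
# which range is intended; as written the rule does not match the client pool.
# -C first so re-running these notes does not stack duplicate rules.
iptables -t nat -C POSTROUTING -s 172.31.37.0/24 -o eth0 -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -s 172.31.37.0/24 -o eth0 -j MASQUERADE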


vim /etc/ppp/chap-secrets
[root@rbredhat8 ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client	server	secret			IP addresses
# NOTE(review): a single account ('root') with the placeholder secret and '*'
# in the address column, so this user may take any address from the pool.
# The secret is stored in clear text: keep this file root-owned, mode 0600,
# and replace the placeholder before exposing the service.
root	*	密码!	*



vim /etc/ipsec.d/default.secrets
# PSK for every IKE peer (empty selector before ':' = any client). It is shared
# by all clients, so rotate it if any device is lost; keep this file mode 0600
# and replace the placeholder with a long random ASCII string — non-ASCII bytes
# must be entered identically on every client platform to match.
: PSK "密码!"




检查
ipsec verify
看是否ok
tail -f /var/log/messages

Sep 22 09:11:47 awsrb libipsecconf[11344]: Warning: obsolete keyword 'forceencaps' ignored
vim /etc/ipsec.d/l2tp-ipsec.conf

lsof -i:1701


nc -vuz 13.231.219.45  1701

telnet 只能测 TCP,测不了 UDP;上面的 nc -vuz 可以发 UDP 探测,但 UDP 没有握手,"succeeded" 只说明没有收到 ICMP 端口不可达,并不能证明 xl2tpd 真的在监听,还是要结合 lsof -i:1701 看本机的监听情况。

systemctl start ipsec
systemctl start xl2tpd

直接xl2tpd -D 看报错信息,不用 > /dev/null 2>&1


























