xl2tp redhat8
程序员文章站
2022-07-14 15:23:50
Example
#################
SNAT background: https://blog.csdn.net/jk110333/article/details/8229828

Topology (aws host, tx host, phone):
aws: eth0: 172.31.33.238
     ppp0: 192.168.3.99 --------- 172.17.0.13
tx:  eth0: 172.17.0.13
     ppp0: 172.17.0.13 --------- 192.168.3.99
     ppp1: 192.168.2.99 --------- 192.168.2.128 (phone: 192.168.2.128)

tx:
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE
route add default dev ppp0
#iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o ppp0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.2.0/20 -o ppp0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE

aws:
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE
#route add -net 223.104.3.0 netmask 255.255.255.0 dev eth0
#route add 223.104.3.157 gw 172.17.0.1 eth0
###########
2020-04-04: scripts used on host 60 to connect to this machine
startv.sh
#!/bin/sh
# Bring up the L2TP tunnel "testvpn" and send all traffic through it.
#systemctl start NetworkManager
#systemctl start firewalld
#systemctl start ipsec
#systemctl start xl2tpd
# Host routes to the VPN servers via the local gateway, so they stay reachable after the default route moves to ppp0
#route add 118.25.212.122 gw 172.17.0.1 eth0
#route add 212.129.249.212 gw 172.17.0.1 eth0
#route add 13.114.212.191 gw 172.17.0.1 eth0
# 'c <name>' asks the running xl2tpd to connect the lac named testvpn
echo 'c testvpn' > /var/run/xl2tpd/l2tp-control
route del default
route add default dev ppp0
# To tear down: 'd <name>' disconnects, then restore the default route via eth0
#echo 'd testvpn' > /var/run/xl2tpd/l2tp-control
#route del default
#route add default dev eth0
#/etc/resolv.conf
#cp /root/back_config/resolv.conf.8 /etc/resolv.conf
checkppp0.sh
#!/bin/sh
# Re-establish the tunnel if ppp0 has disappeared, otherwise just make sure the default route points at it.
ppp0=`ifconfig | grep ppp0`
if [ -z "$ppp0" ]; then
    a="will start vpn"
    echo 'c testvpn' > /var/run/xl2tpd/l2tp-control
    sleep 5
    #route del default
    ip link set ppp0 up
    /usr/sbin/route add default dev ppp0
    touch /opt/c
else
    ip link set ppp0 up
    /usr/sbin/route add default dev ppp0
    a="nothing to do"
fi
/usr/sbin/ifconfig ppp0
echo "$a"
2019-12-10: new AWS RedHat 8 build
Main steps:
#!/bin/sh
# Server-side start script: bring up IPsec, then run xl2tpd in the foreground mode (-D) in the background.
#cat /proc/sys/net/ipv4/ip_forward
#for each in /proc/sys/net/ipv4/conf/*
#do
#    echo 0 > $each/accept_redirects
#    echo 0 > $each/send_redirects
#done
#firewall-cmd --permanent --add-service=ipsec
#firewall-cmd --permanent --add-port=1701/udp
#firewall-cmd --permanent --add-port=4500/udp
#firewall-cmd --permanent --add-masquerade
#firewall-cmd --reload
#iptables -t nat -A POSTROUTING -s 172.31.37.0/24 -o eth0 -j MASQUERADE
systemctl start ipsec
xl2tpd -D > /dev/null 2>&1 &
Note: starting xl2tpd through systemctl is unreliable here, so run xl2tpd -D directly.
Install:
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum install firewalld
dnf install screen
dnf install libreswan xl2tpd NetworkManager-l2tp -y
The ipsec command comes from the libreswan package.
sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
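sysctl -p reports little when a key is skipped, so it is worth confirming the values are actually live before debugging the tunnel. The following check script is an added example, not part of the original notes: it reads /proc/sys directly and compares against the values from the sysctl.conf fragment above. SYSCTL_ROOT, the function names and the file name check_vpn_sysctl.sh are assumptions of this example; the per-eth0 and per-lo keys are left out of the expected list so it runs on any host.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that the values the
# notes load with "sysctl -p /etc/sysctl.conf" are really in effect.
# Reading /proc/sys directly also catches keys that sysctl -p skipped
# (e.g. a per-interface key for an interface that did not exist yet).
# SYSCTL_ROOT is an assumed override so the check can run against a
# scratch directory; on a real host leave it at /proc/sys.
: "${SYSCTL_ROOT:=/proc/sys}"

# Expected values, taken from the sysctl.conf fragment in the notes
# (per-eth0 and per-lo keys omitted so the check is host-neutral).
EXPECTED='net.ipv4.ip_forward 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.default.send_redirects 0'

# read_sysctl KEY -> prints the live value, or "missing" if the key is absent
read_sysctl() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo missing
    fi
}

# check_sysctls -> one "ok"/"FAIL" line per key; returns 1 if any key differs
check_sysctls() {
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(read_sysctl "$key")
        if [ "$have" = "$want" ]; then
            echo "ok   $key = $have"
        else
            echo "FAIL $key = $have (want $want)"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Run the check when executed as a script (assumed file name check_vpn_sysctl.sh).
if [ "${0##*/}" = "check_vpn_sysctl.sh" ]; then
    check_sysctls || exit 1
fi
```

Run it after sysctl -p and again after a reboot; a FAIL line on ip_forward is the usual reason clients connect but cannot reach anything. Note that rp_filter = 0, as in the notes, switches off reverse-path filtering, so the check only confirms what the notes set, not that it is the strictest setting.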
systemctl start ipsec
#systemctl start xl2tpd
This may fail; see
https://github.com/hwdsl2/setup-ipsec-vpn/issues/506
xl2tpd -D > /dev/null 2>&1 &
Configuration files to modify
vim /etc/xl2tpd/xl2tpd.conf. Note: under [global], ipsec saref = no and force userspace = yes were added;
everything else is left at the default.
[global]
ipsec saref = no
force userspace = yes

[lns default]
ip range = 192.168.1.100-192.168.1.150
local ip = 192.168.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
name xl2tpd
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
connect-delay 5000
vim /etc/ipsec.d/l2tp-ipsec.conf
This file is newly created.
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.31.37.13
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Note: left is the private IP 172.31.37.13 (the AWS elastic IP is NATed to it); forwarding/masquerading also has to be set up:
iptables -t nat -A POSTROUTING -s 172.31.37.0/24 -o eth0 -j MASQUERADE
vim /etc/ppp/chap-secrets
[root@rbredhat8 ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
root    *    密码!    *
vim /etc/ipsec.d/default.secrets
: PSK "密码!"
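Both secrets files above hold a placeholder ("密码!"); the PSK is shared by every client and the CHAP password is stored in clear, so both should be random and readable by root only. The helper below is an added example, not from the original notes: it generates a 256-bit secret from /dev/urandom, writes the two files in the layout the notes use, and checks their mode. SECRETS_DIR, PPP_DIR, the user name and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: generate secrets for
# /etc/ipsec.d/default.secrets and /etc/ppp/chap-secrets and keep both
# files root-only. SECRETS_DIR and PPP_DIR are assumed overrides so the
# functions can be tested in a scratch directory.
: "${SECRETS_DIR:=/etc/ipsec.d}"
: "${PPP_DIR:=/etc/ppp}"

# gen_secret -> 32 random bytes from /dev/urandom as 64 hex characters
gen_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# write_secrets USER PSK PPP_PASSWORD
# Writes both files with umask 077 so they are created mode 600, then
# forces 600 in case the files already existed with a looser mode.
write_secrets() {
    user=$1; psk=$2; ppppass=$3
    (
        umask 077
        printf ': PSK "%s"\n' "$psk" > "$SECRETS_DIR/default.secrets"
        {
            echo '# Secrets for authentication using CHAP'
            echo '# client  server  secret  IP addresses'
            printf '%s  *  "%s"  *\n' "$user" "$ppppass"
        } > "$PPP_DIR/chap-secrets"
    )
    chmod 600 "$SECRETS_DIR/default.secrets" "$PPP_DIR/chap-secrets"
}

# file_mode FILE -> permission bits in octal (GNU stat, BSD stat fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_secret_perms -> 0 if both files are mode 600, 1 otherwise
check_secret_perms() {
    rc=0
    for f in "$SECRETS_DIR/default.secrets" "$PPP_DIR/chap-secrets"; do
        m=$(file_mode "$f")
        if [ "$m" = 600 ]; then
            echo "ok   $f ($m)"
        else
            echo "FAIL $f ($m)"
            rc=1
        fi
    done
    return $rc
}

# Generate and install when executed as a script (assumed file name vpn_secrets.sh).
if [ "${0##*/}" = "vpn_secrets.sh" ]; then
    write_secrets vpnuser "$(gen_secret)" "$(gen_secret)" && check_secret_perms
fi
```

After writing the files, restart ipsec so libreswan rereads default.secrets; pppd reads chap-secrets on each connection, and check_secret_perms is a quick thing to add to the "检查" step below.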
Checks
ipsec verify
and confirm every line reports ok.
tail -f /var/log/messages
Sep 22 09:11:47 awsrb libipsecconf[11344]: Warning: obsolete keyword 'forceencaps' ignored
vim /etc/ipsec.d/l2tp-ipsec.conf (the warning refers to the forceencaps=yes line in the L2TP-PSK-NAT conn above)
lsof -i:1701
nc -vuz 13.231.219.45 1701
telnet cannot test UDP, hence nc.
systemctl start ipsec
systemctl start xl2tpd
Run xl2tpd -D directly to see the error output; do not redirect it with > /dev/null 2>&1.