linux 部署l2tp ipsec×××

linux 部署l2tp ipsec×××

L2TP是一种工业标准的Internet隧道协议，功能大体和PPTP协议相似，好比一样能够对网络数据流进行加密。不过也有不一样之处，好比PPTP要求网络为IP网络，L2TP要求面向数据包的点对点链接；PPTP使用单一隧道，L2TP使用多隧道；L2TP提供包头压缩、隧道验证，而PPTP不支持。

L2TP自身不提供隧道验证，从L2TP的包头能够看出。隧道认证是由PPP（pap或chap）协议提供！而PPTP则支持隧道验证，PPTP自身就是PPP的扩展！可是当L2TP或PPTP与IPsec共同使用时，能够由IPsec提供隧道验证，不须要在第2层协议上验证隧道.

关闭selinux

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

重启生效reboot；

setenforce 0 
临时关闭selinux，这样就不用重启了。

中止NetworkManager

systemctl stop NetworkManager
systemctl disable NetworkManager

查看主机是否支持pptp

[root@localhost ~]# modprobe ppp-compress-18 && echo yes
yes
# 返回yes 表明支持

是否开启了TUN

[root@localhost ~]# cat /dev/net/tun 
cat: /dev/net/tun: File descriptor in bad state

yum安装epel

yum -y install epel-release

安装xl2tpd

yum install -y xl2tpd libreswan

libreswan提供ipsec服务
之前是openswan提供ipsec服务。

编辑xl2tpd配置文件

[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf | grep -v "^;"

[global]

[lns default]
# 设置给***客户端分配的地址段
ip range = 172.16.200.100-172.16.200.200
# 设置***客户端分配的网关
local ip = 172.16.200.1
require chap = yes
refuse pap = yes
require authentication = yes
name = Linux×××server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

编辑pppoptfile options.xl2tpd文件

[root@localhost ~]# cat /etc/ppp/options.xl2tpd 
ipcp-accept-local
ipcp-accept-remote
#设置dns
ms-dns  119.29.29.29
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
#noccp
auth
# crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
# lck
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "××× Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\××× Users"' 
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
# 添加如下内容
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist

编辑ipsec配置文件

[root@localhost ~]# cat /etc/ipsec.conf | grep -v "^#" | grep -v "^[[:space:]]#"

config setup
        virtual_private=%v4:172.16.200.0/24
        # 主要指定拨号分配给客户端的私有地址

include /etc/ipsec.d/*.conf

编辑include的conn文件

[root@localhost ~]# cat /etc/ipsec.d/l2tp-ipsec.conf 
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.16.200.1   # 设置l2tp的内网网关地址
    leftprotoport=17/1701  # 17表明协议号；1701表明udp端口号
    right=%any
    rightprotoport=17/%any

设置用户名密码

[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
***2018 * Centos7 *
用户名 空格 * 空格 密码 空格 *

设置IPSec预共享密钥PSK

[root@localhost ~]# cat /etc/ipsec.d/default.secrets 
: PSK "test***"

firewalld防火墙设置

1701 ：L2TP udp端口 (Virtual Private Networking)
4500 ：IPSec NAT Traversal udp端口 ，是一种解决IP地址转换问题的方法
500   ：isakmp udp端口，密钥交换协议（IKE）用于在两个通讯实体协商和创建安全相关，交换密钥

firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

路由转发设置

[root@localhost ~]# cat /etc/sysctl.d/60-sysctl_ipsec.conf 
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0

重启网卡服务生效

systemctl restart network

配置rsyslog转发xl2tpd日志

echo "xl2tpd;pppd                                             /var/log/xl2tpd.log" >> /etc/rsyslog.conf

systemctl restart rsyslog

ipsec启动

systemctl enable ipsec
systemctl restart ipsec

ipsec检查

[root@localhost ~]# ipsec verify                    
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.23 (netkey) on 3.10.0-862.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/ens192/rp_filter               [ENABLED]
 /proc/sys/net/ipv4/conf/ens224/rp_filter               [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OBSOLETE]
  003 WARNING: using a weak secret (PSK)
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help

启动xl2tpd

systemctl enable xl2tpd
systemctl restart xl2tpd

windows客户端链接

创建的网卡适配器属性修改内容：

安全 → 安全类型→选择ipsec L2tp 第2层隧道协议，勾选容许使用协议 pap、chap、chap version 2

网络→internet协议版本4→属性→高级→ 去掉 在远程网络上使用默认网关的 对勾（若是但愿经过从l2tpd服务器端上网，能够不取消。）

最后点击链接，输入用户名和密码。

客户端验证：

查看xl2tpd日志

[root@localhost ~]# more /var/log/xl2tpd.log 
相似...
Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfAck id=0x1 <addr 172.16.200.1>]
Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.
0> <ms-dns2 0.0.0.0>]
Aug 21 14:37:45 localhost pppd[8038]: sent [IPCP ConfNak id=0x7 <addr 172.16.200.100> <ms-dns1
 119.29.29.29> <ms-dns2 119.29.29.29>]
Aug 21 14:37:45 localhost pppd[8038]: rcvd [IPCP ConfReq id=0x8 <addr 172.16.200.100> <ms-dns1
 119.29.29.29> <ms-dns2 119.29.29.29>]
Aug 21 14:37:45 localhost pppd[8038]: sent [IPCP ConfAck id=0x8 <addr 172.16.200.100> <ms-dns1
 119.29.29.29> <ms-dns2 119.29.29.29>]
Aug 21 14:37:45 localhost pppd[8038]: Cannot determine ethernet address for proxy ARP
Aug 21 14:37:45 localhost pppd[8038]: local  IP address 172.16.200.1
Aug 21 14:37:45 localhost pppd[8038]: remote IP address 172.16.200.100
...