Centos L2tp Vpn 配置实例

有时候我们需要使用vpn,来建立私有专用网络,完成一些外部办公、代理访问等工作,这篇文章介绍如何在Linux(Centos)下配置L2tp Vpn。
1.安装环境包

yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man

2.安装

yum install openswan ppp xl2tpd

3.配置
(1)编辑 /etc/ipsec.conf

vi /etc/ipsec.conf
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=114.114.114.114 (服务器公网IP)
leftprotoport=17/1701
right=%any
rightprotoport=17/%any

(2)编辑/etc/ipsec.secrets

vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
114.114.114.114 %any: PSK "YourPsk"
###YourPsk为预共享密钥。

(3) 修改/添加 /etc/sysctl.conf并生效

vim /etc/sysctl.conf
在/etc/sysctl.conf的末尾加上如下内容。
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

生效上面的修改使用如下命令

sysctl -p

(4)验证ipsec运行状态

ipsec restart
ipsec verify
[root@server17 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.23.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

(5) 编辑 /etc/xl2tpd/xl2tpd.conf 这一步可以跳过
ip range 客户端获取的IP范围,local ip VPN服务器端的IP

vim /etc/xl2tpd/xl2tpd.conf
[lns default]
ip range = 192.168.100.10-192.168.100.200
local ip = 192.168.100.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

(6)配置用户名,密码:编辑 /etc/ppp/chap-secrets

vim /etc/ppp/chap-secrets

username 写登录vpn的用户名,userpass 写登录vpn的密码
# Secrets for authentication using CHAP
# client server secret IP addresses
username * "userpass" *

(7)重启xl2tp

service xl2tpd restart

(8)添加自启动

chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on

设置完成。

Windows下设置VPN连接客户端

拨入后,服务器可以看到ppp0接口


额外需求:
1、配置单独的l2tp日志记录
这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-xl2tpd.conf文件,内容如下:

[root@server17 rsyslog.d]# cat 20-xl2tpd.conf
if $programname == 'xl2tpd' then /var/log/xl2tpd.log
&~

这里可以利用syslog来配置,在/etc/rsyslog.d/ 下新建20-pptpd.conf文件,内容如下:

[root@server17 rsyslog.d]# cat 20-pptpd.conf
if $programname == 'pppd' then /var/log/xl2tpd.log
&~

但是这样只能在日志中看到客户端的公网IP地址、私网IP等信息,却无法看到是哪个用户登录的,这不利于做审计工作,所以需要能将连接用户的信息也写入到日志中,解决方法如下:

在/etc/ppp/ip-up 脚本中加入

echo "Start_Time: `date -d today +%F_%T`" >> /var/log/xl2tpd.log  ##登录时间戳
echo "username: $PEERNAME" >> /var/log/xl2tpd.log  ##用户名

在/etc/ppp/ip-down 脚本中加入

echo "Stop_Time: `date -d today +%F_%T`" >> /var/log/xl2tpd.log  ##断开时间戳
echo "username: $PEERNAME" >> /var/log/xl2tpd.log  ##用户名

重启rsyslog服务

service rsyslog restart

最终的日志信息如下,客户端的公网IP、获取的内网IP、用户名、时间等重要信息都被记录下来了。

cat /var/log/xl2tpd.log

Nov  5 13:47:57 server17 xl2tpd[24509]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
Nov  5 13:47:58 server17 xl2tpd[24509]: Connection established to 202.202.202.202, 1701.  Local: 36071, Remote: 29 (ref=0/0).  LNS session is 'default'
Nov  5 13:47:58 server17 xl2tpd[24509]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.
Nov  5 13:47:58 server17 xl2tpd[24509]: Call established with 202.202.202.202, Local: 3764, Remote: 1, Serial: 0
Nov  5 13:47:58 server17 pppd[16218]: pppd 2.4.5 started by root, uid 0
Nov  5 13:47:58 server17 pppd[16218]: using channel 28
Nov  5 13:47:58 server17 pppd[16218]: Using interface ppp0
Nov  5 13:47:58 server17 pppd[16218]: Connect: ppp0  /dev/pts/0
Nov  5 13:47:58 server17 pppd[16218]: sent [LCP ConfReq id=0x1      ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfReq id=0x0     ]
Nov  5 13:47:58 server17 pppd[16218]: sent [LCP ConfRej id=0x0 ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfAck id=0x1      ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP ConfReq id=0x1    ]
Nov  5 13:47:58 server17 pppd[16218]: sent [LCP ConfAck id=0x1    ]
Nov  5 13:47:58 server17 pppd[16218]: sent [CHAP Challenge id=0xfd , name = "LinuxVPNserver"]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x2 magic=0x5597000a "MSRASV5.20"]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x3 magic=0x5597000a "MSRAS-0-WWW-PC"]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [LCP Ident id=0x4 magic=0x5597000a "\3777777774012@?\37777777642\37777777705A\37777777642\37777777623\021\37777777764\37777777656;t$"]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [CHAP Response id=0xfd , name = "wujr"]
Nov  5 13:47:58 server17 pppd[16218]: sent [CHAP Success id=0xfd "Access granted"]
Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfReq id=0x1  ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPV6CP ConfReq id=0x5 ]
Nov  5 13:47:58 server17 pppd[16218]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Nov  5 13:47:58 server17 pppd[16218]: sent [LCP ProtRej id=0x2 80 57 01 05 00 0e 01 0a b8 71 8f aa 3d c3 d8 78]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x6     ]
Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfRej id=0x6  ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfRej id=0x1 ]
Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfReq id=0x2 ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x7   ]
Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfNak id=0x7   ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfAck id=0x2 ]
Nov  5 13:47:58 server17 pppd[16218]: rcvd [IPCP ConfReq id=0x8   ]
Nov  5 13:47:58 server17 pppd[16218]: sent [IPCP ConfAck id=0x8   ]
Nov  5 13:47:58 server17 pppd[16218]: Cannot determine ethernet address for proxy ARP
Nov  5 13:47:58 server17 pppd[16218]: local  IP address 192.168.100.1
Nov  5 13:47:58 server17 pppd[16218]: remote IP address 192.168.100.10
Nov  5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up started (pid 16225)
Start_Time: 2015-11-05_13:47:58
username: test
Nov  5 13:47:58 server17 pppd[16218]: Script /etc/ppp/ip-up finished (pid 16225), status = 0x0

2、使用VPN服务器公网做为客户端互联网出口(跳板机、代理)
使用iptables实现,增加规则

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE (eth1为公网网卡)

3、访问VPN服务器所在的内网其它服务器
使用iptables实现,增加规则

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE (eth0为私网网卡)

参考文献:
Linux自带ipsec手册
man ipsec.conf
Iptables详解
http://www.360doc.com/content/11/0506/09/706976_114731108.shtml

发表评论