Configuring PPTP, L2TP and IPsec services on CentOS 7

Anonymous (unverified), submitted 2019-12-02 23:55:01

First, it is recommended to run the following script:

https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7

This script installs and configures pptp, l2tp and ipsec, although many of the settings it writes are not accurate.

When you run the script, set the IP plan, the PSK (pre-shared key; clients need it later to connect), and the username and password (both needed for every connection).

The PSK can be found and changed in /etc/ipsec.secrets.

Usernames and passwords can be found and changed in /etc/ppp/chap-secrets.
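Both files hold cleartext credentials, so they are worth checking before the services go live. The shell helpers below are an added example, not part of the post or of the installer script: they verify that each file is readable only by its owner, that no chap-secrets user has an empty or short password, that the PSK in ipsec.secrets is reasonably long, and they generate a fresh random PSK. The thresholds MIN_PASS_LEN and MIN_PSK_LEN are assumptions chosen here, and the helpers assume a Linux/GNU userland (ls, awk, base64, /dev/urandom).

```shell
#!/bin/sh
# Audit helpers for /etc/ppp/chap-secrets and /etc/ipsec.secrets.
# Added example; the length thresholds are local assumptions, not values from the post.
MIN_PASS_LEN=12
MIN_PSK_LEN=20

# owner_only FILE: 0 if no group/other permission bits are set, else 1.
owner_only() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# audit_chap_secrets FILE
# Entries look like:   client  server  secret  IP-addresses
# Flags loose file permissions, malformed lines, empty and short secrets.
audit_chap_secrets() {
    f=$1
    rc=0
    owner_only "$f" || { echo "$f: must be mode 600 (holds cleartext passwords)"; rc=1; }
    findings=$(awk -v min="$MIN_PASS_LEN" '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        NF < 3 { printf "line %d: malformed entry\n", NR; next }
        {
            s = $3
            gsub(/^"|"$/, "", s)                  # drop surrounding quotes
            if (length(s) == 0)
                printf "line %d: user %s has an empty password\n", NR, $1
            else if (length(s) < min)
                printf "line %d: user %s password shorter than %d chars\n", NR, $1, min
        }' "$f")
    [ -n "$findings" ] && { echo "$findings"; rc=1; }
    return $rc
}

# audit_psk FILE
# Entries look like:   47.52.219.118 %any : PSK "shared-secret"
# Flags loose file permissions and PSKs shorter than MIN_PSK_LEN.
audit_psk() {
    f=$1
    rc=0
    owner_only "$f" || { echo "$f: must be mode 600 (holds the PSK)"; rc=1; }
    findings=$(awk -v min="$MIN_PSK_LEN" '
        /^[ \t]*#/ || NF == 0 { next }
        /:[ \t]*PSK[ \t]+"/ {
            s = $0
            sub(/^.*PSK[ \t]+"/, "", s)           # keep text after the opening quote
            sub(/".*$/, "", s)                    # drop the closing quote and anything after it
            if (length(s) < min)
                printf "line %d: PSK is only %d chars (want >= %d)\n", NR, length(s), min
        }' "$f")
    [ -n "$findings" ] && { echo "$findings"; rc=1; }
    return $rc
}

# new_psk: print a random 32-byte PSK, base64-encoded (44 characters, no newline).
new_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Usage on a live host:
#   audit_chap_secrets /etc/ppp/chap-secrets && audit_psk /etc/ipsec.secrets
#   new_psk   # paste the result into the PSK "..." entry of /etc/ipsec.secrets
```

Each function prints one line per finding and returns 1 when anything is wrong, so the pair can be chained in a post-install check.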

The simple modification procedure is as follows:

vim /etc/ipsec.conf

config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    #nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    #oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    #force_keepalive=yes
    keep_alive=1800

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # the server's public IP goes here
    left=47.52.219.118
    # the id can be anything
    leftid=47.52.219.118
    # port
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    sha2-truncbug=yes

vim /etc/xl2tpd/xl2tpd.conf

[global]
; ipsec saref = yes
listen-addr = <public IP>
; username/password file
auth file = /etc/ppp/chap-secrets
port = 1701

[lns default]
; adjust to your own internal subnet and the number of addresses you need
ip range = 10.81.24.100-10.81.24.199
; address assigned to the server itself
local ip = 10.81.24.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
; some of xl2tpd's ppp settings live in this file
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

vim /etc/ppp/options.xl2tpd

#require-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
# the commented-out options below are absent from the new configuration but were present in the old one; commenting them out made things work
#crtscts
#lock
hide-password
#modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000

vim /etc/pptpd.conf

#ppp /usr/sbin/pppd
# pptpd's ppp settings live in this file
option /etc/ppp/options.pptpd
#debug
# stimeout 10
#noipparam
logwtmp
#vrf test
#bcrelay eth1
#delegate
#connections 100
localip 10.81.24.2
remoteip 10.81.24.200-254

System settings in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
# set this for the interface that is allowed to forward
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
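A wrong interface name in the rp_filter line (eth1 above) is easy to miss and leaves reverse-path filtering on for the VPN traffic. The shell check below is an added example, not part of the post: it parses a sysctl.conf-style file, compares every key the post requires against the expected value, and can also read the live values from /proc/sys. It assumes the file uses the "key = value" form shown above and that the forwarding interface name is passed as the second argument.

```shell
#!/bin/sh
# Added example: verify that a sysctl file (or the running kernel) carries the
# forwarding/rp_filter/redirect settings required for the VPN server.

# required_sysctls IFACE: print "key=value" pairs, one per line.
required_sysctls() {
    printf '%s\n' \
        net.ipv4.ip_forward=1 \
        net.ipv4.conf.all.rp_filter=0 \
        net.ipv4.conf.default.rp_filter=0 \
        "net.ipv4.conf.$1.rp_filter=0" \
        net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.default.send_redirects=0 \
        net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.default.accept_redirects=0
}

# sysctl_file_get FILE KEY: print KEY's value from FILE (last occurrence wins,
# as sysctl itself does), or nothing if the key is absent.
sysctl_file_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || NF == 0 { next }        # skip comments and blank lines
        {
            k = $0
            sub(/[ \t]*=.*$/, "", k)             # left side: key
            gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)      # right side: value
                gsub(/[ \t]*$/, "", v)
                val = v
            }
        }
        END { if (val != "") print val }' "$1"
}

# check_sysctl_file FILE IFACE: 0 if every required key has the expected value,
# otherwise print one line per problem and return 1.
check_sysctl_file() {
    f=$1
    rc=0
    for spec in $(required_sysctls "$2"); do
        key=${spec%%=*}
        want=${spec#*=}
        have=$(sysctl_file_get "$f" "$key")
        if [ -z "$have" ]; then
            echo "$key: missing (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "$key: is $have, want $want"; rc=1
        fi
    done
    return $rc
}

# check_sysctl_live IFACE: same keys, read from /proc/sys (what the kernel uses now).
check_sysctl_live() {
    rc=0
    for spec in $(required_sysctls "$1"); do
        key=${spec%%=*}
        want=${spec#*=}
        path=/proc/sys/$(printf '%s' "$key" | tr . /)
        have=$(cat "$path" 2>/dev/null)
        if [ "$have" != "$want" ]; then
            echo "$key: is ${have:-unset}, want $want"; rc=1
        fi
    done
    return $rc
}

# Usage on a live host after editing the file and running "sysctl -p":
#   check_sysctl_file /etc/sysctl.conf eth1 && check_sysctl_live eth1
```

The file check catches a typo before it is applied; the live check confirms that sysctl -p actually took effect and that no other file under /etc/sysctl.d overrode the values.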

Firewall configuration

Create the file /usr/lib/firewalld/services/pptpd.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>pptpd</short>
  <description>PPTP</description>
  <port protocol="tcp" port="1723"/>
</service>

Create the file /usr/lib/firewalld/services/l2tpd.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>l2tpd</short>
  <description>L2TP IPSec</description>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <port protocol="udp" port="1701"/>
</service>
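Two points a practitioner will want beside these files. PPTP's data channel runs over GRE (IP protocol 47), so a service that opens only tcp/1723 lets the control connection through but not the tunnel traffic; firewalld expresses that with a <protocol value="gre"/> element. And local service definitions belong under /etc/firewalld/services, which firewalld reads alongside the packaged ones in /usr/lib/firewalld/services and which package updates do not overwrite. The generator below is an added example, not from the post: it emits a firewalld service file from a name, a description and a list of proto/port or bare IP-protocol entries, rejecting anything it cannot express.

```shell
#!/bin/sh
# Added example: build a firewalld service definition from the command line.
# fw_service_xml NAME DESCRIPTION ENTRY...   where ENTRY is tcp/PORT, udp/PORT,
# tcp/LOW-HIGH, or one of the bare IP protocols gre, esp, ah.
fw_service_xml() {
    name=$1
    desc=$2
    shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for e in "$@"; do
        case $e in
            tcp/*|udp/*)
                proto=${e%%/*}
                port=${e#*/}
                # a port must be digits, optionally a digit range like 10000-10010
                case $port in
                    ''|*[!0-9-]*) echo "fw_service_xml: bad port in '$e'" >&2; return 1 ;;
                esac
                printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port" ;;
            gre|esp|ah)
                printf '  <protocol value="%s"/>\n' "$e" ;;
            *)
                echo "fw_service_xml: unsupported entry '$e'" >&2; return 1 ;;
        esac
    done
    printf '</service>\n'
}

# Usage on the server (then: firewall-cmd --reload; firewall-cmd --permanent --add-service=pptpd):
#   fw_service_xml pptpd "PPTP" tcp/1723 gre > /etc/firewalld/services/pptpd.xml
#   fw_service_xml l2tpd "L2TP IPSec" udp/500 udp/4500 udp/1701 > /etc/firewalld/services/l2tpd.xml
```

The l2tpd service is unchanged from the post's file; the pptpd one gains the GRE line that the hand-written version lacks.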

Run the following commands:

firewall-cmd --reload
firewall-cmd --permanent --add-service=pptpd
firewall-cmd --permanent --add-service=l2tpd
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
firewall-cmd --reload

Enable the services at boot:

systemctl enable pptpd ipsec xl2tpd
systemctl restart pptpd ipsec xl2tpd

Check with ipsec verify: every line should be [OK]. If a line is not OK, fix it from the error it reports; many old options have since been removed from ipsec.conf and will raise errors.

Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.25 (netkey) on 3.10.0-514.26.2.el7.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Two or more interfaces found, checking IP forwarding  [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS    [OK]
Checking for obsolete ipsec.conf options              [OK]
