首先,推荐跑下面的脚本:
https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7
这个脚本将pptp l2tp ipsec都按照,并且配置好,当然很多配置不准确
跑脚本的时候配置好ip规划,PPsk共享秘钥(这个后面客户端连接需要用到) 用户名 ,密码 (后面连接都需要用到)
PSK共享秘钥在/etc/ipsec.secrets可以找到和配置
用户名密码在/etc/ppp/chap-secrets 可以找到配置
下面的简单修改流程:
vim /etc/ipsec.conf
config setup # NAT-TRAVERSAL support, see README.NAT-Traversal #nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 # OE is now off by default. Uncomment and change to on, to enable. #oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=netkey #force_keepalive=yes keep_alive=1800 conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=47.52.219.118 #这里要写外网ip leftid=47.52.219.118 #id随便填 leftprotoport=17/1701 #端口 right=%any rightprotoport=17/%any dpddelay=40 dpdtimeout=130 dpdaction=clear leftnexthop=%defaultroute rightnexthop=%defaultroute ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256 phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256 sha2-truncbug=yes
vim /etc/xl2tpd/xl2tpd.conf
[global] ; ipsec saref = yes listen-addr = 外网ip auth file = /etc/ppp/chap-secrets (用户名密码文件) port = 1701 [lns default] ip range = 10.81.24.100-10.81.24.199 (这个根据自己的内网网段和需要的ip数配置) local ip = 10.81.24.1 (分配给自己的ip) refuse chap = yes refuse pap = yes require authentication = yes name = L2TPVPN ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd 这里有xl2tpd的一些配置 length bit = yes
vim /etc/ppp/options.xl2tpd
#require-pap #require-chap #require-mschap ipcp-accept-local ipcp-accept-remote require-mschap-v2 ms-dns 8.8.8.8 ms-dns 8.8.4.4 asyncmap 0 auth #crtscts #这几个注释的是新的配置里面没有,原来有的,注释掉就正常了 #lock hide-password #modem debug name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4 mtu 1400 noccp connect-delay 5000
vim /etc/pptpd.conf
#ppp /usr/sbin/pppd option /etc/ppp/options.pptpd pptpd的一些配置 #debug # stimeout 10 #noipparam logwtmp #vrf test #bcrelay eth1 #delegate #connections 100 localip 10.81.24.2 remoteip 10.81.24.200-254
系统配置/etc/sysctl.conf文件:
net.ipv4.ip_forward = 1 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.eth1.rp_filter = 0 这个允许转发的接口要配置好 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0
防火墙配置
创建文件/usr/lib/firewalld/services/pptpd.xml
并修改:
<?xml version="1.0" encoding="utf-8"?> <service> <short>pptpd</short> <description>PPTP</description> <port protocol="tcp" port="1723"/> </service>
创建文件/usr/lib/firewalld/services/l2tpd.xml
并修改:
<?xml version="1.0" encoding="utf-8"?> <service> <short>l2tpd</short> <description>L2TP IPSec</description> <port protocol="udp" port="500"/> <port protocol="udp" port="4500"/> <port protocol="udp" port="1701"/> </service>
执行命令:
firewall-cmd --reload firewall-cmd --permanent --add-service=pptpd firewall-cmd --permanent --add-service=l2tpd firewall-cmd --permanent --add-service=ipsec firewall-cmd --permanent --add-masquerade firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356 firewall-cmd --reload
开机启动设置:
systemctl enable pptpd ipsec xl2tpd systemctl restart pptpd ipsec xl2tpd
ipsec检查:全部ok ,碰到不是ok的,就看报错来解决,很多配置以及去掉了 会报错
Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.25 (netkey) on 3.10.0-514.26.2.el7.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPS [OK] Checking for obsolete ipsec.conf options [OK]