
生產環境l2tp/ipsec配置

  1. 安裝軟體
    # NOTE(review): the rest of this page configures /etc/xl2tpd/xl2tpd.conf and
    # starts a unit named xl2tpd, so the package is presumably called xl2tpd — verify.
    yum install ppp xl2tp libreswan

  2. /etc/ipsec.conf
    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey
        logfile=/var/log/pluto/pluto.log
        #dumpdir=/var/run/pluto
    
    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        #sha2-truncbug=yes
        pfs=no
        auto=add
        keyingtries=3
        #keyingtries=%forever
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=139.196.190.88 # 自己的公網IP
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        #dpddelay=15
        #dpdtimeout30
        #dpdaction=clear

  3. /etc/ipsec.secrets
    include /etc/ipsec.d/*.secrets
    139.196.190.88 %any: PSK "cjml"

  4. ipsec
    # Start the IKE daemon, then have libreswan check the host's prerequisites;
    # read the output of `ipsec verify` before going on to the xl2tpd steps.
    ipsec start
    ipsec verify

  5. /etc/xl2tpd/xl2tpd.conf
    [global]
    ipsec saref = yes
    listen-addr = 139.196.190.8
    [lns default]
    ip range = 192.168.1.2-192.168.1.100
    local ip = 192.168.1.1
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    #name = l2tp/ipsec VPN
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

  6. /etc/ppp/options.xl2tpd
    require-mschap-v2
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
    
    #ipcp-accept-local
    #ipcp-accept-remote
    #noauth
    #nocpp
    #crtscts
    #idle 1800
    #mtu 1410
    #mru 1410
    #nodefaultroute
    #debug
    #lock
    #proxyarp
    #connect-delay 5000

  7. /etc/ppp/chap-secrets
    chenwk * SUt5MeOF *
    chenw * YAGKcmVS *
    sales * vq6RP0um *
    data * rD4217lb *
    personnel * AzTxPBzz *
    operation * PZbzIFx6 *
    tech * Rdev67K4 *
    dinghh * uC9oIMij *
    
    unary * unary *

  8. configuration iptables
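    #filter
    # -A appends, so every ACCEPT must come before the final REJECT of its chain.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # IKE (udp/500) and NAT-T (udp/4500): IPsec negotiation, and ESP-in-UDP for
    # clients behind NAT.
    iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    # ESP (IP protocol 50) carries the tunnel for clients that are NOT behind NAT;
    # the original rules accepted AH only, so those clients hit the final REJECT.
    iptables -A INPUT -p esp -j ACCEPT
    iptables -A INPUT -p ah -j ACCEPT
    # L2TP (udp/1701) is only accepted when the packet arrived through an IPsec
    # policy; a bare, unencrypted L2TP connection to xl2tpd is rejected below.
    iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
    # GRE is not used by L2TP/IPsec; presumably kept from a PPTP setup.
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # NOTE(review): xl2tpd.conf hands out 192.168.1.2-192.168.1.100, but the FORWARD
    # and NAT rules cover 172.16.0.0/24 — confirm which range the ppp interfaces
    # really use, otherwise client traffic is never forwarded or masqueraded.
    iptables -A FORWARD -d 172.16.0.0/24 -j ACCEPT
    iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    #nat
    # eth0 is assumed to be the public interface — confirm with `ip route`.
    iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE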

  9. 啟動服務
    # `start` only runs the units now; it does not enable them, so a separate
    # `systemctl enable` is needed for them to come up after a reboot.
    systemctl start ipsec
    systemctl start xl2tpd

  10. 定期更改密碼指令碼
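    #!/usr/bin/env bash
    # Rotate the VPN password of every account in /root/chap-secrets and mail the
    # new password to the account's owner.
    # The original shebang was `sh`: the indexed and associative arrays used below
    # are bash features and fail under a POSIX sh, so the script must run in bash.

    # Accounts whose password is rotated, and the owner address of each one; the
    # two arrays are matched by index (see make_dict), so keep them the same length.
    account_list=('chenwk' 'chenw' 'sales' 'data' 'personnel' 'operation' 'tech' 'dinghh')
    mail_list=(
            '[email protected]' '[email protected]' '[email protected]' '[email protected]' '[email protected]'
            '[email protected]' '[email protected]' '[email protected]'
    )

    # account name -> owner address, filled in by make_dict.
    declare -A dict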
    
    # Fill dict so that dict[account] is the address at the same index of
    # mail_list. Reads account_list and mail_list, writes dict.
    make_dict(){
            local idx
            for idx in "${!account_list[@]}"; do
                    dict["${account_list[$idx]}"]="${mail_list[$idx]}"
            done
    }
    
    # Build the account -> address lookup before any password is changed.
    make_dict
    
    #for b in ${!dict[*]};do
    #       echo $b = ${dict[$b]}
    #done
    
    
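    # Print a random password made of lowercase letters and digits only, so it
    # never contains a character that is special to the sed replacement in
    # changepass. 36^8 is about 2^41 possible values at the default length.
    # Arguments: $1 - password length (optional, default 8)
    # Outputs:   the password on stdout
    # Returns:   1 if fewer than $1 characters could be read from /dev/urandom
    genpass(){
            local len=${1:-8}
            local pass
            # LC_ALL=C: tr must see bytes, not characters, or a UTF-8 locale may
            # reject the random input. `head -c` is the portable form of --bytes.
            pass=$(LC_ALL=C tr -dc '[:digit:][:lower:]' < /dev/urandom | head -c "$len")
            [ "${#pass}" -eq "$len" ] || return 1
            printf '%s\n' "$pass"
    }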
    
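    # Replace the 8-character password of an account in the chap-secrets file
    # with a freshly generated one.
    # Arguments: $1 - account name (first field of the chap-secrets line)
    #            $2 - secrets file (optional, default /root/chap-secrets)
    # Outputs:   the new password on stdout, only when the file was updated
    # Returns:   1 if no password was generated or no line was rewritten
    # NOTE(review): the default path is /root/chap-secrets, not the
    # /etc/ppp/chap-secrets shown earlier on this page — confirm how the two
    # files are kept in sync.
    changepass(){
            local account=$1
            local secrets=${2:-/root/chap-secrets}
            local pass
            pass=$(genpass) || return 1
            # The line is "<account> * <8 alnum chars> *": swap the middle field.
            # $pass is alnum only (genpass), so it is safe inside the replacement.
            sed -i "/^$account / s#[ ][[:alnum:]]\{8\}[ ]# $pass #" "$secrets" || return 1
            # sed exits 0 even when nothing matched (e.g. a password that is not
            # exactly 8 characters); only report success when the new password is
            # really in the file, so the caller never mails a password that is not active.
            grep -q -- "^$account .* $pass " "$secrets" || return 1
            printf '%s\n' "$pass"
    }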
    
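    # Mail the new password to the account owner.
    # Arguments: $1 - recipient address; its local part (before the @) is used
    #                 as the account name in the message body
    #            $2 - the new password
    # Returns:   mailx's exit status, so the caller can tell a failed delivery
    send_mail(){
            local mail=$1
            local pass=$2
            local account=${mail%%@*}
            # printf instead of a here-document: the body no longer depends on the
            # indentation of this file, and every expansion is quoted.
            printf '%s\n' \
                    '################測試郵件,請勿理會####################' \
                    "您好,賬號${account}的VPN密碼已變更為${pass}" \
                    '密碼的格式為小寫字母和數字的組合,一共8位' \
                    '請及時通知部門內相關人員,如有問題請及時聯絡管理員' \
                    | mailx -s '認證中心VPN密碼變更郵件通知' "$mail"
    }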
    
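    # Rotate every account's password and mail it to the owner, one account at a
    # time. Reads account_list and dict; calls changepass and send_mail.
    # Returns: non-zero if any account could not be updated or notified
    main(){
            local account pass mail rc=0
            for account in "${account_list[@]}"; do
                    mail=${dict[$account]}
                    # No address means nobody would learn the new password, so do
                    # not change it at all.
                    if [ -z "$mail" ]; then
                            printf 'main: no address for %s, skipped\n' "$account" >&2
                            rc=1
                            continue
                    fi
                    # changepass prints the password only when the file was really
                    # updated; its failure used to be ignored and an empty password mailed.
                    if ! pass=$(changepass "$account"); then
                            printf 'main: password of %s not changed\n' "$account" >&2
                            rc=1
                            continue
                    fi
                    # The password is deliberately not echoed any more: stdout of a
                    # cron job ends up in log or mail files.
                    printf 'main: %s -> %s\n' "$account" "$mail" >&2
                    if ! send_mail "$mail" "$pass"; then
                            printf 'main: mail to %s failed\n' "$mail" >&2
                            rc=1
                    fi
                    # presumably a pause between messages for the SMTP relay; kept as in the original
                    sleep 30
            done
            return "$rc"
    }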
    
    # Entry point: rotate all passwords and notify the owners.
    main

  11. /etc/mail.rc
    set from=[email protected]
    set smtp=smtps://smtp.qiye.163.com:465
    set smtp-auth-user=[email protected]
    set smtp-auth-password=edification0!
    set smtp-auth=login
    set smtp-verify=ignore
    set nss-config-dir=/root/.certs