Using IPsec/L2TP as a proxy to get online
阿新 • Published: 2019-01-31
Edit the ipsec configuration file:
———————————————————————————————————————————————————————
Run the command:
vim /etc/ipsec.conf
The contents are as follows:
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    #       an unusual location.
    #logfile=/var/log/pluto.log
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combation from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    #  private".
    # Note: "crypt" is not included with "all", as it can show confidential
    #       information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    #       unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least upto 2015)
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24

# For example connections, see your distribution's documentation directory,
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
#include /etc/ipsec.d/*.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
    left=%eth2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # This option must be enabled, otherwise devices behind NAT cannot get online
    forceencaps=yes
Set the PSK (pre-shared key):
———————————————————————————————————————————————————————
Run the command:
vim /etc/ipsec.secrets
The contents are as follows:
#include /etc/ipsec.d/*.secrets
<public IP goes here> %any : PSK "<key goes here>"
For example:
#include /etc/ipsec.d/*.secrets
192.168.1.2 %any : PSK "123456"
Enable routing (IP forwarding):
———————————————————————————————————————————————————————
Run the command:
vim /etc/sysctl.conf
Change the following two entries:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Run the command:
sysctl -p
Start and test IPsec:
———————————————————————————————————————————————————————
Run the commands:
service ipsec start
ipsec verify
Running ipsec verify returns the output below. If nothing reports an error, the setup is fine; if something does, search Baidu for the error yourself.
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.23.1.el6.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Hardware random device                                [N/A]
Two or more interfaces found, checking IP forwarding  [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options              [OK]
Opportunistic Encryption                              [DISABLED]
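The routing step and the ipsec verify step above are the two places where a misconfiguration usually shows up, and in practice one wants to check them in a script rather than by eye. The following is an added example, not code from the original post: it parses the bracketed [OK]/[FAILED]/[N/A] lines that ipsec verify prints, lists the failed checks, and compares a sysctl.conf against the two values the post requires. The sample verify output is constructed from the post's output with two lines deliberately changed to FAILED; the FIX_HINTS table mapping check names to sysctl keys is this example's own assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the `ipsec verify` output shown above,
# with two lines changed to FAILED so the parser has something to report.
VERIFY_OUTPUT = """\
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.23.1.el6.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [FAILED]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Hardware random device                                [N/A]
Two or more interfaces found, checking IP forwarding  [FAILED]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking for obsolete ipsec.conf options              [OK]
Opportunistic Encryption                              [DISABLED]
"""

# Constructed /etc/sysctl.conf fragments: before and after the edit the post describes.
SYSCTL_BEFORE = "net.ipv4.ip_forward = 0\nnet.ipv4.conf.default.rp_filter = 0\n"
SYSCTL_AFTER = "# enabled for L2TP/IPsec\nnet.ipv4.ip_forward = 1\nnet.ipv4.conf.default.rp_filter = 0\n"

# The two values the post sets; ipsec verify checks both of them.
REQUIRED_SYSCTL = {"net.ipv4.ip_forward": "1", "net.ipv4.conf.default.rp_filter": "0"}

# Assumed mapping from verify check names to the sysctl each one reads.
FIX_HINTS = {
    "ICMP default/send_redirects": "net.ipv4.conf.default.send_redirects = 0",
    "ICMP default/accept_redirects": "net.ipv4.conf.default.accept_redirects = 0",
    "Two or more interfaces found, checking IP forwarding": "net.ipv4.ip_forward = 1",
    "Checking rp_filter": "net.ipv4.conf.default.rp_filter = 0",
}

STATUS_RE = re.compile(r"^(?P<check>.*?)\s*\[(?P<status>[A-Z/ ]+)\]\s*$")


def parse_verify(text: str) -> Dict[str, str]:
    """Map each check name to its bracketed status; lines without one (banner, version) are skipped."""
    results = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            results[m.group("check").strip()] = m.group("status")
    return results


def failed_checks(text: str) -> List[str]:
    """Names of all checks that ipsec verify reported as FAILED, sorted for stable output."""
    return sorted(name for name, status in parse_verify(text).items() if status == "FAILED")


def suggested_fixes(text: str) -> List[str]:
    """One sysctl line per failed check, or a marker when the table has no hint."""
    return [FIX_HINTS.get(name, f"no hint for: {name}") for name in failed_checks(text)]


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Read 'key = value' lines from a sysctl.conf, ignoring comments and blanks."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def sysctl_mismatches(text: str) -> Dict[str, str]:
    """Required keys whose value is missing or differs, mapped to the value actually found (None if absent)."""
    values = parse_sysctl_conf(text)
    return {k: values.get(k) for k, want in REQUIRED_SYSCTL.items() if values.get(k) != want}


if __name__ == "__main__":
    for name in failed_checks(VERIFY_OUTPUT):
        print("FAILED:", name)
    print("suggested:", suggested_fixes(VERIFY_OUTPUT))
    print("sysctl mismatches before edit:", sysctl_mismatches(SYSCTL_BEFORE))
    print("sysctl mismatches after edit:", sysctl_mismatches(SYSCTL_AFTER))
```

On a real host the same functions can be fed `subprocess.check_output(["ipsec", "verify"], text=True)` and the contents of /etc/sysctl.conf; the N/A and DISABLED statuses are deliberately not treated as failures, because they are informational on this kind of setup.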
Configure /etc/xl2tpd/xl2tpd.conf:
———————————————————————————————————————————————————————
Run the command: vim /etc/xl2tpd/xl2tpd.conf
Modify the contents as follows:
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
ipsec saref = yes
; this is the public IP
listen-addr = 192.168.1.2
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
; internal IP range handed out to clients
ip range = 100.64.0.100-100.64.0.200
; the IP assigned to the server itself
local ip = 100.64.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configure /etc/ppp/options.xl2tpd:
———————————————————————————————————————————————————————
Run the command: vim /etc/ppp/options.xl2tpd
Modify the following contents:
ipcp-accept-local
ipcp-accept-remote
# DNS server address goes here
ms-dns 114.114.114.114
require-mschap-v2
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noauth
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
Add L2TP users:
———————————————————————————————————————————————————————
Run the command: vim /etc/ppp/chap-secrets
Modify the contents:
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
admin       *         admin     *
# Format: user name <space> server <space> password <space> IP addresses (one entry per line, matching the header above)
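The PSK section earlier and the chap-secrets section here are the two credential files on this server, and both examples on the page use values that would never survive a review ("123456" as the PSK, a user whose password equals the user name, no IP restriction). The following is an added example, not code from the original post: it parses both file formats and reports weak entries so they can be caught before the server goes live. Both sample files are constructed here to resemble the post's examples, with one reasonable chap-secrets entry added for contrast; the length thresholds and the small list of common PSKs are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of /etc/ipsec.secrets, modelled on the post's example.
IPSEC_SECRETS = """\
#include /etc/ipsec.d/*.secrets
192.168.1.2 %any : PSK "123456"
"""

# Constructed sample of /etc/ppp/chap-secrets: the post's weak entry plus one
# entry with a long password bound to a single client address.
CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client  server  secret  IP addresses
admin     *       admin   *
alice     *       "Correct-Horse-4-Battery"  100.64.0.150
"""

# Assumed list of values no PSK should ever be; extend from a real wordlist in practice.
COMMON_PSKS = {"123456", "password", "12345678", "secret", "vpn"}
MIN_PSK_LEN = 16
MIN_PASSWORD_LEN = 12

PSK_LINE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')


def parse_psks(text: str) -> List[Tuple[str, str, str]]:
    """Return (left, right, psk) for every '<left> <right> : PSK "<key>"' line, skipping comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = PSK_LINE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def parse_chap(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, server, secret, ip) tuples from chap-secrets; quotes around secrets are removed."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 4:
            continue  # blank line, comment, or malformed entry
        out.append((parts[0], parts[1], parts[2].strip('"'), parts[3]))
    return out


def audit_psk(psk: str) -> List[str]:
    """Findings for a single pre-shared key."""
    findings = []
    if len(psk) < MIN_PSK_LEN:
        findings.append(f"PSK shorter than {MIN_PSK_LEN} characters ({len(psk)})")
    if psk.lower() in COMMON_PSKS or psk.isdigit():
        findings.append("PSK is a common or all-digit value")
    return findings


def audit_chap_entry(client: str, server: str, secret: str, ip: str) -> List[str]:
    """Findings for a single chap-secrets entry; the IP check is informational."""
    findings = []
    if secret.lower() == client.lower():
        findings.append(f"{client}: password equals user name")
    if len(secret) < MIN_PASSWORD_LEN:
        findings.append(f"{client}: password shorter than {MIN_PASSWORD_LEN} characters")
    if ip == "*":
        findings.append(f"{client}: no IP restriction ('*'), any address may be used")
    return findings


def audit(ipsec_text: str, chap_text: str) -> List[str]:
    """All findings from both files, each prefixed with the entry it belongs to."""
    findings = []
    for left, right, psk in parse_psks(ipsec_text):
        findings += [f"{left} {right}: {f}" for f in audit_psk(psk)]
    for entry in parse_chap(chap_text):
        findings += audit_chap_entry(*entry)
    return findings


if __name__ == "__main__":
    for finding in audit(IPSEC_SECRETS, CHAP_SECRETS):
        print(finding)
```

Run against the real files with `audit(open("/etc/ipsec.secrets").read(), open("/etc/ppp/chap-secrets").read())` as root; both files are mode 600, which is exactly why the audit is worth scripting rather than pasting the files anywhere.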
Start xl2tpd:
———————————————————————————————————————————————————————
Run the command: service xl2tpd start
Configure the firewall:
———————————————————————————————————————————————————————
Edit the firewall configuration: vi /etc/sysconfig/iptables
The following is for reference only; beginners should not copy it verbatim:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:100]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 100.64.0.0/24 -j ACCEPT
-A FORWARD -s 100.64.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 30 10:36:16 2018
# Generated by iptables-save v1.4.7 on Fri Mar 30 10:36:16 2018
*nat
:PREROUTING ACCEPT [831320:68105743]
:POSTROUTING ACCEPT [1350:80883]
:OUTPUT ACCEPT [1350:80883]
-A POSTROUTING -s 100.64.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Mar 30 10:36:16 2018
Restart the firewall: service iptables restart
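Two things in the ruleset above deserve a check before it is loaded: the INPUT rule accepts udp/1701 from anywhere, although L2TP should only ever arrive inside the IPsec transport SA, and the NAT rule masquerades 100.64.0.0/24, which has to contain the "ip range" and "local ip" configured in xl2tpd.conf. The following is an added example, not code from the original post: it reads iptables-save text, flags a udp/1701 ACCEPT that carries no `-m policy --dir in --pol ipsec` match, shows the hardened rule beside the original one, and verifies that the xl2tpd address pool lies inside a masqueraded source network. The ruleset embedded below is a constructed, abbreviated copy of the post's.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed, abbreviated copy of the post's /etc/sysconfig/iptables.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:100]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 100.64.0.0/24 -j ACCEPT
-A FORWARD -s 100.64.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 100.64.0.0/24 -o eth1 -j MASQUERADE
COMMIT
"""

# The post's rule and its hardened form: the policy match only passes packets
# that were decapsulated from an inbound IPsec SA, so plain udp/1701 is rejected.
WEAK_1701 = "-A INPUT -p udp -m udp --dport 1701 -j ACCEPT"
HARDENED_1701 = "-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT"


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (table, rule) for every '-A' line, tracking the current '*table' header."""
    table = None
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, line))
    return rules


def l2tp_exposed(text: str) -> bool:
    """True if any filter-table rule accepts udp/1701 without requiring an IPsec policy match."""
    for table, rule in parse_rules(text):
        if table != "filter" or "--dport 1701" not in rule or "-j ACCEPT" not in rule:
            continue
        if "-m policy" not in rule or "--pol ipsec" not in rule:
            return True
    return False


def masquerade_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Source networks of every MASQUERADE rule in the nat table."""
    nets = []
    for table, rule in parse_rules(text):
        if table == "nat" and "-j MASQUERADE" in rule:
            m = re.search(r"-s (\S+)", rule)
            if m:
                nets.append(ipaddress.ip_network(m.group(1)))
    return nets


def pool_is_masqueraded(text: str, pool_start: str, pool_end: str) -> bool:
    """Check that an xl2tpd 'ip range' falls entirely inside one masqueraded source network."""
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return any(first in net and last in net for net in masquerade_networks(text))


def harden(text: str) -> str:
    """Replace the post's open udp/1701 rule with the policy-matched one."""
    return text.replace(WEAK_1701, HARDENED_1701)


if __name__ == "__main__":
    print("udp/1701 reachable outside IPsec:", l2tp_exposed(IPTABLES_SAVE))
    print("after hardening:", l2tp_exposed(harden(IPTABLES_SAVE)))
    print("xl2tpd pool masqueraded:", pool_is_masqueraded(IPTABLES_SAVE, "100.64.0.100", "100.64.0.200"))
```

To check the live ruleset, feed `subprocess.check_output(["iptables-save"], text=True)` to the same functions; the pool bounds come from the "ip range" line in /etc/xl2tpd/xl2tpd.conf.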
Configure autostart:
———————————————————————————————————————————————————————
Run the commands:
chkconfig xl2tpd on
chkconfig ipsec on
Fix Windows 7 being unable to connect:
———————————————————————————————————————————————————————
Add two registry entries:
Delete the ProhibitIpSec value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters (if it does not exist, create a new 32-bit DWORD value set to 1).
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent add AssumeUDPEncapsulationContextOnSendRule (a 32-bit DWORD value set to 2).
Reposted from 愛種樹的熊