2011年9月6日星期二

CentOS 5.5 安装 IPSEC / L2TP VPN

已经安装的工作环境为 Linode VPS + CentOS 5.5 32 bit

一、部署IPSEC 、安装 openswan


1、关联包

# Build-time dependencies for compiling openswan from source in step 2
# (compiler, gmp headers, bison/flex for the config parser).
yum install make gcc gmp-devel bison flex

2、编译安装

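# Fetch and build openswan. The commands are chained with && so that a failed
# cd, download or extraction does not leave `make ... install` running as root
# in the wrong directory or on a partial tree.
# The tarball is fetched over plain HTTP with no integrity check; before
# building, compare its checksum (sha1sum openswan-2.6.24.tar.gz) or GPG
# signature with the value the project publishes -- TODO(review): expected
# value not recorded here. 2.6.24 is an older release; check for a maintained
# version with current security fixes before deploying.
cd /usr/src \
  && wget http://www.openswan.org/download/openswan-2.6.24.tar.gz \
  && tar zxvf openswan-2.6.24.tar.gz \
  && cd openswan-2.6.24 \
  && make programs install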

3、配置

vi /etc/ipsec.conf
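# /etc/ipsec.conf -- parameter lines must be indented under their section
# header; the flattened copy-paste form loses that and is rejected by the
# openswan config parser.
config setup
    # Clients behind NAT (the usual road-warrior case) need NAT traversal.
    nat_traversal=yes
    # Private address ranges a NATed client may present; referenced by
    # rightsubnet=vhost:%priv below.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # No opportunistic encryption: only the explicit conns below are offered.
    oe=off
    # Native kernel IPsec stack (NETKEY) rather than KLIPS.
    protostack=netkey

# Variant for clients behind NAT; everything else is shared with the
# non-NAT conn via also=.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # One pre-shared key for every client (see /etc/ipsec.secrets). Anyone
    # who learns it can complete the IPsec layer, so treat it like a
    # password and rotate it if a client device is lost.
    authby=secret
    # PFS off, presumably for client compatibility: rekeys reuse IKE keying
    # material, so a compromised IKE SA exposes later ESP keys. Consider
    # pfs=yes if every client supports it -- TODO(review): confirm clients.
    pfs=no
    auto=add
    keyingtries=3
    # Server does not initiate rekeying; the client is expected to.
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Transport mode: only the L2TP traffic (UDP 1701) between the two hosts
    # is protected; the client tunnel itself rides inside L2TP/PPP.
    type=transport
    # Replace with the server's public address before use (same value as in
    # /etc/ipsec.secrets).
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    # Accept any client address / source port.
    right=%any
    rightprotoport=17/%any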

4、 设置 Shared Key

vi /etc/ipsec.secrets
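# Format: <local id> <remote id>: PSK "<key>". %any means this single key
# authenticates every client, so generate a long random value rather than a
# word, and keep the file root-only (chmod 600 /etc/ipsec.secrets).
# The key must be enclosed in plain ASCII double quotes; the typographic
# quotes in the original listing are not recognised as delimiters.
YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"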

5、 修改包转发设置

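# Disable sending and accepting ICMP redirects on every interface; `ipsec verify`
# in step 6 checks these. The expansion is quoted as a defensive habit (the
# /proc names contain no whitespace, but unquoted paths are a recurring bug).
for each in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$each/accept_redirects"
  echo 0 > "$each/send_redirects"
done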

6、 重启 IPSec ,测试

# Reload the new configuration, then let openswan check its prerequisites
# (kernel stack, sysctl settings such as the redirect values from step 5).
# Fix anything it reports as FAILED before going on to L2TP.
/etc/init.d/ipsec restart

ipsec verify

.


二、安装 L2TP


1、关联包

# Dependencies for the rp-l2tp / xl2tpd builds below and the PPP daemon they spawn.
yum install libpcap-devel ppp

2、编译安装

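# rp-l2tp is built only to obtain its l2tp-control helper; the symlink
# suggests xl2tpd expects it under /var/run/xl2tpd/ (on systems where /var/run
# is cleared at boot the link would need recreating -- TODO(review): confirm
# for this host). Steps are chained with && so a failure stops the sequence
# instead of running `make`/`cp` on a missing tree; mkdir -p / ln -sf make a
# re-run safe.
# Both tarballs are fetched over plain HTTP and then built and installed as
# root with no integrity check: compare checksums or signatures with the
# values the projects publish before building -- TODO(review): expected
# values not recorded here.
cd /usr/src \
  && wget http://downloads.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz \
  && tar zxvf rp-l2tp-0.4.tar.gz \
  && cd rp-l2tp-0.4 \
  && ./configure \
  && make \
  && cp handlers/l2tp-control /usr/local/sbin/ \
  && mkdir -p /var/run/xl2tpd/ \
  && ln -sf /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

# xl2tpd itself (plain Makefile build, no configure step).
cd /usr/src \
  && wget http://www.xelerance.com/software/xl2tpd/xl2tpd-1.2.4.tar.gz \
  && tar zxvf xl2tpd-1.2.4.tar.gz \
  && cd xl2tpd-1.2.4 \
  && make install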

3、配置

# Config directory read by xl2tpd (xl2tpd.conf below); not created by `make install`.
mkdir /etc/xl2tpd

vi /etc/xl2tpd/xl2tpd.conf
[global]
; Tie each client's L2TP traffic to its own IPsec SA reference so several
; clients behind one NAT can be told apart. Needs SAref support in the IPsec
; stack -- check the `ipsec verify` output from step 一.
ipsec saref = yes
[lns default]
; Address pool handed to clients; local ip is the server end of each PPP
; link. These must agree with the NAT rule in step 6 (10.1.2.0/24).
ip range = 10.1.2.2-10.1.2.254
local ip = 10.1.2.1
; Refuse the weak PPP authentication methods; with authentication required,
; only MS-CHAPv2 (require-mschap-v2 in options.xl2tpd) remains.
refuse chap = yes
refuse pap = yes
require authentication = yes
; Verbose PPP logging -- useful while setting up, switch off once stable.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

4、修改 ppp 配置

vi /etc/ppp/options.xl2tpd
# Only MS-CHAPv2 is accepted (CHAP/PAP are refused in xl2tpd.conf). On its own
# MS-CHAPv2 is not a strong authenticator; confidentiality and resistance to
# offline attack come from the IPsec layer, so UDP 1701 should not be
# reachable except through the IPsec transport SA.
require-mschap-v2
# Resolvers pushed to clients (Google public DNS); substitute resolvers you
# control if client DNS traffic should not leave your network.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
# Keep passwords out of the log even while `debug` is on.
hide-password
modem
# Verbose pppd logging; disable once the link is stable.
debug
# Local name: matched against the "server" column of /etc/ppp/chap-secrets.
name l2tpd
proxyarp
# Drop a link after 4 unanswered LCP echoes sent 30 s apart (about 2 min).
lcp-echo-interval 30
lcp-echo-failure 4

5、添加用户名/密码

vi /etc/ppp/chap-secrets
# user server password ip
# One line per VPN account: <user> <server name from options.xl2tpd> <password> <client ip or *>.
# Passwords are stored in clear text: restrict the file to root
# (chmod 600 /etc/ppp/chap-secrets) and replace the sample "username" /
# "userpass" values before starting xl2tpd.
username l2tpd userpass *

6、启用包转发

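# NAT only traffic from the L2TP client pool (10.1.2.0/24 per xl2tpd.conf)
# instead of every forwarded packet leaving the host; an unrestricted
# MASQUERADE rule would also rewrite any other traffic the box forwards.
# --append adds a duplicate rule on every run, so run this once (or at boot).
iptables --table nat --append POSTROUTING --source 10.1.2.0/24 --jump MASQUERADE
# Enable forwarding for this session; step 7 makes it persistent.
echo 1 > /proc/sys/net/ipv4/ip_forward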

7、修改/etc/sysctl.conf

vi /etc/sysctl.conf
# Persistent form of the ip_forward echo in step 6.
net.ipv4.ip_forward = 1
# Reverse-path filtering off -- presumably so replies to VPN clients are not
# dropped. This also removes a basic anti-spoofing check for every interface;
# TODO(review): confirm it is needed here, or disable it only where required.
net.ipv4.conf.default.rp_filter = 0
# Ignore source-routed packets.
net.ipv4.conf.default.accept_source_route = 0
# The ICMP redirect settings written in step 5 / rc.local could be made
# persistent here instead, e.g. net.ipv4.conf.all.send_redirects = 0 and
# net.ipv4.conf.all.accept_redirects = 0.
kernel.sysrq = 0
kernel.core_uses_pid = 1
# SYN cookies help the public listener survive SYN floods.
net.ipv4.tcp_syncookies = 1
# Remaining values are the stock CentOS defaults.
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

8、启动 xl2tpd

# Start the daemon by hand (no init script is installed); step 三 adds it to
# rc.local so it also comes up after a reboot.
/usr/local/sbin/xl2tpd

.


三、扫尾


设置开机自动运行

vi /etc/rc.local

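# Boot-time setup from /etc/rc.local. NAT only the L2TP client pool
# (10.1.2.0/24 per xl2tpd.conf) rather than all forwarded traffic.
iptables --table nat --append POSTROUTING --source 10.1.2.0/24 --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disable ICMP redirects on every interface (`ipsec verify` checks these).
# The path is quoted as a defensive habit.
for each in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$each/accept_redirects"
  echo 0 > "$each/send_redirects"
done

# IPsec first, then the L2TP daemon that rides on it.
/etc/init.d/ipsec restart
/usr/local/sbin/xl2tpd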
