Packages used in this install:

ipsec-tools-0.6.5-14.el5_5.5.i386.rpm

openswan-2.6.21-5.el5_6.4.i386.rpm

xl2tpd-1.3.1-1.el5.i386.rpm

ppp-2.4.4-9.0.rhel5.i386.rpm

1. Install the RPMs

# rpm -ivh ipsec-tools-0.6.5-14.el5_5.5.i386.rpm

If there is a problem during installation, use rpm -Uvh ipsec-tools-0.6.5-14.el5_5.5.i386.rpm instead.

# rpm -ivh openswan-2.6.21-5.el5_6.4.i386.rpm

# rpm -ivh xl2tpd-1.3.1-1.el5.i386.rpm   (equivalently: rpm -ivh xl2tpd*)

# rpm -ivh ppp-2.4.4-9.0.rhel5.i386.rpm

If there is a problem during installation, use rpm -Uvh ppp-2.4.4-9.0.rhel5.i386.rpm instead.

2. Configure the VPN server

Set up the account and password

# vi /etc/ppp/chap-secrets

Format: username name password ip (name must match the name = entry in xl2tpd.conf below; the password is stored in clear text, so keep this file owned by root with mode 0600)

Example: tony xl2tpd 1234 *

xl2tpd configuration file (/etc/xl2tpd/xl2tpd.conf)

vi /etc/xl2tpd/xl2tpd.conf

[global]
; server ethernet IP
listen-addr = x.x.x.x
ipsec saref = yes
; account file used for authentication
auth file = /etc/ppp/chap-secrets
[lns default]
; address range handed out to clients
ip range = 192.168.3.128-192.168.3.254
; address of the server end of the tunnel
local ip = 192.168.3.99
; a leading ';' comments a line out
;require chap = yes
refuse pap = yes
require authentication = yes
; connection name (the second field in chap-secrets)
name = xl2tpd
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Configure /etc/ppp/options.xl2tpd

vi /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  168.95.1.1
ms-dns  8.8.8.8
#ms-wins 192.168.3.2
#ms-wins 192.168.3.4
noccp
auth
crtscts
idle 18000
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# path of the pppd log file
logfile /var/log/xl2tpd.log

Start the service

# service xl2tpd start

Enable xl2tpd at boot

chkconfig xl2tpd on

3. IPsec configuration

Configure /etc/ipsec.secrets (the address before the colon must be the server's own IP, the value used for left= in the connection definition and written as x.x.x.x elsewhere in this post; the string after PSK is the preshared key every client enters, so this file should be root-only as well)

vi /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets
192.168.1.20: PSK "0321654987"

Configure /etc/ipsec.conf

vi /etc/ipsec.conf

config setup
        nat_traversal=yes
        # replace x.x.x.x with the server's ethernet IP
        virtual_private=%v4:192.168.3.0/24,%v4:x.x.x.x/32
        protostack=netkey
        #oe=off
        nhelpers=0
include /etc/ipsec.d/*.conf

Configure /etc/ipsec.d/l2tp-psk.conf

vi /etc/ipsec.d/l2tp-psk.conf

conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # server ethernet IP
    left=x.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Configure /etc/sysctl.conf

vi /etc/sysctl.conf

# modify these existing entries
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
# add these entries
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Then run the following so the settings take effect:

# sysctl -p
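Added example (not part of the original post): a small check for the kernel settings this setup relies on, the same redirect settings that ipsec verify tests for NETKEY plus IP forwarding and rp_filter. The function name, and the option of pointing it at a directory laid out like /proc/sys so it can be exercised offline, are my additions.

```shell
#!/bin/sh
# Added example (not from the original post): verify the kernel settings the
# VPN depends on. Reads the live values from /proc/sys by default; a directory
# laid out like /proc/sys can be passed instead for an offline run.
# Usage: check_vpn_sysctl [SYSCTL_ROOT]  -> prints each mismatch, returns 1 if any
check_vpn_sysctl() {
    root="${1:-/proc/sys}"
    rc=0
    # key=expected pairs, key written as a path relative to /proc/sys
    for pair in \
        net/ipv4/ip_forward=1 \
        net/ipv4/conf/all/send_redirects=0 \
        net/ipv4/conf/default/send_redirects=0 \
        net/ipv4/conf/all/accept_redirects=0 \
        net/ipv4/conf/default/accept_redirects=0 \
        net/ipv4/conf/default/rp_filter=0
    do
        key="${pair%=*}"; want="${pair#*=}"
        if [ ! -r "$root/$key" ]; then
            echo "MISSING $key"; rc=1; continue
        fi
        have=$(cat "$root/$key")
        if [ "$have" != "$want" ]; then
            echo "BAD $key=$have (want $want)"; rc=1
        fi
    done
    return $rc
}

# Build a constructed /proc/sys look-alike under DIR for offline testing:
# make_fake_sysctl DIR IP_FORWARD REDIRECTS
make_fake_sysctl() {
    dir="$1"
    mkdir -p "$dir/net/ipv4/conf/all" "$dir/net/ipv4/conf/default"
    echo "$2" > "$dir/net/ipv4/ip_forward"
    for d in all default; do
        echo "$3" > "$dir/net/ipv4/conf/$d/send_redirects"
        echo "$3" > "$dir/net/ipv4/conf/$d/accept_redirects"
    done
    echo 0 > "$dir/net/ipv4/conf/default/rp_filter"
}
```

On the server itself run check_vpn_sysctl with no argument after sysctl -p; a non-zero exit with the offending keys listed means ipsec verify will fail the corresponding check too.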

Configure /etc/ipsec.d/no_oe.conf (sets the opportunistic-encryption connections to auto=ignore, which is why ipsec verify below reports Opportunistic Encryption Support as DISABLED)

vi /etc/ipsec.d/no_oe.conf

conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

Start the IPsec service

# service ipsec start

To stop it:

# service ipsec stop

4. Check the IPsec status to confirm the configuration is correct

# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5PAE (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                          [DISABLED]

If the output looks like the above, IPsec is set up correctly.

5. iptables configuration

'service' here is a user-defined chain, not a built-in one: create it with iptables -N service and reference it from INPUT (for example iptables -A INPUT -j service), otherwise the rules below are never evaluated. Protocol 50 is ESP, UDP 500 is IKE, UDP 4500 is IPsec NAT-T and UDP 1701 is L2TP; the gre rule is only needed for PPTP, not for L2TP/IPsec. Note that as written UDP 1701 is accepted from any source, including L2TP that was never wrapped in IPsec.

iptables -A service -i eth0 -p 50 -j ACCEPT   # ESP (IPsec)
iptables -A service -i eth0 -p udp --dport 500 -j ACCEPT   # IKE (IPsec)
iptables -A service -i eth0 -p udp --dport 4500 -j ACCEPT   # IPsec NAT-T
iptables -A service -i eth0 -p udp --dport 1701 -j ACCEPT   # L2TP (xl2tpd)
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT   # GRE, needed only for PPTP
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.3.0/24 -j MASQUERADE
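Added example (not part of the original post): the same rule set as a script that creates the user-defined chain explicitly, adds each rule only once, and accepts L2TP on UDP 1701 only when the packet was decapsulated from an IPsec SA (the xt_policy match), so a client that fell back to plain L2TP is dropped instead of reaching xl2tpd. The variable names WAN_IF, VPN_NET and DRY_RUN and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Set DRY_RUN=1 to print the
# iptables commands instead of applying them.
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-192.168.3.0/24}"

# ipt TABLE CHAIN RULE-SPEC...: append the rule unless an identical one exists
ipt() {
    table="$1"; chain="$2"; shift 2
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -t $table -A $chain $*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

setup_vpn_firewall() {
    # 'service' is a user chain: create it (ignore "already exists") and hook
    # it into INPUT for traffic arriving on the public interface
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -N service"
    else
        iptables -N service 2>/dev/null || true
    fi
    ipt filter INPUT -i "$WAN_IF" -j service
    ipt filter service -p esp -j ACCEPT                 # ESP payload
    ipt filter service -p udp --dport 500 -j ACCEPT     # IKE
    ipt filter service -p udp --dport 4500 -j ACCEPT    # IPsec NAT-T
    # L2TP: accept only what came out of an IPsec SA, then drop the rest
    ipt filter service -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    ipt filter service -p udp --dport 1701 -j DROP
    # routing between the PPP interfaces and the public interface
    ipt filter FORWARD -i ppp+ -o "$WAN_IF" -j ACCEPT
    ipt filter FORWARD -i "$WAN_IF" -o ppp+ -j ACCEPT
    ipt nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}
```

iptables -C needs iptables 1.4.11 or newer; on older releases drop the check and append directly.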

6. Client connection setup (Windows)

Start > Control Panel > Open Network and Sharing Center

Set up a new connection or network

Choose "Use my Internet connection (VPN)"

Connect using a virtual private network (VPN) connection through the Internet

Enter the server IP and give the connection a name

Tick "Don't connect now; just set it up so I can connect later"

Enter the username and password

Open the connection's Properties

Under the Security tab

Type of VPN:

Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)

[screenshot: l2tp-ipsec01]

Advanced settings

Select "Use preshared key for authentication" and enter YOUR SECRETS KEY (the PSK from /etc/ipsec.secrets)

[screenshot: l2tp-ipsec02]

Modify the registry to allow IPsec to work with a server behind NAT

Double-click L2tp_Ipsec.reg to apply it

Save the following as L2tp_Ipsec.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  72,00,61,00,73,00,6d,00,61,00,6e,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"Medias"=hex(7):72,00,61,00,73,00,74,00,61,00,70,00,69,00,00,00,00,00
"CustomDLL"=hex(7):00,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
"AllowL2TPWeakCrypto"=dword:00000000
"AllowPPTPWeakCrypto"=dword:00000000
"KeepRasConnections"=dword:00000000
"ProhibitIpsec"=dword:00000001
"AllocatedLuids"=hex

Restart the computer.

Note on ProhibitIpsec=1: this value tells RasMan not to build its automatic IPsec policy for L2TP, so a client carrying this setting can end up sending plain L2TP on UDP 1701 with no encryption at all. After connecting, confirm on the server that the session is protected: ipsec auto --status should list an established SA for the client, and a capture on the server's interface should show ESP or UDP 4500 rather than cleartext UDP 1701. The value Microsoft documents for L2TP/IPsec behind NAT is AssumeUDPEncapsulationContextOnSendRule (DWORD, 2 when the client and the server can both be behind NAT) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent.

Check the log to see whether the login succeeded (pppd writes to the logfile set in options.xl2tpd; xl2tpd itself logs through syslog, so its lines also appear in /var/log/messages)

cat /var/log/pptpd.log
Jul 17 14:23:20 web xl2tpd[30296]: Connection established to 192.168.1.13, 1701. Local: 16471, Remote: 27 (ref=0/0). LNS session is 'default' 
Jul 17 14:23:20 web xl2tpd[30296]: Call established with 192.168.1.13, Local: 22258, Remote: 1, Serial: 0 
Jul 17 14:23:20 web pppd[1633]: pppd 2.4.4 started by root, uid 0
Jul 17 14:23:20 web pppd[1633]: Using interface ppp0
Jul 17 14:23:20 web pppd[1633]: Connect: ppp0 <--> /dev/pts/1
Jul 17 14:23:23 web pppd[1633]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
Jul 17 14:23:23 web pppd[1633]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Jul 17 14:23:23 web pppd[1633]: Cannot determine ethernet address for proxy ARP
Jul 17 14:23:23 web pppd[1633]: local IP address 192.168.3.99
Jul 17 14:23:23 web pppd[1633]: remote IP address 192.168.3.128
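Added example (not part of the original post): an awk-based summary of the xl2tpd/pppd log shown above, pairing each PPP session's inner address with the L2TP peer that opened it, which is the audit trail you want when checking who connected and what address they received. The function names are mine; the sample input is constructed from the log excerpt above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise L2TP/PPP logins from
# the xl2tpd/pppd log. For each PPP session it prints the time, the L2TP peer
# (the client's outer address, taken from xl2tpd) and the inner address pppd
# assigned, then a summary line. Proxy-ARP failures are counted because they
# mean the 'proxyarp' option in /etc/ppp/options.xl2tpd could not be applied.
# Usage: vpn_login_report /var/log/xl2tpd.log   (or read from stdin)
vpn_login_report() {
    awk '
        # xl2tpd: "Connection established to 192.168.1.13, 1701. ..."
        /xl2tpd\[[0-9]+]: Connection established to / {
            if (match($0, /to [0-9.]+/)) peer = substr($0, RSTART + 3, RLENGTH - 3)
        }
        /pppd\[[0-9]+]: Using interface / { iface = $NF }
        /pppd\[[0-9]+]: remote IP address / {
            printf "%s %s %s peer=%s assigned=%s iface=%s\n",
                   $1, $2, $3, peer, $NF, iface
            sessions++
        }
        /Cannot determine ethernet address for proxy ARP/ { proxyarp_fail++ }
        END { printf "sessions=%d proxyarp_failures=%d\n", sessions + 0, proxyarp_fail + 0 }
    ' "$@"
}

# Constructed sample input, copied from the log excerpt above (hostname "web")
sample_log() {
    cat <<'EOF'
Jul 17 14:23:20 web xl2tpd[30296]: Connection established to 192.168.1.13, 1701. Local: 16471, Remote: 27 (ref=0/0). LNS session is 'default'
Jul 17 14:23:20 web xl2tpd[30296]: Call established with 192.168.1.13, Local: 22258, Remote: 1, Serial: 0
Jul 17 14:23:20 web pppd[1633]: pppd 2.4.4 started by root, uid 0
Jul 17 14:23:20 web pppd[1633]: Using interface ppp0
Jul 17 14:23:20 web pppd[1633]: Connect: ppp0 <--> /dev/pts/1
Jul 17 14:23:23 web pppd[1633]: Cannot determine ethernet address for proxy ARP
Jul 17 14:23:23 web pppd[1633]: local IP address 192.168.3.99
Jul 17 14:23:23 web pppd[1633]: remote IP address 192.168.3.128
EOF
}
```

The peer/assigned pairing relies on log order (xl2tpd's connection line precedes the pppd session it spawns), which holds for a single concurrent login but should be combined with the pppd pid when several clients connect at once.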


By tony

A free-software enthusiast who enjoys thinking through all kinds of problems and wants to learn and try out whatever is new, experimenting and researching keenly. There is no such thing as a peak of skill, only humility and continuous learning to sharpen one's expertise. This site was set up mainly to share knowledge and resources about systems and networking. Github http://stnet253.github.io
