Packages used for this install:
ipsec-tools-0.6.5-14.el5_5.5.i386.rpm
openswan-2.6.21-5.el5_6.4.i386.rpm
xl2tpd-1.3.1-1.el5.i386.rpm
ppp-2.4.4-9.0.rhel5.i386.rpm
1. Install the RPMs
# rpm -ivh ipsec-tools-0.6.5-14.el5_5.5.i386.rpm
If the install fails, use: rpm -Uvh ipsec-tools-0.6.5-14.el5_5.5.i386.rpm
# rpm -ivh openswan-2.6.21-5.el5_6.4.i386.rpm
# rpm -ivh xl2tpd-1.3.1-1.el5.i386.rpm
# rpm -ivh ppp-2.4.4-9.0.rhel5.i386.rpm
If the install fails, use: rpm -Uvh ppp-2.4.4-9.0.rhel5.i386.rpm
2. Configure the VPN server
Set up the accounts and passwords
# vi /etc/ppp/chap-secrets
Format: username servername password ip
(the servername field must match the "name = xl2tpd" entry in xl2tpd.conf below; "*" in the ip field allows any address)
Example: tony xl2tpd 1234 *
xl2tpd configuration file (/etc/xl2tpd/xl2tpd.conf)
vi /etc/xl2tpd/xl2tpd.conf
[global]
; server ethernet IP
listen-addr = x.x.x.x
ipsec saref = yes
; account file set up above
auth file = /etc/ppp/chap-secrets

[lns default]
; address pool handed out to clients
ip range = 192.168.3.128-192.168.3.254
; the server's own tunnel address
local ip = 192.168.3.99
; a leading ";" comments a line out, as here
;require chap = yes
refuse pap = yes
require authentication = yes
; server name, must match the second field in chap-secrets
name = xl2tpd
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configure /etc/ppp/options.xl2tpd
vi /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 168.95.1.1
ms-dns 8.8.8.8
#ms-wins 192.168.3.2
#ms-wins 192.168.3.4
noccp
auth
crtscts
idle 18000
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# log file path
logfile /var/log/xl2tpd.log
Start the service
# service xl2tpd start
Make xl2tpd start at boot
chkconfig xl2tpd on
3. IPsec settings
Configure /etc/ipsec.secrets (the address before the colon is the server's own IP, i.e. the x.x.x.x used in the other files; the PSK is the preshared key entered on the client)
vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
192.168.1.20: PSK "0321654987"
Configure /etc/ipsec.conf
vi /etc/ipsec.conf
config setup
    protostack=netkey
    nat_traversal=yes
    # x.x.x.x = server ethernet IP
    virtual_private=%v4:192.168.3.0/24,%v4:x.x.x.x/32
    #oe=off
    nhelpers=0
include /etc/ipsec.d/*.conf
Configure /etc/ipsec.d/l2tp-psk.conf
vi /etc/ipsec.d/l2tp-psk.conf
conn %default
    forceencaps=yes

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # x.x.x.x = server ethernet IP
    left=x.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Configure /etc/sysctl.conf
vi /etc/sysctl.conf
# modify these existing entries
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
# add these entries
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Then run the following so the settings take effect:
# sysctl -p
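As an added check (not part of the original guide), the script below audits the files created in the sections above: it verifies that the sysctl keys the guide relies on are set to the expected values and that /etc/ppp/chap-secrets and /etc/ipsec.secrets are readable by their owner only, since both hold plaintext passwords and the PSK. File paths are parameters, and the sample files it builds are constructed for a dry run.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit the server-side files
# the guide creates. Checks the sysctl keys the guide sets and that the two
# secret files (plaintext CHAP passwords and the PSK) are owner-only.
# Paths are parameters so it can run against copies; needs only POSIX sh/awk/ls.

# sysctl_ok FILE KEY VALUE -> 0 if FILE sets KEY = VALUE (the last setting wins)
sysctl_ok() {
    awk -v k="$2" -v v="$3" '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        { gsub(/[[:space:]]/, "") }                  # drop spaces around "="
        index($0, k "=") == 1 { found = 1; val = substr($0, length(k) + 2) }
        END { if (found && val == v) exit 0; exit 1 }' "$1"
}

# secret_file_ok FILE -> 0 if FILE exists and group/others have no permissions
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit SYSCTL_CONF CHAP_SECRETS IPSEC_SECRETS -> prints one line per check and
# returns the number of failed checks (0 means the files match the guide)
audit() {
    fails=0
    for kv in net.ipv4.ip_forward=1 net.ipv4.conf.all.send_redirects=0 \
              net.ipv4.conf.default.send_redirects=0 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.default.accept_redirects=0; do
        if sysctl_ok "$1" "${kv%=*}" "${kv#*=}"; then echo "OK   $kv"
        else echo "FAIL $kv not set in $1"; fails=$((fails + 1)); fi
    done
    for f in "$2" "$3"; do
        if secret_file_ok "$f"; then echo "OK   $f is owner-only"
        else echo "FAIL $f missing or readable by group/others"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# make_sample DIR: constructed input for a dry run. The sysctl file lacks the two
# accept_redirects keys and ipsec.secrets is left world-readable on purpose.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'net.ipv4.ip_forward = 1' '# net.ipv4.conf.all.send_redirects = 1' \
        'net.ipv4.conf.all.send_redirects = 0' 'net.ipv4.conf.default.send_redirects=0' \
        > "$1/sysctl.conf"
    printf 'tony xl2tpd 1234 *\n' > "$1/chap-secrets"; chmod 600 "$1/chap-secrets"
    printf '192.168.1.20: PSK "0321654987"\n' > "$1/ipsec.secrets"; chmod 644 "$1/ipsec.secrets"
}
```

Run `make_sample /tmp/vpn-audit; audit /tmp/vpn-audit/sysctl.conf /tmp/vpn-audit/chap-secrets /tmp/vpn-audit/ipsec.secrets` for the dry run (three FAIL lines); on the real server pass /etc/sysctl.conf, /etc/ppp/chap-secrets and /etc/ipsec.secrets instead.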
Configure /etc/ipsec.d/no_oe.conf
vi /etc/ipsec.d/no_oe.conf
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
Start the IPsec service
# service ipsec start
To stop it
# service ipsec stop
4. Check IPsec status, to confirm the IPsec configuration is correct
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                               [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5PAE (netkey)
Checking for IPsec support in kernel                          [OK]
NETKEY detected, testing for disabled ICMP send_redirects     [OK]
NETKEY detected, testing for disabled ICMP accept_redirects   [OK]
Checking for RSA private key (/etc/ipsec.secrets)             [OK]
Checking that pluto is running                                [OK]
Two or more interfaces found, checking IP forwarding          [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                     [OK]
Checking for 'iptables' command                               [OK]
Opportunistic Encryption Support                              [DISABLED]
If the messages above appear, the IPsec setup is OK.
5. iptables settings
(the first four rules assume a custom chain named "service" that is already reached from INPUT; if you have no such chain, use INPUT instead)
iptables -A service -i eth0 -p 50 -j ACCEPT                 # ESP (IPsec)
iptables -A service -i eth0 -p UDP --dport 500 -j ACCEPT    # IKE (IPsec)
iptables -A service -i eth0 -p UDP --dport 4500 -j ACCEPT   # IPsec NAT-T
iptables -A service -i eth0 -p UDP --dport 1701 -j ACCEPT   # L2TP (xl2tpd)
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT                          # GRE is only needed for PPTP, not for L2TP/IPsec
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.3.0/24 -j MASQUERADE
6. Client connection settings (Windows)
Start > Control Panel > open Network and Sharing Center
Set up a new connection or network
Choose "Use my Internet connection (VPN)"
Connect using a virtual private network (VPN) connection through the Internet
Enter the server IP and give the connection a name
Tick "Don't connect now; just set it up so I can connect later"
Enter the username & password
Open the connection's Properties
Under Security
Type of VPN
Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)
Advanced settings
Use preshared key for authentication, and enter YOUR SECRETS KEY
Modify the registry to allow IPsec to reach a server behind NAT
Double-click L2tp_Ipsec.reg to apply it
Save the following as L2tp_Ipsec.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  72,00,61,00,73,00,6d,00,61,00,6e,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"Medias"=hex(7):72,00,61,00,73,00,74,00,61,00,70,00,69,00,00,00,00,00
"CustomDLL"=hex(7):00,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
"AllowL2TPWeakCrypto"=dword:00000000
"AllowPPTPWeakCrypto"=dword:00000000
"KeepRasConnections"=dword:00000000
"ProhibitIpsec"=dword:00000001
"AllocatedLuids"=hex
Note: ProhibitIpsec=1 under RasMan\Parameters tells Windows not to apply its built-in IPsec policy to L2TP connections, so a connection made with this file carries L2TP without IPsec protection, and the server above will accept it because UDP 1701 is open. The setting Microsoft documents for reaching an L2TP/IPsec server behind NAT is AssumeUDPEncapsulationContextOnSendRule (DWORD, value 2) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent; after connecting, confirm on the server with "ipsec auto --status" that an IPsec SA for the client actually exists.
Restart the computer
Check the log to see whether the login succeeded
cat /var/log/pptpd.log
Jul 17 14:23:20 web xl2tpd[30296]: Connection established to 192.168.1.13, 1701. Local: 16471, Remote: 27 (ref=0/0). LNS session is 'default'
Jul 17 14:23:20 web xl2tpd[30296]: Call established with 192.168.1.13, Local: 22258, Remote: 1, Serial: 0
Jul 17 14:23:20 web pppd[1633]: pppd 2.4.4 started by root, uid 0
Jul 17 14:23:20 web pppd[1633]: Using interface ppp0
Jul 17 14:23:20 web pppd[1633]: Connect: ppp0 <--> /dev/pts/1
Jul 17 14:23:23 web pppd[1633]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
Jul 17 14:23:23 web pppd[1633]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Jul 17 14:23:23 web pppd[1633]: Cannot determine ethernet address for proxy ARP
Jul 17 14:23:23 web pppd[1633]: local IP address 192.168.3.99
Jul 17 14:23:23 web pppd[1633]: remote IP address 192.168.3.128
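As an added example (not from the original guide), the script below turns syslog lines like the ones above into one summary line per login: the time, the client address xl2tpd reports in "Call established with", and the ppp interface and tunnel address pppd assigned right after it. The sample log is constructed from the guide's lines plus a second, made-up client.

```sh
#!/bin/sh
# Added example, not part of the original guide: summarise L2TP logins from
# xl2tpd/pppd syslog lines. Each "Call established with <peer>" from xl2tpd is
# paired with the interface and tunnel address pppd reports next, so an
# operator can see who connected and which inside address they were given.
# The sample log below is constructed.

# l2tp_sessions LOGFILE -> one line per login: "<Mon> <day> <time> <peer> <ppp if> <tunnel ip>"
l2tp_sessions() {
    awk '
        / xl2tpd\[[0-9]+\]: Call established with / {
            match($0, /Call established with [0-9.]+/)
            peer = substr($0, RSTART + 22, RLENGTH - 22)   # address after the text
            when = $1 " " $2 " " $3
            ifname = ""
        }
        / pppd\[[0-9]+\]: Using interface / { ifname = $NF }
        / pppd\[[0-9]+\]: remote IP address / && peer != "" {
            print when, peer, ifname, $NF
            peer = ""          # consume this login; wait for the next call
        }' "$1"
}

# sample_log -> constructed syslog excerpt: the login from the guide plus a
# second client, with an unrelated pppd warning left in to show it is ignored
sample_log() {
    cat <<'EOF'
Jul 17 14:23:20 web xl2tpd[30296]: Connection established to 192.168.1.13, 1701. Local: 16471, Remote: 27 (ref=0/0). LNS session is 'default'
Jul 17 14:23:20 web xl2tpd[30296]: Call established with 192.168.1.13, Local: 22258, Remote: 1, Serial: 0
Jul 17 14:23:20 web pppd[1633]: pppd 2.4.4 started by root, uid 0
Jul 17 14:23:20 web pppd[1633]: Using interface ppp0
Jul 17 14:23:23 web pppd[1633]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Jul 17 14:23:23 web pppd[1633]: local IP address 192.168.3.99
Jul 17 14:23:23 web pppd[1633]: remote IP address 192.168.3.128
Jul 17 15:02:41 web xl2tpd[30296]: Call established with 192.168.1.50, Local: 9911, Remote: 1, Serial: 0
Jul 17 15:02:41 web pppd[1702]: Using interface ppp1
Jul 17 15:02:44 web pppd[1702]: remote IP address 192.168.3.129
EOF
}
```

Run `sample_log > /tmp/l2tp.log; l2tp_sessions /tmp/l2tp.log` for the dry run, or point l2tp_sessions at the real log file.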