A VPN (Virtual Private Network) is a technique for establishing a connection to an internal/private network over a public network. This site previously covered setting up a PPTP VPN, but after my computer was upgraded to macOS Sierra, PPTP VPNs are no longer supported by the system. I am taking this opportunity to share how to set up an L2TP/IPsec VPN.
1. Introduction to several tunneling protocols
1.1 Several commonly used tunneling protocols
Simply put, a VPN is an encrypted access tunnel. Today, however, it is no longer just an encrypted tunnel: it combines access control, transport management, encryption, routing and availability management, and plays an important role in the global information security landscape. Below is an introduction to several commonly used VPN protocols:
1.2 Comparison of several tunneling protocols
2. Setting up an L2TP/IPsec VPN
Required software
openswan: provides the IPsec encryption
lsof: used to inspect data access (lists open files and sockets)
ppp: handles username/password authentication
xl2tp: provides the L2TP VPN service
1. Install lsof
yum install -y lsof
2. Install and configure openswan
yum install openswan
Configure ipsec.conf
vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=start

# clients behind NAT: accept any private address as the remote end
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # this server's own address; it must match the address used in ipsec.secrets
    left=192.168.1.144
    leftprotoport=17/1701
    right=%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
3. Set the IPsec pre-shared key
vi /etc/ipsec.secrets
Format: <public IP address> %any: PSK "<pre-shared key>". The file contents used here, with the template line from the sample file kept as a comment:
# include /etc/ipsec.d/*.secrets
# YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"
192.168.1.144 %any: PSK "ipsec"
4. Adjust packet-forwarding settings
# disable ICMP redirects on every interface
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
# drop packets that match an IPsec policy whose SA is still being negotiated
echo 1 > /proc/sys/net/core/xfrm_larval_drop
Change the kernel settings so that forwarding is enabled
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
Enable at boot:
chkconfig ipsec on
Restart IPsec:
service ipsec restart
Check that IPsec is installed and started correctly:
ipsec verify
4. Install ppp
yum install ppp
Configuration
mkdir /etc/xl2tpd
vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 192.168.1.2
#ms-wins 192.168.1.4
noccp
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd # this name is used below as the server field in chap-secrets
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
5. Configure the account and password
vi /etc/ppp/chap-secrets
# client   server   secret   IP addresses
liuht l2tpd 111111 *
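Both the PSK in /etc/ipsec.secrets and the password in /etc/ppp/chap-secrets sit in cleartext on the server, so the file modes and the strength of the secrets decide how much the setup is worth. The script below is an added example (not from the original post) that audits the two files: the mode must be 600, the PSK must reach a minimum length, and the CHAP password must not be short or digits-only. The file paths and the minimum length are parameters; the line formats are assumed to be the ones shown above.

```shell
# Added example (not from the original post): audit the two secrets files for
# permissions and weak secrets. Assumes the formats shown on this page:
# ipsec.secrets '<ip> %any: PSK "<secret>"', chap-secrets '<client> <server> <secret> <ip>'

# A secrets file must not be readable by group or others (mode x00).
check_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *) echo "$1: mode $mode is group/world readable, expected 600"; return 1 ;;
    esac
}

# Every PSK "..." entry must have at least $2 characters.
check_psk() {
    rc=0
    while IFS= read -r line; do
        case "$line" in \#*|'') continue ;; esac
        secret=$(printf '%s\n' "$line" | sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p')
        [ -n "$secret" ] && [ "${#secret}" -lt "$2" ] &&
            { echo "$1: PSK shorter than $2 characters"; rc=1; }
    done < "$1"
    return $rc
}

# Third field of a chap-secrets entry is the password: enforce a minimum
# length and reject digits-only values such as 111111.
check_chap() {
    rc=0
    while read -r client server secret rest; do
        case "$client" in \#*|'') continue ;; esac
        [ "${#secret}" -lt "$2" ] &&
            { echo "$1: password for $client shorter than $2 characters"; rc=1; }
        case "$secret" in
            *[!0-9]*) ;;
            *) echo "$1: password for $client is digits only"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# audit_secrets IPSEC_SECRETS CHAP_SECRETS MINLEN -> 0 when clean, 1 otherwise
audit_secrets() {
    status=0
    check_perms "$1" || status=1
    check_perms "$2" || status=1
    check_psk "$1" "$3" || status=1
    check_chap "$2" "$3" || status=1
    return $status
}
```

Run it as root with `audit_secrets /etc/ipsec.secrets /etc/ppp/chap-secrets 16`; with the values from this write-up it reports every check as failing.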
5. Install xl2tpd
yum install -y make gcc wget configure libpcap-devel
Configuration
vi /etc/xl2tpd/xl2tpd.conf
