近年来最累的一次折腾。有必要好好记录一下。跟了网上N个教程,有好几个都走不通。最后自己彻底整理了一次。把自己的经验和配置分享出来。

首先隆重感谢一下至今素未谋面的老熊,真是好人啊。06年的时候就在plesk服务器换ip的事上,帮了我好大的忙。没想到这次在我卡在第6步,最绝望的时候,这只熊的婀娜身影再一次出现在了我的生活中。还在漆黑的深夜中陪伴在我的身边。以下隆重公布一下他的QQ,造福广大网友!QQ: 499******* (后几位号码,为符合当地莫名其妙的“相关法规”,被系统自动屏蔽。。。)

其次要感谢老熊的同事,百忙中写好的防火墙规则,让我10分钟之内,就被兴奋得昏了头的我,给无情覆盖了。以至于下次人家重写之后,很自觉的在/root下给留了个备份。zan


1. 先安装openswan
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof
wget http://download.openswan.org/openswan/openswan-2.6.38.tar.gz
tar zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install


gkp说“安装 openswan,记得别用2.6.26,宁可用2.6.24。他和xl2tpd存在严重兼容性bug”


2. 安装xl2tpd

在centos 6官方的yum源中,没有这个软件包。需要安装fedora的epel源。
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-7.noarch.rpm
#CentOS 5用这个地址:  rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm
yum install xl2tpd -y


如果上面这个安装地址如果不对了。参照这个fedora epel的faq页(https://fedoraproject.org/wiki/EPEL/FAQ/zh-cn#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F

安装其他一些linux软件源,参照这页:http://www.esojourn.org/blog/post/repo-sources.php


编辑 /etc/ipsec.conf 注意$esojourn.org替换成你机器的ip。这个IP应该是你的公网IP,不是本机内网IP。


# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #


        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast

        protostack=netkey
        #这里注释说可以用auto,但实际上不行。还得老老实实写netkey

        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=add

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$esojourn.org  #这里写公网IP,没固定IP的就到花生壳弄个动态域名解析。
    leftid=$esojourn.org
    leftprotoport=17/1701
    right=%any

修改ipsec密钥
vi  /etc/ipsec.secrets

www.esojourn.org %any: PSK "myps"
#www.esojourn.org改成公网ip,没固定IP的,就到花生壳弄个动态域名解析。http://www.oray.com/peanuthull/
#myps改成密码


3. 修改/etc/sysctl.conf,开启路由功能
vi /etc/sysctl.conf

星云说
将下面两项找到:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1

改为:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

之后先让修改后的配置生效,再测试一下,
sysctl -p
service ipsec start
ipsec verify


如果行了就这样了,但实际上,我反复测试之后,干脆在sysctl.conf最下面,加了这一段。加好后别忘了再sysctl -p一下。


#added for xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1


如果ipsec verify返回这样,就可以了。

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


我的经验中,这里可能会出这么几个故障:
第一:
SAref kernel support                                           [N/A]

这样的话, /etc/xl2tpd/xl2tpd.conf这个文件里
[global]
ipsec saref = no


第二:
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
ip转发检查失败。

Paul和Steve说:只要 cat /proc/sys/net/ipv4/ip_forward 返回结果是1就没事。这个我已经证实了。

第三:返回结果里,就没有Two or more interfaces found, checking IP forwarding和Checking NAT and MASQUERADEing这两项。碰上这个我也没办法了。重装了系统,又瞎折腾一通之后就好了。

[ 2012-7-6 ]
第四:更新加入一个新的情况
Checking for IPsec support in kernel                            [OK]
SAref kernel support                                           [N/A]
NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [FAILED]

  Please enable /proc/sys/net/core/xfrm_larval_drop
  or NETKEY will cause non-POSIX compliant long time-outs

Checking that pluto is running                                  [OK]

出这毛病,照着说明,
echo 1 > /proc/sys/net/core/xfrm_larval_drop
vi /etc/bashrc

然后把“echo 1 > /proc/sys/net/core/xfrm_larval_drop”这句加进去。以后每次开机自动执行一下。

4. 编辑 /etc/xl2tpd/xl2tpd.conf
vi /etc/xl2tpd/xl2tpd.conf

; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
listen-addr = esojourn.org  
;这里写内网IP。或者加;注释掉也问题不大。
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
ipsec saref = no
;这里一般都让写yes,但如果刚才你的ipsec verify中,有报SAref kernel support[N/A]的话,这里就写no。


; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; forceuserspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 192.168.7.128-192.168.7.254
;这里写vpn client的ip段
local ip = 192.168.7.1

require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


5. 修改 /etc/ppp/options.xl2tpd

vi /etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.4.4
ms-dns  8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000


vi /etc/ppp/chap-secrets
#文件格式
# user server password ip
username * userpass * #改成你的用户名 密码


6. 最关键的iptables配置
做完上面这堆步骤之后,客户端建个连接就可以验证进入vpn主机了。但是无法访问内外网。我就是在这里卡了一个多星期。网上的资料,有的没说这一步。有的说了也没说全。我发个权威的吧。

iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.7.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.7.0/24 -j ACCEPT
iptables-save
service iptables restart

192.168.7.0/24根据实际情况替换。

vi /etc/sysconfig/iptables 看到的应该是类似这样。
最上面先是nat规则,下面是filter规则。
下面filter表里,先把VPN要用到的udp端口1701,500,4500都打开。要用openvp的话,还要开1194。
另外filter表里,一定要有FORWARD规则。这点在网上好几个教程里都没说!坑死人。


#下面规则做参考啊,新手别完全照抄。
*nat
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
# Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 28 15:50:40 2012


最后
service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on



最后编辑: Sonic 编辑于2012/07/06 18:23
Tags: , ,
网摘-网事 | 评论(16) | 引用(0) | 阅读(79958)
Share |
chengxiao Email Homepage
2012/07/08 11:14
请教博主一个问题,在配置l2tp vpn时,执行ipsec verify 这一步时提示-bash::psec :comand not found,这个该如何解决呢?
Sonic 回复于 2012/07/09 09:34
ipsec命令没找到,肯定是在安装openswan这步出的问题。检查一下安装过程。我估计在make programs install这一步,安装没成功。会有详细的错误信息。
分页: 2/2 第一页 上页 1 2 最后页