This is based on: http://wiki.nikoforge.org/L2TP/IPSec_VPN_Setup_on_Centos_6_(64-bit)_for_use_with_Android_ICS_and_iOS_5_Clients
with a few changes to the procedure: some small but required steps were added, and the NAT setup was added.
Before you start, make sure you are logged in as root, otherwise you will get permission errors. Text with a shaded background is commands typed directly into the shell.
1. Installing the required packages
The whole procedure needs four packages: libpcap, ppp, ipsec-tools and xl2tpd (on Debian 6 you also need racoon). The first two are in the official CentOS repositories; the other two must be downloaded from other sites. Install the first two first:
yum install libpcap
yum install ppp
Download and install the other two packages; at the time of writing the versions are 0.8.0-3 and 1.3.1-4:
wget http://repo.nikoforge.org/redhat/el6/i386/ipsec-tools-0.8.0-3defpsk.el6.i386.rpm
rpm -i ipsec-tools-0.8.0-3defpsk.el6.i386.rpm
wget http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/6/i386/xl2tpd-1.3.1-4.el6.i686.rpm
rpm -i xl2tpd-1.3.1-4.el6.i686.rpm
Once the installation is complete, write the required scripts and configuration files.
2. Environment initialization script; type the following in the shell
cat > /etc/racoon/init.sh << 'EOF'
#!/bin/sh
# set security policies: require ESP transport mode for L2TP traffic (UDP 1701) in both directions
echo -e "flush;\n\
spdflush;\n\
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;\n\
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;\n"\
| setkey -c
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT the VPN client subnet out through eth0 and allow it to be forwarded
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.123.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.123.0/24 -j ACCEPT
EOF
Set the permissions: chmod 750 /etc/racoon/init.sh
3. IPsec configuration
cat > /etc/racoon/racoon.conf << EOF
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote anonymous
{
    exchange_mode aggressive,main;
    passive on;
    proposal_check obey;
    support_proxy on;
    nat_traversal on;
    ike_frag on;
    dpd_delay 20;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}
EOF
Set the permissions: chmod 600 /etc/racoon/racoon.conf
Set the pre-shared key
cat >/etc/racoon/psk.txt << EOF
* mysharedkey
EOF
Set the permissions: chmod 600 /etc/racoon/psk.txt
4. Configuring the L2TP service
cat > /etc/xl2tpd/xl2tpd.conf << EOF
[global]
ipsec saref = yes
force userspace = yes
[lns default]
local ip = 192.168.123.200
ip range = 192.168.123.201-192.168.123.210
refuse pap = yes
require authentication = yes
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/options.xl2tpd
EOF
5. Configuring PPP
cat > /etc/ppp/options.xl2tpd << EOF
ms-dns 8.8.8.8
require-mschap-v2
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 10
lcp-echo-failure 100
EOF
Set the dial-in username and password
cat > /etc/ppp/chap-secrets << EOF
# client server secret IP addresses
vpnuser * vpnpassword *
EOF
6. Starting the services
/etc/racoon/init.sh
/etc/init.d/racoon start
/etc/init.d/xl2tpd start
If you want the services to start automatically at boot, add /etc/init.d/xl2tpd to /etc/rc.local and run the following two commands
chkconfig racoon on
chkconfig xl2tpd on
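With the services running, the following audit script (an added example, not part of the original post) checks the racoon.conf, psk.txt and xl2tpd.conf written in steps 3 and 4 for the settings a defender would want to revisit: 3DES and modp1024 in the proposals, aggressive mode, the wildcard `*` PSK identity and short keys, and the whitespace in `ip range` that xl2tpd rejects. The sample files it audits are constructed inline; point the functions at the real files under /etc/racoon and /etc/xl2tpd to audit a host.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks the racoon.conf,
# psk.txt and xl2tpd.conf written above for weak or broken settings.
# Each audit_* function takes a file path and prints one line per finding.

audit_racoon() {  # $1 = racoon.conf
    grep -Eq '^[[:space:]]*encryption_algorithm[^;]*3des' "$1" && echo "racoon: 3DES offered in a proposal"
    grep -q 'modp1024' "$1" && echo "racoon: 1024-bit DH group (modp1024) in use"
    grep -Eq '^[[:space:]]*exchange_mode[^;]*aggressive' "$1" && echo "racoon: aggressive mode enabled (PSK hash exchanged unencrypted, allows offline guessing)"
    return 0
}

audit_psk() {  # $1 = psk.txt, lines of "<identity> <key>"
    while read -r ident key; do
        [ -z "$ident" ] && continue
        [ "$ident" = "*" ] && echo "psk: wildcard identity '*' matches any peer ID"
        [ "${#key}" -lt 20 ] && echo "psk: key for identity '$ident' is only ${#key} characters"
    done < "$1"
    return 0
}

audit_xl2tpd() {  # $1 = xl2tpd.conf
    grep -Eq '^[[:space:]]*ip range[[:space:]]*=.*([[:space:]]-|-[[:space:]])' "$1" \
        && echo "xl2tpd: whitespace around '-' in 'ip range' (remove it)"
    grep -Eq '^[[:space:]]*refuse pap[[:space:]]*=[[:space:]]*yes' "$1" || echo "xl2tpd: PAP not refused"
    return 0
}

# Constructed sample files mirroring the post's configs, written into directory $1.
make_samples() {
    printf '%s\n' 'remote anonymous {' '    exchange_mode aggressive,main;' '    proposal {' \
        '        encryption_algorithm 3des;' '        dh_group modp1024;' '    }' '}' > "$1/racoon.conf"
    printf '* mysharedkey\n' > "$1/psk.txt"
    printf '%s\n' '[lns default]' 'ip range = 192.168.123.201- 192.168.123.210' \
        'refuse pap = yes' > "$1/xl2tpd.conf"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
audit_racoon "$tmp/racoon.conf"
audit_psk "$tmp/psk.txt"
audit_xl2tpd "$tmp/xl2tpd.conf"
rm -rf "$tmp"
```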
Known issues:
1. If the system cannot connect, check the logs to find the cause. If the ppp device cannot be found, try creating it manually
mknod /dev/ppp c 108 0
2. On Windows XP, dialing fails because its IPsec implementation does not follow the standard. The log shows an error like: "ERROR: Expecting IP address type in main mode, but FQDN." The only workaround is to recompile ipsec-tools yourself with the standards check removed; the patch is as follows:
--- src/racoon/ipsec_doi.c.orig Thu Feb 2 23:37:17 2006
+++ src/racoon/ipsec_doi.c Sun Sep 24 23:28:42 2006
@@ -3277,10 +3277,9 @@
iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
if (id_b->type != IPSECDOI_ID_IPV4_ADDR
&& id_b->type != IPSECDOI_ID_IPV6_ADDR) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(LLV_WARNING, LOCATION, NULL,
"Expecting IP address type in main mode, "
"but %s.\n", s_ipsecdoi_ident(id_b->type));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
}
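Review bot: dropping `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` turns a hard reject into a warning, so racoon now continues a main-mode PSK negotiation even when the peer's identifier is an FQDN instead of an IP address; together with the wildcard `* mysharedkey` entry in psk.txt above, this means the peer identity is no longer checked at all for such clients. If the patch is applied, put a comment next to the removed return stating it exists only for Windows XP compatibility, and prefer listing specific identities in psk.txt instead of `*`. Also, the hunk as pasted contains 9 old / 8 new lines while the `@@ -3277,10 +3277,9 @@` header promises 10 / 9, so a context line was lost in copying and `patch` will reject it; re-obtain the original patch file rather than applying this rendering.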
Differences when setting up on Debian 6:
1. Five packages need to be installed; racoon is the additional one
2. On Debian, IPsec has its own configuration files, so the /etc/racoon/init.sh file is not needed
IP forwarding is set in /etc/sysctl.conf
net.ipv4.ip_forward=1
The setkey policies are set in /etc/ipsec-tools.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
The iptables rules are set with an if-up script; see: Saving the iptables rules on Debian 6
Appendix: Setting up an L2TP connection on iPhone
Go to Settings -> General -> Network -> VPN
Tap Add VPN Configuration, choose L2TP as the type, and enter the parameters as follows: