System: CentOS 6.9
Advantage: Windows, macOS, Linux, iPhone and Android devices can all connect with this protocol (L2TP/IPsec) and route their internet traffic through the server.
Install the software:
———————————————————————————————————————————————————————
Run:
yum install -y xl2tpd libreswan
xl2tpd is not in the CentOS 7 base repositories (nor in CentOS 6's); it is packaged in EPEL, so add that repository first: yum install -y epel-release
Edit the IPsec configuration file:
———————————————————————————————————————————————————————
Run: vim /etc/ipsec.conf, with the following contents:
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #logfile=/var/log/pluto.log
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    # private".
    # Note: "crypt" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least upto 2015)
    nat_traversal=yes
    # The client pool that xl2tpd hands out below (100.64.0.0/24) is a
    # server-side network, so it is excluded here with "!" as instructed above.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
#include /etc/ipsec.d/*.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
    # WAN-facing interface of the server; use the same interface name in the
    # MASQUERADE rule of the firewall section
    left=%eth2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # This must be enabled, otherwise clients behind NAT cannot get online
    forceencaps=yes
Set the PSK:
———————————————————————————————————————————————————————
Run: vim /etc/ipsec.secrets, with the following contents:
#include /etc/ipsec.d/*.secrets
<server WAN IP> %any : PSK "<your pre-shared key>"
For example:
#include /etc/ipsec.d/*.secrets
192.168.1.2 %any : PSK "123456"
"123456" is only a placeholder. Every client shares this single key and anyone who knows it can start IKE with the server, so use a long random value (for example the output of openssl rand -base64 32), keep the file mode 0600, and run ipsec auto --rereadsecrets after changing it.
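As an added example (not from the original post and not Libreswan's own tooling), the following shell functions generate a random PSK, write ipsec.secrets in the format shown above with root-only permissions, and check the result. The file path and the server IP are parameters; 203.0.113.10 in the usage is a placeholder address.

```sh
#!/bin/sh
# Added example: generate and install a strong L2TP/IPsec pre-shared key.
# Assumes only /dev/urandom, base64, grep and stat; nothing Libreswan-specific
# beyond the "<ip> %any : PSK "..."" line format.

# Print a random PSK: 32 bytes from /dev/urandom, base64-encoded (44 characters,
# no trailing newline).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write a secrets file. $1 = path, $2 = server (left) IP, $3 = PSK.
# Created under umask 077 and chmod 600: whoever can read this file can
# impersonate the server or join the VPN.
write_ipsec_secrets() {
    file=$1; ip=$2; psk=$3
    (
        umask 077
        {
            echo '#include /etc/ipsec.d/*.secrets'
            printf '%s %%any : PSK "%s"\n' "$ip" "$psk"
        } > "$file"
    )
    chmod 600 "$file"
}

# Sanity check: exactly one PSK line for the IP, a quoted key of at least
# 22 characters, and file mode 600. Returns 0 on success, 1 otherwise.
check_ipsec_secrets() {
    file=$1; ip=$2
    n=$(grep -c "^$ip %any : PSK \"[^\"]\{22,\}\"$" "$file" || true)
    [ "$n" -eq 1 ] || { echo "bad or missing PSK line for $ip in $file" >&2; return 1; }
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = "600" ] || { echo "$file is mode $mode, want 600" >&2; return 1; }
    return 0
}

# Usage (as root, on the server; the IP is a placeholder):
#   PSK=$(gen_psk)
#   write_ipsec_secrets /etc/ipsec.secrets 203.0.113.10 "$PSK"
#   check_ipsec_secrets /etc/ipsec.secrets 203.0.113.10 && ipsec auto --rereadsecrets
```

The PSK still has to be typed into every client, so keep it in a password manager rather than in chat or e-mail; rotating it means updating all clients at once.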
Enable IP forwarding:
———————————————————————————————————————————————————————
Run: vim /etc/sysctl.conf and change the two lines
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Then run: sysctl -p
(ipsec verify below also reports rp_filter per interface; if it flags an interface, set net.ipv4.conf.all.rp_filter = 0 as well.)
Start and test IPsec:
———————————————————————————————————————————————————————
Running ipsec verify should return output like the following; if nothing is reported as failed, the setup is fine (otherwise search for the message it prints).
Run:
service ipsec start
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.23.1.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
Configure /etc/xl2tpd/xl2tpd.conf:
———————————————————————————————————————————————————————
Run:
vim /etc/xl2tpd/xl2tpd.conf
Edit the contents:
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
ipsec saref = yes
; the server's WAN-side IP (the address of the "left" interface in ipsec.conf)
listen-addr = 192.168.1.2
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
[lns default]
; address pool handed to clients; it lies inside the 100.64.0.0/24 range that
; ipsec.conf excludes from virtual_private
ip range = 100.64.0.100-100.64.0.200
; address of the server end of the PPP links
local ip = 100.64.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configure /etc/ppp/options.xl2tpd:
———————————————————————————————————————————————————————
Run:
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients; replace with the one you want them to use
ms-dns 114.114.114.114
require-mschap-v2
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
# debug writes the whole PPP negotiation, CHAP exchange included, to syslog;
# turn it off once the link works
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec--windows-domain-auth/setting-up-openswan-xd-with-native-windows-clients-lucid.html
Add L2TP users:
———————————————————————————————————————————————————————
Run:
vim /etc/ppp/chap-secrets
Edit the contents:
# Secrets for authentication using CHAP
# client server secret IP addresses
admin * admin *
# Format: username <space> server name <space> password <space> allowed IP addresses.
# The server column is the "name = ..." value from xl2tpd.conf (or * for any server);
# the last column is * to accept the client from any address.
admin/admin is a placeholder: together with the PSK, a guessable password is all an attacker needs for a tunnel into the network. Passwords are stored in the clear in this file, so keep it mode 0600.
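An added example, not part of the original post: a small shell helper that adds a user to chap-secrets without the usual mistakes (duplicate usernames, unquoted passwords containing spaces or "#", a world-readable file). The file path, username, server name and password are parameters; "LinuxVPNserver" in the usage matches the name = line in xl2tpd.conf above.

```sh
#!/bin/sh
# Added example: manage /etc/ppp/chap-secrets for xl2tpd/pppd.
# Relies only on grep, awk, tr and /dev/urandom; pppd accepts double-quoted
# fields in its secrets files, which is what makes quoting safe here.

# True (exit 0) if a non-comment line's first field is the given username,
# whether or not the field is quoted.
chap_user_exists() {
    file=$1; user=$2
    grep -v '^[[:space:]]*#' "$file" | awk -v u="$user" '
        { n = $1; gsub(/^"|"$/, "", n); if (n == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Append a user. $1 = file, $2 = username, $3 = server name (the "name ="
# value in xl2tpd.conf, or *), $4 = password. Refuses duplicates and locks
# the file to 0600 because every password in it is plaintext.
add_chap_user() {
    file=$1; user=$2; server=$3; pass=$4
    [ -f "$file" ] || : > "$file"
    if chap_user_exists "$file" "$user"; then
        echo "user '$user' already present in $file" >&2
        return 1
    fi
    printf '"%s"\t"%s"\t"%s"\t*\n' "$user" "$server" "$pass" >> "$file"
    chmod 600 "$file"
}

# Generate a 20-character alphanumeric password for a new account.
gen_pass() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# Usage (as root):
#   PASS=$(gen_pass)
#   add_chap_user /etc/ppp/chap-secrets alice LinuxVPNserver "$PASS" && echo "$PASS"
```

pppd re-reads chap-secrets on every connection, so no restart is needed after adding a user; removing a user is a matter of deleting the line.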
Start xl2tpd:
———————————————————————————————————————————————————————
Run:
service xl2tpd start
Configure the firewall:
———————————————————————————————————————————————————————
The following is for reference only; beginners should not copy it verbatim. Two things to check against the rest of this page: the NAT rule masquerades on eth1 while ipsec.conf uses left=%eth2, so put the name of your real WAN interface in both places; and the gre, ah and tcp/20 rules are not needed for L2TP/IPsec (gre belongs to PPTP). As written, UDP 1701 is also open to the whole internet rather than only to packets that arrived through the IPsec tunnel.
Edit the firewall configuration:
vi /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:100]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 100.64.0.0/24 -j ACCEPT
-A FORWARD -s 100.64.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 30 10:36:16 2018
# Generated by iptables-save v1.4.7 on Fri Mar 30 10:36:16 2018
*nat
:PREROUTING ACCEPT [831320:68105743]
:POSTROUTING ACCEPT [1350:80883]
:OUTPUT ACCEPT [1350:80883]
-A POSTROUTING -s 100.64.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Mar 30 10:36:16 2018
Restart the firewall:
service iptables restart
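As an added example (these are not the original post's rules), here is a shell function that emits a tighter iptables-restore ruleset for this setup: UDP 1701 is accepted only from packets that were just decapsulated from an IPsec SA (-m policy --dir in --pol ipsec), so unencrypted L2TP from the internet is dropped; ESP is allowed for clients that do not end up UDP-encapsulated; the PPTP-only gre rule, ah and tcp/20 are left out. The WAN interface and the VPN pool are parameters, and the interface name eth0 in the usage is an assumption.

```sh
#!/bin/sh
# Added example: generate an iptables-restore ruleset for an L2TP/IPsec server.
# $1 = WAN interface (use the same name as "left=" in ipsec.conf),
# $2 = client pool in CIDR form (the "ip range" network from xl2tpd.conf).
# Output goes to stdout so it can be reviewed, tested with
# "iptables-restore --test", and then written to /etc/sysconfig/iptables.
l2tp_ipsec_rules() {
    wan=$1; pool=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# IKE and NAT-T: the only two ports a client needs to reach directly
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
# ESP for clients that are not UDP-encapsulated (forceencaps=yes makes this rare)
-A INPUT -p esp -j ACCEPT
# L2TP only when the packet arrived inside an IPsec SA; bare L2TP is dropped
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forward only VPN clients towards the WAN, plus the replies
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -s $pool -o $wan -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $pool -o $wan -j MASQUERADE
COMMIT
EOF
}

# Usage (on the server, as root; eth0 is an assumed WAN interface name):
#   l2tp_ipsec_rules eth0 100.64.0.0/24 > /tmp/iptables.new
#   iptables-restore --test < /tmp/iptables.new && cp /tmp/iptables.new /etc/sysconfig/iptables
#   service iptables restart
```

The policy match is what distinguishes "came through the tunnel" from "came from anywhere": it inspects the xfrm state attached to the packet after decapsulation, so it works for both plain ESP and ESP inside UDP 4500. Keep the SSH rule (or whatever you administer the box with) above the final REJECT, or the restart will lock you out.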
Enable the services at boot:
———————————————————————————————————————————————————————
Run:
chkconfig xl2tpd on
chkconfig ipsec on
Fixing Windows 7 clients that cannot connect:
———————————————————————————————————————————————————————
Two registry changes on the client:
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters, remove the ProhibitIpSec value (it must be absent or 0; a value of 1 stops Windows from creating its automatic L2TP/IPsec policy).
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, add AssumeUDPEncapsulationContextOnSendRule as a 32-bit DWORD with value 2 (required when the client or the server sits behind NAT), then reboot the client for the change to take effect.
Reposted from 爱种树的熊: https://blog.csdn.net/XZS1097035329/article/details/79821354