利用IPSec/L2TP代理上网

系统:Centos 6.9
优势:Windows、macOS、Linux、IPhone、 Android等设备都能用该协议代理上网


安装软件:
———————————————————————————————————————————————————————
运行命令: 
yum install -y xd libreswan
Centos7官方源中无xd,添加源  yum install -y epel-release

 
编辑ipsec配置文件:
———————————————————————————————————————————————————————
运行命令:
vim /etc/ipsec.conf

内容如下:
# /etc/ipsec.conf - Libreswan IPsec configuration file

# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
        # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
        # For MacOSX use "bsd"
        protostack=netkey
        #
        # Normally, pluto logs via syslog. If you want to log to a file,
        # specify below or to disable logging, eg for embedded systems, use
        # the file name /dev/null
        # Note: SElinux policies might prevent pluto writing to a log file at
        #       an unusual location.
        #logfile=/var/log/pluto.log
        #
        # The interfaces= line is only required for the klips/mast stack
        #interfaces="%defaultroute"
        #interfaces="ipsec0=eth0 ipsec1=ppp0"
        #
        # If you want to limit listening on a single IP - not required for
        # normal operation
        #listen=127.0.0.1
        #
        # Do not set debug options to debug configuration issues!
        #
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
        #  private".
        # Note: "crypt" is not included with "all", as it can show confidential
        #       information. It must be specifically specified
        # examples:
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #plutodebug=none
        #klipsdebug=none
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: SElinux policies might prevent pluto writing the core at
        #       unusual locations
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least upto 2015)
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24

# For example connections, see your distribution's documentation directory,
# or  https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
#include /etc/ipsec.d/*.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
    left=%eth2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes  #此项必须开启,否则NAT设备无法上网


                         
设置PSK密钥:   
———————————————————————————————————————————————————————
运行命令
vim /etc/ipsec.secrets

内容如下:
#include /etc/ipsec.d/*.secrets
此处填写外网IP %any : PSK "此处填写密钥"
 
例如:
#include /etc/ipsec.d/*.secrets
192.168.1.2 %any : PSK "123456"



开启路由功能   
———————————————————————————————————————————————————————
运行命令:
vim /etc/sysctl.conf

将下面两项:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
改为:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0  

运行命令:
sysctl -p



启动并测试IPSec:
———————————————————————————————————————————————————————
 运行命令:
service ipsec start
ipsec verify

运行ipsec verify返回如下信息,不报错则正常,报错自行百度。

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.23.1.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ips                                                                                                                                                             ec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]


 
配置  etc/xd/xd.conf  
———————————————————————————————————————————————————————
 运行命令:
vim /etc/xd/xd.conf

修改内容:
;
; This is a minimal sample xd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xd as its address on pppX interfaces.

[global]
ipsec saref = yes
listen-addr = 192.168.1.2  ;此处为外网IP
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 100.64.0.100-100.64.0.200  ;此处内网分配ip范围
local ip = 100.64.0.1  ;此处为分配给服务器的IP
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xd
length bit = yes



配置  /etc/ppp/options.xd  
———————————————————————————————————————————————————————
 运行命令:
vim /etc/ppp/options.xd

修改一下内容:
ipcp-accept-local
ipcp-accept-remote
ms-dns  114.114.114.114 #此处填写DNS地址
require-mschap-v2

# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noauth
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
#  http://rootmanager.com/ubuntu-ipsec--windows-domain-auth/setting-up-openswan-xd-with-native-windows-clients-lucid.html  




添加  L2TP用户  
———————————————————————————————————————————————————————
 运行命令:
vim /etc/ppp/chap-secrets

修改内容:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
admin * admin *
#格式为:用户名空格协议空格密码空格IP地址


启动xd  
———————————————————————————————————————————————————————
 运行命令:
service xd start


配置防火墙:  
———————————————————————————————————————————————————————
 编辑防火墙配置:
vi /etc/sysconfig/iptables

以下内容仅供参考,新手别完全照抄:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:100]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 100.64.0.0/24 -j ACCEPT
-A FORWARD -s 100.64.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 30 10:36:16 2018
# Generated by iptables-save v1.4.7 on Fri Mar 30 10:36:16 2018
*nat
:PREROUTING ACCEPT [831320:68105743]
:POSTROUTING ACCEPT [1350:80883]
:OUTPUT ACCEPT [1350:80883]
-A POSTROUTING -s 100.64.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Mar 30 10:36:16 2018

重启防火墙:
service iptables restart



配置自启  
———————————————————————————————————————————————————————
 运行命令:
chkconfig xd on
chkconfig ipsec on





解决windows7无法连接:  
———————————————————————————————————————————————————————
 添加2个注册表:

删除 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters 下的 ProhibitIpSec 键值(如果没有,新建一个32位DWORDS值位1)

在HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent 下添加 AssumeUDPEncapsulationContextOnSendRule(32位DWORDS值位2)

转载自—— 爱种树的熊




https://blog.csdn.net/XZS1097035329/article/details/79821354

你可能感兴趣的:(网络技术)