Refers to a *** technology that uses the IPSec protocol to provide remote access. IPSec (Internet Protocol Security) is a security standard framework defined by the Internet Engineering Task Force (IETF). It provides a secure communication channel between two private networks across the public Internet, protecting the connection through an encrypted tunnel, that is, a confidential packet-encapsulation service between two public gateways.
Lab environment
centos6.5_x64
Lab software
xd-1.3.8-1.el6.x86_64
ppp-2.4.5-11.el6_10.x86_64
Software installation
yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof
yum install -y openswan ppp xd
cp -pv /etc/ipsec.conf /etc/ipsec.conf.bak
cat /etc/ipsec.conf
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.10.16
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
cp -pv /etc/ipsec.secrets /etc/ipsec.secrets.bak
cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
192.168.10.16 %any: PSK "123456"
cp -pv /etc/sysctl.conf /etc/sysctl.conf.bak
tail -n10 /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
sysctl -p
echo "0" > /proc/sys/net/ipv4/conf/lo/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter
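The two `echo` lines above exist because `net.ipv4.conf.default.rp_filter` only seeds interfaces created after it is set; interfaces that already exist (`lo`, `eth0`) keep their own `rp_filter` value, and `ipsec verify` reports a failed rp_filter check if any of them is still enabled. The following script is an added example (not part of the original article) that shows the same fix done for every interface and then verified. It assumes a `CONF_ROOT` variable so it can run against a constructed stand-in for `/proc/sys/net/ipv4/conf`; on a real host you would leave `CONF_ROOT` at its default and run it as root.

```shell
#!/bin/sh
# Added example, not from the original article.
# CONF_ROOT is an assumption that lets the functions run against a
# constructed directory tree instead of the real /proc/sys/net/ipv4/conf.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the name of every interface entry whose rp_filter is not 0
# (one per line). Returns 0 when nothing is printed, 1 otherwise.
rp_filter_offenders() {
    found=0
    for dir in "$CONF_ROOT"/*; do
        [ -f "$dir/rp_filter" ] || continue
        val=$(cat "$dir/rp_filter")
        if [ "$val" != "0" ]; then
            basename "$dir"
            found=1
        fi
    done
    return $found
}

# Disable rp_filter on "all", "default" and every existing interface,
# then re-check; the return value is the result of that re-check.
disable_rp_filter_everywhere() {
    for dir in "$CONF_ROOT"/*; do
        [ -f "$dir/rp_filter" ] || continue
        echo 0 > "$dir/rp_filter"
    done
    rp_filter_offenders > /dev/null
}

# Constructed stand-in for /proc/sys/net/ipv4/conf: every entry starts
# with rp_filter=1, and only "default" has been set to 0, which is the
# state a host is in right after "sysctl -p" with default.rp_filter = 0.
make_fake_conf_tree() {
    root=$(mktemp -d)
    for iface in all default lo eth0 ppp0; do
        mkdir -p "$root/$iface"
        echo 1 > "$root/$iface/rp_filter"
    done
    echo 0 > "$root/default/rp_filter"
    echo "$root"
}

# Demo against the constructed tree: ./rp_filter_check.sh --demo
if [ "${1-}" = "--demo" ]; then
    CONF_ROOT=$(make_fake_conf_tree)
    echo "still enabled on: $(rp_filter_offenders | tr '\n' ' ')"
    disable_rp_filter_everywhere && echo "rp_filter disabled on every interface"
    rm -rf "$CONF_ROOT"
fi
```

Running `rp_filter_offenders` on a live box before restarting `ipsec` is a quick way to predict whether `ipsec verify` will pass the `Checking rp_filter` line, since the kernel applies `rp_filter` per interface rather than from the `default` template.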
ipsec setup restart
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
cp -pv /etc/xd/xd.conf /etc/xd/xd.conf.bak
cat /etc/xd/xd.conf
[global]
listen-addr = 192.168.10.16 ;
[lns default]
ip range = 172.16.37.2-172.16.37.254 ;
local ip = 172.16.37.1 ;
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xd
length bit = yes
cp -pv /etc/ppp/options.xd /etc/ppp/options.xd.bak
cat /etc/ppp/options.xd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name d
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
cp -pv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak
cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test * 123456 *
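Both `/etc/ipsec.secrets` (the IKE pre-shared key) and `/etc/ppp/chap-secrets` (the MS-CHAPv2 user list) store their secrets in cleartext, so the two things worth auditing after this step are the file mode and the strength of each secret; the `123456` values above are placeholders a real deployment should replace. The script below is an added example (not part of the original article) that audits both files and generates a replacement secret. `MIN_SECRET_LEN` is an assumed local policy, and the sample files it builds are constructed for the demo, modelled on the two files shown in the article.

```shell
#!/bin/sh
# Added example, not from the original article.
# MIN_SECRET_LEN is an assumed policy value, not something the setup mandates.
MIN_SECRET_LEN=16

# Return 0 if the file exists and has no group/other permission bits.
# "ls -l" is used instead of "stat" because stat's flags differ by platform.
secret_file_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)   # group+other part of e.g. -rw-------
    [ "$mode" = "------" ]
}

# Print "client length reason" for each weak chap-secrets entry.
# Format: client server secret [IP addresses]; "#" starts a comment line.
# Weak means shorter than MIN_SECRET_LEN or made only of digits.
# Returns 0 if nothing weak was found, 1 otherwise.
weak_chap_secrets() {
    awk -v min="$MIN_SECRET_LEN" '
        /^[[:space:]]*#/ || NF < 3 { next }
        {
            s = $3
            gsub(/^"|"$/, "", s)             # strip optional surrounding quotes
            n = length(s)
            if (n < min)             { print $1, n, "too-short";   bad = 1 }
            else if (s ~ /^[0-9]+$/) { print $1, n, "digits-only"; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Same check for PSK lines in ipsec.secrets: <left> <right>: PSK "secret"
weak_psk_entries() {
    awk -v min="$MIN_SECRET_LEN" '
        /^[[:space:]]*#/ { next }
        /PSK[[:space:]]*"/ {
            match($0, /"[^"]*"/)
            s = substr($0, RSTART + 1, RLENGTH - 2)
            n = length(s)
            if (n < min)             { print $1, n, "too-short";   bad = 1 }
            else if (s ~ /^[0-9]+$/) { print $1, n, "digits-only"; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# 24 random bytes from /dev/urandom as 48 hex characters, usable as a
# replacement PSK or CHAP secret.
new_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Constructed sample files for the demo and the test (not real credentials).
make_sample_files() {
    dir=$(mktemp -d)
    printf '# client server secret IP addresses\ntest * 123456 *\nalice * "Tq7#mL2pV9xR4bNw" *\n' > "$dir/chap-secrets"
    printf 'include /etc/ipsec.d/*.secrets\n192.168.10.16 %%any: PSK "123456"\n' > "$dir/ipsec.secrets"
    chmod 644 "$dir/chap-secrets"    # deliberately too permissive
    chmod 600 "$dir/ipsec.secrets"
    echo "$dir"
}

# Demo: ./secrets_audit.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(make_sample_files)
    for f in "$d/ipsec.secrets" "$d/chap-secrets"; do
        secret_file_mode_ok "$f" && echo "mode ok:  $f" || echo "mode BAD: $f"
    done
    weak_chap_secrets "$d/chap-secrets" || echo "weak CHAP secrets found"
    weak_psk_entries "$d/ipsec.secrets" || echo "weak PSK found"
    echo "suggested replacement: $(new_secret)"
    rm -rf "$d"
fi
```

On the real host, point the functions at `/etc/ipsec.secrets` and `/etc/ppp/chap-secrets`; with the `refuse chap` / `refuse pap` / `require-mschap-v2` settings from the configuration above, `chap-secrets` is the only credential store pppd consults, so it needs to be root-owned and mode 600.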
service xd restart && chkconfig --level 35 xd on
service ipsec restart && chkconfig --level 35 ipsec on
netstat -tuplna | grep xd
udp 0 0 192.168.10.16:1701 0.0.0.0:* 1524/xd
ip addr | grep ppp
4: ppp0:
link/ppp
inet 172.16.37.1 peer 172.16.37.2/32 scope global ppp0