Background:
The company needs access to the internal network, hence this deployment.
Procedure:
1. Install the required packages --- this deployment uses a Tencent Cloud machine running CentOS 7.3
CentOS 7 uses libreswan in place of the earlier openswan
yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man
yum install xd
yum install libreswan
2. Edit the ipsec configuration file
[root@yyf ~]# vim /etc/ipsec.conf   (only one line needs to be added: nat_traversal=yes)
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
nat_traversal=yes ###add this line to the configuration file so that connections can be established through NAT
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
3. Create the configuration file that ties ipsec to the service
#This file does not exist yet, so it has to be created by hand
[root@yyf ~]# vim /etc/ipsec.d/_psk.conf
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=10.40.1.91 ###10.40.1.91 is the IP address of this machine's own NIC
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
4. A pre-shared key has to be entered when the connection is established; the PSK is configured in the following file.
[root@yyf ~]# vim /etc/ipsec.d/ipsec.secrets
#include /etc/ipsec.d/*.secrets
10.40.1.91 %any: PSK "123456789"
#111.81.11.5 is the public NIC address; PSK is the pre-shared key
5. Adjust the kernel parameters against the settings below; after editing, run sysctl -p to apply them
[root@yyf ~]# cat /etc/sysctl.conf
vm.swappiness = 0
net.ipv4.ip_forward = 1
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
[root@yyf ~]# sysctl -p
6. Check the ipsec service configuration
#Restart ipsec:
systemctl restart ipsec
#Check the ipsec service configuration:
ipsec verify
[root@yyf ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-1160.88.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'
ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
//Error handling: the [ENABLED] warnings shown above can be ignored and you can continue; all [OK] is of course better. The output also shows that this Libreswan version treats the nat_traversal keyword from step 2 as obsolete and ignores it; that warning is harmless, since Pluto is listening for IKE/NAT-T on udp 4500 regardless.
7. Start the service
#Start ipsec:
systemctl start ipsec
#Enable it at boot:
systemctl enable ipsec
8. Edit the L2TP configuration file
[root@yyf ~]# vim /etc/xd/xd.conf
[global]
listen-addr = 10.40.1.91 ###this machine's external NIC IP
ipsec saref = yes ###uncomment this line
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = Linux×××server
ppp debug = yes
pppoptfile = /etc/ppp/options.xd
length bit = yes
9. Edit the xd ppp options file
[root@yyf ~]# vim /etc/ppp/options.xd
require-mschap-v2 ###add this line
ipcp-accept-local
ipcp-accept-remote
#dns: use your own NIC's DNS server; 8.8.8.8 also works
ms-dns 172.26.2.21
#ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
10. Add usernames and passwords (the username and password used for ** logins)
Create the users for xd connections; the username and password entered when connecting are configured in this file:
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test * 123 *
11. Install and configure iptables
The default firewall on CentOS 7 is firewalld, not iptables.
Check that firewalld is stopped
iptables -F
iptables -X
iptables -Z
- Address translation (NAT):
iptables -t nat -A POSTROUTING -s 10.40.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.40.1.0/24 -j ACCEPT
iptables -I FORWARD -d 10.40.1.0/24 -j ACCEPT
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#This one is important, because it is the rule that forwards the clients' traffic.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
service iptables save
/bin/systemctl restart iptables.service
12. Configuration complete; start the service
systemctl start xd
systemctl enable xd
Once a client is connected, if it needs to reach the network segments behind the server, the client has to add the route itself.
For example, on a Mac:
sudo route -n add 172.26.0.0/16 192.169.42.10
#172.26.0.0/16 is the network segment you want to reach through the next hop
#192.169.42.10 is the IP address you were assigned
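Once the services from steps 7 and 12 are up, the following checks (added here, not part of the original post) verify the three things the procedure above depends on: that rp_filter is really off on every interface (the ipsec verify output flagged eth0), that the PSK in ipsec.secrets is not a short placeholder like the "123456789" shown in step 4, and that udp 500, 4500 and 1701 are all bound. The file path, the length threshold of 20 and the ss -lun invocation are assumptions of this example.

```shell
#!/bin/sh
# Added post-deployment checks for the L2TP/IPsec setup described above.
# Not part of the original post; each function takes its input as an
# argument so it can be pointed at test data instead of the live system.

# Print interfaces whose effective rp_filter is still non-zero.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter), so the
# "all"/"default" lines in sysctl.conf above do not reset an interface (eth0)
# that was already set to 1, which is what "ipsec verify" flagged.
# $1 = base directory (default /proc/sys/net/ipv4/conf)
rp_filter_enabled_ifaces() {
    base=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$base/all/rp_filter" 2>/dev/null || echo 0)
    for f in "$base"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        [ "$iface" = all ] || [ "$iface" = default ] && continue
        val=$(cat "$f")
        if [ "$val" -gt "$all" ]; then eff=$val; else eff=$all; fi
        [ "$eff" -ne 0 ] && printf '%s\n' "$iface"
    done
    return 0
}

# Print the length of the first PSK in an ipsec.secrets file, i.e. the
# quoted value in a line like:  10.40.1.91 %any: PSK "123456789"
# Prints 0 when no PSK line is found.  $1 = path to the secrets file
psk_length() {
    sed -n 's/^[^#]*PSK[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" \
        | awk '{ l = $0 } END { print length(l) }'
}

# Print the UDP ports among IKE (500), IKE/NAT-T (4500) and L2TP (1701)
# that are not bound.  $1 = output of "ss -lun" (passed as text).
missing_udp_ports() {
    for p in 500 4500 1701; do
        printf '%s\n' "$1" | grep -Eq ":$p[[:space:]]" || printf '%s\n' "$p"
    done
    return 0
}

main() {
    echo "interfaces with rp_filter enabled:"; rp_filter_enabled_ifaces
    len=$(psk_length /etc/ipsec.d/ipsec.secrets)   # assumed path, as in step 4
    [ "$len" -ge 20 ] && echo "PSK length $len: ok" \
        || echo "PSK length $len: too short, use a long random PSK"
    echo "UDP ports not listening:"; missing_udp_ports "$(ss -lun)"
}
# Run the live checks only when invoked as:  sh check.sh run
[ "${1:-}" = run ] && main
```

An interface reported by the first check is fixed with a per-interface line such as net.ipv4.conf.eth0.rp_filter = 0 in /etc/sysctl.conf, since the all/default lines alone do not lower an interface that is already at 1.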