1、Download, build and install Openswan:

    cd /usr/src
    wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
    tar zxvf openswan-2.6.24.tar.gz
    cd openswan-2.6.24
    make programs install

3、Configuration. Edit /etc/ipsec.conf:

    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=YOUR.SERVER.IP.ADDRESS
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

4、Set the shared key. Edit /etc/ipsec.secrets:

    YOUR.SERVER.IP.ADDRESS %any: PSK "YourSharedSecret"

5、Change the packet-forwarding settings (the redirection `>` was lost in the original copy and is restored here):

    for each in /proc/sys/net/ipv4/conf/*
    do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
    done

6、Restart IPsec and test:

    /etc/init.d/ipsec restart
    ipsec verify

二、Install L2TP

Install the dependencies, then build rp-l2tp (the notes give no download URL for it, so the wget line keeps a placeholder):

    yum install libpcap-devel ppp
    wget <rp-l2tp-0.4.tar.gz download URL, not given in the notes>
    tar zxvf rp-l2tp-0.4.tar.gz
    cd rp-l2tp-0.4
    ./configure
    make
    cp handlers/l2tp-control /usr/local/sbin/
    mkdir /var/run/xl2tpd/
    ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control

Build and install xl2tpd, then create its configuration directory:

    tar zxvf xl2tpd-1.2.4.tar.gz
    cd xl2tpd-1.2.4
    make install
    mkdir /etc/xl2tpd

Edit /etc/xl2tpd/xl2tpd.conf (the section brackets were stripped in the original copy and are restored here):

    [global]
    ipsec saref = yes

    [lns default]
    ip range = 10.1.2.2-10.1.2.254
    local ip = 10.1.2.1
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

4、Change the ppp configuration. Edit /etc/ppp/options.xl2tpd:

    require-mschap-v2
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4

5、Add usernames and passwords. Edit /etc/ppp/chap-secrets:

    # user      server      password    ip
    username    l2tpd       userpass    *

6、Enable packet forwarding (the long-option dashes and the redirection `>` were lost in the original copy and are restored here):

    iptables --table nat --append POSTROUTING --jump MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

7、Edit /etc/sysctl.conf:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296

8、Start xl2tpd:

    /usr/local/sbin/xl2tpd

三、Finishing up

Make it start at boot: edit /etc/rc.local.

四、Known problems

1、Connections fail from behind 长宽 (Great Wall Broadband). The IP address is being tampered with, just as a 长宽 user cannot look up their actual IP (although Gmail does record the real IP). The server-side error log:

    the peer proposed: 服务器ip/32:17/1701 - 175.189.178.120/32:17/0
    peer proposal was reject in a virtual connection policy because
    a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)

Note 1: I blamed 长宽 unfairly. In fact, the message above does not mean that the connection failed because of IP allocation by 长宽's equipment. I looked through a lot of material last night and found that quite a few people hit this problem. The cause is a bug in openswan itself. In the end I recompiled and installed openswan-2.6.28 in place of openswan-2.6.24, and the problem was solved neatly. Even after l2tp connects successfully, the secure log can still contain the misleading record above.

Note 2: State after a successful IPSEC/L2TP VPN installation on a Linode VPS with CentOS 5.5.

2、L2TP VPN error 768: the IPSEC Services service has been stopped. Run "services.msc" and enable "IPSEC services" in the Services list.

About 90% of the above is copied from "Linode CentOS / Debian 部署 ipsec+l2tpd 简要笔记", with parts referenced from "CentOS安装L2TP/IPSEC 与简单故障处理".
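As an added example (not from the original notes), a small Python check for the rejection message quoted above: it parses the virtual_private= list from the ipsec.conf in this post and reports whether the address a peer proposed would actually be accepted. A public address like the one in the log cannot match any %v4: private range, which is why the message is misleading in the case described, whereas a private address outside the list points to a real configuration gap. The log lines and the server address are constructed; the exclusion syntax (%v4:!...) is one openswan accepts.

```python
import ipaddress
import re

# The virtual_private= value from the ipsec.conf in this post.
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12"

# Constructed log lines modelled on the secure-log message quoted in the post;
# 203.0.113.1 is a placeholder server address, the peer address is the post's.
SAMPLE_LOG = [
    'pluto: "L2TP-PSK-NAT"[1] 175.189.178.120 #1: the peer proposed: '
    '203.0.113.1/32:17/1701 -> 175.189.178.120/32:17/0',
    'pluto: "L2TP-PSK-NAT"[1] 175.189.178.120 #1: peer proposal was rejected in a '
    'virtual connection policy because a private network virtual IP was required, '
    'but the proposed IP did not match our list (virtual_private=)',
]

# Captures the address the peer proposed for itself; accepts "->" or a bare "-".
PROPOSAL_RE = re.compile(r"the peer proposed:\s+\S+\s+-+>?\s+(\d{1,3}(?:\.\d{1,3}){3})/")


def parse_virtual_private(value):
    """Return (allowed, network) pairs from a virtual_private= value.
    Only %v4: entries are handled; a leading '!' marks an excluded range."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        cidr = item[len("%v4:"):]
        allowed = not cidr.startswith("!")
        entries.append((allowed, ipaddress.ip_network(cidr.lstrip("!"), strict=False)))
    return entries


def is_virtual_private(ip, value):
    """True if ip falls inside an allowed range and inside no excluded range."""
    addr = ipaddress.ip_address(ip)
    entries = parse_virtual_private(value)
    if any(not allowed and addr in net for allowed, net in entries):
        return False
    return any(allowed and addr in net for allowed, net in entries)


def explain_rejections(log_lines, value=VIRTUAL_PRIVATE):
    """For each 'the peer proposed' line, report the proposed address, whether it is
    private at all, and whether virtual_private would accept it. A public address
    (is_private False) is the post's case: no list could match it, and the post
    reports the rejection went away after moving from openswan-2.6.24 to 2.6.28."""
    results = []
    for line in log_lines:
        m = PROPOSAL_RE.search(line)
        if m:
            ip = m.group(1)
            results.append({"proposed_ip": ip,
                            "is_private": ipaddress.ip_address(ip).is_private,
                            "in_virtual_private": is_virtual_private(ip, value)})
    return results
```

Run it over lines grepped from /var/log/secure; an entry with is_private True but in_virtual_private False means the client's LAN range needs adding to virtual_private=.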