其他 · 2021-09-11

VPN-L2TP+IPSec

centos一键部署

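#!/usr/bin/env bash
# One-shot L2TP-over-IPsec (libreswan + xl2tpd) deployment for CentOS.
# Run as root. Edit the variables in the block below before running.
# Side effects: installs packages, rewrites /etc/ipsec.d/myipsec.conf,
# /etc/ipsec.secrets, /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd,
# /etc/ppp/chap-secrets and /etc/sysctl.conf, then FLUSHES the live
# iptables rule set and installs only the NAT/forward rules below.

## Server public IP (IPsec `left` and xl2tpd `local ip`)
re_ip=192.168.1.1
## IPsec pre-shared key — change before deploying; it is written to /etc/ipsec.secrets
re_passwd=123456
## L2TP/PPP login account — user and password; change before deploying
re_user=tom
re_user_passwd=123456
## Address xl2tpd binds to: the host's own interface address (on a NAT'd
## cloud host this is the private address, which is why it differs from $re_ip)
listen_ip=192.168.0.100
## Client address pool handed out by xl2tpd, and the /24 it lives in (NAT/forward rules)
pool_range=9.9.9.9-9.9.9.18
pool_net=9.9.9.0/24
## DNS server pushed to clients
client_dns=114.114.114.114
## Outbound interface for masquerading; also used in the sysctl entries
iface=eth0

yum install wget lsof vim nss -y
yum groupinstall "Development tools" -y
yum -y install libreswan.x86_64

# NOTE(review): ike=3des-sha1;modp1024 is a legacy proposal kept for client
# compatibility (3DES/1024-bit DH is considered weak); raise it once every
# client in use supports a stronger IKE proposal.
cat > /etc/ipsec.d/myipsec.conf << EFO
conn IDC-PSK-NAT
    rightsubnet=vhost:%priv
    also=IDC-PSK-noNAT

conn IDC-PSK-noNAT
    authby=secret
        ike=3des-sha1;modp1024
        phase2alg=aes256-sha1;modp2048
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=3h
    type=transport
    left=$re_ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EFO

## Columns: local public IP   peers allowed to connect   auth type   shared secret
cat > /etc/ipsec.secrets << EFO
$re_ip         %any:                   PSK              "$re_passwd"
EFO
# The PSK must not be world-readable (a fresh file from `cat >` inherits the umask).
chmod 600 /etc/ipsec.secrets

yum -y install xl2tpd
# NOTE(review): these edits replace fixed line numbers of the packaged
# default config files; they silently corrupt the file if the package
# ships a different layout, so verify the result against the intended keys.
### This host's listen address
sed -i "18c listen-addr = $listen_ip" /etc/xl2tpd/xl2tpd.conf
### Client address pool
sed -i "32c ip range = $pool_range" /etc/xl2tpd/xl2tpd.conf
sed -i "33c local ip = $re_ip" /etc/xl2tpd/xl2tpd.conf
sed -i "4c ms-dns  $client_dns" /etc/ppp/options.xl2tpd
sed -i "22c require-mschap-v2" /etc/ppp/options.xl2tpd
## Columns: login name   server   password   client address
cat > /etc/ppp/chap-secrets << EFO
$re_user       *       $re_user_passwd        *
EFO
# PPP credentials are stored in clear text; keep the file root-only.
chmod 600 /etc/ppp/chap-secrets

# Routing/forwarding sysctls; rp_filter and redirects are disabled so that
# L2TP traffic arriving over the IPsec transport is not dropped or rewritten.
cat > /etc/sysctl.conf << EFO
vm.swappiness=0
net.core.somaxconn=1024
net.ipv4.tcp_max_tw_buckets=5000
net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.$iface.accept_source_route=0
net.ipv4.conf.$iface.accept_redirects=0
net.ipv4.conf.$iface.send_redirects=0
net.ipv4.conf.$iface.rp_filter=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.lo.rp_filter=0
net/ipv4/conf/ip_vti0/rp_filter = 0
EFO

sysctl -p

systemctl enable  ipsec.service
systemctl enable  xl2tpd.service
systemctl restart ipsec.service
systemctl restart xl2tpd.service

# Check that the ipsec installation and kernel settings are consistent
ipsec verify
printf '%s\n' "开放UDP端口:1701、500、4500"
# All existing rules are flushed and only forwarding is configured, for easy
# testing. The interface name is taken from $iface above — set it to your
# actual NIC name if it is not eth0.
yum -y install iptables-services
iptables -F
iptables -F -t nat
## Client pool network
iptables -t nat -A POSTROUTING -s "$pool_net" -o "$iface" -j MASQUERADE
## Allow forwarding in both directions for the pool
iptables -I FORWARD -s "$pool_net" -j ACCEPT
iptables -I FORWARD -d "$pool_net" -j ACCEPT
## Persist rules and restart the service
service iptables save
service iptables restart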
