CentOS 5.5 Linux l2tp ipsec vpn设置与NAT-T  

2010-05-23 21:22:03 | 分类: 默认分类


拓扑: winxp 192.168.121.2 -> NAT (内网 192.168.121.1 / 外网 60.190.111.1) -> centos5 (外网 60.190.111.3 / 内网 192.168.122.3)

winxp 客户端位于 NAT 之后, 通过 NAT 访问 vpn 服务器

NAT-T: 据说 openswan 版本要在 2.6.22 以上; 实测 2.6.21 不行, 2.6.24 就可以了

http://www.openswan.org/download/binaries/centos/5/without-nss/openswan-2.6.24rc5-1.i386.rpm

openswan-2.6.21-5.el5_4.2.i386.rpm (不行)  openswan-2.6.24rc5-1.i386.rpm (可以)

需要的软件包: xl2tpd 和 openswan

1 /etc/ipsec.conf

[root@tsdlt ipsec.d]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
#
# Role in this setup: global Openswan settings for an L2TP/IPsec server whose
# clients may sit behind NAT. The per-connection definition lives in
# /etc/ipsec.d/xl2tpd-L2TP-PSK-NAT.conf and is pulled in by the include below.

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # Accept NAT-T (ESP encapsulated in UDP/4500) so clients behind NAT can
        # connect; "ipsec verify" below reports pluto listening on udp 4500.
        nat_traversal=yes
        # Private ranges a NAT-ed client may present as its inner address; the
        # conn's rightsubnet=vhost:%no,%priv refers to this list.
        # NOTE(review): the server's own LAN (192.168.122.0/24) falls inside
        # 192.168.0.0/16. Openswan can exclude a range with a %v4:!<net> entry;
        # consider excluding the local LAN so a client cannot claim one of its
        # addresses - confirm against ipsec.conf(5) for this version.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

        # Opportunistic encryption is not used ("ipsec verify" shows it DISABLED).
        oe=off
        # Left disabled: forceencaps would UDP-encapsulate ESP even when no NAT is
        # detected; presumably only needed for NAT devices that break detection.
#       forceencaps=yes
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

 

2 /etc/ipsec.d/xl2tpd-L2TP-PSK-NAT.conf

当然也可以直接写到ipsec.conf里面去


[root@tsdlt ipsec.d]# cat /etc/ipsec.d/xl2tpd-L2TP-PSK-NAT.conf
conn L2TP-PSK-NAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        # (Without PFS the child SA keys are derived from the IKE SA, so a
        # compromise of that key material also exposes the data keys.)
        # NOTE(review): the space before '=' is unusual - every other key here
        # is written key=value; confirm the parser accepts "pfs =no".
        pfs =no                  

        # Authenticate with the PSK (pre-shared key) from /etc/ipsec.secrets.
        # A single key is shared by every client matched by right=%any below.
        authby=secret

        left=60.190.111.3     # public (external) interface address
        leftid=60.190.111.3  # required for NAT-T
        # Only L2TP (UDP/1701) on this host is carried by the tunnel.
        leftprotoport=17/1701
        # The remote user.
        right=%any
        rightid=%any                           # required for NAT-T
        # Client may be behind NAT: accept any private address from the
        # virtual_private list (%priv) or no inner subnet at all (%no).
        rightsubnet=vhost:%no,%priv  # required for NAT-T
        # The client's L2TP source port is not fixed (NAT may rewrite it).
        rightprotoport=17/%any
        #
        # Change 'ignore' to 'add' to enable the configuration for this user.
        #
        # 'add' loads the conn and waits for the client to initiate.
        auto=add
        keyingtries=3

3 ipsec.secrets

PSK (预共享密钥) 存放文件

[root@tsdlt etc]# cat ipsec.secrets
# The include of /etc/ipsec.d/*.secrets is left disabled; the PSK is defined
# directly below.
#include /etc/ipsec.d/*.secrets
# PSK for the server's public address (60.190.111.3) and any client (%any).
# "your psk" is a placeholder: replace it with a long random value and give
# that same value to every L2TP client. This file stores the secret in clear
# text, so keep it readable by root only.
60.190.111.3 %any : PSK "your psk"

xl2tpd配置

1 /etc/xl2tpd/xl2tpd.conf

 

[root@tsdlt xl2tpd]# cat xl2tpd.conf
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
;
; In this deployment the daemon listens on the public address and hands
; clients addresses from the 192.168.122.x pool under [lns default].

[global]
; Bind L2TP (UDP/1701) to the public address, the same one Openswan uses as
; "left". NOTE(review): nothing in this file stops plain, unencrypted UDP/1701
; from reaching the daemon; presumably a firewall rule restricts port 1701 to
; IPsec-policy-matched traffic - confirm.
 listen-addr = 60.190.111.3
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; forceuserspace = yes
;
; debug tunnel = yes

[lns default]

; Address pool handed out to connecting clients (.11 to .20, ten addresses).
ip range = 192.168.122.11-192.168.122.20

; Address used by this end on the ppp interfaces.
local ip = 192.168.122.3
; The peer must authenticate with CHAP (credentials in /etc/ppp/chap-secrets);
; PAP, which would send the password in the clear, is refused.
require chap = yes
refuse pap = yes
require authentication = yes
; Server name presented to the client. /etc/ppp/chap-secrets here uses '*' in
; the server column, so any name would match.
name = tsdlt
; Verbose pppd logging (negotiation detail) - consider turning off once working.
ppp debug = yes
; Extra pppd options (auth, MTU/MRU, idle timeout) live in this file.
pppoptfile = /etc/ppp/ppp-options.xl2tpd
; Presumably sets the L2TP length bit in data packets - confirm in xl2tpd.conf(5).
length bit = yes

 

2 /etc/ppp/ppp-options.xl2tpd

[root@tsdlt ppp]# cat ppp-options.xl2tpd
# pppd options used by xl2tpd (pppoptfile in /etc/xl2tpd/xl2tpd.conf).
# Accept the peer's proposal for both IPCP addresses; xl2tpd supplies them
# from "local ip" and "ip range".
ipcp-accept-local
ipcp-accept-remote
# No DNS/WINS servers are pushed to clients while these stay commented out.
#ms-dns  192.168.1.1
#ms-dns  192.168.1.3
#ms-wins 192.168.1.2
#ms-wins 192.168.1.4
# Do not negotiate compression (CCP).
noccp
# Require the peer to authenticate (CHAP, per xl2tpd.conf).
auth
# Hardware flow control; presumably a no-op on an L2TP pseudo-tty.
crtscts
# Drop the link after 1800 s without traffic.
idle 1800
# Reduced MTU/MRU to leave room for L2TP/UDP/IPsec overhead - TODO confirm sizing.
mtu 1410
mru 1410
# Never let a client's address replace the server's default route.
nodefaultroute
# Verbose logging - consider turning off once the setup works.
debug
lock
# Answer ARP for the client's address so hosts on 192.168.122.0/24 can reach it.
proxyarp
# Presumably waits up to 5000 ms for the first valid PPP packet - confirm in pppd(8).
connect-delay 5000

 

3 /etc/ppp/chap-secrets

用户名和密码

[root@tsdlt ppp]# cat chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
# Example account: user "test" with password "test", accepted for any server
# name (*) and any assigned address (*). Secrets are stored in clear text -
# keep this file root-only and replace the example with real credentials.
"test"  *       "test"          *


ipsec verify 输出:

[root@tsdlt etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.24rc5/K2.6.18-194.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
Testing against enforced SElinux mode                           [FAILED]

  SElinux is running in 'enforced' mode.
  If you encounter network related SElinux errors, especially when using KLIPS,
  try disabling SElinux using:

  echo "0" > /selinux/enforce (or edit /etc/sysconfig/selinux)

NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

# 对应 /etc/sysctl.conf 中的设置 (修改后执行 sysctl -p 生效)

#net.ipv4.conf.default.send_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0


Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]

#sysctl.conf:   net.ipv4.ip_forward = 1
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

