aws搭建xl2tp给iphone使用

haoningabc

浏览: 1465954 次
性别:
来自: 北京

最近访客更多访客>>

zfyq124

bartontang

dlzdy

cnnlush0605

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

linux

xl2tp

2019年12月26日

可以参考原来的配置
https://haoningabc.iteye.com/blog/2147783

有点太乱了，重新整理，客户端的配置可以参考上面的

aws申请免费vm搭建自己的呵呵哒
最后有个关键操作
iptables -t nat -A POSTROUTING -s 172.31.39.0/24 -o eth0 -j MASQUERADE

如果自己vm的内网ip是172.31.39.123

在aws的redhat7.6上

参考
#######https://blog.csdn.net/kitvv/article/details/50696585

https://www.linuxprobe.com/centos7-install-l2tp.html

yum install -y epel-release 通不过

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install epel-release-latest-7.noarch.rpm


yum install -y xl2tpd libreswan lsof

cat /etc/xl2tpd/xl2tpd.conf

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 172.100.1.100-172.100.1.150
local ip = 172.100.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

cat /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
#ms-dns  172.31.0.2
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
name xl2tpd
#noccp
auth
#crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#lock
proxyarp
connect-delay 5000

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log

crtscts 和lock 在启动的时候报错所以去掉了
加了
name xl2tpd
#noccp

#比原来默认的配置多了这几项
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log

查看log开始如果这里没有，可以先去看/var/log/messages

cat /etc/ipsec.conf

config setup
	# Normally, pluto logs via syslog.
	#logfile=/var/log/pluto.log
	#
	# Do not enable debug options to debug configuration issues!
	#
	# plutodebug="control parsing"
	# plutodebug="all crypt"
    protostack=netkey
    dumpdir=/var/run/pluto/
#	plutodebug=none
	#
	# NAT-TRAVERSAL support
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their wireless networks.
	# This range has never been announced via BGP (at least up to 2015)
#	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

注释掉了# plutodebug=none
加了
protostack=netkey
dumpdir=/var/run/pluto/

virtual_private 里面的172.100.0.0

对应
/etc/xl2tpd/xl2tpd.conf 中的ip range

cat /etc/ipsec.d/l2tp-ipsec.conf

conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.31.39.212
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

left 为：
#service/VPS的外网地址，某些vps只有eth0一块网卡的，
#就填内网地址，内核开启nat转发就可以了，
#CentOS7以下的用iptables定义转发规则

[root@aws ~]# cat /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
root * haha *

[root@aws ~]# cat /etc/ipsec.d/default.secrets

: PSK "testvpn"

[root@aws ~]# cat /etc/sysctl.d/60-sysctl_ipsec.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0

重启网络
systemctl restart network

安装配置防火墙

yum install firewalld
systemctl enable  firewalld
systemctl status  firewalld

firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

systemctl enable ipsec
systemctl enable xl2tpd

systemctl restart ipsec
systemctl restart xl2tpd

最后不要忘了那个最开始的iptables

iptables -t nat -A POSTROUTING -s 172.31.39.0/24  -o eth0  -j MASQUERADE

分享到：

br0和tap0的互相影响 | nlu的一些基础知识

2018-12-26 21:37
浏览 1869
评论(0)
分类:开源软件
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论