Configuring PPTP, L2TP and IPsec services on CentOS 7
First, the recommended approach is to run the following script:
https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7
The script installs PPTP, L2TP and IPsec and configures all three, although many of the settings it produces are not accurate.
While running the script, set the IP plan, the PSK (pre-shared key, which the clients need later to connect), and the username and password (also needed later to connect).
The PSK can be found and changed in /etc/ipsec.secrets.
The username and password can be found and changed in /etc/ppp/chap-secrets.
Here is the simple modification procedure:
vim /etc/ipsec.conf
- config setup
- # NAT-TRAVERSAL support, see README.NAT-Traversal
- #nat_traversal=yes
- # exclude networks used on server side by adding %v4:!a.b.c./
- virtual_private=%v4:10.0.0.0/,%v4:192.168.0.0/,%v4:172.16.0.0/
- # OE is now off by default. Uncomment and change to on, to enable.
- #oe=off
- # which IPsec stack to use. auto will try netkey, then klips then mast
- protostack=netkey
- #force_keepalive=yes
- keep_alive=
- conn L2TP-PSK-NAT
- rightsubnet=vhost:%priv
- also=L2TP-PSK-noNAT
- conn L2TP-PSK-noNAT
- authby=secret
- pfs=no
- auto=add
- keyingtries=
- rekey=no
- ikelifetime=8h
- keylife=1h
- type=transport
- left=47.52.219.118 # put the server's public IP here
- leftid=47.52.219.118 # any value will do for the id
- leftprotoport=/ # port
- right=%any
- rightprotoport=/%any
- dpddelay=
- dpdtimeout=
- dpdaction=clear
- leftnexthop=%defaultroute
- rightnexthop=%defaultroute
- ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
- phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
- sha2-truncbug=yes
vim /etc/xl2tpd/xl2tpd.conf
- [global]
- ; ipsec saref = yes
- listen-addr = 外网ip  ; replace with the server's public IP
- auth file = /etc/ppp/chap-secrets  ; username/password file
- port =
- [lns default]
- ip range = 10.81.24.100-10.81.24.199  ; set according to your internal subnet and the number of addresses you need
- local ip = 10.81.24.1  ; the address assigned to the server itself
- refuse chap = yes
- refuse pap = yes
- require authentication = yes
- name = L2TPVPN
- ppp debug = yes
- pppoptfile = /etc/ppp/options.xl2tpd  ; xl2tpd's PPP options are in this file
- length bit = yes
The usernames and passwords are stored in:
- /etc/ppp/chap-secrets
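Both credential files named above hold their secrets in plaintext (chap-secrets must, because MS-CHAPv2 needs the password or its NT hash on the server), so their ownership and mode matter as much as what is in them. As an added example that is not part of the original post or the installation script, the shell functions below check that each file is root-owned with no group/other access, list the configured PPP users, and flag weak entries without ever printing a secret. The paths default to the two files named above; the 12-character minimum, the `--run` flag and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: hygiene checks for the two
# plaintext credential files, /etc/ipsec.secrets (IPsec PSK) and
# /etc/ppp/chap-secrets (PPP users). Paths are parameters so the functions
# can be run against copies; the 12-character minimum is an assumption.

# check_secret_perms FILE [OWNER]
# Succeeds only if FILE exists, is owned by OWNER (default root) and grants
# nothing to group/other (mode 600, 400, ...). Prints one line per finding.
# Uses GNU stat, which CentOS 7 ships.
check_secret_perms() {
    file="$1"; want_owner="${2:-root}"; rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING      $file"
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    case "$mode" in
        *00) ;;     # last two octal digits are 00: no group/other bits
        *) echo "LOOSE-PERMS  $file mode=$mode (want 600)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "WRONG-OWNER  $file owner=$owner (want $want_owner)"; rc=1
    fi
    return $rc
}

# chap_users FILE
# Prints the client names (field 1) of every credential line in a
# chap-secrets file (client  server  secret  IP-addresses). Comments and
# blank lines are skipped; secrets are never printed.
chap_users() {
    awk 'NF >= 3 && substr($1, 1, 1) != "#" { gsub(/"/, "", $1); print $1 }' "$1"
}

# weak_chap_users FILE [MINLEN]
# Prints client names whose secret (field 3) is the wildcard "*" or shorter
# than MINLEN characters (default 12).
weak_chap_users() {
    awk -v min="${2:-12}" '
        NF >= 3 && substr($1, 1, 1) != "#" {
            c = $1; gsub(/"/, "", c)
            s = $3; gsub(/"/, "", s)
            if (s == "*" || length(s) < min) print c
        }' "$1"
}

# psk_lengths FILE
# Prints the length of each quoted PSK in an ipsec.secrets file, so key
# strength can be judged without displaying the key itself.
psk_lengths() {
    awk '/PSK/ && match($0, /"[^"]*"/) { print RLENGTH - 2 }' "$1"
}

# Run the checks against the live files: sh vpn-secrets-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_secret_perms /etc/ipsec.secrets
    check_secret_perms /etc/ppp/chap-secrets
    echo "PPP users:        $(chap_users /etc/ppp/chap-secrets | tr '\n' ' ')"
    echo "weak PPP secrets: $(weak_chap_users /etc/ppp/chap-secrets | tr '\n' ' ')"
    echo "PSK lengths:      $(psk_lengths /etc/ipsec.secrets | tr '\n' ' ')"
fi
```

Run it on the server as `sh vpn-secrets-check.sh --run`; each function also takes a path, so it can be pointed at a backup copy or run from a configuration-management check without touching the live files.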
vim /etc/ppp/options.xl2tpd
- #require-pap
- #require-chap
- #require-mschap
- ipcp-accept-local
- ipcp-accept-remote
- require-mschap-v2
- ms-dns 8.8.8.8
- ms-dns 8.8.4.4
- asyncmap
- auth
- #crtscts # the commented-out options are not in the new configuration; they were in the old one, and commenting them out made things work
- #lock
- hide-password
- #modem
- debug
- name l2tpd
- proxyarp
- lcp-echo-interval
- lcp-echo-failure
- mtu
- noccp
- connect-delay
vim /etc/pptpd.conf
- #ppp /usr/sbin/pppd
- option /etc/ppp/options.pptpd # pptpd's PPP options are in this file
- #debug
- # stimeout
- #noipparam
- logwtmp
- #vrf test
- #bcrelay eth1
- #delegate
- #connections
- localip 10.81.24.2
- remoteip 10.81.24.200-
System configuration (sysctl):
- net.ipv4.ip_forward =
- net.ipv4.conf.all.rp_filter =
- net.ipv4.conf.default.rp_filter =
- net.ipv4.conf.eth1.rp_filter = # the interface that forwards the VPN traffic must be listed here
- net.ipv4.conf.all.send_redirects =
- net.ipv4.conf.default.send_redirects =
- net.ipv4.conf.all.accept_redirects =
- net.ipv4.conf.default.accept_redirects =
Firewall configuration:
Create the file /usr/lib/firewalld/services/pptpd.xml with the following content:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>pptpd</short>
<description>PPTP</description>
<port protocol="tcp" port="1723"/>
</service>
Create the file /usr/lib/firewalld/services/l2tpd.xml with the following content:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>l2tpd</short>
<description>L2TP IPSec</description>
<port protocol="udp" port="500"/>
<port protocol="udp" port="4500"/>
<port protocol="udp" port="1701"/>
</service>
- firewall-cmd --reload
- firewall-cmd --permanent --add-service=pptpd
- firewall-cmd --permanent --add-service=l2tpd
- firewall-cmd --permanent --add-service=ipsec
- firewall-cmd --permanent --add-masquerade
- firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD -p tcp -i ppp+ -j TCPMSS --syn --set-mss
- firewall-cmd --reload
- Enable the services at boot:
- systemctl enable pptpd ipsec xl2tpd
- systemctl restart pptpd ipsec xl2tpd
IPsec check: every line should be [OK]; if a line is not OK, use the reported error to fix it. Many options have been removed in newer versions and will produce errors.
- Verifying installed system and configuration files
- Version check and ipsec on-path [OK]
- Libreswan 3.25 (netkey) on 3.10.-514.26..el7.x86_64
- Checking for IPsec support in kernel [OK]
- NETKEY: Testing XFRM related proc values
- ICMP default/send_redirects [OK]
- ICMP default/accept_redirects [OK]
- XFRM larval drop [OK]
- Pluto ipsec.conf syntax [OK]
- Two or more interfaces found, checking IP forwarding [OK]
- Checking rp_filter [OK]
- Checking that pluto is running [OK]
- Pluto listening for IKE on udp [OK]
- Pluto listening for IKE/NAT-T on udp [OK]
- Pluto ipsec.secret syntax [OK]
- Checking 'ip' command [OK]
- Checking 'iptables' command [OK]
- Checking 'prelink' command does not interfere with FIPS [OK]
- Checking for obsolete ipsec.conf options [OK]
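The sysctl block in the system configuration section lost its values on this page, and the `ipsec verify` listing above is something a deployment script should gate on rather than eyeball. The following shell script is an added example, not from the original post or the installation script: it prints a sysctl drop-in for the keys listed in the system configuration section and compares the running values against it, and it parses `ipsec verify` output so that any check not marked [OK] fails the run. The values (forwarding on, rp_filter and ICMP redirects off) are what `ipsec verify` tests for and are my assumption, as are the drop-in path /etc/sysctl.d/60-vpn.conf, the `--run` flag and the function names; `eth1` follows the post.

```shell
#!/bin/sh
# Added example, not from the original post or the installation script.
# Two post-install checks for the setup above:
#   1. the sysctl keys the post lists (their values were lost on the page;
#      forwarding on, rp_filter and ICMP redirects off are what
#      "ipsec verify" expects and are an assumption here), and
#   2. the "ipsec verify" run, parsed so that anything other than [OK] fails.
# IFACE is the interface that carries VPN traffic (eth1 in the post).

# vpn_sysctl_conf [IFACE]
# Prints a sysctl drop-in (e.g. /etc/sysctl.d/60-vpn.conf, path is an
# assumption); load it with "sysctl --system".
vpn_sysctl_conf() {
    iface="${1:-eth1}"
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.${iface}.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# check_sysctl [IFACE] [STATE]
# Compares running values with the expected ones. STATE is a file of
# "key = value" lines (the "sysctl -a" format); without it "sysctl -a" is run.
# Prints MISMATCH/MISSING lines and returns 1 if anything differs.
check_sysctl() {
    iface="${1:-eth1}"; state="${2:-}"
    if [ -n "$state" ]; then cat "$state"; else sysctl -a 2>/dev/null; fi |
    awk -v want="$(vpn_sysctl_conf "$iface")" '
        BEGIN {
            n = split(want, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " = "); expect[kv[1]] = kv[2] }
        }
        {
            sub(/[[:space:]]*=[[:space:]]*/, " = ")       # accept "key=value" too
            split($0, kv, " = ")
            if (kv[1] in expect) {
                seen[kv[1]] = 1
                if (kv[2] != expect[kv[1]]) {
                    printf "MISMATCH %s = %s (want %s)\n", kv[1], kv[2], expect[kv[1]]; bad++
                }
            }
        }
        END {
            for (k in expect) if (!(k in seen)) { printf "MISSING  %s (want %s)\n", k, expect[k]; bad++ }
            exit bad ? 1 : 0
        }'
}

# ipsec_verify_failures [FILE]
# Reads a saved "ipsec verify" run from FILE, or runs "ipsec verify" itself.
# Libreswan ends each check with a bracketed result ([OK], [FAILED],
# [DISABLED], [OBSOLETE KEYWORD], ...); banner lines carry none and are
# skipped. Prints every non-[OK] check and returns 1 if there is one.
ipsec_verify_failures() {
    if [ -n "${1:-}" ]; then cat "$1"; else ipsec verify 2>&1; fi |
    awk '
        { sub(/[[:space:]]+$/, "") }                     # drop trailing blanks
        /\[[A-Z ]+\]$/ && !/\[OK\]$/ { print; bad++ }
        END { exit bad ? 1 : 0 }'
}

# On the server, as root:  sh vpn-postcheck.sh --run eth1
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_sysctl "${2:-eth1}" || rc=1
    ipsec_verify_failures || rc=1
    [ "$rc" -eq 0 ] && echo "all checks passed"
    exit "$rc"
fi
```

On the server: `vpn_sysctl_conf eth1 > /etc/sysctl.d/60-vpn.conf && sysctl --system`, then `sh vpn-postcheck.sh --run eth1` once the services have been restarted. Both check functions also accept a file of saved output, which is how a CI job or a configuration-management run can exercise them offline.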