This post was last edited by zxpxyz on 2011-01-30 16:50
If you repost this, please credit zxpxyz of CU
wget http://www.openswan.org/download/openswan-2.6.32.tar.gz
wget http://downloads.sourceforge.net ... /rp-l2tp-0.4.tar.gz
wget http://www.xelerance.com/wp-cont ... xl2tpd-1.2.7.tar.gz
yum install libpcap-devel ppp -y
tar zxf openswan-2.6.32.tar.gz
cd openswan-2.6.32
make programs install
vi /etc/ipsec.conf
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
The formatting of the section above must be exactly right, otherwise it will fail with an error.
vi /etc/ipsec.secrets
192.168.0.10 %any: PSK "YourSharedSecret"
Check that IPsec is working properly
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.18-194.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
tar zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
tar zxvf xl2tpd-1.2.4.tar.gz
cd xl2tpd-1.2.4
make install
vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.254
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/xl2tpd/options.xl2tpd
length bit = yes
vi /etc/xl2tpd/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Start xl2tpd
xl2tpd -D
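Added check script for the ipsec.conf and ipsec.secrets steps above (not part of the original post, and not from the Openswan or xl2tpd projects): it flags parameter lines that are not indented under their config/conn header, which is the formatting error the post warns about, confirms that the left= address has a PSK line in ipsec.secrets, and checks that the secrets file is mode 0600 so the shared key is not readable by other users. The function names and the sample files it writes are constructed here from the post's own settings; it assumes GNU stat.

```shell
# Assumed helper script, not from the original post. It checks what the ipsec.conf and
# ipsec.secrets steps depend on: parameters indented under their section, a PSK for left=.

# lint_ipsec_conf FILE: print each unindented parameter line; return 1 if any were found.
lint_ipsec_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^(version|include)[ \t]/ { next }     # top-level keywords stay flush left
        /^(config|conn)[ \t]/ { section = $2; next }
        /^[^ \t]/ { printf "line %d: \"%s\" not indented under \"%s\"\n", NR, $0, section; bad++; next }
        section == "" { printf "line %d: parameter before any section\n", NR; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# check_psk_for_left CONF SECRETS: 0 if the left= address in CONF has a PSK line in SECRETS.
check_psk_for_left() {
    left=$(sed -n 's/^[[:space:]]*left=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$left" ] && grep -q "^$left[[:space:]].*:[[:space:]]*PSK[[:space:]]" "$2"
}

# secrets_mode_ok FILE: 0 only if the mode is 0600; the PSK is a credential (GNU stat).
secrets_mode_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# write_samples DIR: constructed inputs modelled on the post's own configuration.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
version 2.0
config setup
    nat_traversal=yes
conn L2TP-PSK-noNAT
    authby=secret
    type=transport
    left=192.168.0.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
    # Same file with one parameter flush left: the formatting mistake the post warns about.
    sed 's/^    type=transport/type=transport/' "$1/good.conf" > "$1/bad.conf"
    printf '%s\n' '192.168.0.10 %any: PSK "YourSharedSecret"' > "$1/ipsec.secrets"
    chmod 600 "$1/ipsec.secrets"
}

d=$(mktemp -d) && write_samples "$d"
lint_ipsec_conf "$d/good.conf" && check_psk_for_left "$d/good.conf" "$d/ipsec.secrets" \
    && secrets_mode_ok "$d/ipsec.secrets" && echo "good.conf: passes all checks"
lint_ipsec_conf "$d/bad.conf" || echo "bad.conf: rejected"; rm -rf "$d"
```

Run it against the real /etc/ipsec.conf and /etc/ipsec.secrets before starting pluto; the lint prints the offending line number, which is more than Openswan's own parse error gives you.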