VPN安装笔记

技术

/etc/init.d/xl2tpd restart 
/etc/init.d/ipsec restart
ipsec verify
===========================
apt-get update
apt-get install openswan
apt-get install xl2tpd
apt-get install ppp

/etc/ipsec.conf 
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
oe=off
protostack=netkey
 
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
 
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikelifetime=8h
keylife=1h
type=transport
left=106.184.5.203
leftprotoport=17/%any
right=%any
rightprotoport=17/%any
forceencaps=yes
/etc/xl2tpd/xl2tpd.conf 
[global]
ipsec saref = no
 
[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/xl2tpd/l2tp-secrets
x.x.x.x   %any:  PSK “somegoodpassword”
/etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
 /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sysctl -p
service xl2tpd restart

最后我们需要修改某些网络策略,让ipsec正常运行:

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

5.启用转发

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

对于OpenVZ的主机,可能不支持MASQUERADE,此时需要使用SNAT:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP

fuck\fuck\(\)\[\]\\\/\fuck”\\$1″fuck\/script>’)} fuck

发表回复