Recommended: configuring a VPN service with openswan

Configuring a VPN service with openswan and xl2tpd on CentOS 6.5

OpenSWan is the best IPsec implementation on Linux. It is powerful and goes a long way toward protecting the confidentiality and integrity of data in transit. OpenSWan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on several platforms, including x86, x86_64, IA64, MIPS and ARM. OpenSWan is the successor branch of the open-source FreeS/WAN project, whose development stopped, and consists of three main components: the configuration tool (the ipsec command script), the key management tool (pluto), and the kernel component (KLIPS/26sec). 26sec uses the 2.6 kernel's built-in NETKEY module in place of the KLIPS module developed by OpenSWan; kernels 2.4 and older have no NETKEY module and can only use KLIPS. If you run a kernel newer than 2.6.9, 26sec is recommended, because NAT works without patching the kernel for NAT-T; NETKEY in kernels older than 2.6.9 has a bug, so KLIPS is recommended there.

OpenSWan supports two connection modes:

1) Network-to-Network. This mode joins two networks into one virtual private network. Once the connection is established, hosts on each subnet can transparently reach hosts on the remote subnet. Two conditions must be met: I. each subnet has its own host running OpenSWan that acts as the subnet's gateway; II. the IP ranges of the subnets must not overlap.

2) Road Warrior. In Network-to-Network mode, the host acting as a subnet's gateway cannot itself reach the remote subnet's hosts transparently the way the internal hosts do. In other words, if you are a mobile user with an LClient who travels frequently or works from different locations, your LClient cannot connect to the company network in Network-to-Network mode. Road Warrior mode is designed for exactly this case: once the connection is established, your LClient can reach the remote network.

# openswan configuration

client1 192.168.10.2 (gateway 192.168.10.1)

server1 192.168.22.210 (internal 192.168.10.1)

server2 192.168.22.199 (internal 192.168.20.1)

client2 192.168.20.2 (gateway 192.168.20.2)

client1←—→ server1←———→ server2 ←—→ client2

10.2 22.210(10.1) 22.199(20.1) 20.2

Install openswan (ipsec) on the server:

```
vim /etc/sysctl.conf
# enable forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
# disable ICMP redirects: append a "...=0" line for every redirect sysctl
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"=0"}' >> /etc/sysctl.conf
/sbin/sysctl -p
# set SELinux to permissive
setenforce 0
yum install openswan lsof

# ipsec --version
Linux Openswan U2.6.32/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.

# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.el6.x86_64...

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY: Testing for disabled ICMP send_redirects           [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing                              [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
```

Configure ipsec

```
# vim /etc/ipsec.conf
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    nhelpers=0

conn net-to-net
    authby=secret
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=192.168.22.210
    leftsubnet=192.168.10.1/24
    right=192.168.22.199
    rightsubnet=192.168.20.1/24
    forceencaps=yes
    dpddelay=1
    dpdtimeout=3
    dpdaction=restart
    auto=start
    #sha2_truncbug=yes
```

```
# vim /etc/ipsec.d/ipsec.secrets
192.168.22.210 %any 0.0.0.0 : PSK "test"    # on the right-hand server, change the IP to its own

# service ipsec restart
# service ipsec status
# ipsec auto --up net-to-net    # test the net-to-net connection defined above
117 "net-to-net" #8: STATE_QUICK_I1: initiate
004 "net-to-net" #8: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xb7ba4252 <0x98e5c578 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=192.168.22.199:4500 DPD=enabled}
```

# On a client, ping the gateway's internal IP and the other client's IP; both are reachable.

# xl2tpd configuration

Road Warrior mode

# yum install xl2tpd installs three packages: libpcap-1.4.0, ppp-2.4.5 and xl2tpd-1.3.6. If yum cannot install it, first install the EPEL release package: http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Set up ipsec:

```
# grep -v ^# /etc/ipsec.conf | sed '/^$/d'
version 2.0     # conforms to second version of ipsec.conf specification

config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
    protostack=netkey
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    nhelpers=0

conn net-to-net
    authby=secret
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=192.168.22.210
    leftsubnet=192.168.10.1/24
    right=192.168.22.199
    rightsubnet=192.168.20.1/24
    forceencaps=yes
    dpddelay=1
    dpdtimeout=3
    dpdaction=restart
    auto=start

conn l2tp-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    left=192.168.22.210
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
```
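As an added example (not code from the original post or from the Openswan project), the following Python parses an ipsec.conf laid out like the one above and flags the per-conn settings a reviewer would question; the embedded config is a constructed, trimmed copy of the page's two conn sections.

```python
from collections import OrderedDict

# Constructed sample: a trimmed copy of the page's two conn sections.
SAMPLE_IPSEC_CONF = """\
version 2.0
config setup
    protostack=netkey
conn net-to-net
    authby=secret
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    right=192.168.22.199
conn l2tp-psk
    authby=secret
    pfs=no
    type=transport
    right=%any
    leftprotoport=17/1701
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line.strip() or line.startswith("version"):
            continue
        if not line[0].isspace():                     # 'conn NAME' or 'config setup'
            _kind, name = line.split(None, 1)
            current = sections.setdefault(name.strip(), {})
            continue
        key, _, value = line.strip().partition("=")   # indented 'key=value' line
        current[key.strip()] = value.strip()
    return sections

def audit(sections):
    """Flag per-conn settings worth a second look in this layout."""
    findings = []
    for name, conn in sections.items():
        if name == "setup":
            continue
        if conn.get("authby") == "secret" and conn.get("right") == "%any":
            findings.append((name, "one PSK shared with every road-warrior peer (%any)"))
        if conn.get("pfs") == "no":
            findings.append((name, "pfs=no: IPsec SA keys derive from the IKE SA (Windows L2TP clients need this)"))
        if "ike" not in conn or "phase2alg" not in conn:
            findings.append((name, "no explicit ike/phase2alg: Openswan default proposals apply"))
    return findings
```

Run `audit(parse_ipsec_conf(open("/etc/ipsec.conf").read()))` on the real file; the net-to-net conn above produces no findings, the l2tp-psk conn produces three.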

Configure xl2tpd

```
# grep -v ^\; /etc/xl2tpd/xl2tpd.conf | sed '/^$/d'
[global]
listen-addr = 192.168.22.210
auth file = /etc/ppp/chap-secrets

[lns default]
ip range = 192.168.10.128-192.168.10.254
local ip = 192.168.10.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

```
# grep -v ^# /etc/ppp/options.xl2tpd | sed '/^$/d'
ipcp-accept-local
ipcp-accept-remote
ms-dns 114.114.114.114
noccp
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.log
```

```
# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
vpn         *         vpn       192.168.10.22
# username vpn, password vpn, assigned IP address 192.168.10.22
```

# Verify on Windows XP: My Network Places – Create a new connection – VPN – enter the gateway's IP. After the connection is created: right-click – Properties – Security, and untick "Require data encryption (disconnect if none)", otherwise error 741 appears.

Click "IPSec Settings" – "Use pre-shared key for authentication", enter the key "test" defined above, and the connection can be established.

```
# tail /var/log/xl2tpd.log    # check the log
rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
sent [IPCP ConfNak id=0x6 <addr 192.168.10.22> <ms-dns1 114.114.114.114> <ms-dns2 114.114.114.114>]
rcvd [IPCP ConfAck id=0x2 <addr 192.168.10.1>]
rcvd [IPCP ConfReq id=0x7 <addr 192.168.10.22> <ms-dns1 114.114.114.114> <ms-dns2 114.114.114.114>]
sent [IPCP ConfAck id=0x7 <addr 192.168.10.22> <ms-dns1 114.114.114.114> <ms-dns2 114.114.114.114>]
found interface eth0 for proxy arp
local  IP address 192.168.10.1
remote IP address 192.168.10.22
Script /etc/ppp/ip-up started (pid 7472)
Script /etc/ppp/ip-up finished (pid 7472), status = 0x0
```

Firewall:

```
# udp 500 = IKE, udp 4500 = NAT-T; peers that do not use NAT-T encapsulation also need ESP (IP protocol 50)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# placeholders: replace site-A-private-subnet, site-B-private-subnet and site-A-Public-IP with your own values
iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP
```
