Installing and configuring L2TP on CentOS with FreeRADIUS authentication
Category: Ops Technology   Date: 2012-12-01 - 22:10:57   Author: Laoxie
Part 1: Installing L2TP

1. Install the required packages

yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced
2. Install Openswan (what is Openswan? See the linked page)

wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install
3. Next, install L2TP

wget http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -Uvh epel-release-5-4.noarch.rpm
yum install xl2tpd
4. Now edit the various configuration files; please work through them patiently and carefully. Edit /etc/ipsec.conf, replacing SERVER-IP-HERE with your public IP address:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=SERVER-IP-HERE
        leftprotoport=17/1701
        right=%any
Create a new /etc/ipsec.secrets (the pre-shared key every client must be given):

YOUR-SERVER-IP-HERE %any: PSK "yourvpnsecret"
Edit /etc/sysctl.conf and append the following at the bottom:

#added for xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Then apply the settings, start IPsec and verify it:

sysctl -p
service ipsec start
ipsec verify
If you see output like the following, everything is fine:

[root@vpn2 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.24/K2.6.18-274.3.1.el5xen (netkey)
Checking for IPsec support in kernel                            [OK]
Testing against enforced SElinux mode                           [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
Next, edit /etc/xl2tpd/xl2tpd.conf, putting your public IP where it says YOUR-SERVER-IP-HERE and your VPN server name where it says LinuxVPNserver:

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
listen-addr = YOUR-SERVER-IP-HERE
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
ipsec saref = yes
port = 1701
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; forceuserspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = no
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Next, edit /etc/ppp/options.xl2tpd so that it contains the following:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure
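The three files above (sysctl.conf, xl2tpd.conf and options.xl2tpd) each have their own tiny syntax, and a typo in the lines that matter for security ("refuse pap", "require-mschap-v2", the ICMP redirect sysctls that ipsec verify also tests) fails silently. Below is an added example, not part of this guide or of the xl2tpd project, with small parsers for each format and a checker that reports any of those settings that are missing or weakened. The fragments it runs on are constructed here to mirror the guide's configs; the 198.51.100.10 listen address is a placeholder.

```python
"""Offline checker for the L2TP/IPsec config fragments used in this guide.
Added example; the parsers are deliberately minimal, not xl2tpd's own."""

# Constructed fragments modelled on the guide's files (not the real files).
XL2TPD_CONF = """\
[global]
listen-addr = 198.51.100.10   ; placeholder public IP
ipsec saref = yes
port = 1701

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = no
name = LinuxVPNserver
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
"""

PPP_OPTIONS = """\
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
hide-password
name l2tpd
proxyarp
lcp-echo-interval 30
"""

SYSCTL_CONF = """\
#added for xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
"""


def parse_xl2tpd_conf(text):
    """xl2tpd.conf: ';' comments, [section] headers, 'key = value' where keys may contain spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def parse_ppp_options(text):
    """pppd options file: one option per line, optional argument after the name.
    Returns {option: [arguments...]} so repeated options such as ms-dns are kept."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts


def parse_sysctl(text):
    """sysctl.conf: '#' comments, 'key = value'."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def check_vpn_config(xl2tpd_conf, ppp_options, sysctl_conf):
    """Return a list of findings; an empty list means all expected settings are present."""
    findings = []
    lns = parse_xl2tpd_conf(xl2tpd_conf).get("lns default", {})
    if lns.get("require chap") != "yes":
        findings.append("xl2tpd.conf: 'require chap = yes' missing in [lns default]")
    if lns.get("refuse pap") != "yes":
        findings.append("xl2tpd.conf: 'refuse pap = yes' missing; PAP would carry the password in clear inside the tunnel")
    if lns.get("pppoptfile") != "/etc/ppp/options.xl2tpd":
        findings.append("xl2tpd.conf: pppoptfile does not point at /etc/ppp/options.xl2tpd")
    opts = parse_ppp_options(ppp_options)
    for required in ("require-mschap-v2", "auth"):
        if required not in opts:
            findings.append(f"options.xl2tpd: '{required}' missing")
    sysctl = parse_sysctl(sysctl_conf)
    expected = {"net.ipv4.ip_forward": "1",
                "net.ipv4.conf.all.send_redirects": "0",
                "net.ipv4.conf.default.send_redirects": "0",
                "net.ipv4.conf.all.accept_redirects": "0",
                "net.ipv4.conf.default.accept_redirects": "0"}
    for key, want in expected.items():   # these are the values 'ipsec verify' also tests
        if sysctl.get(key) != want:
            findings.append(f"sysctl.conf: {key} should be {want} (got {sysctl.get(key)!r})")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(XL2TPD_CONF, PPP_OPTIONS, SYSCTL_CONF) or ["no findings"]:
        print(finding)
```

To run it against a live box, read the three real files with open() and pass their contents to check_vpn_config; the parsers ignore everything they do not understand, so the extra comment lines in the full files are harmless.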
Next, create the iptables rules and enable the services at boot:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
service iptables save
service iptables restart
service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
Finally, create the L2TP accounts:

vim /etc/ppp/chap-secrets

Format example (fields are client, server, secret, allowed IP addresses; the server field must match the name given by the "name" option in /etc/ppp/options.xl2tpd, or be "*"):

laoxie xl2tpd laoxie *
At this point the L2TP setup is complete. Test whether an account created directly in chap-secrets can log in and work normally; if it does, continue with the RADIUS authentication part below, and if not, go back and check the steps above.
Part 2: FreeRADIUS authentication

First, add the client on the FreeRADIUS server by editing /etc/raddb/clients.conf in the following format:

client VPN-SERVER-IP-HERE {
        secret    = YOUR-SECRET-HERE
        shortname = yourVPN
        nastype   = other
}
Once that is done you can close the SSH session to the FreeRADIUS server, because that is the only step needed there; the steps below are carried out on the L2TP server.

wget http://pkgs.repoforge.org/radiusclient/radiusclient-0.3.2-0.2.el5.rf.i386.rpm
rpm -i radiusclient-0.3.2-0.2.el5.rf.i386.rpm
Edit /etc/radiusclient/servers with the following content (the key must be the same secret you put in clients.conf on the RADIUS server):

#Server Name or Client/Server pair          Key
#----------------                           ---------------
#portmaster.elemental.net                   hardlyasecret
#portmaster2.elemental.net                  donttellanyone
YOUR_RADIUS_SERVER_HOSTNAME_OR_IP           YOUR_RADIUS_SERVER_SECRET
Next, edit /etc/radiusclient/radiusclient.conf with the following content:

auth_order      radius,local
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /etc/radiusclient/issue
authserver      RADIUS_SERVER_IP_OR_HOSTNAME:1812
acctserver      RADIUS_SERVER_IP_OR_HOSTNAME:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login
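The secret that appears in both clients.conf on the RADIUS server and /etc/radiusclient/servers on the L2TP server is what ties the two sides together: it hides the User-Password attribute in the Access-Request and it keys the Response Authenticator that the L2TP server (the NAS) uses to check that an Access-Accept really came from its RADIUS server. The following added example, which is not code from this guide, FreeRADIUS or radiusclient, plays both sides of one RFC 2865 exchange in memory so the effect of a matching, a wrong, and a mismatched secret can be seen without any network. The user table, NAS address 192.0.2.10 and secrets are constructed for the example.

```python
"""Toy RADIUS Access-Request / Access-Accept exchange (RFC 2865) between an
L2TP server acting as NAS and a RADIUS server, run in memory (no sockets).
Added example, not the guide's or FreeRADIUS's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret, req_auth, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    n = max(1, -(-len(password) // 16)) * 16
    padded = password.ljust(n, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; the chaining value is the ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Type/Length/Value attributes; the length byte includes the 2-byte header."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def _packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(secret, code, ident, req_auth, body):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the NAS can
    only verify this if it holds the same secret the server used."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def access_request(secret, ident, username, password, req_auth=None):
    """NAS side: build the Access-Request; returns (packet, request_authenticator)."""
    req_auth = req_auth or os.urandom(16)
    body = (_attr(USER_NAME, username.encode())
            + _attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
            + _attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))   # constructed NAS address
    return _packet(ACCESS_REQUEST, ident, req_auth, body), req_auth


def server_handle(secret, users, packet):
    """RADIUS server side: recover the password with its own copy of the secret,
    check it against the user table and sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    pw = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    ok = user in users and hmac.compare_digest(users[user].encode(), pw)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(reply, ident, response_authenticator(secret, reply, ident, req_auth, b""), b"")


def client_check_response(secret, ident, req_auth, response):
    """NAS side: act on a reply only if its ID matches and its Response
    Authenticator verifies; otherwise treat it as unverified (wrong secret, spoofed or tampered)."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    expected = response_authenticator(secret, code, rid, req_auth, body)
    if rid != ident or not hmac.compare_digest(expected, response[4:20]):
        return "unverified"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def exchange(nas_secret, server_secret, username, password, users):
    """One request/reply round trip with the given secrets on each side."""
    req, req_auth = access_request(nas_secret, 7, username, password)
    return client_check_response(nas_secret, 7, req_auth, server_handle(server_secret, users, req))


USERS = {"laoxie": "laoxie"}   # constructed user table standing in for the RADIUS users file

if __name__ == "__main__":
    print(exchange(b"s3cret", b"s3cret", "laoxie", "laoxie", USERS))   # accept
    print(exchange(b"s3cret", b"s3cret", "laoxie", "wrong", USERS))    # reject
    print(exchange(b"s3cret", b"other", "laoxie", "laoxie", USERS))    # unverified
```

The third case is the one to remember when the two secret files disagree: the server cannot recover the password, replies Access-Reject, and the NAS cannot even verify that reply, so the symptom is an unexplained authentication failure rather than a clear "wrong secret" error. The real exchange with require-mschap-v2 carries MS-CHAP attributes instead of User-Password, but the Response Authenticator check on the reply works the same way.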
Then edit /etc/radiusclient/dictionary and append the following at the bottom:

INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.ascend
INCLUDE /etc/radiusclient/dictionary.compat
INCLUDE /etc/radiusclient/dictionary.merit
dictionary.microsoft is not shipped by default; it can be downloaded here.

Then edit /etc/ppp/options.xl2tpd and append at the bottom:

plugin radius.so
plugin radattr.so
Finally, restart the L2TP service and try connecting!

service xl2tpd restart
This article mainly drew on the following documents:

Install and Setup FreeRADIUS on CentOS 5, CentOS 6 and Ubuntu 11.10
Setup L2TP/IPSec to Authenticate off FreeRADIUS on CentOS 5 + 6
六步搞定centos 6下l2tp + ipsec VPN服务器配置 (Six steps to set up an L2TP + IPsec VPN server on CentOS 6)
CentOS 安装和配置L2TP VPN (Installing and configuring an L2TP VPN on CentOS)

Thanks to the original authors of all the articles above :)
Grabbed the sofa first.

Damn, one second slower than you!~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ argh CCCCCCCCCCC

No idea what this is but it sounds impressive. Just grabbing a spot; can't understand it.

Er, Big D was so fast. Admire the high tech; I just tried out that Laoxue hosting.

No more sofa... technical post... can't understand it...

Technical post, can't understand it....

Master, a question: my company requires me to learn Unix, and I heard learning Linux is enough. Which version should a beginner install?

@Elizen Get FreeBSD and play around with it.

Forgot, that email has no avatar...

Very good; for mobile staff, it makes full use of existing scrapped computers. If you added what practical problem this solved, the writeup would be even richer.

Following the guide step by step, going to try tinkering with it.

Hmm. This is nice. Worth a try.

Way too deep for me!

For l2tp, the file to modify is /etc/ppp/options.xl2tpd, not /etc/ppp/options.pptpd.

Already corrected, thanks for the reminder.

Laoxie, you'll never be alone; we're always with you, growing together!~

What does the plugin do? I kept getting errors when configuring it.