Installing an L2TP VPN on CentOS 6.x

 梦缘人   2018-11-28 12:58   527 views  0 comments

I. Overview

L2TP is an industry-standard Internet tunnelling protocol whose role is broadly similar to PPTP's, with one point worth stating up front: L2TP itself does not encrypt anything. The tunnel carries PPP frames in the clear, and confidentiality only comes from running it over IPsec (L2TP/IPsec), which this article does not set up. Other differences: PPTP requires an IP network, while L2TP only needs a packet-oriented point-to-point link; PPTP uses a single tunnel, L2TP can use several; L2TP supports header compression and tunnel authentication, which PPTP does not.

L2TP is a data-link-layer protocol. Its messages fall into two classes, data messages and control messages. Data messages carry PPP frames, which form the payload of the L2TP packet. L2TP does not guarantee delivery of data messages: a lost data packet is not retransmitted, and there is no flow or congestion control for data. Control messages establish, maintain and tear down control connections and sessions; L2TP delivers them reliably and applies flow and congestion control to them.

II. Differences between L2TP and PPTP

PPTP and L2TP both use PPP to encapsulate the data and then add extra headers for transport across the internetwork. Although the two protocols are very similar, they differ in the following respects:

  • PPTP requires the internetwork to be an IP network. L2TP only requires that the tunnel medium provide packet-oriented point-to-point connectivity. L2TP can run over IP (using UDP), Frame Relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs.
  • PPTP can only establish a single tunnel between two endpoints. L2TP supports multiple tunnels between the same two endpoints, so a user can create separate tunnels for different qualities of service.
  • L2TP can compress headers. With header compression the overhead is 4 bytes, against 6 bytes under PPTP.
  • L2TP can authenticate the tunnel; PPTP cannot. When either L2TP or PPTP is used together with IPsec, IPsec provides the tunnel authentication and the layer-2 protocol does not need to authenticate it.

Two terms that appear in the L2TP configuration below:

  • The L2TP Access Concentrator (LAC) is a device attached to the network with a PPP end system and L2TPv2 protocol handling; in practice it is usually network-access-server software that terminates the remote client's network access.
  • The L2TP Network Server (LNS) is the software that handles the server side of the L2TP protocol. The xl2tpd `[lns default]` section configured below is this role.

III. Installing L2TP

1. Environment preparation

Bash

#Install the EPEL repository
rpm -ivh http://mirrors.yun-idc.com/epel/6/x86_64/epel-release-6-8.noarch.rpm

#Alternatively, with the CentOS extras repo enabled: yum install epel-release
#Stop the firewall for the initial test only; section IV adds the rules it needs and turns it back on
service iptables stop
#Put SELinux in permissive mode (not persistent; it reverts at the next reboot)
setenforce 0
#Turn on packet forwarding (made persistent in /etc/sysctl.conf in section IV)
sysctl -w net.ipv4.ip_forward=1


2. Software installation

Bash

#xl2tpd comes from EPEL and pulls in ppp (pppd) as a dependency
yum install xl2tpd -y


IV. Configuring L2TP

1. Edit the main configuration file, xl2tpd.conf

# vim /etc/xl2tpd/xl2tpd.conf

Bash

[lns default]
; addresses handed out to VPN clients
ip range = 10.0.0.2-10.0.0.200
; the L2TP server's own address inside the tunnel
local ip = 10.0.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Comments in xl2tpd.conf start with `;` (as in the example file shipped with the package), so the notes are kept on their own lines rather than appended to the values. `require chap = yes` together with `refuse pap = yes` stops clients from sending the password in the clear, but plain CHAP is only an MD5 challenge/response: anyone who can capture the unencrypted L2TP traffic can brute-force it offline, so this is no substitute for putting IPsec in front of the tunnel. `ppp debug = yes` is useful while setting up and should be turned off afterwards, since it logs the negotiation details of every session.

2. Edit the options.xl2tpd file

# vim /etc/ppp/options.xl2tpd

Bash

ipcp-accept-local
ipcp-accept-remote
ms-dns  119.29.29.29
ms-dns  114.114.114.114
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.log

A few of these matter for what you will see later. `auth` makes pppd demand that the client authenticate (together with `require chap` and `refuse pap` above). `noccp` turns off PPP compression negotiation. `ms-dns` pushes the two public resolvers to clients; replace them with your own if the VPN is meant to reach internal names. `proxyarp` only works when the client address range belongs to a subnet on one of the server's Ethernet interfaces, which a private 10.0.0.0/24 tunnel range is not, hence the "Cannot determine ethernet address for proxy ARP" warning in the log at the end; it is harmless here because NAT (section IV.4) carries the return traffic. Note also that this file sets no `name`, so pppd authenticates under the machine's hostname, which matters for the server column of chap-secrets below.

3. Configure the account and password

# vim /etc/ppp/chap-secrets

Bash

# Secrets for authentication using CHAP
# client      server    secret    IP addresses
  vpn           *       123456           *

The columns are client name, server name, secret, and the addresses the client may use. `123456` is a placeholder only: pick a long random secret, because without IPsec the CHAP exchange crosses the network unencrypted and is crackable offline. The second column must match pppd's own name; since options.xl2tpd sets no `name`, that is the hostname, and `*` is the safe choice. Keep the file mode 600, as it holds every user's secret in clear text.

4. Configure NAT and firewall ports

The useful part here is saving the rules and enabling the service at boot; if you keep the firewall on, it must be started after each reboot, which `chkconfig iptables on` takes care of.

Bash

#NAT for the VPN client range out of the WAN interface (replace eth0 with your uplink)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
#L2TP control and data channel
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
#IKE and NAT-T: only needed once IPsec is deployed in front of L2TP (not done in this article)
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
service iptables save      #save the rules to /etc/sysconfig/iptables
service iptables start     #start the firewall
service iptables restart   #restart the firewall
service iptables stop      #stop the firewall
service iptables status    #show the current firewall state
chkconfig iptables on      #start at boot

The original also opened UDP 1723. That port belongs to PPTP (which uses TCP 1723 plus GRE, not UDP) and has nothing to do with L2TP, so it is left out here. Note that `-A` appends: on a running CentOS 6 firewall the default rule set ends with a catch-all REJECT, and anything appended after it never matches. It only worked in the sequence above because `service iptables stop` had flushed the chains; on a live firewall use `-I INPUT` or place the rules before the REJECT line in /etc/sysconfig/iptables.

Making forwarding persistent in sysctl.conf

Bash

vi /etc/sysctl.conf
#change
net.ipv4.ip_forward = 0
#to
net.ipv4.ip_forward = 1
#load the new settings
sysctl -p
#check that it took effect
cat /proc/sys/net/ipv4/ip_forward

A value of 1 means the kernel is forwarding (routing) packets; 0 means the setting did not take effect and the configuration is wrong.
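The rules above are appended one at a time to a firewall that has just been stopped, and they leave the FORWARD chain to its default policy. As an added example (not code from the original post), the shell functions below build a complete iptables-restore ruleset for this server with a DROP policy, the L2TP and SSH ports, the NAT rule and the FORWARD rules for the ppp interfaces, and check the forwarding sysctl. The interface name, the VPN subnet, the hypothetical `yes` switch for the IPsec rules and SSH on TCP 22 are assumptions of the example, not values from the post.

```shell
#!/bin/bash
# Added example, not from the original post: build a full iptables-restore ruleset
# for the L2TP server and check ip_forward.
# Assumptions: WAN interface and VPN subnet are passed in; the optional third argument
# "yes" is a hypothetical switch for the IKE/NAT-T/ESP rules, which only make sense once
# IPsec is actually running in front of L2TP; SSH listens on TCP 22 (as in the netstat
# output later in the post).

# l2tp_ruleset WAN_IF VPN_SUBNET [yes]
# Usage: l2tp_ruleset eth0 10.0.0.0/24 > /etc/sysconfig/iptables && service iptables restart
l2tp_ruleset() {
    local wan="$1" subnet="$2" ipsec="${3:-no}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade VPN clients behind the WAN address
-A POSTROUTING -s ${subnet} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
    if [ "$ipsec" = "yes" ]; then
        cat <<EOF
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
# accept L2TP only when it arrived inside an IPsec SA, so bare L2TP is refused
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
EOF
    else
        echo '-A INPUT -p udp --dport 1701 -j ACCEPT'
    fi
    cat <<EOF
# let VPN clients (ppp interfaces) reach the outside and get replies back
-A FORWARD -i ppp+ -s ${subnet} -j ACCEPT
-A FORWARD -o ppp+ -d ${subnet} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# ip_forward_enabled [FILE]
# Succeeds when the sysctl node (or FILE, for testing on a copy) reads 1.
ip_forward_enabled() {
    local node="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$node" 2>/dev/null)" = "1" ]
}
```

Without the `yes` switch the ruleset matches what this article deploys: plain L2TP on UDP 1701 and nothing else reachable from outside except SSH. Once IPsec is in place, the `-m policy --pol ipsec` match on the 1701 rule is what actually refuses unencrypted L2TP, which opening 500/4500 on its own does not do.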

V. Starting and restarting L2TP

Bash

service xl2tpd start
service xl2tpd restart

VI. Enable start at boot

Bash

chkconfig xl2tpd on

Adding users

Bash

vi /etc/ppp/chap-secrets
UserName1 * PassWord1 *
UserName2 * PassWord2 *

The server column is `*` here, matching the first entry above. The original listed `l2tpd` in that column, but nothing in this setup gives pppd that name: /etc/ppp/options.xl2tpd has no `name` line, so pppd authenticates under the host's own name and an `l2tpd` entry would never be matched. pppd reads chap-secrets afresh for every connection, so adding users needs no restart of xl2tpd.
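Both the initial `vpn / 123456` entry and the user lines above are written by hand with short secrets. As an added example (not from the original post), the following shell functions add a user with a random 24-character secret, refuse duplicates, lock the file to mode 600, and audit an existing chap-secrets file for short secrets and loose permissions. The explicit file path argument, the 16-character minimum, plain alphanumeric user names and the `*` default for the server column (pppd's name is the hostname here, as discussed above) are assumptions of the example; run it against a copy of /etc/ppp/chap-secrets first.

```shell
#!/bin/bash
# Added example, not from the original post: manage chap-secrets with random secrets
# and audit it for the weaknesses shown above (short secrets, world-readable file).
# Assumptions: the file path is passed explicitly so the functions can be run on a copy;
# user names are plain alphanumeric (the duplicate check is a regex); the server column
# defaults to '*' because options.xl2tpd sets no "name" for pppd.

# Print a 24-character random secret (letters and digits only, so it needs no quoting
# in chap-secrets).
l2tp_gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# l2tp_add_user FILE USER [SERVER] [IP]
# Appends "USER SERVER SECRET IP", refuses to duplicate an existing USER, locks the
# file to mode 600 and prints the generated secret (hand it to the user out of band).
l2tp_add_user() {
    local file="$1" user="$2" server="${3:-*}" ip="${4:-*}" secret
    if grep -Eq "^[[:space:]]*${user}[[:space:]]" "$file" 2>/dev/null; then
        echo "l2tp_add_user: ${user} already exists in ${file}" >&2
        return 1
    fi
    secret=$(l2tp_gen_secret)
    printf '%s\t%s\t%s\t%s\n' "$user" "$server" "$secret" "$ip" >> "$file"
    chmod 600 "$file"
    printf '%s\n' "$secret"
}

# l2tp_audit_secrets FILE [MINLEN]
# Reports a secrets file that is readable by group/other and every entry whose secret
# is shorter than MINLEN (default 16). Returns 1 if anything was reported.
l2tp_audit_secrets() {
    local file="$1" minlen="${2:-16}" rc=0 mode user server secret ip
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "WARN: ${file} is mode ${mode}; expected 600"; rc=1 ;;
    esac
    while read -r user server secret ip; do
        case "$user" in ''|\#*) continue ;; esac   # skip blank and comment lines
        if [ "${#secret}" -lt "$minlen" ]; then
            echo "WARN: ${user}: secret is ${#secret} chars, below ${minlen}"
            rc=1
        fi
    done < "$file"
    return "$rc"
}
```

Run `l2tp_audit_secrets /etc/ppp/chap-secrets` after the edits above: the `vpn / 123456` entry is exactly the kind of line it flags, and a 644 file is the other common mistake, since every secret in it is stored in clear text.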

Check that xl2tpd is listening

Bash

netstat -antup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN      1026/sshd
tcp        0      0 127.0.0.1:25      0.0.0.0:*           LISTEN      1114/master
tcp        0     52 192.168.1.10:22   192.168.1.36:62256  ESTABLISHED 1733/sshd
udp        0      0 0.0.0.0:1701      0.0.0.0:*                       2378/xl2tpd

The last line is the one that matters: xl2tpd bound to UDP 1701 on all addresses.

# Watch the log while a client connects

# tail -f /var/log/messages

Jan 17 14:25:21 node1 xl2tpd[2373]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
Jan 17 14:25:21 node1 xl2tpd[2378]: xl2tpd version xl2tpd-1.3.6 started on node1.wzlinux.com PID:2378
Jan 17 14:25:21 node1 xl2tpd[2378]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 17 14:25:21 node1 xl2tpd[2378]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 17 14:25:21 node1 xl2tpd[2378]: Inherited by Jeff McAdams, (C) 2002
Jan 17 14:25:21 node1 xl2tpd[2378]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jan 17 14:25:21 node1 xl2tpd[2378]: Listening on IP address 0.0.0.0, port 1701
Jan 17 14:27:29 node1 xl2tpd[2378]: Connection established to 192.168.1.36, 1701.  Local: 345, Remote: 1 (ref=0/0).  LNS session is 'default'
Jan 17 14:27:29 node1 xl2tpd[2378]: Call established with 192.168.1.36, Local: 51894, Remote: 1, Serial: 0
Jan 17 14:27:29 node1 pppd[2399]: pppd 2.4.5 started by root, uid 0
Jan 17 14:27:29 node1 pppd[2399]: Using interface ppp0
Jan 17 14:27:29 node1 pppd[2399]: Connect: ppp0 <--> /dev/pts/1
Jan 17 14:27:31 node1 pppd[2399]: Cannot determine ethernet address for proxy ARP
Jan 17 14:27:31 node1 pppd[2399]: local  IP address 10.8.0.1
Jan 17 14:27:31 node1 pppd[2399]: remote IP address 10.8.0.100

Reading this log: "L2TP kernel support not detected" means the l2tp_ppp module is not loaded, so xl2tpd hands each session to pppd through a pseudo-terminal (the "ppp0 <--> /dev/pts/1" line); that works, just with more copying per packet. "Cannot determine ethernet address for proxy ARP" is the `proxyarp` option finding no local Ethernet subnet that contains the client address; with NAT in place it can be ignored. The addresses in this capture (10.8.0.1 and 10.8.0.100) come from a run with a different `local ip` and `ip range` than the 10.0.0.0/24 values configured above; with that configuration you would see 10.0.0.1 and an address from 10.0.0.2 to 10.0.0.200.
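To turn a log like this into something you can check quickly, here is an added example (not from the original post) that correlates xl2tpd's "Connection established to" line with the pppd address lines that follow it and reports one record per call, noting on stderr when xl2tpd is running without kernel L2TP support. The sample log embedded in the block is the post's own lines plus one constructed second call (the 192.168.1.50 / 10.8.0.101 entries); the syslog layout is assumed to be the CentOS 6 default shown above.

```shell
#!/bin/bash
# Added example, not from the original post: summarise L2TP/PPP sessions from
# /var/log/messages. Assumes the CentOS 6 syslog layout shown in the post:
# "Mon DD HH:MM:SS host prog[pid]: message".

# l2tp_sessions [LOGFILE]   (reads stdin when no file is given)
# Prints "peer=<client public IP> local=<server tunnel IP> remote=<client tunnel IP>"
# per established call, pairing xl2tpd's "Connection established to" line with the
# pppd "local/remote IP address" lines that follow it.
l2tp_sessions() {
    awk '
        /xl2tpd\[[0-9]+\]: L2TP kernel support not detected/ { nokernel = 1 }
        /xl2tpd\[[0-9]+\]: Connection established to/ {
            peer = $9; sub(/,$/, "", peer)          # "192.168.1.36," -> "192.168.1.36"
        }
        /pppd\[[0-9]+\]: local +IP address/  { localip = $9 }
        /pppd\[[0-9]+\]: remote IP address/ {
            printf "peer=%s local=%s remote=%s\n", peer, localip, $9
            peer = ""; localip = ""
        }
        END {
            if (nokernel)
                print "note: no l2tp_ppp kernel module; sessions use the slower pty path" > "/dev/stderr"
        }
    ' "${1:--}"
}

# Sample input: the post's log lines, followed by a constructed second client
# (192.168.1.50 / ppp1 / 10.8.0.101) that does not appear in the original log.
l2tp_sample_log() {
    cat <<'EOF'
Jan 17 14:25:21 node1 xl2tpd[2373]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
Jan 17 14:25:21 node1 xl2tpd[2378]: Listening on IP address 0.0.0.0, port 1701
Jan 17 14:27:29 node1 xl2tpd[2378]: Connection established to 192.168.1.36, 1701.  Local: 345, Remote: 1 (ref=0/0).  LNS session is 'default'
Jan 17 14:27:29 node1 xl2tpd[2378]: Call established with 192.168.1.36, Local: 51894, Remote: 1, Serial: 0
Jan 17 14:27:29 node1 pppd[2399]: pppd 2.4.5 started by root, uid 0
Jan 17 14:27:29 node1 pppd[2399]: Using interface ppp0
Jan 17 14:27:31 node1 pppd[2399]: Cannot determine ethernet address for proxy ARP
Jan 17 14:27:31 node1 pppd[2399]: local  IP address 10.8.0.1
Jan 17 14:27:31 node1 pppd[2399]: remote IP address 10.8.0.100
Jan 17 14:40:02 node1 xl2tpd[2378]: Connection established to 192.168.1.50, 1701.  Local: 346, Remote: 1 (ref=0/0).  LNS session is 'default'
Jan 17 14:40:02 node1 xl2tpd[2378]: Call established with 192.168.1.50, Local: 51895, Remote: 1, Serial: 0
Jan 17 14:40:04 node1 pppd[2450]: Using interface ppp1
Jan 17 14:40:04 node1 pppd[2450]: local  IP address 10.8.0.1
Jan 17 14:40:04 node1 pppd[2450]: remote IP address 10.8.0.101
EOF
}

# Demo: l2tp_sample_log | l2tp_sessions
# On the real box: l2tp_sessions /var/log/messages
```

Because the L2TP peer address comes from the xl2tpd line and the tunnel addresses from pppd, a peer that shows up with no matching pppd record is a tunnel that never finished authenticating, which is exactly what you want to spot in this log once the server is exposed on UDP 1701.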

Permalink: https://www.xfnz.net/896.html
Copyright notice: this is an original article by 梦缘人. Sharing is welcome; please keep the source link when reposting.
