Setting up an IPsec + L2TP VPN service on Linux (production)

Posted by chenzm0592

Install the software and dependency packages

yum -y install epel-release
yum -y install ipsec-tools
yum -y install gmp gmp-devel gawk flex bison
yum -y install openswan ppp xl2tpd

Kernel tuning (contents of /etc/sysctl.conf):

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000

kernel.shmmax = 67108864
fs.file-max = 65535
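As an added check (example code, not part of the original post), the following POSIX shell function audits a sysctl.conf-style file for the forwarding and redirect settings listed above, and flags net.ipv4.tcp_tw_recycle, which was removed in Linux 4.12 and makes sysctl -p report an error on current kernels. The temp file and its sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sysctl.conf-style file
# for the forwarding/redirect settings the L2TP/IPsec host above relies on.

# check_sysctl FILE: prints one line per problem; exit status = number of problems.
check_sysctl() {
    file="$1"
    problems=0
    for want in \
        net.ipv4.ip_forward=1 \
        net.ipv4.conf.default.rp_filter=0 \
        net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.default.send_redirects=0 \
        net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.default.accept_redirects=0
    do
        key=${want%%=*}
        val=${want#*=}
        # Use the last assignment of the key, which is the one sysctl -p applies.
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$file" | tail -n 1)
        if [ "$got" != "$val" ]; then
            echo "WRONG: $key should be $val, is '${got:-unset}'"
            problems=$((problems + 1))
        fi
    done
    # tcp_tw_recycle was removed in Linux 4.12; sysctl -p reports an error for it.
    if grep -q '^[[:space:]]*net\.ipv4\.tcp_tw_recycle' "$file"; then
        echo "OBSOLETE: net.ipv4.tcp_tw_recycle does not exist on kernels >= 4.12"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: the post's settings, but with forwarding left off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.tcp_tw_recycle = 1
EOF
n=0
check_sysctl "$sample" || n=$?
echo "$n problem(s) found in $sample"   # prints 2 for this sample
rm -f "$sample"
```

Run it as check_sysctl /etc/sysctl.conf before sysctl -p; a non-zero exit means at least one setting needed for the VPN host is missing or wrong.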

Edit the ipsec configuration file:

cd /etc/ipsec.d/
# back up the existing .conf files before adding our own
ls ./*.conf | xargs -I {} mv {} {}.bak
vim L2TP.conf
cat /etc/ipsec.d/L2TP.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=165.227.2.134
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

4. Configure the IPsec pre-shared key:

165.227.2.134 %any: PSK "123456"

Verify IPsec's running status: it is fine as long as nothing reports "failed".

6. Edit /etc/xl2tpd/xl2tpd.conf

7. Edit /etc/ppp/options.xl2tpd

Set the VPN account name and password:

Start the services:

Firewall settings:

Mainly, the following rules need to be added.

iptables -A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 165.227.2.134
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 1701 -j ACCEPT
iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
iptables -I INPUT -p esp -j ACCEPT
/etc/init.d/iptables save

Testing from an iPhone:

Testing from a PC: VPN.pbk
