strongSwan、xl2tpd 基础配置档
利用 IPsec 保持总部静态IP + 分支动态IP 的连线。
环境：总部：CentOS 6.5
分支：Vigor 或 D-Link 路由器
移动办公室：Windows 7
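# Build strongSwan from source; it installs under /usr/local, which is where the
# ipsec.conf / ipsec.secrets / sbin/ipsec paths used later in these notes live.
# NOTE(review): 5.3.5 is an old release — fetch a current tarball and verify the
# published .sig signature before building.
wget https://download.strongswan.org/strongswan-5.3.5.tar.gz
tar -xzvf strongswan-5.3.5.tar.gz
# The extracted directory is strongswan-5.3.5; the original notes tried to cd into
# the tarball name, which does not exist as a directory.
cd strongswan-5.3.5
yum update
yum install pam-devel openssl-devel make gcc -y
# EAP/XAuth plugins for road-warrior clients; --disable-gmp presumably leaves DH/RSA to
# the openssl plugin. (--enable-openssl appeared twice in the original; once is enough.)
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --disable-gmp
make && make install
# One-off: stop every interface from accepting or sending ICMP redirects, which a VPN
# gateway should not honour. The loop variable was garbled in the original notes; the
# setting should also be made persistent in sysctl.conf.
#for iface in /proc/sys/net/ipv4/conf/*; do echo 0 > "$iface/accept_redirects"; echo 0 > "$iface/send_redirects"; done
# The edit is not shown; presumably net.ipv4.ip_forward = 1 (needed for tunnelled traffic
# to reach leftsubnet) plus the redirect settings above — confirm against the live file.
vim /etc/sysctl.conf
sysctl -p
vim /usr/local/etc/ipsec.conf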
# /usr/local/etc/ipsec.conf — strongSwan connection definitions for the head office.
# Everything under %default is inherited by the conns that follow.
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
# IKEv1 with a pre-shared key; together with right=%any below, one PSK serves every peer.
keyexchange=ikev1
authby=secret
# NOTE(review): 3DES, MD5, SHA-1 and MODP-1024 are legacy algorithms. Where the branch
# routers support it, prefer e.g. ike=aes256-sha256-modp2048 and esp=aes256-sha256.
ike=3des-sha1-modp1024
esp=3des-md5
# Site-to-site tunnel to a branch with a dynamic public address (right=%any).
# The conn name is garbled here (×××); use a descriptive ASCII name in the real file.
conn ×××
left=0.0.0.0
leftsubnet=192.168.0.0/16
# leftfirewall=yes lets strongSwan's updown script insert/remove the iptables rules for
# this tunnel's traffic, which the static rule set below otherwise rejects.
leftfirewall=yes
right=%any
rightsubnet=192.168.3.0/24
# auto=add loads the conn at start-up and waits for the branch to initiate.
auto=add
# NOTE(review): this conn differs from the one above only in rightsubnet while both use
# right=%any and the same PSK; verify each branch negotiates the intended conn.
conn ***2
left=0.0.0.0
leftsubnet=192.168.0.0/16
leftfirewall=yes
right=%any
# NOTE(review): host address with a /24 prefix; presumably 172.20.15.0/24 is meant — confirm.
rightsubnet=172.20.15.2/24
auto=add
# Pre-shared keys. A line that starts with ":" and no selectors applies to every peer,
# matching right=%any in ipsec.conf. XXXXXX is a placeholder: use a long random secret
# and keep the file owned by root with mode 0600, since it holds the key in clear text.
vim /usr/local/etc/ipsec.secrets
: PSK XXXXXX
# Start the daemon and read syslog for config/plugin load errors.
/usr/local/sbin/ipsec start
cat /var/log/messages
vim /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
# Secondary address on eth0: 192.168.16.1 is the "local ip" xl2tpd uses for L2TP
# clients, so it has to exist before xl2tpd serves sessions. NOTE(review): rc.local
# runs after the other init scripts, so the xl2tpd service may start before this alias
# is up at boot — a persistent interface-alias config would avoid the ordering problem.
# The /16 mask overlaps leftsubnet=192.168.0.0/16 in ipsec.conf — presumably intended
# so tunnelled branches can reach the L2TP pool; confirm.
ifconfig eth0:0 192.168.16.1 netmask 255.255.0.0 up
# Third-party installer that presumably adds the yum repository providing xl2tpd on
# CentOS 6. NOTE(review): it is fetched over plain http and executed as root without
# any integrity check — read the script first and prefer an https/checksum-verified
# download before running it.
wget http://www.atomicorp.com/installers/atomic
sh ./atomic
yum check-update
yum install xl2tpd -y
vim /etc/xl2tpd/xl2tpd.conf
; /etc/xl2tpd/xl2tpd.conf — L2TP network server (LNS) for the road-warrior clients.
[lns default]
; Client address pool; 192.168.16.1 is the server side, configured as the eth0:0 alias.
ip range = 192.168.16.128-192.168.16.254
local ip = 192.168.16.1
; CHAP only: PAP is refused and unauthenticated sessions are rejected.
require chap = yes
refuse pap = yes
require authentication = yes
; NOTE(review): the name is garbled here (×××); set a plain ASCII name in the real file.
name = Linux×××server
; NOTE(review): ppp debug writes the PPP/CHAP negotiation to syslog; disable once it works.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
; NOTE(review): nothing here ties L2TP to IPsec; the firewall must ensure UDP 1701 is
; only accepted for IPsec-protected traffic.
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
ms-dns 192.168.1.1
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# CHAP credentials. Secrets are stored in clear text by design, so the file must be
# root-owned with mode 0600. Columns: client, server ("*" = any), secret, peer address.
# NOTE(review): "test1" is an example password — use a strong one per user. The address
# 192.168.16.2 lies outside the 128-254 pool in xl2tpd.conf; presumably a deliberate
# static assignment — confirm.
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
user1 * test1 192.168.16.2
service xl2tpd start
vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
# /etc/sysconfig/iptables — loaded by "service iptables restart" below.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# IPsec: ESP (protocol 50), AH (51) and IKE (UDP 500).
# NOTE(review): nothing accepts UDP 4500 (IKE/ESP over NAT-T) or UDP 1701 (L2TP),
# although the branches and Windows clients connect from dynamic, typically NATed,
# addresses (right=%any). Presumably needed: "-A INPUT -p udp --dport 4500 -j ACCEPT"
# and "-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT" (the
# policy match keeps L2TP reachable only inside IPsec) — confirm against the working host.
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH is open from any source; restrict it to management addresses where possible.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD rejects everything, so branch-subnet traffic to 192.168.0.0/16 relies on the
# rules strongSwan's updown script inserts (leftfirewall=yes); presumably nothing covers
# the ppp interfaces of the L2TP clients — verify.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
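# Reload the firewall first: "service iptables restart" flushes the rule set, including
# anything the strongSwan updown script inserted, so ipsec is restarted afterwards to
# put its rules back (presumably the reason for this order).
service iptables restart
service xl2tpd restart
/usr/local/sbin/ipsec restart
# The original notes ended with a stray "done" that closed no loop; it is not a command.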