千家信息网

strongswan、xl2tp基础配置档

发表于:2024-12-02 作者:千家信息网编辑
千家信息网最后更新 2024年12月02日,利用IPSEC保持总部静态IP+分支动态IP的连线。环境:总部:Centos6.5分支:vigor or Dlink 路由器移动办公室:win7wget https://download.strong
千家信息网最后更新 2024年12月02日strongswan、xl2tp基础配置档

利用IPSEC保持总部静态IP+分支动态IP的连线。


环境:总部:Centos6.5

分支:vigor or Dlink 路由器

移动办公室:win7


wget https://download.strongswan.org/strongswan-5.3.5.tar.gz


tar -xzvf strongswan-5.3.5.tar.gz


cd strongswan-5.3.5.tar.gz


yum update


yum install pam-devel openssl-devel make gcc -y

./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp


make && make install


#for *** in /proc/sys/net/ipv4/conf/*; do echo 0 > $***/accept_redirects; echo 0 > $***/send_redirects; done



vim /etc/sysctl.conf

sysctl -p



vim /usr/local/etc/ipsec.conf


conn %default

ikelifetime=60m

rekeymargin=3m

keyingtries=1

keyexchange=ikev1

authby=secret

ike=3des-sha1-modp1024

esp=3des-md5


conn ×××


left=0.0.0.0

leftsubnet=192.168.0.0/16

leftfirewall=yes

right=%any

rightsubnet=192.168.3.0/24

auto=add


conn ***2


left=0.0.0.0

leftsubnet=192.168.0.0/16

leftfirewall=yes

right=%any

rightsubnet=172.20.15.2/24

auto=add


vim /usr/local/etc/ipsec.secrets

: PSK XXXXXX


/usr/local/sbin/ipsec start


cat /var/log/messages


vim /etc/rc.local

#!/bin/sh

#

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don't

# want to do the full Sys V style init stuff.


touch /var/lock/subsys/local


ifconfig eth0:0 192.168.16.1 netmask 255.255.0.0 up



wget http://www.atomicorp.com/installers/atomic

sh ./atomic

yum check-update

yum install xl2tpd -y

vim /etc/xl2tpd/xl2tpd.conf


[lns default]

ip range = 192.168.16.128-192.168.16.254

local ip = 192.168.16.1

require chap = yes

refuse pap = yes

require authentication = yes

name = Linux×××server

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes


vim /etc/ppp/options.xl2tpd

ipcp-accept-local

ipcp-accept-remote

ms-dns 192.168.1.1

ms-dns 192.168.1.1

ms-wins 192.168.1.2

ms-wins 192.168.1.4

noccp

auth

crtscts

idle 1800

mtu 1410

mru 1410

nodefaultroute

debug

lock

proxyarp

connect-delay 5000


vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client server secret IP addresses

user1 * test1 192.168.16.2


service xl2tpd start


vim /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]



-A INPUT -p 50 -j ACCEPT

-A INPUT -p 51 -j ACCEPT

-A INPUT -p udp --dport 500 -j ACCEPT


-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT


service iptables restart

service xl2tpd restart

/usr/local/sbin/ipsec restart


done


0