I. Environment:
1. CentOS 6.5 (two NICs are required if it is to act as a software router; a single NIC is enough if it only serves as a VPN gateway)
a. External IP: 192.168.0.133/24
b. Internal IP: 10.10.10.1/8
2. One Windows 10 host, used as an internal client to test the software router;
a. Internal IP: 10.10.10.10/8
II. Network tests before starting:
1. CentOS 6.5 (hereafter VPN-Server):
a. Test external connectivity;
# ping www.baidu.com
b. Test internal connectivity:
# ping 10.10.10.10
2. Windows 10 (hereafter Client):
a. Test whether the Client can reach the VPN-Server:
# ping 10.10.10.1
b. Test whether it can reach the Internet (it cannot yet at this point):
# ping www.baidu.com
III. Installation and deployment:
All of the following is done on the VPN-Server:
1. Install the EPEL repository:
# cd /etc/yum.repos.d/
# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# yum -y install epel-release
2. Install the required packages (openswan, ppp, xl2tpd):
openswan: provides the IPsec encryption
ppp: provides password authentication
xl2tpd: provides the L2TP VPN service
# yum -y install openswan ppp xl2tpd
3. Edit the ipsec configuration file (back up the shipped .conf files first, then create L2TP.conf):
# cd /etc/ipsec.d/
# ls ./*.conf | xargs -I {} mv {} {}.bak
# vim L2TP.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.133
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
4. Configure the ipsec pre-shared key:
# vim /etc/ipsec.d/L2TP.secrets
192.168.0.133 %any: PSK "YourPsk"
Note: the IP is your server's external IP; replace "YourPsk" with the pre-shared key you want to use.
5. Enable IP forwarding:
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
# sysctl -p
6. Verify that ipsec is running:
# service ipsec start
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
Note: as long as no line shows FAILED, you are fine.
Error 1:
Starting pluto IKE daemon for IPsec: Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
certutil - Utility to manipulate NSS certificate databases
Usage: certutil <command> -d <database-directory> <options>
Valid commands:
-A Add a certificate to the database (create if needed)
-B Run a series of certutil commands from a batch file
-E Add an Email certificate to the database (create if needed)
-C Create a new binary certificate from a BINARY cert request
-G Generate a new key pair
-D Delete a certificate from the database
-F Delete a key from the database
-U List all modules
-K List all private keys
-L List all certs, or print out a single named cert
-M Modify trust attributes of certificate
-N Create a new certificate database
-T Reset the Key database or token
-O Print the chain of a certificate
-R Generate a certificate request (stdout)
-V Validate a certificate
-W Change the key database password
--upgrade-merge Upgrade an old database and merge it into a new one
--merge Merge source database into the target database
-S Make a certificate and add to database
certutil -H <command> : Print available options for the given command
certutil -H : Print complete help output of all commands and options
certutil --syntax : Print a short summary of all commands and options
Failed to initialize nss database sql:/etc/ipsec.d
.Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
[... the same certutil usage text is printed a second time ...]
Failed to initialize nss database sql:/etc/ipsec.d
....                                                        [FAILED]
Fix: create the NSS database that pluto expects under /etc/ipsec.d, then generate a host key:
# certutil -N -d /etc/ipsec.d
# ipsec newhostkey --configdir /etc/ipsec.d/ --output /etc/ipsec.d/keys.secrets --bits 2192
Error 2:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          [FAILED]
  Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects!
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
Fix: the ICMP redirect sysctls were not applied; add them and reload:
# vim /etc/sysctl.conf
Add the following anywhere in the file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# sysctl -p
# ipsec verify
7. Edit /etc/xl2tpd/xl2tpd.conf
# vim /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
listen-addr = 192.168.0.133

[lns default]
ip range = 10.10.10.100-10.10.10.200
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = y
8. Edit /etc/ppp/options.xl2tpd
# vim /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 223.5.5.5
ms-dns 114.114.114.114
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
9. Edit /etc/ppp/chap-secrets (this file holds the VPN usernames and passwords)
# vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
admin       *         admin     *
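The settings in steps 4, 5, 7, 8 and 9 decide how much an attacker who reaches UDP/500 gains: the placeholder PSK, the admin/admin account and any PAP/CHAP fallback are the weak points. The following audit script is an added example, not part of the original post; it reads a directory laid out like /etc on the server (the directory argument and the WEAK message strings are assumptions) and reports each weak setting it finds, using a constructed sample tree that reproduces the walkthrough's values.

```shell
#!/bin/sh
# Added example, not from the original post: audit an L2TP/IPsec server's
# config files for the weak settings this walkthrough leaves behind
# (placeholder PSK, admin/admin account, PAP/CHAP not refused, ICMP
# redirects not disabled). $1 is a directory laid out like /etc on the server.
audit_l2tp_config() {
    cfg="$1"
    # PSK still the "YourPsk" placeholder or too short to resist offline guessing
    psk=$(sed -n 's/.*PSK "\([^"]*\)".*/\1/p' "$cfg/ipsec.d/L2TP.secrets")
    if [ "$psk" = "YourPsk" ] || [ "${#psk}" -lt 20 ]; then
        echo "WEAK: IPsec PSK is a placeholder or shorter than 20 characters"
    fi
    # chap-secrets entries whose password equals the username (e.g. admin/admin)
    grep -v '^#' "$cfg/ppp/chap-secrets" | awk 'NF >= 3 && $1 == $3 {
        print "WEAK: chap-secrets user " $1 " has password equal to username" }'
    # xl2tpd must refuse PAP and CHAP so only MS-CHAPv2 is negotiated
    for opt in "refuse pap" "refuse chap"; do
        grep -qi "^ *$opt *= *yes" "$cfg/xl2tpd/xl2tpd.conf" ||
            echo "WEAK: xl2tpd.conf does not set '$opt = yes'"
    done
    # pppd must insist on MS-CHAPv2 rather than merely allow it
    grep -q '^require-mschap-v2' "$cfg/ppp/options.xl2tpd" ||
        echo "WEAK: options.xl2tpd lacks require-mschap-v2"
    # the two sysctl keys that make 'ipsec verify' report FAILED under NETKEY
    for key in net.ipv4.conf.all.send_redirects net.ipv4.conf.all.accept_redirects; do
        grep -q "^$key *= *0" "$cfg/sysctl.conf" ||
            echo "WEAK: sysctl.conf does not set $key = 0"
    done
    return 0
}

# Constructed sample tree that reproduces the post's settings (placeholder PSK,
# admin/admin, accept_redirects left out) so the audit runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/ipsec.d" "$d/ppp" "$d/xl2tpd"
    echo '192.168.0.133 %any: PSK "YourPsk"' > "$d/ipsec.d/L2TP.secrets"
    printf '# client server secret IP addresses\nadmin * admin *\n' > "$d/ppp/chap-secrets"
    printf '[lns default]\nrefuse chap = yes\nrefuse pap = yes\n' > "$d/xl2tpd/xl2tpd.conf"
    printf 'require-mschap-v2\nms-dns 223.5.5.5\n' > "$d/ppp/options.xl2tpd"
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.send_redirects = 0\n' > "$d/sysctl.conf"
    echo "$d"
}

sample=$(make_sample)
audit_l2tp_config "$sample"   # prints three WEAK lines for this sample
rm -rf "$sample"
```

Run it against a copy of the real /etc (or pass /etc directly on the server) after finishing step 9; an empty report means the PSK, accounts, authentication method and redirect sysctls are all in order.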
10. Start the services:
# service xl2tpd start
# service ipsec start
11. iptables changes (the original listed the UDP 500 rule twice; the second one is meant to be NAT-T on UDP 4500, as the saved ruleset below shows):
# iptables -A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 1701 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 500 -j ACCEPT
# iptables -I INPUT -p udp -m udp -m state --state NEW --dport 4500 -j ACCEPT
# iptables -I INPUT -p esp -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart
Example of the resulting iptables ruleset:
# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [12:720]
:OUTPUT ACCEPT [25:2380]
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
COMMIT
# Completed on Tue Jan 19 06:18:56 2016
# Generated by iptables-save v1.4.7 on Tue Jan 19 06:18:56 2016
*nat
:PREROUTING ACCEPT [55:8845]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.0.133
COMMIT
# Completed on Tue Jan 19 06:18:56 2016
That completes the VPN-Server deployment. Check on the Client that it can now reach the Internet, then dial in from another network to confirm the VPN itself works. Good luck!
If you run into problems, reply below this post.
Related link: www.cnblogs.com/zlyang/p/6073488.html