一、苹果升级IOS10后无法使用pptp
L2TP相比PPTP是另外一种隧道协议方式,部分网络下PPTP无法连接,可以尝试L2TP,一般而言在PC上,两者使用体验没什么不同,技术原理上的不同请参照这里.建议PC电脑上优先使用PPTP,无法使用可以尝试L2TP,移动端推荐使用L2TP;
二、部署IPSec
- 安装必备依赖包
yum install make gcc gmp-devel bison flex lsof
- 安装Openswan
wget https://download.openswan.org/openswan/old/openswan-2.6/openswan-2.6.38.tar.gz
tar -zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install
- 编辑配置文件/etc/ipsec.conf,将protostack=auto,修改为:protostack=netkey,并在最后追加以下内容
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=10.144.67.116
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=40
dpdtimeout=130
dpdaction=clear
leftnexthop=%defaultroute
rightnexthop=%defaultroute
设置共享密钥PSK 编辑配置文件/etc/ipsec.secrets
10.144.67.116 %any: PSK "redhat"
修改包转发设置
for a in /proc/sys/net/ipv4/conf/*; do
echo 0 > $a/accept_redirects;
echo 0 > $a/send_redirects;
done
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
- 重启IPSec
service ipsec restart
- 查看系统IPSec安装和启动的正确性
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K2.6.32-504.30.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
一般情况下没有报[FAILED]就可以了。但是如果转发已经确认配置了.
三、部署L2TP(使用xl2tpd和rp-l2tp) xl2tpd最新版已经包含了l2tp-control,rp-l2tp可不需要安装。
- 安装依赖软件
yum install libpcap-devel ppp policycoreutils
- 安装xl2tpd和rp-l2tp
wget http://sourceforge.net/projects/rp-l2tp/files/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar -zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
- 安装xl2tpd
wget https://download.openswan.org/xl2tpd/xl2tpd-1.3.0.tar.gz
tar zxf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
make && make install
- 建立xl2tpd配置文件
mkdir /etc/xl2tpd
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
ipsec saref = yes
[lns default]
ip range = 10.82.88.2-10.82.88.254
local ip = 10.82.88.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
- 配置ppp 建立options.xl2tpd文件
cat > /etc/ppp/options.xl2tpd <<EOF
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF
- 设置拨号用户名和密码
echo "username l2tpd password *" > /etc/ppp/chap-secrets
- 最后添加iptables转发规则并保存重启
#NAT链路
# 使内网可以访问内网
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# 公网可以访问内网
-A POSTROUTING -d x.x.x.x -o eth1 -j MASQUERADE
#补充filter链路
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [858:163878]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p gre -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -s 192.168.5.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
service iptabls save
- 以debug方式启动l2tp,查看有无错误
xl2tpd -D
如果可以正常连接请ctrl+c退出,再直接后台启动
xl2tpd
- 默认不支持service启动和重启,需要的话,我们添加一个启动脚本
/etc/init.d/xl2tpd
#!/bin/sh
#
# xl2tpd This shell script takes care of starting and stopping l2tpd.
#
# chkconfig: - 80 30
# de script ion: Layer 2 Tunnelling Protocol Daemon (RFC 2661)
#
# processname: xl2tpd
# config: /etc/xl2tpd/xl2tpd.conf
# pidfile: /var/run/xl2tpd.pid
#Servicename
SERVICE=xl2tpd
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
[ -x /usr/local/sbin/$SERVICE ] || exit 0
RETVAL=0
start() {
echo -n "Starting $SERVICE: "
if [ ! -d /var/run/xl2tpd ]
then
mkdir /var/run/xl2tpd
fi
daemon /usr/local/sbin/$SERVICE
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE
echo ""
return $RETVAL
}
stop() {
echo -n "Stopping $SERVICE: "
killproc $SERVICE
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$SERVICE
return $RETVAL
}
restart() {
stop
start
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $SERVICE
RETVAL=$?
;;
restart|reload)
restart
;;
condrestart)
[ -f /var/lock/subsys/$SERVICE ] && restart || :
;;
*)
echo "Usage: $SERVICE {start|stop|status|restart|reload|condrestart}"
exit 1
esac
- 添加到系统并设置开机启动
chmod +x /etc/init.d/xl2tpd
chkconfig --add /etc/init.d/xl2tpd
chkconfig xl2tpd on
service xl2tpd start|stop|restart|status
- 检查端口是否正常启动
netstat -an|grep 1701
udp 0 0 0.0.0.0:1701 0.0.0.0:*