
xl2tp redhat8

#######
例子

################# snat原理:https://blog.csdn.net/jk110333/article/details/8229828


aws:
eth0:172.31.33.238

ppp0:192.168.3.99---------172.17.0.13


tx:
eth0: 172.17.0.13

ppp0: 172.17.0.13-------- 192.168.3.99

ppp1:192.168.2.99---------192.168.2.128

手机 192.168.2.128

tx:
# On "tx": masquerade the phone's network (192.168.2.0/24, reached over ppp1,
# see the topology above) as it leaves through ppp0, the tunnel towards aws.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24  -o ppp0  -j MASQUERADE

# Send everything else into the tunnel as well (no `route del default` first,
# unlike startv.sh below — presumably there is no default route yet on tx).
route add default dev ppp0



#iptables -t nat -A POSTROUTING -s 192.168.3.0/24  -o ppp1  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o ppp0  -j MASQUERADE


#iptables -t nat -A POSTROUTING -s 192.168.2.0/20  -o ppp0  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.3.0/24  -o ppp0  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o eth0  -j MASQUERADE

aws:
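# On "aws": masquerade the tunnel-side network 172.17.0.0/24 (the tx side of
# ppp0 in the topology above) as it leaves through eth0, the instance's real
# interface, so traffic from tx and the phone can reach the outside.
# Fixed the target name: "MASQUERAD" is not an iptables target and the rule
# is rejected as written.
iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o eth0  -j MASQUERADE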


#route add -net  223.104.3.0 netmask 255.255.255.0 dev eth0
#route add 223.104.3.157  gw 172.17.0.1 eth0







###########
2020-04-04在60上连这台的脚本
startv.sh
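#!/bin/sh
# startv.sh — bring up the "testvpn" L2TP tunnel and route all traffic over it.
# Must run as root (writes the xl2tpd control FIFO and edits the routing table).
# Services the tunnel depends on; left commented out as in the original.
#systemctl start NetworkManager
#systemctl start firewalld
#systemctl start ipsec
#systemctl start xl2tpd

#route add 118.25.212.122 gw 172.17.0.1 eth0
#route add 212.129.249.212 gw 172.17.0.1 eth0
#route add 13.114.212.191 gw 172.17.0.1 eth0

control=/var/run/xl2tpd/l2tp-control

# Refuse to continue if the control FIFO is missing (xl2tpd not running):
# the redirect would otherwise create a plain file there and nothing would
# ever read the command.
if [ ! -p "$control" ]; then
  echo "xl2tpd control FIFO $control not found; is xl2tpd running?" >&2
  exit 1
fi

echo 'c testvpn' > "$control"

# Wait (up to ~30 s) for ppp0 to exist before touching the default route.
# The original replaced the default route right away, which leaves the host
# unreachable (including the SSH session) whenever the tunnel fails to come up.
n=0
while ! ip link show ppp0 >/dev/null 2>&1; do
  n=$((n + 1))
  if [ "$n" -ge 30 ]; then
    echo "ppp0 did not come up; keeping the existing default route" >&2
    exit 1
  fi
  sleep 1
done

route del default
route add default dev ppp0

# To tear the tunnel down and restore the direct default route:
#echo 'd testvpn' > /var/run/xl2tpd/l2tp-control
#route del default
#route add default dev eth0

#/etc/resolv.conf
#cp /root/back_config/resolv.conf.8 /etc/resolv.conf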

checkppp0.sh
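#!/bin/sh
# checkppp0.sh — watchdog: (re)connect the "testvpn" L2TP tunnel when ppp0 is
# missing and make sure the default route points at it. Must run as root.

control=/var/run/xl2tpd/l2tp-control

# `ip link show ppp0` succeeds only when that exact interface exists; the
# original `ifconfig | grep ppp0` also matched any other line mentioning ppp0.
if ! ip link show ppp0 >/dev/null 2>&1; then
	a="will start vpn"
	echo 'c testvpn' > "$control"
	sleep 5
	#route del default
	# Only touch the routing table once the interface really exists; the
	# original added the route blindly and `route add` failed when it did not.
	if ip link show ppp0 >/dev/null 2>&1; then
		ip link set ppp0 up
		/usr/sbin/route add default dev ppp0
		# Marker file; its consumer is not shown on this page.
		touch /opt/c
	else
		a="vpn did not come up"
	fi
else
	ip link set ppp0 up
	/usr/sbin/route add default dev ppp0
	a="noting to do"
fi
/usr/sbin/ifconfig ppp0

# printf instead of an unquoted echo so the status text is printed verbatim.
printf '%s\n' "$a"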


2019-12-10 新建aws redhat8

主要内容:
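#!/bin/sh
# Start the L2TP/IPsec server on the AWS RHEL 8 host. Must run as root.
# One-time setup steps are kept commented out below, as in the original.
#cat /proc/sys/net/ipv4/ip_forward
#for each in /proc/sys/net/ipv4/conf/*
#do
#    echo 0 > $each/accept_redirects
#    echo 0 > $each/send_redirects
#done

#firewall-cmd --permanent --add-service=ipsec
#firewall-cmd --permanent --add-port=1701/udp
#firewall-cmd --permanent --add-port=4500/udp
#firewall-cmd --permanent --add-masquerade
#firewall-cmd --reload

#iptables -t nat -A POSTROUTING -s 172.31.37.0/24  -o eth0  -j MASQUERADE

# Where xl2tpd's foreground output goes. Override with XL2TPD_LOG=...; the
# default path is a constructed one, adjust to taste.
log=${XL2TPD_LOG:-/var/log/xl2tpd-debug.log}

# The L2TP tunnel is meant to run inside IPsec (l2tp-ipsec.conf below), so do
# not bring up xl2tpd on its own when ipsec fails to start.
systemctl start ipsec || { echo 'failed to start ipsec' >&2; exit 1; }

# xl2tpd runs in the foreground (-D) because its systemd unit misbehaves on
# this host (see the note below). Its startup errors used to be discarded by
# `> /dev/null`; keep them in a log file so failures can be diagnosed.
xl2tpd -D >> "$log" 2>&1 &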

注意:xl2tpd 用 systemctl 启动有问题,所以直接执行 xl2tpd -D
安装:
# Enable EPEL first (libreswan/xl2tpd presumably come from there), then the packages.
# NOTE(review): the release RPM is installed straight from a URL — confirm dnf
# verifies its signature rather than installing it unchecked.
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum install firewalld
dnf install screen
# libreswan provides the `ipsec` command used below; NetworkManager-l2tp is
# presumably only needed if this host also acts as a client.
dnf install libreswan xl2tpd  NetworkManager-l2tp -y


libreswan 中有ipsec

sysctl -p /etc/sysctl.conf
# Loaded with `sysctl -p /etc/sysctl.conf`. Forwarding is required so the host
# can route client traffic (see the MASQUERADE rules on this page).
net.ipv4.ip_forward = 1
# ICMP redirects are neither accepted nor sent, on every interface below.
net.ipv4.conf.all.accept_redirects = 0
# NOTE(review): rp_filter = 0 switches reverse-path filtering off. That is what
# the referenced L2TP/IPsec guide presumably asks for, but it also removes the
# kernel's check against spoofed source addresses on eth0 — confirm it is needed.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0


systemctl start ipsec

#systemctl start xl2tpd
可能有问题
https://github.com/hwdsl2/setup-ipsec-vpn/issues/506
xl2tpd -D > /dev/null 2>&1 &


要修改的几个配置文件
vim /etc/xl2tpd/xl2tpd.conf 注意 [global] 下面加了 ipsec saref = no 和 force userspace = yes
其他默认

[global]
; The only two keys changed from the stock file (see the note above).
ipsec saref = no
force userspace = yes

[lns default]
; Addresses handed out to clients, and the server's own address on the PPP link.
ip range = 192.168.1.100-192.168.1.150
local ip = 192.168.1.1
; Clients must authenticate with CHAP; PAP (password sent in clear) is refused.
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
; Verbose PPP logging — handy while debugging, presumably noisy in /var/log/messages.
ppp debug = yes
; pppd options applied to every session (file shown below).
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

vim  /etc/ppp/options.xl2tpd
# pppd options for every L2TP session (pppoptfile in xl2tpd.conf above).
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients (Google public DNS).
ms-dns  8.8.8.8
name xl2tpd
# Require the peer to authenticate (secrets in /etc/ppp/chap-secrets below).
auth
# Drop the link after 1800 s (30 min) without traffic.
idle 1800
mtu 1410
mru 1410
# Never let a client's PPP link replace the server's own default route.
nodefaultroute
debug
proxyarp
connect-delay 5000


vim /etc/ipsec.d/l2tp-ipsec.conf
这个是新加的
# NAT-traversal variant: accepts clients from any address and inherits the
# rest of its settings from L2TP-PSK-noNAT below via `also=`.
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    # Dead-peer detection: probe every 10 s, give up after 20 s of silence
    # and clear the SA.
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    # NOTE: the log excerpt further down reports this keyword as obsolete
    # and ignored, so it has no effect on this libreswan version.
    forceencaps=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    # Pre-shared key, taken from /etc/ipsec.d/default.secrets below.
    authby=secret
    # NOTE(review): pfs=no disables perfect forward secrecy for the child SA;
    # common for L2TP clients but weaker than pfs=yes — confirm it is required.
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # The instance's private address (see the note below); the public IP is
    # presumably NATed to it.
    left=172.31.37.13
    # Protocol 17 = UDP, port 1701 = L2TP (same port opened in firewall-cmd above).
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any


注意left是内网ip 172.31.37.13 还要设置转发
iptables -t nat -A POSTROUTING -s 172.31.37.0/24  -o eth0  -j MASQUERADE 


vim /etc/ppp/chap-secrets
[root@rbredhat8 ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client	server	secret			IP addresses
# Single entry: user "root" against any server ("*") with the secret shown;
# the trailing "*" presumably leaves address assignment to the `ip range`
# in xl2tpd.conf — confirm. The secret is stored in clear text, so keep this
# file readable by root only.
root	*	密码!	*



vim /etc/ipsec.d/default.secrets
# IPsec pre-shared key. With no selector before the ":" it presumably applies
# to every peer (right=%any above), i.e. all clients share this one secret.
: PSK "密码!"




检查
ipsec verify
看是否ok
tail -f /var/log/messages

Sep 22 09:11:47 awsrb libipsecconf[11344]: Warning: obsolete keyword 'forceencaps' ignored
vim /etc/ipsec.d/l2tp-ipsec.conf

# On the server: confirm something is bound to the L2TP port.
lsof -i:1701

# From outside: UDP probe of the server's public address. A silent result
# does not prove the service is reachable — UDP gives no handshake — it only
# shows that nothing answered with an ICMP unreachable.
nc -vuz 13.231.219.45  1701

telnet 测不了 udp,所以用 nc -u

systemctl start ipsec
systemctl start xl2tpd

排错时直接运行 xl2tpd -D 看报错信息,不要加 > /dev/null 2>&1


























