2016年12月2日 星期五

CentOS 架 L2TP/IPsec VPN


Mac OS X預設是無法用OpenVPN,不過能用L2TP/IPsec或IKEv2,這篇就來講怎麼在CentOS 6上架設L2TP/IPsec。





安裝EPEL(Extra Packages for Enterprise Linux)套件庫:
[root@localhost ~]# wget http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
[root@localhost ~]# rpm -ivh epel-release-6-8.noarch.rpm 
[root@localhost ~]# yum update


接著安裝strongswan和xl2tpd:
[root@localhost ~]# yum install strongswan xl2tpd


接著打開封包轉送,到/etc/sysctl.conf把net.ipv4.ip_forward改成1:
[root@localhost ~]# cat /etc/sysctl.conf|more
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p


然後設定IPsec連線,用PSK(pre-shared key)方式驗證。
[root@localhost ~]# cat /etc/strongswan/ipsec.conf
config setup
 
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
 
conn l2tp
        keyexchange=ikev1 
        left=192.168.1.2  # 對外IP
        leftsubnet=0.0.0.0/0
        leftprotoport=17/1701
        authby=secret
        leftfirewall=no
        right=%any
        rightprotoport=17/%any
        type=transport
        auto=add


然後設定PSK。下面的"xxxxxxxx"只是佔位符,因為right=%any,這把PSK會被所有client共用,實際請換成夠長的隨機字串。
[root@localhost ~]# cat /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "xxxxxxxx"


再來設定L2TP。
[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 192.168.1.2 # 對外IP

[lns default]
ip range = 172.30.10.2-172.30.10.254
local ip = 172.30.10.1
require chap = yes
unix authentication = yes ; 使用pam驗證
name = LinuxVPNserver ; 後面會用到
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


如果上面使用了pam驗證:
[root@localhost ~]# cat /etc/pam.d/ppp
#%PAM-1.0
auth    required        pam_nologin.so
auth    required        pam_unix.so
account required        pam_unix.so
session required        pam_unix.so


然後是ppp部分:
[root@localhost ~]# cat /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
login # 透過PAP使用系統密碼驗證


最後就是連線密碼(chap部分):client是帳號,server是上面/etc/xl2tpd/xl2tpd.conf的name,secret是密碼,IP addresses是分配的ip地址。範例中帳號和密碼都是"vpn",只是示範,實際請用強密碼。
[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server         secret  IP addresses
  vpn    LinuxVPNserver "vpn"   *

[root@localhost ~]# cat /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client server         secret   IP addresses
  *      LinuxVPNserver ""       *


啟動service,並設定開機自動啟動。
[root@localhost ~]# service strongswan start
[root@localhost ~]# service xl2tpd start
[root@localhost ~]# chkconfig strongswan on
[root@localhost ~]# chkconfig xl2tpd on


然後修改iptables。
[root@localhost ~]# iptables -A INPUT -p esp -j ACCEPT # ESP
[root@localhost ~]# iptables -A INPUT -p ah -j ACCEPT # AH
[root@localhost ~]# iptables -A INPUT -p udp --dport 500 -j ACCEPT # IKE
[root@localhost ~]# iptables -A INPUT -p udp --dport 4500 -j ACCEPT # NAT-T
[root@localhost ~]# iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT # 強制l2tp透過ipsec存取
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 172.30.10.0/24 -o eth0 -j MASQUERADE # 轉送VPN流量
[root@localhost ~]# /etc/init.d/iptables save


接著來測試在mac上能不能連線,系統偏好設定->網路,左下角新增。

伺服器地址填剛剛的對外IP,帳號填上面設定的帳號。

再點進階,填入剛剛的認證方式。

完成後就可以連線了(如果沒辦法連線請繼續往下看)。



如果沒辦法連線,看看防火牆有沒有擋掉port 500、4500。注意下面的做法是把預設的REJECT規則整條刪掉,而INPUT chain的policy是ACCEPT,等於之後所有沒被明確規則比對到的封包都會放進來;比較保守的做法是用iptables -I INPUT把上面的VPN規則插在REJECT之前,而不是刪掉REJECT。

[root@localhost ~]# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited # 擋掉了
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           policy match dir in pol ipsec udp dpt:1701 
[root@localhost ~]# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited # 刪掉
[root@localhost ~]# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           policy match dir in pol ipsec udp dpt:1701 
[root@localhost ~]# /etc/init.d/iptables save


然後如果無法對外連線,檢查看看FORWARD chain有沒有擋掉。同樣地,刪掉REJECT之後FORWARD的policy是ACCEPT,這台機器會轉送任何來源的封包,不只VPN的流量;比較保守的做法是只放行-s 172.30.10.0/24的轉送並保留REJECT。
[root@localhost ~]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
[root@localhost ~]# iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@localhost ~]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination 
[root@localhost ~]# /etc/init.d/iptables save

