Mac OS X cannot use OpenVPN out of the box, but it can do L2TP/IPsec or IKEv2, so this post walks through setting up L2TP/IPsec on CentOS 6 with strongSwan and xl2tpd.
Install the EPEL (Extra Packages for Enterprise Linux) repository. Note that the package is fetched over plain HTTP, so verify its GPG signature against the EPEL key before installing it:
[root@localhost ~]# wget http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
[root@localhost ~]# rpm -ivh epel-release-6-8.noarch.rpm
[root@localhost ~]# yum update
Then install strongswan and xl2tpd:
[root@localhost ~]# yum install strongswan xl2tpd
Next, enable packet forwarding: in /etc/sysctl.conf set net.ipv4.ip_forward to 1, then reload the settings with sysctl -p so the change takes effect without a reboot:
[root@localhost ~]# cat /etc/sysctl.conf | more
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
Now configure the IPsec connection, authenticating with a PSK (pre-shared key). keyexchange=ikev1 is required because the L2TP/IPsec client built into OS X speaks IKEv1; type=transport is required because L2TP runs host-to-host inside the SA, and the 17/1701 protoport selectors restrict the SA to L2TP traffic:
[root@localhost ~]# cat /etc/strongswan/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn l2tp
    keyexchange=ikev1
    left=192.168.1.2            # public IP
    leftsubnet=0.0.0.0/0
    leftprotoport=17/1701
    authby=secret
    leftfirewall=no
    right=%any
    rightprotoport=17/%any
    type=transport
    auto=add
Then set the PSK. Every client uses this same key, and anyone who holds it can impersonate the server, so use a long random string rather than a short word, and keep the file readable by root only:
[root@localhost ~]# cat /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "xxxxxxxx"
Next, configure L2TP. xl2tpd.conf uses ; for comments, so the annotations below are written that way:
[root@localhost ~]# cat /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 192.168.1.2                 ; public IP

[lns default]
ip range = 172.30.10.2-172.30.10.254
local ip = 172.30.10.1
require chap = yes
unix authentication = yes                 ; authenticate through PAM
name = LinuxVPNserver                     ; referenced later in the secrets files
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
If PAM authentication is enabled as above, /etc/pam.d/ppp needs:
[root@localhost ~]# cat /etc/pam.d/ppp
#%PAM-1.0
auth     required  pam_nologin.so
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so
Then the pppd part:
[root@localhost ~]# cat /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
login            # check PAP logins against the system password database
Finally, the connection passwords. In chap-secrets, client is the user name, server is the name set in /etc/xl2tpd/xl2tpd.conf, secret is the password and IP addresses is the address to assign (* means any address from the pool). The vpn/vpn pair below is only a placeholder; use a real password, and keep both files readable by root only, since they hold every user's credential in clear text.
[root@localhost ~]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server          secret          IP addresses
vpn             LinuxVPNserver  "vpn"           *
The pap-secrets entry has an empty secret: together with the login option above, this means a PAP login is accepted only if the user name and password check out against the system accounts via PAM.
[root@localhost ~]# cat /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client        server          secret          IP addresses
*               LinuxVPNserver  ""              *
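The three secrets files above hold everything a client needs to get in, so they deserve a check before going live. The script below is an added example and not part of the original post: it parses the ipsec.secrets and pppd secrets formats, flags the placeholder values shown above (an eight-character PSK, a CHAP password equal to the user name, a secrets file readable by other users) and proposes a random replacement PSK. The file contents and the mode bits are constructed copies of the page's files; MIN_PSK_LEN and MIN_PW_LEN are assumed thresholds.

```python
"""Audit the secrets files from the L2TP/IPsec setup above.

Added example, not from the original post: parses the ipsec.secrets and
pppd secrets formats, flags weak values, and proposes a fresh PSK.
File contents and mode bits below are constructed copies of the page's
placeholder files; MIN_PSK_LEN and MIN_PW_LEN are assumptions.
"""
import re
import secrets
import shlex
import stat

IPSEC_SECRETS = '''# ipsec.secrets - strongSwan IPsec secrets file
: PSK "xxxxxxxx"
'''
CHAP_SECRETS = '''# Secrets for authentication using CHAP
# client        server          secret          IP addresses
vpn             LinuxVPNserver  "vpn"           *
'''
PAP_SECRETS = '''# Secrets for authentication using PAP
# client        server          secret          IP addresses
*               LinuxVPNserver  ""              *
'''

MIN_PSK_LEN = 20   # assumption: roughly 120 bits from a 64-symbol alphabet
MIN_PW_LEN = 12    # assumption


def parse_ipsec_secrets(text):
    """Return (selector, kind, secret) tuples; an empty selector means 'any peer'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        selector, rest = line.split(":", 1)
        m = re.match(r'\s*(\w+)\s+"([^"]*)"', rest)
        if m:
            entries.append((selector.strip(), m.group(1).upper(), m.group(2)))
    return entries


def parse_ppp_secrets(text):
    """Return (client, server, secret, addresses) rows from chap-/pap-secrets."""
    rows = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)   # quotes and # handled like pppd
        if len(fields) >= 3:
            rows.append((fields[0], fields[1], fields[2],
                         fields[3] if len(fields) > 3 else ""))
    return rows


def audit_psk(entries):
    findings = []
    for _selector, kind, secret in entries:
        if kind != "PSK":
            continue
        if len(secret) < MIN_PSK_LEN or len(set(secret)) < 8:
            findings.append(f"ipsec.secrets: PSK {secret!r} is too short or repetitive")
    return findings


def audit_ppp(rows, name):
    findings = []
    for client, _server, secret, _addrs in rows:
        if client == "*" and secret:
            findings.append(f"{name}: wildcard client shares one fixed secret")
        elif secret and (secret == client or len(secret) < MIN_PW_LEN):
            findings.append(f"{name}: user {client!r} has a weak secret {secret!r}")
    return findings


def audit_mode(name, mode):
    """Secrets files must not be readable by group or others (want 0600)."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{name}: mode {oct(stat.S_IMODE(mode))} is readable by others"]
    return []


def new_psk(nbytes=32):
    """Replacement PSK: URL-safe base64 of 32 random bytes (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def run_audit():
    findings = []
    findings += audit_psk(parse_ipsec_secrets(IPSEC_SECRETS))
    findings += audit_ppp(parse_ppp_secrets(CHAP_SECRETS), "chap-secrets")
    findings += audit_ppp(parse_ppp_secrets(PAP_SECRETS), "pap-secrets")
    # Constructed st_mode values: ipsec.secrets is 0600, chap-secrets was left at 0644.
    findings += audit_mode("ipsec.secrets", 0o100600)
    findings += audit_mode("chap-secrets", 0o100644)
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print("FAIL", finding)
    print("replacement PSK:", new_psk())
```

The pap-secrets row with the empty secret is deliberately not flagged: an empty secret there is the documented way to defer PAP to the system password database when login is set, so the real check for that path is the strength of the Unix account passwords, which this script cannot see.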
Start the services and enable them at boot:
[root@localhost ~]# service strongswan start
[root@localhost ~]# service xl2tpd start
[root@localhost ~]# chkconfig strongswan on
[root@localhost ~]# chkconfig xl2tpd on
Then adjust iptables. The policy match on UDP 1701 is the important rule: it accepts L2TP only when the packet arrived inside an IPsec SA, so the PPP authentication never crosses the network unencrypted. Note that -A appends each rule at the end of the chain, which on a default CentOS 6 firewall is after the catch-all REJECT rule; the troubleshooting section further down deals with the consequence.
[root@localhost ~]# iptables -A INPUT -p esp -j ACCEPT                    # ESP
[root@localhost ~]# iptables -A INPUT -p ah -j ACCEPT                     # AH
[root@localhost ~]# iptables -A INPUT -p udp --dport 500 -j ACCEPT        # IKE
[root@localhost ~]# iptables -A INPUT -p udp --dport 4500 -j ACCEPT       # NAT-T
[root@localhost ~]# iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT   # L2TP only inside IPsec
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 172.30.10.0/24 -o eth0 -j MASQUERADE   # NAT the VPN pool out through eth0
[root@localhost ~]# /etc/init.d/iptables save
Now test from a Mac: open System Preferences -> Network and click + at the lower left to add a VPN interface.
Server Address is the public IP from above; Account Name is the user.
Then open Authentication Settings and enter the credentials configured above.
After that it should connect (if it does not, read on).
If it cannot connect, check whether the firewall is blocking ports 500 and 4500. In the listing below the VPN rules sit after the catch-all REJECT, so they are never evaluated. The quick fix shown here is to delete that REJECT; be aware that this leaves the INPUT chain with policy ACCEPT and no final deny, so every listening service on the host becomes reachable from anywhere. The safer fix is to keep the REJECT and insert the VPN rules above it (iptables -I INPUT with the REJECT's rule number, 5 in this listing).
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited   # blocks everything below
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           policy match dir in pol ipsec udp dpt:1701
[root@localhost ~]# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited   # delete it
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           policy match dir in pol ipsec udp dpt:1701
[root@localhost ~]# /etc/init.d/iptables save
If the client connects but cannot reach the outside, check whether the FORWARD chain is blocking the traffic. The same caveat applies: deleting the REJECT with policy ACCEPT turns the host into a router for any traffic it receives, not just the VPN pool. Prefer to keep the REJECT and insert, above it, an ACCEPT for packets from 172.30.10.0/24 plus a RELATED,ESTABLISHED rule for the replies.
[root@localhost ~]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
[root@localhost ~]# iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@localhost ~]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
[root@localhost ~]# /etc/init.d/iptables save