

Using IPsec/L2TP as a proxy for internet access

Published: 2023/12/18 · Programming Q&A · 31 · 豆豆

System: CentOS 6.9. Advantage: Windows, macOS, Linux, iPhone and Android devices can all use this protocol to route their internet access through the server.


Install the software:
———————————————————————————————————————————————————————
Run:
yum install -y xl2tpd libreswan
The official CentOS 7 repositories do not carry xl2tpd; add the EPEL repository first:
yum install -y epel-release

Edit the IPsec configuration file:
———————————————————————————————————————————————————————
Run:
vim /etc/ipsec.conf

Content:
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    #       an unusual location.
    #logfile=/var/log/pluto.log
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    #  private".
    # Note: "crypt" is not included with "all", as it can show confidential
    #       information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    #       unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least upto 2015)
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
#include /etc/ipsec.d/*.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
    left=%eth2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes    # this must be enabled, otherwise clients behind NAT cannot get online


Set the PSK (pre-shared key):
———————————————————————————————————————————————————————
Run:
vim /etc/ipsec.secrets

Content:
#include /etc/ipsec.d/*.secrets
<public IP here> %any : PSK "<key here>"

For example:
#include /etc/ipsec.d/*.secrets
192.168.1.2 %any : PSK "123456"


Enable IP forwarding:
———————————————————————————————————————————————————————
Run:
vim /etc/sysctl.conf

Change the following two entries:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

Run:
sysctl -p



Start and test IPsec:
———————————————————————————————————————————————————————
Run:
service ipsec start
ipsec verify
Running ipsec verify returns output like the following. If nothing is reported as an error, the setup is fine; if there is an error, search for it on Baidu.

Verifying installed system and configuration files

Version check and ipsec on-path                          [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.23.1.el6.x86_64
Checking for IPsec support in kernel                     [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                     [OK]
         ICMP default/accept_redirects                   [OK]
         XFRM larval drop                                [OK]
Pluto ipsec.conf syntax                                  [OK]
Hardware random device                                   [N/A]
Two or more interfaces found, checking IP forwarding     [OK]
Checking rp_filter                                       [OK]
Checking that pluto is running                           [OK]
 Pluto listening for IKE on udp 500                      [OK]
 Pluto listening for IKE/NAT-T on udp 4500               [OK]
 Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                    [OK]
Checking 'iptables' command                              [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                 [DISABLED]


?
Configure /etc/xl2tpd/xl2tpd.conf
———————————————————————————————————————————————————————
Run:
vim /etc/xl2tpd/xl2tpd.conf
Modify the content as follows:
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
ipsec saref = yes
listen-addr = 192.168.1.2    ; the public IP goes here
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 100.64.0.100-100.64.0.200    ; the internal address range handed out to clients
local ip = 100.64.0.1    ; the address assigned to the server
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes



Configure /etc/ppp/options.xl2tpd
———————————————————————————————————————————————————————
Run:
vim /etc/ppp/options.xl2tpd

Modify the content as follows:
ipcp-accept-local
ipcp-accept-remote
ms-dns  114.114.114.114    # the DNS server address goes here
require-mschap-v2
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noauth
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html




Add L2TP users
———————————————————————————————————————————————————————
Run:
vim /etc/ppp/chap-secrets
Modify the content as follows:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
admin * admin *
# Format: username <space> server name <space> password <space> IP address (* matches any)
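The two secrets files above are the only credentials protecting this server, and the tutorial's samples (PSK "123456", user admin with password admin) are exactly what an audit should catch. The following Python is an added example, not part of the original tutorial: it parses ipsec.secrets lines in the quoted `PSK "..."` form and chap-secrets lines in the four-column form shown above, and reports weak secrets. The sample inputs are constructed from the tutorial's examples and the 16-character minimum is an assumed policy value.

```python
import re

# Constructed samples mirroring the tutorial's two secrets files (not real credentials).
IPSEC_SECRETS = '''#include /etc/ipsec.d/*.secrets
192.168.1.2 %any : PSK "123456"
'''
CHAP_SECRETS = '''# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
admin * admin *
'''

MIN_LEN = 16  # assumed policy minimum; not from the tutorial

def _lines(text):
    """Yield non-empty, non-comment lines (comments start with '#')."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            yield s

def parse_psk_lines(text):
    """(selector, psk) pairs from lines like: <ip> %any : PSK "secret"."""
    pairs = []
    for s in _lines(text):
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"', s)
        if m:
            pairs.append((m.group(1).strip(), m.group(2)))
    return pairs

def parse_chap_lines(text):
    """(client, server, secret, ip) tuples from chap-secrets lines."""
    return [tuple(s.split()[:4]) for s in _lines(text) if len(s.split()) >= 4]

def weak_reasons(secret, username=None):
    reasons = []
    if len(secret) < MIN_LEN:
        reasons.append("too short")
    if secret.isdigit():
        reasons.append("digits only")
    if username and secret.lower() == username.lower():
        reasons.append("equals username")
    return reasons

def audit(ipsec_text, chap_text):
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    for selector, psk in parse_psk_lines(ipsec_text):
        findings += [f"ipsec.secrets {selector}: PSK {r}" for r in weak_reasons(psk)]
    for client, _server, secret, _ip in parse_chap_lines(chap_text):
        findings += [f"chap-secrets {client}: password {r}" for r in weak_reasons(secret, client)]
    return findings
```

Run it against the real files after confirming they are readable only by root; both files hold plaintext secrets.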


Start xl2tpd
———————————————————————————————————————————————————————
Run:
service xl2tpd start


Configure the firewall:
———————————————————————————————————————————————————————
Edit the firewall configuration:
vi /etc/sysconfig/iptables
The following is for reference only; beginners should not copy it verbatim:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:100]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 100.64.0.0/24 -j ACCEPT
-A FORWARD -s 100.64.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 30 10:36:16 2018
# Generated by iptables-save v1.4.7 on Fri Mar 30 10:36:16 2018
*nat
:PREROUTING ACCEPT [831320:68105743]
:POSTROUTING ACCEPT [1350:80883]
:OUTPUT ACCEPT [1350:80883]
-A POSTROUTING -s 100.64.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Mar 30 10:36:16 2018

Note that the INPUT chain accepts AH (-p ah) but not ESP; clients still connect because forceencaps=yes in ipsec.conf carries ESP inside UDP 4500. UDP 1701 is also accepted from anywhere, so xl2tpd is reachable without the IPsec layer; limiting that rule to IPsec-protected packets (iptables' policy match, -m policy --dir in --pol ipsec) is a common hardening step.

Restart the firewall:
service iptables restart
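The client pool in xl2tpd.conf (ip range), the %v4:! exclusion in virtual_private in ipsec.conf, and the FORWARD and MASQUERADE rules above all have to describe the same network, and a mismatch in any one of them breaks client internet access silently. This added Python check (example code, not from the original tutorial) reads the three fragments and reports which file disagrees; the fragments are constructed from the configs shown on this page.

```python
import ipaddress
import re

# Constructed fragments mirroring the three files edited in this tutorial.
XL2TPD_CONF = """[lns default]
ip range = 100.64.0.100-100.64.0.200
local ip = 100.64.0.1
"""
IPSEC_CONF = ("virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,"
              "%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24\n")
IPTABLES_RULES = """-A FORWARD -d 100.64.0.0/24 -j ACCEPT
-A FORWARD -s 100.64.0.0/24 -j ACCEPT
-A POSTROUTING -s 100.64.0.0/24 -o eth1 -j MASQUERADE
"""

def client_pool(xl2tpd_text):
    """First and last address of the xl2tpd 'ip range' line."""
    m = re.search(r"^\s*ip range\s*=\s*(\S+)-(\S+)", xl2tpd_text, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def virtual_private_exclusions(ipsec_text):
    """Networks listed as %v4:!a.b.c.d/n in virtual_private (server-side nets)."""
    m = re.search(r"virtual_private\s*=\s*(\S+)", ipsec_text)
    return [ipaddress.ip_network(t[5:]) for t in m.group(1).split(",")
            if t.startswith("%v4:!")]

def rule_source_nets(rules_text, chain, target):
    """Source networks of '-A <chain> -s <net> ... -j <target>' rules."""
    pat = rf"^-A {chain} -s (\S+) .*-j {target}\b"
    return [ipaddress.ip_network(n) for n in re.findall(pat, rules_text, re.M)]

def covers(nets, first, last):
    """True if one network contains the whole first..last pool."""
    return any(first in n and last in n for n in nets)

def check_pool_consistency(xl2tpd_text, ipsec_text, rules_text):
    """Return mismatches between the three files; an empty list means consistent."""
    first, last = client_pool(xl2tpd_text)
    problems = []
    if not covers(virtual_private_exclusions(ipsec_text), first, last):
        problems.append("pool not excluded from virtual_private with %v4:!")
    if not covers(rule_source_nets(rules_text, "FORWARD", "ACCEPT"), first, last):
        problems.append("no FORWARD ACCEPT rule for the pool")
    if not covers(rule_source_nets(rules_text, "POSTROUTING", "MASQUERADE"), first, last):
        problems.append("no MASQUERADE rule for the pool")
    return problems
```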


Enable start at boot
———————————————————————————————————————————————————————
Run:
chkconfig xl2tpd on
chkconfig ipsec on




Fixing Windows 7 clients that cannot connect:
———————————————————————————————————————————————————————
Add two registry entries:

Delete the ProhibitIpSec value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters (if it does not exist, create a 32-bit DWORD value set to 1).

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent add AssumeUDPEncapsulationContextOnSendRule (32-bit DWORD value set to 2).

Reposted from: 愛種樹的熊

https://blog.csdn.net/XZS1097035329/article/details/79821354
