注意,底下所有指令都用root身分執行,所以就不再打sudo了!
1.系統部分
首先安裝必要套件:
- apt-get install strongswan xl2tpd ppp lsof
再來設定轉發相關(打指令,可全部複製貼上):
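# Kernel settings for a routing VPN server, appended once (guarded by the
# marker line) so that re-running this step does not pile up duplicate
# entries in /etc/sysctl.conf as repeated "tee -a" calls would.
# Both "all" and "default" are set for each knob: "default" only seeds
# interfaces created later (the ppp* links), "all" covers those that exist now.
grep -q '^# L2TP/IPsec VPN settings' /etc/sysctl.conf || cat >>/etc/sysctl.conf <<'EOF'
# L2TP/IPsec VPN settings
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Strict reverse-path filtering (anti-spoofing). The kernel applies the larger
# of conf/all and conf/<interface>, and most distributions already set "all"
# to 1 under /etc/sysctl.d, so the "default.rp_filter = 0" line found in older
# L2TP guides never took effect anyway; the firewall script in this guide also
# sets 1 on every interface. If the tunnel comes up but no traffic flows and
# log_martians reports drops on ppp*, relax both lines to 2 (loose) first.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
sysctl -p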
2.IPSec部分
接著要來設定strongswan,編輯 /etc/ipsec.conf:
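# /etc/ipsec.conf - strongSWAN side of the L2TP/IPsec server.
# Comments are kept on their own lines: a trailing "# ..." after a value is
# not accepted by every strongSWAN release.

config setup
    # Windows clients identify themselves by their own (often private, behind
    # NAT) IP address, so two unrelated clients can present the same identity.
    # With the default uniqueids=yes the newer one would tear the older down.
    uniqueids=no

conn L2TP-PSK-noNAT
    # Windows L2TP/IPsec speaks IKEv1 only; say so instead of relying on the
    # "accept either" default.
    keyexchange=ikev1
    # shared secret from /etc/ipsec.secrets; use rsasig for certificates
    authby=secret
    # load the conn at start-up and wait for clients to initiate
    auto=add
    # give up after 3 negotiation attempts
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    # IKE proposals, strongest first; a client only gets a suite it also
    # offers. The modp1024 / SHA1 / 3DES entries are what this guide's
    # original list relied on and what Windows 7 clients are known to accept;
    # drop them once every client is newer. The charon log shows what your
    # clients really propose - check it before trimming.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    # ESP proposals are spelled out because strongSWAN's built-in default has
    # changed across releases and newer defaults no longer include the SHA1
    # suites that Windows clients propose, which makes quick mode fail.
    esp=aes256-sha1,aes128-sha1,3des-sha1
    # transport mode: L2TP is the tunnel, IPsec only protects the UDP 1701 flow
    type=transport
    # replace with the VPN server's real public IP
    left=1.2.3.4
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Dead Peer Detection (RFC 3706): poll every 10 s, declare the peer dead
    # after 20 s without an R_U_THERE / R_U_THERE_ACK, then clear its SAs so
    # the slot is reusable
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear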
再來修改預先共用金鑰 (PSK)，編輯 /etc/ipsec.secrets，將 PASSWORD 改成你要的密碼。注意這把 PSK 是所有 client 共用的，拿到它的人就能冒充 VPN server，所以請用夠長的隨機字串（例如 `openssl rand -base64 32` 產生），並確認檔案權限為 600（`chmod 600 /etc/ipsec.secrets`）：
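# /etc/ipsec.secrets - shared secrets or RSA private keys for authentication.
# Keep this file mode 600, owned by root: it holds the VPN's only IPsec
# credential.
#
# IKEv1 main mode cannot choose a secret by client identity, so one PSK is
# necessarily shared by every client, and anyone holding it can impersonate
# the server to the clients. Replace PASSWORD below (keep the double quotes)
# with a long random value, e.g. the output of
#   openssl rand -base64 32
# and rotate it when a client device is lost. Per-client credentials need
# certificates (authby=rsasig in ipsec.conf).
%any : PSK "PASSWORD"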
3.L2TP部分
編輯 /etc/xl2tpd/xl2tpd.conf:
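[global]
; SAref tracking needs the Openswan/Libreswan KLIPS kernel patch. strongSWAN
; uses the stock in-kernel IPsec stack, where the option cannot work and
; typically only shows up as setsockopt errors in syslog, so it is off here.
ipsec saref = no
; harmless with saref off; kept in case the line above is ever switched back
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
; Addresses handed to clients. They are proxy-ARPed onto the LAN of
; "local ip" (see options.xl2tpd), so if that LAN runs DHCP keep this pool
; outside the DHCP range.
ip range = 192.168.1.x-192.168.1.y
; the VPN server's own internal address, used as the server end of each link
local ip = 192.168.1.z
; CHAP (MS-CHAPv2, enforced in options.xl2tpd) is mandatory, PAP is refused
require chap = yes
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
; include the length field in L2TP data packets
length bit = yes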
再來編輯 /etc/ppp/options.xl2tpd:
# /etc/ppp/options.xl2tpd - pppd options applied to every L2TP session.
# MS-CHAPv2 is not strong on its own; it is protected only by the outer
# IPsec transport SA, so the quality of the IPsec PSK is what really
# guards the PPP login.

# --- authentication ----------------------------------------------------
# This end is "l2tpd", which must equal the 2nd column of
# /etc/ppp/chap-secrets; the client must answer MS-CHAPv2.
auth
require-mschap-v2
name l2tpd
hide-password

# --- addressing --------------------------------------------------------
# DNS servers pushed to clients (Google's; change if you run a resolver
# on the VPN server itself). proxyarp answers ARP for client addresses
# on the LAN of "local ip" from xl2tpd.conf.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp

# --- link --------------------------------------------------------------
# Small MTU/MRU leave room for the L2TP, UDP and ESP headers. crtscts and
# modem are serial-line options inherited from the upstream template.
mtu 1200
mru 1000
crtscts
modem

# --- liveness ----------------------------------------------------------
# drop the session after 4 unanswered LCP echoes sent 30 s apart
lcp-echo-interval 30
lcp-echo-failure 4
增加使用者，編輯 /etc/ppp/chap-secrets（此檔案存的是明文密碼，請確認權限為 600、擁有者為 root）：
# /etc/ppp/chap-secrets - PPP accounts for the VPN (CHAP / MS-CHAPv2).
# Passwords are stored in clear text: keep this file mode 600, owned by root.
#
# Columns: client  server  secret  IP-addresses
#   client : the VPN user name
#   server : must equal the "name" set in /etc/ppp/options.xl2tpd (l2tpd)
#   secret : the user's password; wrap it in double quotes if it contains
#            spaces or '#'
#   IP     : "*" lets the client take any address from the xl2tpd pool
username l2tpd PASSWORD *
別忘了 server 欄位要填 l2tpd，必須和 /etc/ppp/options.xl2tpd 裡的 `name l2tpd` 一致，否則 pppd 找不到對應的帳號而拒絕登入。
到這邊就設定完成了,可重啟服務:
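# Restart both daemons so the new configuration is picked up.
# "ipsec restart" already re-reads ipsec.conf and ipsec.secrets, so the
# separate "ipsec update" / "ipsec reload" steps are redundant and dropped.
ipsec restart
service xl2tpd restart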
設定防火牆，並開放 NAT 功能，讓連進來的 client 也可連上網路，請參考底下（來源：鳥哥）。注意：這組規則只處理 IPv4，若主機有公開的 IPv6 位址需另外用 ip6tables 設定；另外 INPUT 預設為 DROP，沒有在 iptables.services 開放的服務（包含 SSH）從外部都會連不進來：
- mkdir -p /usr/local/virus/iptables
- vim /usr/local/virus/iptables/iptables.rule
- ################## 增加底下 ###################
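#!/bin/bash
# /usr/local/virus/iptables/iptables.rule
# Host firewall + NAT for the L2TP/IPsec VPN server; run as root from
# /etc/rc.local at boot. Derived from the 鳥哥 (VBird) template with these
# changes:
#   * FORWARD defaults to DROP; only VPN (ppp+) and LAN traffic is forwarded.
#   * NAT no longer depends on a second NIC, so VPN clients reach the
#     Internet on a single-NIC host as well.
#   * TCP MSS is clamped on forwarded SYNs so the 1200-byte ppp MTU does not
#     stall large transfers.
#   * Unused FTP/IRC conntrack ALG helpers are no longer loaded.
# IPv4 only: if $EXTIF carries a public IPv6 address, apply an equivalent
# ip6tables policy (or disable IPv6 on it) - nothing below protects the host
# over IPv6.

# --- site parameters: fill these in ----------------------------------------
EXTIF="eth0"             # interface holding the public IP
INIF="eth1"              # LAN interface; INIF="" if the host has only one NIC
INNET="192.168.1.0/24"   # network(s) to NAT out of $EXTIF, space separated;
                         # must cover the xl2tpd "ip range"; INNET="" for none
export EXTIF INIF INNET

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH

# --- part 1: the host itself ------------------------------------------------
# 1. kernel network settings (rp_filter strict = anti-spoofing; matches
#    /etc/sysctl.conf so the two do not fight at boot)
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/ip_forward   # unconditional: the VPN needs routing
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
  echo "1" > "$i"
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
  echo "0" > "$i"
done

# 2. flush every table we touch, set default policies, allow loopback and
#    replies to our own connections
for t in filter nat mangle; do
  iptables -t "$t" -F
  iptables -t "$t" -X
  iptables -t "$t" -Z
done
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# was ACCEPT in the template, which turns the box into an open router for
# anyone able to send it packets for other destinations
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. optional local policy files; deny runs before allow, so a denied address
#    stays denied even if it also appears in iptables.allow
for extra in /usr/local/virus/iptables/iptables.deny \
             /usr/local/virus/iptables/iptables.allow \
             /usr/local/virus/httpd-err/iptables.http; do
  [ -f "$extra" ] && sh "$extra"
done

# 4. ICMP types accepted from the outside (echo-request, type 8, is
#    deliberately absent: the host does not answer ping)
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP; do
  iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done

# 5. services opened to the world live in their own file (the VPN ports
#    are there); everything else stays closed by the INPUT policy
[ -f /usr/local/virus/iptables/iptables.services ] && sh /usr/local/virus/iptables/iptables.services

# --- part 2: routing / NAT for VPN clients and the LAN ----------------------
# 1. modules: any current kernel autoloads what the rules below need, so this
#    is best effort only (old and new conntrack module names differ).
for mod in ip_tables iptable_nat nf_conntrack; do
  modprobe -q "$mod" 2>/dev/null || true
done

# 2. forwarding: replies, anything coming in from a VPN client, anything
#    from the LAN. Use "-i ppp+ -o $EXTIF" instead of the ppp+ line if VPN
#    clients should reach the Internet but not the LAN.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
if [ -n "$INIF" ]; then
  iptables -A INPUT -i "$INIF" -j ACCEPT
  iptables -A FORWARD -i "$INIF" -j ACCEPT
fi
# VPN clients cannot reach services on this host itself (INPUT policy);
# uncomment if they need to:
# iptables -A INPUT -i ppp+ -j ACCEPT

# 3. clamp MSS to the path MTU on forwarded SYNs; the ppp links use a
#    1200-byte MTU (options.xl2tpd) and many paths drop ICMP "fragmentation
#    needed", which otherwise stalls large downloads over the VPN
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# 4. NAT for the listed networks out of $EXTIF. The template only did this
#    when a second NIC existed, which left VPN clients without Internet on a
#    single-NIC host.
if [ -n "$INNET" ]; then
  for innet in $INNET; do
    iptables -t nat -A POSTROUTING -s "$innet" -o "$EXTIF" -j MASQUERADE
  done
fi

# 5. port forwards to hosts behind the NAT - examples, disabled. With the
#    FORWARD policy now DROP, each DNAT also needs a matching FORWARD accept.
# iptables -t nat -A PREROUTING -p tcp -i "$EXTIF" --dport 80 \
#   -j DNAT --to-destination 192.168.1.210:80                         # WWW
# iptables -A FORWARD -i "$EXTIF" -p tcp -d 192.168.1.210 --dport 80 -j ACCEPT

# 6. persistence: not needed, /etc/rc.local runs this script at every boot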
- vim /usr/local/virus/iptables/iptables.allow
- ################### 新增底下 #####################
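#!/bin/bash
# /usr/local/virus/iptables/iptables.allow - hosts or networks allowed to
# reach this machine on any port. Run by iptables.rule, which exports EXTIF
# and runs iptables.deny first (so a deny on the same address wins).
# Abort loudly if started on its own without EXTIF rather than emitting a
# rule with an empty interface.
: "${EXTIF:?run via iptables.rule, which sets EXTIF}"

# Example: a fixed management address.
# iptables -A INPUT -i "$EXTIF" -s 1.2.3.4 -j ACCEPT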
- vim /usr/local/virus/iptables/iptables.services
- ################### 新增底下 ####################
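#!/bin/bash
# /usr/local/virus/iptables/iptables.services - ports opened on $EXTIF.
# Run by iptables.rule, which exports EXTIF. Everything not listed here is
# dropped by the INPUT policy, INCLUDING SSH: enable the port-22 line below
# before you reboot if you administer this host remotely, or you will lock
# yourself out.
: "${EXTIF:?run via iptables.rule, which sets EXTIF}"

# Examples from the template, all disabled. The template's
# "--sport 1024:65534" restriction was dropped: it adds no protection and
# rejects legitimate clients that happen to use source port 65535.
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 21  -j ACCEPT   # FTP
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 22  -j ACCEPT   # SSH
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 25  -j ACCEPT   # SMTP
# iptables -A INPUT -p udp -i "$EXTIF" --dport 53  -j ACCEPT   # DNS
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 53  -j ACCEPT   # DNS
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 80  -j ACCEPT   # WWW
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 110 -j ACCEPT   # POP3
# iptables -A INPUT -p tcp -i "$EXTIF" --dport 443 -j ACCEPT   # HTTPS

## L2TP over IPsec - these must be open ##
iptables -A INPUT -p udp -i "$EXTIF" --dport 500  -j ACCEPT   # IKE
iptables -A INPUT -p udp -i "$EXTIF" --dport 4500 -j ACCEPT   # NAT-T (IKE + ESP-in-UDP) for clients behind NAT
# Clients that are NOT behind NAT send ESP as IP protocol 50, which none of
# the UDP rules match; the template's rules would drop their traffic.
iptables -A INPUT -p esp -i "$EXTIF" -j ACCEPT
# L2TP itself is accepted only after IPsec has decrypted it (xt_policy
# match), so the PPP login (MS-CHAPv2) is never reachable in the clear.
iptables -A INPUT -p udp -i "$EXTIF" --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp -i "$EXTIF" --dport 1701 -j DROP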
- chmod 700 /usr/local/virus/iptables/iptables.*
好了之後，編輯 /etc/rc.local，在 `exit 0`（若有的話）之前增加一行：
- /usr/local/virus/iptables/iptables.rule
重新開機前請先確認 iptables.services 已開放你遠端管理用的服務（例如 SSH 的 22 port），否則重開後 INPUT 預設 DROP 會把自己擋在外面；確認無誤後重新開機就可以囉~
大大您好...我近期根據您的文件配置一個L2TP with IPSec Server,但我配置之後透過Win7去新增一個VPN Client撥接,如果我去Win7的VPN撥接設定一組L2TP"預先共用金鑰"後無法撥接成功,但如果設定"使用憑證進行驗證"就可以,請教這哪邊出了問題?