温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

strongswan、xl2tp基础配置档

发布时间:2020-04-09 18:23:24 来源:网络 阅读:2837 作者:奈若 栏目:网络安全

利用IPSEC保持总部静态IP+分支动态IP的连线。


环境:总部:Centos6.5

      分支:vigor or Dlink 路由器

      移动办公室:win7


wget https://download.strongswan.org/strongswan-5.3.5.tar.gz


tar -xzvf strongswan-5.3.5.tar.gz


cd strongswan-5.3.5.tar.gz


yum update


yum install pam-devel openssl-devel make gcc -y

 ./configure  --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity  --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp


make && make install


#for *** in /proc/sys/net/ipv4/conf/*; do echo 0 > $***/accept_redirects; echo 0 > $***/send_redirects; done



vim /etc/sysctl.conf

sysctl -p



vim /usr/local/etc/ipsec.conf


conn %default

    ikelifetime=60m

    rekeymargin=3m

    keyingtries=1

    keyexchange=ikev1

    authby=secret

        ike=3des-sha1-modp1024

        esp=3des-md5


conn ×××


        left=0.0.0.0

        leftsubnet=192.168.0.0/16

        leftfirewall=yes

        right=%any

        rightsubnet=192.168.3.0/24

        auto=add


conn ***2


        left=0.0.0.0

        leftsubnet=192.168.0.0/16

        leftfirewall=yes

        right=%any

        rightsubnet=172.20.15.2/24

        auto=add


vim /usr/local/etc/ipsec.secrets

 : PSK XXXXXX


/usr/local/sbin/ipsec start


cat /var/log/messages  


vim /etc/rc.local

#!/bin/sh

#

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don't

# want to do the full Sys V style init stuff.


touch /var/lock/subsys/local


ifconfig eth0:0 192.168.16.1  netmask 255.255.0.0  up



wget http://www.atomicorp.com/installers/atomic

sh ./atomic

yum check-update

yum install xl2tpd -y

vim /etc/xl2tpd/xl2tpd.conf


[lns default]

ip range = 192.168.16.128-192.168.16.254

local ip = 192.168.16.1

require chap = yes

refuse pap = yes

require authentication = yes

name = Linux×××server

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes


vim /etc/ppp/options.xl2tpd

ipcp-accept-local

ipcp-accept-remote

ms-dns  192.168.1.1

ms-dns  192.168.1.1

ms-wins 192.168.1.2

ms-wins 192.168.1.4

noccp

auth

crtscts

idle 1800

mtu 1410

mru 1410

nodefaultroute

debug

lock

proxyarp

connect-delay 5000


vim  /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client        server  secret                  IP addresses

user1   *       test1   192.168.16.2


service xl2tpd start


vim /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]



-A INPUT -p 50 -j ACCEPT

-A INPUT -p 51 -j ACCEPT

-A INPUT -p udp --dport 500 -j ACCEPT


-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT


service iptables restart

service xl2tpd restart

/usr/local/sbin/ipsec restart


done


向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI