strongswan、xl2tp基础配置档

利用IPSEC保持总部静态IP+分支动态IP的连线。

环境：总部：Centos6.5

      分支：vigor or Dlink 路由器

      移动办公室：win7

wget https://download.strongswan.org/strongswan-5.3.5.tar.gz

tar -xzvf strongswan-5.3.5.tar.gz

cd strongswan-5.3.5.tar.gz

yum update

yum install pam-devel openssl-devel make gcc -y

 ./configure  --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity  --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp

make && make install

#for *** in /proc/sys/net/ipv4/conf/*; do echo 0 > $***/accept_redirects; echo 0 > $***/send_redirects; done

vim /etc/sysctl.conf

sysctl -p

vim /usr/local/etc/ipsec.conf

conn %default

    ikelifetime=60m

    rekeymargin=3m

    keyingtries=1

    keyexchange=ikev1

    authby=secret

        ike=3des-sha1-modp1024

        esp=3des-md5

conn ×××

        left=0.0.0.0

        leftsubnet=192.168.0.0/16

        leftfirewall=yes

        right=%any

        rightsubnet=192.168.3.0/24

        auto=add

conn ***2

        left=0.0.0.0

        leftsubnet=192.168.0.0/16

        leftfirewall=yes

        right=%any

        rightsubnet=172.20.15.2/24

        auto=add

vim /usr/local/etc/ipsec.secrets

 : PSK XXXXXX

/usr/local/sbin/ipsec start

cat /var/log/messages  

vim /etc/rc.local

#!/bin/sh

#

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don't

# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

ifconfig eth0:0 192.168.16.1  netmask 255.255.0.0  up

wget http://www.atomicorp.com/installers/atomic

sh ./atomic

yum check-update

yum install xl2tpd -y

vim /etc/xl2tpd/xl2tpd.conf

[lns default]

ip range = 192.168.16.128-192.168.16.254

local ip = 192.168.16.1

require chap = yes

refuse pap = yes

require authentication = yes

name = Linux×××server

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

vim /etc/ppp/options.xl2tpd

ipcp-accept-local

ipcp-accept-remote

ms-dns  192.168.1.1

ms-dns  192.168.1.1

ms-wins 192.168.1.2

ms-wins 192.168.1.4

noccp

auth

crtscts

idle 1800

mtu 1410

mru 1410

nodefaultroute

debug

lock

proxyarp

connect-delay 5000

vim  /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client        server  secret                  IP addresses

user1   *       test1   192.168.16.2

service xl2tpd start

vim /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -p 50 -j ACCEPT

-A INPUT -p 51 -j ACCEPT

-A INPUT -p udp --dport 500 -j ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

service iptables restart

service xl2tpd restart

/usr/local/sbin/ipsec restart

done