Deployment and configuration of L2TP + IPSec V in Linux Environment
I'm a rookie 131 2022-01-26 10:09:23 阅读数:77
deployment
configuration
l2tp
tp
ipsec
List of articles
L2TP+IPsec V_P_N
problem :
- Building a L2TP+IPSec V_P_N Environmental Science , And test the V_P_N Whether it can communicate normally , Requirements are as follows
- Use L2TP The protocol creates a tunnel connection that supports authentication and encryption
- Use IPSec Encrypt data
- Assign to clients 192.168.3.0/24 The address pool
- The user name of the client connection is :tom, The password for 123456
- Pre shared key is :randoass
programme :
The host required by the experimental environment and the corresponding ip The settings are shown in the table
| Host name | IP Address |
|---|---|
| Windows host | 201.1.2.20 |
| client | eth0 192.168.19.10 |
| eth3 201.1.2.10 |
Experimental Topology
![[ Failed to transfer the external chain picture , The origin station may have anti-theft chain mechanism , It is suggested to save the pictures and upload them directly (img-fCNoNpMO-1632068774999)(E:/Typort/image-20210919231231026.png)]](http://inotgo.com/imagesLocal/202112/16/202112161119478393_0.jpg)
step :
Step one : Deploy IPSec service
1) Install package
yum -y install libreswan
# This software is used to encrypt
2) newly build IPSec Key validation profile
cat /etc/ipsec.conf
...
include /etc/ipsec.d/*.conf # On the last line of this file , A call file appears , and httpd similar
# His profile can also be written in /etc/ipsec.d/ Under this path , The file name is unlimited , The suffix is .conf that will do
When copying , Please remove the notes , Otherwise you will report an error
vim /etc/ipsec.d/myipsec.conf
conn IDC-PSK-NAT
rightsubnet=vhost:%priv # Run the established vpn virtual network
also=IDC-PSK-noNAT
conn IDC-PSK-noNAT
authby=secret # Encryption Authentication
ike=3des-sha1;modp1024
phase2alg=aes256-sha1;modp2048
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=3h
type=transport
left=201.1.2.10 #vpn The external network of the server IP Address
leftprotoport=17/1701
right=%any # Run any client connection
rightprotoport=17/%ang
3) establish IPSec Predefined shared key
cat /etc/ipsec.secrets # See where the sub profile is
include /etc/ipsec.d/*.secrets # His profile can also be written in /etc/ipsec.d/ Under this path , The file name is unlimited , The suffix is .secrets that will do
vim /etc/ipsec.d/mypass.secrets
201.1.2.10 %any: PSK "randpass"
#randpass Pre shared key with 201.1.2.10 by vpn Server's IP
4) start-up IPSec service
systemctl start ipsec.service
ss -nultp |grep 500
The default port of this software 500 and 4500
Step two : Deploy XL2TP service
1) Install package
wget https://download-ib01.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/x/xl2tpd-1.3.15-1.el8.x86_64.rpm
yum -y localinstall xl2tpd-1.3.15-1.el8.x86_64.rpm
2) modify xl2tp The configuration file ( modify 3 The contents of a configuration file )
vim /etc/xl2tpd/xl2tpd.conf # Master profile
Just modify these two lines , The rest will not move , These two lines are around the penultimate line
...
ip range = 192.168.3.128-192.168.3.254 # Assigned to the client IP
local ip = 201.1.2.10 #VPN Server's IP
...
vim /etc/ppp/options.xl2tpd # Authentication configuration
# Open the parameters of authentication
require-mschap-v2 # Open notes , Or rewrite , a key , Be sure to write at the top , Otherwise you will report an error
# Lines 11 and 17 crtscts and lock These two default comments , If it is open, please note
# If not noted , No mistake. , But it won't connect us VPN
vim /etc/ppp/chap-secrets # Modify the authentication user
tom * 123456 *
# user name Server identity password client
3) Start the service
systemctl start xl2tpd
netstat -nultp | grep xl2tpd
4) Set route forwarding , A firewall
echo "1" > /proc/sys/net/ipv4/ip_forward # Turn on route forwarding
firewall-cmd --set-default-zone=trusted
5)NAT Rule settings ( Non mandatory operation )
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source 201.1.2.5
Step three : Client side test
1) Input V_P_N Server account and password , Connect v_p_n And test network connectivity
Click... In network settings v_p_n, And then add , Then enter the corresponding information
![[ Failed to transfer the external chain picture , The origin station may have anti-theft chain mechanism , It is suggested to save the pictures and upload them directly (img-Oz5ytP7v-1632068775000)(E:/Typort/image-20210920002204257.png)]](http://inotgo.com/imagesLocal/202112/16/202112161119478393_2.jpg)
In the network card option , A new network card appears , Or in the connection xl2tpd The connection of , It indicates that the addition is successful
copyright:author[I'm a rookie 131],Please bring the original link to reprint, thank you. https://en.javamana.com/2022/01/202201261009172398.html
- The external text of ecarts pie chart is too long and the display is incomplete
- PPTP deployment in Linux Environment
- UDP two ideas to realize reliable transmission [with Java implementation code]
- Builder mode to realize computer assembly (Java code instance)
- Unity strange IOC fool use tutorial (dispatch usage)
- Spring boot application monitoring: Java obtains CPU, memory and JVM internal health code
- Yyds dry goods inventory springboot integrates gateway to realize gateway function
- Yyds dry goods inventory [javase series] Java classes and objects, all things are objects
- Detailed explanation of [Linux] directory structure
- How to prevent performance degradation after MySQL database upgrade
- Installing zookeeper under Linux system
- Common commands for Linux
- Yyds dry goods inventory idea integrates mybatis generator
- In depth understanding of Kafka principle: theme and zoning
- JavaScript delete DOM
- Java exclusion classes (custom configured classes, custom classes)
- Java: error: invalid source distribution: 16
- TestNG has learned, and you have mastered half of Java unit testing
- Command mode, strategy mode and template method mode of Android design mode
- Dacia spring: the most valuable model in Europe in 2022
- Is blazor struggling in spring or in the cold wind
- Interaction between Tomcat and dispatcher embedded in spring boot
- MySQL view slow query log
- Disruptor note 8: supplement to knowledge points (final part), Linux container technology
- Dev series -- treelist usage, Kafka interview questions sorting
- Use of git in eclipse, rabbitmq principle flow chart
- Installing redis under Windows
- Java web part, java development back-end development interview questions
- Elegant use of Java 8 stream, combined with practical analysis, java code performance tuning
- Seventh, thoroughly understand what the data structure heap is?
- After rabbitmq is introduced, how to ensure that 100% of the whole link data is not lost?
- Cross domain problems and solutions of golang HTTP server
- Spring MVC execution process
- Learn Java, the best reading order of Java books
- Python variable operator data structure
- What the hell is object-oriented? How to understand change
- Solution to the Java problem of the second simulation match of Blue Bridge Cup
- Linux system startup principle and troubleshooting
- How Java rewrites the equals method and hashcode method of objects, wechat development java tutorial, baidu online disk download
- Project management tools: Maven Usage Summary
- The whole process of installing JDK
- Mount of Linux command -- file system mount
- CVE-2015-1635(MS15-034)-HTTP. Sys remote code execution replication
- Minimum priority queue of data structure and algorithm
- Custom orm of 30 classes handwritten spring core principles (Part 1) (6)
- Basic JavaScript syntax - expression
- Hive actual combat UDF external dependency file cannot be found
- Spring cloud Alibaba uses Seata to resolve the whole process of distributed transactions
- Java obtains wechat user information. After reading this article, you must learn java basic case tutorial
- The idea Java Web project is exported as a jar, packaged into a runnable exe program, and Shence data Java interview questions
- Git ignores files and mybatis works
- Yyds dry inventory springsecurity default page generation
- Classes commonly used in Java (I), how to design an elegant restful interface
- To what extent can Java learn to find a job?
- Linux system startup principle and troubleshooting
- Custom orm of 30 classes handwritten spring core principles (Part 1) (6)
- Can't connect to MySQL server on localhost (10061) appears in MySQL login
- Interviewer: how do you choose the redis persistence mechanism AOF log and RDB snapshot at work
- The source code analysis of okhttp framework starts with the use of synchronous & asynchronous requests
- Interview question on Java set: how does set judge repetition