Deployment and configuration of an L2TP + IPsec VPN in a Linux environment

Author: I'm a rookie 131 | 2022-01-26 10:09:23 | Reads: 77

Tags: deployment, configuration, l2tp, ipsec

L2TP+IPsec VPN

Problem:

  • Build an L2TP+IPsec VPN environment and test whether the VPN can communicate normally. The requirements are as follows:
  • Use the L2TP protocol to create a tunnel connection that supports authentication and encryption
  • Use IPsec to encrypt the data
  • Assign addresses to clients from the 192.168.3.0/24 address pool
  • The user name for the client connection is tom, the password is 123456
  • The pre-shared key is randoass

Plan:

The hosts required by the experimental environment and their corresponding IP settings are shown in the table below.

Host name      Interface   IP address
Windows host   -           201.1.2.20
client         eth0        192.168.19.10
               eth3        201.1.2.10

Experimental Topology


Steps:

Step one: Deploy the IPsec service

1) Install the package

yum -y install libreswan
# libreswan provides the IPsec implementation that encrypts the tunnel

2) Create the IPsec key-authentication configuration file

cat /etc/ipsec.conf
...
include /etc/ipsec.d/*.conf
# The last line of the main file includes a directory of drop-in files, much like httpd does.
# Our own configuration can therefore live under /etc/ipsec.d/; the file name is free, it only needs the .conf suffix.

When copying the block below, remove the comments after the values; libreswan will otherwise report an error.

vim /etc/ipsec.d/myipsec.conf
conn IDC-PSK-NAT
    rightsubnet=vhost:%priv     # accept clients that sit behind NAT (private addresses)
    also=IDC-PSK-noNAT
conn IDC-PSK-noNAT
    authby=secret               # authenticate with a pre-shared key
    ike=3des-sha1;modp1024
    phase2alg=aes256-sha1;modp2048
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=3h
    type=transport
    left=201.1.2.10             # external (public) IP address of the VPN server
    leftprotoport=17/1701       # UDP port 1701, the L2TP port
    right=%any                  # accept a connection from any client
    rightprotoport=17/%any

Note that 3des-sha1;modp1024 is a legacy IKE proposal kept only for compatibility with older clients; where the client supports it, prefer an AES/SHA-2 proposal with modp2048 or stronger.

3) Create the IPsec pre-shared key

cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
# As with ipsec.conf, the secrets file includes /etc/ipsec.d/; the file name is free, it only needs the .secrets suffix.
vim /etc/ipsec.d/mypass.secrets
201.1.2.10 %any: PSK "randpass"
# 201.1.2.10 is the VPN server's IP address; "randpass" is the pre-shared key and must be exactly the string the client enters

4) Start the IPsec service

systemctl start ipsec.service
ss -nultp | grep 500
# libreswan listens on UDP 500 (IKE) and UDP 4500 (IKE NAT traversal) by default

Step two: Deploy the xl2tpd service

1) Install the package

wget https://download-ib01.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/x/xl2tpd-1.3.15-1.el8.x86_64.rpm
yum -y localinstall xl2tpd-1.3.15-1.el8.x86_64.rpm
# xl2tpd is taken from the EPEL 8 repository; localinstall resolves its dependencies from the configured yum repositories

2) Modify the xl2tpd configuration (three configuration files are changed)

vim /etc/xl2tpd/xl2tpd.conf   # main configuration file
# Only these two lines change; they sit near the end of the file. Leave the rest as it is.
...
ip range = 192.168.3.128-192.168.3.254   # IP addresses handed out to clients
local ip = 201.1.2.10                    # the VPN server's IP address
...
vim /etc/ppp/options.xl2tpd   # PPP authentication options
# Enable MS-CHAPv2 authentication: uncomment the line, or add it, and make sure it is the
# first option in the file, otherwise the service reports an error
require-mschap-v2
# Lines 11 and 17, crtscts and lock, are commented out by default; if they are active, comment them out.
# Leaving them active produces no error, but the VPN will not connect.
vim /etc/ppp/chap-secrets   # authentication users
tom * 123456 *
# fields: user name   server   password   client IP address
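Most failures in this setup come from the four files just edited: a stray comment after a value in the conn block, the `%ang` typo in `rightprotoport`, a pre-shared key that differs between the server and the client, or `crtscts`/`lock` left active in options.xl2tpd. The script below is an added example, not part of the original post or of libreswan/xl2tpd: it lints copies of those files for exactly these mistakes before the services are started. Paths, the server address, the PSK and the user name are parameters; the sample files that `write_sample_config` produces are constructed from the walkthrough's values.

```shell
#!/bin/sh
# Lint the libreswan and xl2tpd configuration files from this walkthrough before starting
# the services. Each check prints FAIL lines and returns 1 on a problem, 0 otherwise.
# The sample files that write_sample_config creates are constructed for this example.

# libreswan does not accept a comment after a value inside a conn block, and the L2TP
# connection needs leftprotoport=17/1701 and rightprotoport=17/%any (the %ang typo breaks it).
check_ipsec_conf() {
    f="$1"; rc=0
    if grep -vE '^[[:space:]]*#' "$f" | grep -qE '=[^#]*#'; then
        echo "FAIL $f: remove trailing comments after values"; rc=1
    fi
    if ! grep -qE '^[[:space:]]*leftprotoport=17/1701[[:space:]]*$' "$f"; then
        echo "FAIL $f: leftprotoport must be 17/1701"; rc=1
    fi
    if ! grep -qE '^[[:space:]]*rightprotoport=17/(%any|1701)[[:space:]]*$' "$f"; then
        echo "FAIL $f: rightprotoport must be 17/%any"; rc=1
    fi
    return $rc
}

# The secrets file needs a PSK line for the server address, and the key must be the
# same string the client is given.
check_psk() {
    f="$1"; server="$2"; client_psk="$3"
    key=$(grep -E "^$server[[:space:]]+%any:[[:space:]]*PSK[[:space:]]+\"" "$f" |
          sed -E 's/.*PSK[[:space:]]+"([^"]*)".*/\1/')
    if [ -z "$key" ]; then
        echo "FAIL $f: no PSK line for '$server %any'"; return 1
    fi
    if [ "$key" != "$client_psk" ]; then
        echo "FAIL $f: server PSK '$key' differs from the client's PSK"; return 1
    fi
    return 0
}

# options.xl2tpd: require-mschap-v2 must be the first active option, and the serial-line
# options crtscts and lock must stay commented out or the tunnel silently fails to connect.
check_ppp_options() {
    f="$1"; rc=0
    first=$(grep -vE '^[[:space:]]*(#|$)' "$f" | head -n 1)
    if [ "$first" != "require-mschap-v2" ]; then
        echo "FAIL $f: first option must be require-mschap-v2 (found '$first')"; rc=1
    fi
    for opt in crtscts lock; do
        if grep -qE "^[[:space:]]*$opt[[:space:]]*$" "$f"; then
            echo "FAIL $f: '$opt' is active; comment it out"; rc=1
        fi
    done
    return $rc
}

# chap-secrets: one line per user with the fields  client  server  secret  IP-addresses
check_chap_user() {
    grep -qE "^[[:space:]]*$2[[:space:]]+\*[[:space:]]+[^[:space:]]+[[:space:]]+\*" "$1"
}

# Run all checks on a directory holding the four files; returns 0 only if every check passes.
# Arguments: directory, server IP, PSK the client will use, user name.
lint_all() {
    dir="$1"; ok=0
    check_ipsec_conf "$dir/myipsec.conf"                     || ok=1
    check_psk "$dir/mypass.secrets" "$2" "$3"                || ok=1
    check_ppp_options "$dir/options.xl2tpd"                  || ok=1
    check_chap_user "$dir/chap-secrets" "$4" || { echo "FAIL chap-secrets: no entry for '$4'"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: configuration passed all checks"
    return $ok
}

# Constructed sample using the walkthrough's values, with the comments already stripped.
write_sample_config() {
    cat > "$1/myipsec.conf" <<'EOF'
conn IDC-PSK-NAT
    rightsubnet=vhost:%priv
    also=IDC-PSK-noNAT
conn IDC-PSK-noNAT
    authby=secret
    type=transport
    left=201.1.2.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
    printf '201.1.2.10 %%any: PSK "randpass"\n' > "$1/mypass.secrets"
    printf 'require-mschap-v2\n# crtscts\n# lock\nnoccp\n' > "$1/options.xl2tpd"
    printf 'tom * 123456 *\n' > "$1/chap-secrets"
}

# Demo: lint the sample in a temporary directory
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
lint_all "$demo_dir" 201.1.2.10 randpass tom
rm -rf "$demo_dir"
```

To lint the real files, copy them into one directory (or point the individual checks at /etc/ipsec.d/myipsec.conf, /etc/ipsec.d/mypass.secrets, /etc/ppp/options.xl2tpd and /etc/ppp/chap-secrets) and pass the same PSK and user name that the client will be configured with; a mismatch between the two is reported before anything is restarted.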

3) Start the service

systemctl start xl2tpd
netstat -nultp | grep xl2tpd
# xl2tpd listens on UDP 1701
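After both services are up there should be three UDP listeners: 500 and 4500 owned by libreswan's pluto daemon and 1701 owned by xl2tpd. The following added example (not from the original post) parses `ss -nulp` output and reports any listener that is missing, so the check does not depend on eyeballing the grep output; the sample output that `write_sample_ss` writes is constructed for the example.

```shell
#!/bin/sh
# Verify that the IPsec and L2TP daemons are listening on the expected UDP ports
# by parsing `ss -nulp` output. The sample output below is constructed for the example.

# Expected UDP listeners: IKE (500) and IKE NAT-T (4500) from pluto, L2TP (1701) from xl2tpd
EXPECTED="500:pluto 4500:pluto 1701:xl2tpd"

# Print "port:process" for every UDP listener found in the given ss output file
listeners_from_ss() {
    awk '$1 == "udp" {
            n = split($5, a, ":"); port = a[n]      # last field of Local Address:Port
            proc = "?"
            if (match($0, /\(\("[^"]+"/))           # users:(("pluto",pid=...))
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            print port ":" proc
         }' "$1"
}

# Return 0 if every expected port:process pair is present, else list the missing ones and return 1
check_vpn_listeners() {
    have=$(listeners_from_ss "$1"); rc=0
    for want in $EXPECTED; do
        if ! printf '%s\n' "$have" | grep -qx "$want"; then
            echo "MISSING udp/$want"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: pluto and xl2tpd are listening"
    return $rc
}

# Constructed sample of `ss -nulp` output from a server where both services are running
write_sample_ss() {
    cat > "$1" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:500        0.0.0.0:*     users:(("pluto",pid=812,fd=19))
udp   UNCONN 0      0            0.0.0.0:4500       0.0.0.0:*     users:(("pluto",pid=812,fd=21))
udp   UNCONN 0      0            0.0.0.0:1701       0.0.0.0:*     users:(("xl2tpd",pid=904,fd=4))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=701,fd=3))
EOF
}

# Demo on the constructed sample; on a live server use:  ss -nulp > /tmp/ss.txt; check_vpn_listeners /tmp/ss.txt
sample=$(mktemp)
write_sample_ss "$sample"
check_vpn_listeners "$sample"
rm -f "$sample"
```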

4) Enable route forwarding and relax the firewall

echo "1" > /proc/sys/net/ipv4/ip_forward   # enable IPv4 forwarding (this setting is lost at reboot; net.ipv4.ip_forward in sysctl.conf makes it persistent)
firewall-cmd --set-default-zone=trusted    # the trusted zone accepts all traffic, so the VPN ports and forwarded packets are not blocked

Putting the default zone in trusted disables packet filtering on every interface; it is acceptable in this lab, but outside of it open only UDP 500, 4500 and 1701 and allow forwarding for the client subnet instead.

5) NAT rule settings (optional)

iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source 201.1.2.5
# rewrite the source of traffic leaving the client address pool; the --to-source address must be one configured on the server's external interface

Step three: Client-side test

1) Enter the VPN server account and password, connect to the VPN and test network connectivity

In the network settings, click VPN, then Add, and enter the corresponding information (server address, pre-shared key, user name and password).


A new network adapter appears in the adapter list, or the connection to xl2tpd shows as connected; this indicates that the connection was added successfully.

Copyright: author I'm a rookie 131. Please include the original link when reprinting, thank you: https://en.javamana.com/2022/01/202201261009172398.html