| VPN(L2TP/IPsec) |
|
# wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm # rpm -ivh epel-release-6-8.noarch.rpm # yum install openswan xl2tpd ppp lsof # yum install wget bind-utils ←いらないかも |
|
# wget http://www.cpan.org/src/5.0/perl-5.20.0.tar.gz # ./configure.gnu # make # make install # wget http://downloads.sourceforge.net/project/flex/flex-2.5.39.tar.gz # tar zxvf flex-2.5.39.tar.gz # cd flex-2.5.39 # ./configure # make # make install # wget http://ftp.gnu.org/pub/gnu/bison/bison-3.0.2.tar.gz # ./configure # make # make install # wget http://www.tcpdump.org/release/libpcap-1.6.1.tar.gz # ./configure # make # make install # wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.7.tar.gz # tar zxvf ppp-2.4.6.tar.gz # cd /ppp-2.4.6 # ./configure # make # make install # wget ftp://ftp.gnu.org/gnu/gmp/gmp-5.1.3.tar.gz # wget ftp://ftp.gnu.org/gnu/gmp/gmp-6.0.0a.tar.bz2 # tar jxvf gmp-6.0.0a.tar.bz2 # ./configure # make # make install # wget xl2tpd-1.3.6.tar.gz # tar zxvf xl2tpd-1.3.6.tar.gz # cd xl2tpd-1.3.6 # make # make install # wget https://download.openswan.org/openswan/openswan-latest.tar.gz # tar zxvf openswan-latest.tar.gz # cd openswan # make programs # make install |
|
[global] auth file = /etc/ppp/chap-secrets [lns default] ip range = 192.168.1.128-192.168.1.254 local ip = 192.168.1.100 require chap = yes refuse pap = yes require authentication = yes name = xl2tpd ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes |
|
ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp connect-delay 5000 refuse-pap refuse-chap refuse-mschap require-mschap-v2 persist |
|
version 2.0 config setup nat_traversal=yes protostack=netkey virtual_private=%v4:192.168.1.0/24 oe=off nhelpers=0 include /etc/ipsec.d/*.conf |
|
conn L2TP-PSK-NAT rightsubnet=0.0.0.0/0 forceencaps=yes also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=%defaultroute leftnexthop=%defaultroute leftprotoport=17/1701 right=%any rightprotoport=17/%any dpddelay=10 dpdtimeout=20 dpdaction=clear |
|
#include /etc/ipsec.d/*.secrets 192.168.1.100 %any : PSK "dddddddd" |
|
# Secrets for authentication using CHAP # client server secret IP addresses user1 * pass1 * |
|
net.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.eth0.send_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.lo.send_redirects = 0 # sysctl -p |
|
-SELINUX=enforcing +SELINUX=disabled |
|
*filter :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT # L2TP/IPsec -A FORWARD -i ppp+ -j ACCEPT -A FORWARD -o ppp+ -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p esp -j ACCEPT -A INPUT -p udp -m udp --dport 500 -j ACCEPT -A INPUT -p udp -m udp --dport 1701 -j ACCEPT -A INPUT -p udp -m udp --dport 4500 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT *mangle :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT *nat :OUTPUT ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A POSTROUTING -j MASQUERADE COMMIT |
|
/etc/init.d/xl2tpd start /etc/init.d/ipsec start |
|
# ipsec verify Pluto listening for IKE on udp 500 Pluto listening for NAT-T on udp 4500 [FAILED] これは # yum install lsof |
更新 2014.11.09