注意(:wq保存文件 putty登陆用户名为ec2-user)
安装与配置:
环境介绍:
OS:CentOS 6.4 x86_64 Minimal
1. 修改 /etc/sysctl.conf,新增如下配置: # vi /etc/sysctl.conf
# For xl2tpd net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1
# sysctl -p
2. 安装EPEL扩展库 # yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
//安装时运行yum报错:
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
解决办法:
vi /etc/yum.repos.d/epel.repo
编辑[epel]下的baseurl前的#号去掉,mirrorlist前添加#号。正确配置如下:
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
再运行
yum makecache
3. 安装所需软件包
# yum install wget bind-utils lsof
# yum install openswan xl2tpd ppp
# yum downgrade openswan
4. 通过如下脚本完成配置文件的修改 # vim l2tpvpn.sh (注意要删掉注释)
#!/bin/sh IPSEC_PSK=SharedSecret ;修改以上变量的值,作为共享密码 PRIVATE_IP=`wget -q -O - 'http://instance-data/latest/meta-data/local-ipv4'` PUBLIC_IP=`wget -q -O - 'http://instance-data/latest/meta-data/public-ipv4'` ;修改以上变量的值,我通过命令来自动获取服务器的本地内网IP和公网IP,但仅适用于EC2 cat > /etc/ipsec.conf <<EOF version 2.0 config setup dumpdir=/var/run/pluto/ nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 oe=off protostack=netkey nhelpers=0 interfaces=%defaultroute plutostderrlog=/var/log/pluto.log conn vpnpsk auto=add left=$PRIVATE_IP leftid=$PUBLIC_IP leftsubnet=$PRIVATE_IP/32 leftnexthop=%defaultroute leftprotoport=17/1701 rightprotoport=17/%any right=%any rightsubnetwithin=0.0.0.0/0 forceencaps=yes authby=secret pfs=no type=transport auth=esp ike=3des-sha1 phase2alg=3des-sha1 dpddelay=30 dpdtimeout=120 dpdaction=clear EOF cat > /etc/ipsec.secrets <<EOF $PUBLIC_IP %any : PSK "$IPSEC_PSK" EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF [global] port = 1701 ;debug avp = yes ;debug network = yes ;debug state = yes ;debug tunnel = yes [lns default] ip range = 172.192.169.10-172.192.169.250 local ip = 172.192.169.1 ;修改以上虚拟地址范围 require chap = yes refuse pap = yes require authentication = yes name = l2tpd ;ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes EOF cat > /etc/ppp/options.xl2tpd <<EOF ipcp-accept-local ipcp-accept-remote ms-dns 172.31.0.2 ;修改以上DNS服务器 noccp auth crtscts idle 1800 mtu 1280 mru 1280 lock connect-delay 5000 EOF
# chmod +x l2tpvpn.sh # ./l2tpvpn.sh
5. 配置用户名与密码 # vi /etc/ppp/chap-secrets
# 修改以下用户名与密码 # Secrets for authentication using CHAP # client server secret IP addresses "username" * "password" *
6. 配置NAT共享上网(修改如下虚拟地址范围与配置文件中相匹配) # iptables -t NAT -A POSTROUTING -s 172.192.169.0/24 -o eth0 -j MASQUERADE
7. 开放如下端口(EC2需要在SecurityGroup中配置)
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
8. 启动相关服务,并设置为自动启动
# service ipsec restart
# service xl2tpd restart
# chkconfig ipsec on
# chkconfig xl2tpd on
9. 结束