2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces how to deploy L2TP on CentOS 7 and walks through the procedure using an actual case.

L2TP is an industry-standard Internet tunneling protocol with functions similar to those of PPTP; for example, it can also encrypt network data streams. Accepted by many companies, it has become the IETF's industry-standard Layer 2 tunneling protocol, and it is based on Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding protocol (L2F). Internet service providers and companies can use this kind of virtual private network over the Internet.
1. First check whether your host supports PPTP. If the command prints yes, the check has passed.

    modprobe ppp-compress-18 && echo yes

2. Check whether TUN is enabled

Some virtual hosts need TUN to be enabled first. If the command returns "cat: /dev/net/tun: File descriptor in bad state", TUN is enabled.

    cat /dev/net/tun

3. Update the system

    yum update -y

4. Install the EPEL repository

    yum install -y epel-release

5. Install xl2tpd and libreswan

    yum install -y xl2tpd libreswan lsof

6. Edit the xl2tpd configuration file

    vim /etc/xl2tpd/xl2tpd.conf
The modifications are as follows:
    [global]

    [lns default]
    ; address pool assigned to the clients
    ip range = 172.100.1.100-172.100.1.150
    local ip = 172.100.1.1
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = LinuxVPNserver
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

7. Edit the pppoptfile file

    vim /etc/ppp/options.xl2tpd
The modifications are as follows:
    ipcp-accept-local
    ipcp-accept-remote
    ms-dns 8.8.8.8
    ms-dns 209.244.0.3
    ms-dns 208.67.222.222
    name xl2tpd
    #noccp
    auth
    crtscts
    idle 1800
    # Setting mtu and mru is not recommended for a first-time configuration; otherwise it may be incorrect.
    mtu 1410
    mru 1410
    nodefaultroute
    debug
    lock
    proxyarp
    connect-delay 5000
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    persist
    logfile /var/log/xl2tpd.log

8. Edit the ipsec configuration file

    vim /etc/ipsec.conf

    config setup
        protostack=netkey
        dumpdir=/var/run/pluto/
        virtual_private=%v4:10.0.0.0/8,%v4:172.100.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

    include /etc/ipsec.d/*.conf

9. Edit the conn file pulled in by the include line

    vim /etc/ipsec.d/l2tp-ipsec.conf
The modifications are as follows:
    conn L2TP-PSK-NAT
        rightsubnet=0.0.0.0/0
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear
        forceencaps=yes
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        # Public network address of the server/VPS. For some VPSes with only an eth0 network card,
        # fill in the private network address; the kernel can enable NAT forwarding.
        # The forwarding rules are defined with iptables below (CentOS7).
        left=192.168.0.17
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

10. Set the username and password

    vim /etc/ppp/chap-secrets
Modify the content:

    vpnuser * pass *

Description: user name [space] service [space] password [space] assigned IP

11. Set the PSK

    vim /etc/ipsec.d/default.secrets

    : PSK "testvpn"

12. CentOS7 firewall settings

    firewall-cmd --permanent --add-service=ipsec
    firewall-cmd --permanent --add-port=1701/udp
    firewall-cmd --permanent --add-port=4500/udp
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --reload

13. IP_FORWARD settings

    vim /etc/sysctl.d/60-sysctl_ipsec.conf

    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.rp_filter = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.eth0.rp_filter = 0
    net.ipv4.conf.eth0.send_redirects = 0
    net.ipv4.conf.eth2.accept_redirects = 0
    net.ipv4.conf.eth2.rp_filter = 0
    net.ipv4.conf.eth2.send_redirects = 0
    net.ipv4.conf.eth3.accept_redirects = 0
    net.ipv4.conf.eth3.rp_filter = 0
    net.ipv4.conf.eth3.send_redirects = 0
    net.ipv4.conf.ip_vti0.accept_redirects = 0
    net.ipv4.conf.ip_vti0.rp_filter = 0
    net.ipv4.conf.ip_vti0.send_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.lo.rp_filter = 0
    net.ipv4.conf.lo.send_redirects = 0
    net.ipv4.conf.ppp0.accept_redirects = 0
    net.ipv4.conf.ppp0.rp_filter = 0
    net.ipv4.conf.ppp0.send_redirects = 0
Restart the network for the settings to take effect:

    systemctl restart network

13. Start ipsec and check it

    systemctl enable ipsec
    systemctl restart ipsec
Check: ipsec verify
Normal output:
    Verifying installed system and configuration files

    Version check and ipsec on-path                         [OK]
    Libreswan 3.15 (netkey) on 3.10.0-123.13.2.el7.x86_64
    Checking for IPsec support in kernel                    [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects                    [OK]
             ICMP default/accept_redirects                  [OK]
             XFRM larval drop                               [OK]
    Pluto ipsec.conf syntax                                 [OK]
    Hardware random device                                  [N/A]
    Two or more interfaces found, checking IP forwarding    [OK]
    Checking rp_filter                                      [OK]
    Checking that pluto is running                          [OK]
     Pluto listening for IKE on udp 500                     [OK]
     Pluto listening for IKE/NAT-T on udp 4500              [OK]
     Pluto ipsec.secret syntax                              [OK]
    Checking 'ip' command                                   [OK]
    Checking 'iptables' command                             [OK]
    Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
    Opportunistic Encryption                                [DISABLED]

14. Start xl2tpd

    systemctl enable xl2tpd
    systemctl restart xl2tpd

15. Windows connection
For Windows connection, you need to modify the registry key value (it is said that you do not need to modify it, but if I do not modify it, it will not be shown in the 789 Magi log).
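
The PSK in step 11 and the password in step 10 are stored in clear text, and the sample PSK "testvpn" is short. The script below is an added example, not part of the original article: it lints the files written in steps 7, 10 and 11 for file permissions, PSK length and the PPP authentication options. The function name `audit_l2tp_files`, the script name `audit.sh` and the `MIN_PSK_LEN` threshold are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: lint the credential and PPP option files from this guide.
# MIN_PSK_LEN is an assumed policy threshold, not a value from the guide.
# Uses GNU stat (-c), as shipped on CentOS 7.
MIN_PSK_LEN=${MIN_PSK_LEN:-20}

# Usage: audit_l2tp_files <ipsec secrets> <chap-secrets> <ppp options>
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_l2tp_files() {
    local secrets=$1 chap=$2 pppopts=$3 findings=0 f mode psk opt

    # Files holding the PSK and user passwords must be owner-only.
    for f in "$secrets" "$chap"; do
        mode=$(stat -c '%a' "$f") || return 2
        if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
            echo "PERMS $f mode=$mode"; findings=1
        fi
    done

    # Pull the quoted value out of a line of the form   : PSK "value"
    psk=$(sed -n 's/^[^#]*PSK[[:space:]]*"\(.*\)".*$/\1/p' "$secrets" | head -n 1)
    if [ "${#psk}" -lt "$MIN_PSK_LEN" ]; then
        echo "WEAK_PSK length=${#psk} min=$MIN_PSK_LEN"; findings=1
    fi

    # pppd should accept MS-CHAPv2 only, as the options file in step 7 intends.
    for opt in require-mschap-v2 refuse-pap refuse-chap refuse-mschap; do
        if ! grep -Eq "^[[:space:]]*$opt([[:space:]]|\$)" "$pppopts"; then
            echo "MISSING_PPP_OPTION $opt"; findings=1
        fi
    done
    return "$findings"
}

# Run directly (audit.sh is a hypothetical file name):
#   ./audit.sh /etc/ipsec.d/default.secrets /etc/ppp/chap-secrets /etc/ppp/options.xl2tpd
if [ "$#" -eq 3 ]; then
    audit_l2tp_files "$@"
fi
```

Run against the files exactly as written in this guide, it reports `WEAK_PSK length=7 min=20`, plus a `PERMS` line for any secrets file that is not mode 600 or 400.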
This is the end of the introduction to "how CentOS7 deploys L2TP".