Recently I noticed that the GFW has been upgraded again. Google is an indispensable tool for us IT people, so I had no choice but to deploy a squid server myself, only to find that squid is not very stable: it often works for a while and then stops working (exact cause unknown). To save myself the trouble I simply deployed an L2TP *** server on Azure. I am writing the deployment process down here in the hope that it helps fellow bloggers.
L2TP is a commonly used point-to-site ***. At present the *** Gateway on Azure only supports IPsec and SSTP. If a customer needs an L2TP server, they have to build it themselves in a VM. This article describes how to build a CentOS 6.5-based L2TP server on Azure.
Situation: I am using CentOS 6.8 here; the procedure on other operating systems should be roughly the same.
Note: don't buy the wrong one. NOT Made in China: it's .com, not .cn.
vi /etc/yum.repos.d/epel.repo
[epel]
name=epel
baseurl=http://mirrors.sohu.com/fedora-epel/6/$basearch
enabled=1
gpgcheck=0
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof
wget https://download.openswan.org/openswan/openswan-2.6.49.tar.gz --no-check-certificate
tar vxf openswan-2.6.49.tar.gz
cd openswan-2.6.49
make programs install
Note: if the ipsec service cannot be started after installation, run yum install -y ipsec; it pulls in some dependencies, after which the service starts normally.
yum install -y xl2tpd
vi /etc/ipsec.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # the IP address here is the Azure VM's private (internal) address
    left=100.104.172.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
vi /etc/ipsec.secrets
# the string inside the quotes is the pre-shared key
%any %any: PSK "www.obayun.com"
Or written as:
# 100.104.172.10 is the Azure VM's private (internal) address
100.104.172.10 %any: PSK "www.obayun.com"
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
# The kernel applies max(conf.all, conf.<iface>) for rp_filter, so 'default' alone leaves
# eth0 filtered (which is what the 'ipsec verify' output below reports); these two lines
# are added here to disable it for existing interfaces as well
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Apply the configuration with the following commands:
# apply the kernel settings so NAT forwarding takes effect
sysctl -p
# start the IPsec service
service ipsec start
ipsec verify  # check whether IPsec is working
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-642.6.2.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
[lns default]
; address range handed out to clients once the connection is established
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = Linux***server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
vi /etc/ppp/chap-secrets
# the first field is the username, the quoted string is the password
obayun * "www.obayun.com" *
vi /etc/ppp/options.xl2tpd
require-mschap-v2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
service iptables save
service ipsec restart
service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
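As an added example (not part of the original post), the following Python script audits the three fragments edited above the way a reviewer would: it parses the sysctl.conf settings, the quoted PSK in ipsec.secrets and the quoted CHAP passwords, and flags the mistakes present in this guide's own values (rp_filter set only for 'default', a short PSK that is also used as the user password, and a stray trailing space inside the password quotes). The sample inputs and the 20-character PSK minimum are constructed assumptions, not values from the guide.

```python
import re

# Constructed fragments mirroring the three files edited in this guide (not from a live host).
SYSCTL_CONF = """
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
"""
IPSEC_SECRETS = '%any %any: PSK "www.obayun.com"\n'
CHAP_SECRETS = 'obayun * "www.obayun.com " *\n'  # note the stray trailing space
QUOTED = re.compile(r'"([^"]*)"')
MIN_PSK_LEN = 20  # assumed local policy, not a value from the guide

def parse_sysctl(text):
    """Return {key: value} from sysctl.conf-style text, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def quoted_secrets(text):
    """Return the first double-quoted secret on each non-comment line, in file order."""
    lines = (ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    return [m.group(1) for m in map(QUOTED.search, lines) if m]

def audit(sysctl_text, ipsec_secrets, chap_secrets):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    conf = parse_sysctl(sysctl_text)
    if conf.get("net.ipv4.ip_forward") != "1":
        findings.append("ip_forward is off: clients will not reach the Internet")
    # The kernel uses max(conf.all, conf.<iface>) for rp_filter; setting only 'default'
    # leaves eth0 filtered, which is why 'ipsec verify' reports rp_filter [ENABLED].
    if conf.get("net.ipv4.conf.all.rp_filter") != "0":
        findings.append("net.ipv4.conf.all.rp_filter is not 0")
    psks = quoted_secrets(ipsec_secrets)
    findings += ["PSK shorter than %d characters" % MIN_PSK_LEN for p in psks if len(p) < MIN_PSK_LEN]
    for password in quoted_secrets(chap_secrets):
        if password != password.strip():
            findings.append("CHAP password has leading/trailing whitespace (likely a typo)")
        if password.strip() in psks:
            findings.append("CHAP password reuses the IPsec PSK")
    return findings

if __name__ == "__main__":
    for finding in audit(SYSCTL_CONF, IPSEC_SECRETS, CHAP_SECRETS):
        print("FINDING:", finding)
```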
This name never sounds right to me no matter how I hear it; I would rather call it NAT or a firewall, which feels easier to understand. Its job is to map your virtual machine's ports to the public network.
Here Windows 7 is used as the example: create 1.reg, copy the following content into that file, double-click it to import it into the registry, then restart the computer.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000000
Configure the *** client and set its pre-shared key to the key configured on the server side earlier.
From here on, the road to the door of freedom is open....