# Install strongSwan (IKE/IPsec daemon) and xl2tpd (L2TP daemon); needs root.
apt-get install strongswan xl2tpd

/etc/ipsec.secrets

    # Format: <local id> <remote id> : PSK "<secret>".
    # "%any %any" applies this one key to every peer, so all clients share it
    # and anyone who holds it can pose as the gateway to the others.
    # "sharedKeyyyyy" is a sample value: replace it with a long random string
    # and keep this file readable by root only.
    %any %any : PSK "sharedKeyyyyy"

/etc/ppp/chap-secrets

    # Columns: client name, server name, secret, IP address the client may use.
    # "l2tpserver" matches "name = l2tpserver" in /etc/xl2tpd/xl2tpd.conf.
    # The secrets below are sample values stored in cleartext: replace them
    # and keep this file readable by root only.
    "client1" l2tpserver "PassW0rd!33313" "192.168.3.10"
    "client2" l2tpserver "zPassW0rd!3331f!!!" "192.168.3.11"
    "client3" l2tpserver "AsfjePas9DsW0rd!3331" "192.168.3.12"

/etc/xl2tpd/xl2tpd.conf

    [global]
    ; UDP port xl2tpd listens on.
    port = 1701
    ; "no": xl2tpd does not filter peers by address, so the firewall's
    ; IPsec-policy match on udp/1701 is what keeps cleartext L2TP out.
    access control = no
    ; NOTE(review): SAref tracking needs kernel support that stock kernels
    ; reportedly lack; confirm it is available or set this to "no".
    ipsec saref = yes
    ; Handle L2TP in the daemon rather than in the kernel L2TP module.
    force userspace = yes
    ; Secrets file xl2tpd reads for authentication; here it is pointed at
    ; pppd's CHAP secrets file, which holds cleartext passwords.
    auth file = /etc/ppp/chap-secrets

    ; Client-side (LAC) section: "lns" names the server this host would dial.
    ; The value is a placeholder and must be replaced with a real address.
    ; NOTE(review): a host acting only as server presumably does not need
    ; this section - confirm.
    [lac hostname]
    lns =  !!!!!!!!SERVER IP!!!!!!!!

    [lns default]
    ; Address pool for clients. NOTE(review): .255 is the broadcast address
    ; of 192.168.3.0/24, and the pool also contains the fixed addresses
    ; assigned in chap-secrets (.10-.12); consider ending the range at .254.
    ip range = 192.168.3.5-192.168.3.255
    ; The gateway's own address on each PPP link.
    local ip = 192.168.3.1
    ; Server name; must equal the second column of /etc/ppp/chap-secrets.
    name = l2tpserver
    ; pppd options applied to every session.
    pppoptfile = /etc/ppp/options
    ; L2TP framing options: sequence numbers on, AVP hiding off,
    ; length field on; more than one tunnel per peer allowed.
    flow bit = yes
    exclusive = no
    hidden bit = no
    length bit = yes
    ; Clients must authenticate, and only with CHAP: PAP, which sends the
    ; password itself across the link, is refused.
    require authentication = yes
    require chap = yes
    refuse pap = yes

/etc/ipsec.conf

# NOTE(review): nat_traversal, protostack and virtual_private are
# Openswan-era keywords; strongSwan 5.x reportedly ignores or warns about
# them - confirm against the installed version.
config setup
    nat_traversal=yes
    protostack=netkey
    # Private ranges that clients behind NAT may present as their address.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
conn l2tpvpn
    # Always UDP-encapsulate ESP, even when no NAT is detected.
    forceencaps=yes
    # Transport mode: IPsec protects only the L2TP flow between the peers.
    type=transport
    # Pre-shared-key authentication, using the PSK in /etc/ipsec.secrets.
    # Every client knows that key, so it authenticates the group rather
    # than an individual user.
    authby=secret
    # NOTE(review): turns off perfect forward secrecy where the daemon
    # honours this keyword; confirm whether the clients in use can
    # negotiate PFS before leaving it disabled.
    pfs=no
    # The server does not start rekeying and makes one negotiation attempt.
    rekey=no
    keyingtries=1
    # Local side: any address, limited to the L2TP port (udp/1701).
    left=%any
    leftprotoport=udp/l2tp
    # NOTE(review): the next line was mangled by e-mail obfuscation on the
    # source page and is not a valid keyword=value setting. Restore the
    # original value (possibly a leftid identity - unconfirmed) or remove
    # the line before loading this file.
    [email protected]
    # Remote side: any client address, any client source port.
    right=%any
    rightprotoport=udp/%any
    # Load the connection at startup and wait for clients to initiate.
    auto=add

/etc/ppp/options

# pppd options applied to every L2TP session (xl2tpd "pppoptfile").
# Accept the peer's idea of the local and remote IP addresses during IPCP.
ipcp-accept-local
ipcp-accept-remote
# No compression negotiation.
noccp
# The peer must authenticate before network traffic is allowed.
auth
# NOTE(review): crtscts, lock, modem and asyncmap are serial-line options;
# presumably they have no effect on the pty xl2tpd hands to pppd - confirm.
crtscts
# Reduced MTU/MRU to leave room for the L2TP and IPsec overhead.
mtu 1410
mru 1410
# Never replace the server's default route with the PPP link.
nodefaultroute
#defaultroute
#usepeerdns
lock
noproxyarp
silent
modem
asyncmap 0
# Keep password strings out of logged PAP packets.
hide-password
# Only MS-CHAPv2 is accepted. MS-CHAPv2 is weak on its own; the protection
# here comes from the IPsec layer underneath, so L2TP must never be
# reachable without IPsec (see the policy match in the firewall script).
require-mschap-v2
# DNS servers handed to clients (Google Public DNS); client name lookups
# leave through these resolvers.
ms-dns 8.8.8.8
ms-dns 8.8.4.4

iptables_setup.sh

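#!/bin/bash
# iptables_setup.sh - IPv4 firewall and NAT rules for the L2TP/IPsec gateway.
#
# Must run as root. Only the IPv4 filter and nat tables are touched: IPv6
# (ip6tables) is left as it is, and kernel forwarding (net.ipv4.ip_forward=1)
# has to be enabled separately for the FORWARD/MASQUERADE rules to matter.
# The rules live in kernel memory only and are gone after a reboot unless
# they are saved or this script is run again.
#
# No `set -e` on purpose: aborting halfway would leave the DROP policies in
# place with only part of the accept rules loaded.

IF_EXT="eth0"            # Internet-facing interface
IF_INT="ppp+"            # "+" is the iptables wildcard: every pppN interface
NET_INT="192.168.3.1/24" # VPN client subnet (iptables reads it as 192.168.3.0/24)

# Start from empty filter and nat tables.
iptables -F
iptables -F -t nat

# Default-deny for traffic to and through this host; outbound stays open.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# --- INPUT: traffic addressed to the gateway itself -------------------------
iptables -A INPUT -i lo -j ACCEPT
# Replies to flows that are already accepted. Every INPUT rule is an ACCEPT,
# so putting this first changes no verdict; it only lets established traffic
# match early.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# VPN clients may reach the gateway.
iptables -A INPUT -i "${IF_INT}" -s "${NET_INT}" -j ACCEPT
# L2TP (udp/1701) is accepted only when the packet arrived through an IPsec
# policy, so cleartext L2TP from the Internet falls through to DROP.
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
# IPsec itself: ESP, AH, IKE (udp/500) and NAT traversal (udp/4500).
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# Services exposed to every source address. None of these is needed by the
# VPN: delete the lines for services this host does not run. FTP (21) sends
# credentials in cleartext, and SSH (22) is open to the whole Internet here.
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 8080 -j ACCEPT

# --- FORWARD / NAT: traffic routed for VPN clients --------------------------
# Forward packets sourced from the VPN subnet only when they really arrive on
# a ppp interface. Without the -i match, a packet arriving on IF_EXT with a
# spoofed 192.168.3.0/24 source address would be forwarded as well. This rule
# covers both client-to-Internet and client-to-client traffic.
iptables -A FORWARD -i "${IF_INT}" -s "${NET_INT}" -j ACCEPT
# Hide the VPN subnet behind the external interface's address.
iptables -t nat -A POSTROUTING -s "${NET_INT}" -o "${IF_EXT}" -j MASQUERADE
# Return traffic from the Internet, limited to flows the clients opened.
iptables -A FORWARD -i "${IF_EXT}" -o "${IF_INT}" -d "${NET_INT}" -m state --state RELATED,ESTABLISHED -j ACCEPT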
 


    # Restart both daemons so they load the edited files; because of "&&",
    # strongswan is restarted only if the xl2tpd restart succeeded.
    service xl2tpd restart && service strongswan restart