L2TP是常用的一种point-site的VPN。而目前在Azure上的VPN Gateway只支持IPsec和SSTP两种。如果客户需要L2TP服务器,需要自己在VM中搭建。本文将介绍如何在Azure上搭建基于CentOS65的L2TP服务器。

一、在Azure上创建VM

1. 创建CentOS6.5的VM

在Azure上创建虚拟机时选择CentOS6.5:

具体创建的过程就不再介绍了。

2. 给VM创建Endpoint

L2TP Over IPSec将使用UDP500和UDP4500两个端口,是标准的IPSEC的NAT-T端口。另外22端口也是需要的。具体的配置如下:

二、在VM上安装软件

通过SSH登陆VM。

1. 检查版本,配置YUM源

cat /etc/redhat-release

CentOS release 6.5 (Final)

确认软件版本是CentOS6.5

vim /etc/yum.repos.d/epel.repo

[epel]

name=epel

baseurl=http://mirrors.sohu.com/fedora-epel/6/$basearch

enabled=

gpgcheck=

2. 安装软件

a. 首先通过Yum安装:

yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof

b. 然后安装IPSEC:

下载最新的IPSEC:

wget https://download.openswan.org/openswan/openswan-2.6.49.tar.gz --no-check-certificate

解压:

tar vxf openswan-2.6..tar.gz

安装:

make programs install

c. 通过Yum安装epel里的xl2tpd:

yum install -y xl2tpd

三、配置各种服务

1. IPSEC的配置

vim /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file: /usr/local/share/doc/openswan/ipsec.conf-sample

#

# Manual: ipsec.conf.

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup

# Do not set debug options to debug configuration issues!

# plutodebug / klipsdebug = "all", "none" or a combation from below:

# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"

# eg:

# plutodebug="control parsing"

# Again: only enable plutodebug or klipsdebug when asked by a developer

#

# enable to get logs per-peer

# plutoopts="--perpeerlog"

#

# Enable core dumps (might require system changes, like ulimit -C)

# This is required for abrtd to work properly

# Note: incorrect SElinux policies might prevent pluto writing the core

dumpdir=/var/run/pluto/

#

# NAT-TRAVERSAL support, see README.NAT-Traversal

nat_traversal=yes

# exclude networks used on server side by adding %v4:!a.b.c./

# It seems that T-Mobile in the US and Rogers/Fido in Canada are

# using / as "private" address space on their 3G network.

# This range has not been announced via BGP (at least upto --)

virtual_private=%v4:10.0.0.0/,%v4:192.168.0.0/,%v4:172.16.0.0/,%v4:25.0.0.0/,%v6:fd00::/,%v6:fe80::/

# OE is now off by default. Uncomment and change to on, to enable.

oe=off

# which IPsec stack to use. auto will try netkey, then klips then mast

protostack=netkey

#protostack=auto

# Use this to log to a file, or disable logging on embedded systems (like openwrt)

#plutostderrlog=/dev/null

# Add connections here

# sample VPN connection

# for more examples, see /etc/ipsec.d/examples/

#conn sample

# # Left security gateway, subnet behind it, nexthop toward right.

# left=10.0.0.1

# leftsubnet=172.16.0.0/

# leftnexthop=10.22.33.44

# # Right security gateway, subnet behind it, nexthop toward left.

# right=10.12.12.1

# rightsubnet=192.168.0.0/

# rightnexthop=10.101.102.103

# # To authorize this connection, but not actually start it,

# # at startup, uncomment this.

# #auto=add

conn L2TP-PSK-NAT

  rightsubnet=vhost:%priv

  also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT

  authby=secret

  pfs=no

  auto=add

  keyingtries=

  rekey=no

  ikelifetime=8h

  keylife=1h

  type=transport

  left=10.215.92.31 #AWS EC2 Internal IP

  leftprotoport=/

  right=%any

  rightprotoport=/%any

  dpddelay=

  dpdtimeout=

  dpdaction=clear

2. 配置IPSEC的Security

vim /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for inter-Pluto

# authentication. See ipsec_pluto() manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host

# which knows the public part. Suitable public keys, for ipsec.conf, DNS,

# or configuration of other implementations, can be extracted conveniently

# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys

#include /var/lib/openswan/ipsec.secrets.inc

%any %any: PSK "azure"

3. 配置sysctl.conf文件

vim /etc/sysctl.conf

net.ipv4.ip_forward =

net.ipv4.conf.default.rp_filter =

net.ipv4.conf.all.send_redirects =

net.ipv4.conf.default.send_redirects =

net.ipv4.conf.all.log_martians =

net.ipv4.conf.default.log_martians =

net.ipv4.conf.default.accept_source_route =

net.ipv4.conf.all.accept_redirects =

net.ipv4.conf.default.accept_redirects =

net.ipv4.icmp_ignore_bogus_error_responses =

通过下面的命令,是配置生效:

sysctl -p

service ipsec start

ipsec verify

4. 配置xl2tpd

vim /etc/xl2tpd/xl2tpd.conf

;

; This is a minimal sample xl2tpd configuration file for use

; with L2TP over IPsec.

;

; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec

; clients connect. In this example, the internal (protected) network

; is 192.168.1.0/. A special IP range within this network is reserved

; for the remote clients: 192.168.1.128/

; (i.e. 192.168.1.128 ... 192.168.1.254)

;

; The listen-addr parameter can be used if you want to bind the L2TP daemon

; to a specific IP address instead of to all interfaces. For instance,

; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98

; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)

; will be used by xl2tpd as its address on pppX interfaces.

[global]

; listen-addr = 192.168.1.98

;

; requires openswan-2.5. or higher - Also does not yet work in combination

; with kernel mode l2tp as present in linux 2.6.+

; ipsec saref = yes

; Use refinfo of  if using an SAref kernel patch based on openswan 2.6. or

; when using any of the SAref kernel patches for kernels up to 2.6..

; saref refinfo =

;

; force userspace = yes

;

; debug tunnel = yes

ipsec saref = no

[lns default]

ip range = 192.168.1.128-192.168.1.254

local ip = 192.168.1.99

require chap = yes

refuse pap = yes

require authentication = yes

name = LinuxVPNserver

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

5. 配置ppp的用户名密码

vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client server secret IP addresses

user * azure *

6. 配置iptables

iptables -t nat -A POSTROUTING -s 192.168.1.0/ -o eth0 -j MASQUERADE

iptables -I FORWARD -s 192.168.1.0/ -j ACCEPT

iptables -I FORWARD -d 192.168.1.0/ -j ACCEPT

service iptables save

四、设置服务

service ipsec restart

service xl2tpd restart

service iptables restart

chkconfig xl2tpd on

chkconfig iptables on

chkconfig ipsec on

五、设置IPHONE

在Azure上搭建L2TP服务器的更多相关文章

  1. 微软.NET年芳15:我在Azure上搭建Photon服务器(C#.NET)

    网上火热的“微软.NET年芳15”文章,我也得写点什么嘛,毕竟我还是现任的微软MVP. 摘录网上的“.NET 15周年”信息如下: 微软的 .NET 框架本周迎来了 15 岁生日..NET 的第一个版 ...

  2. Mac上搭建直播服务器Nginx+rtmp

    简介 nginx是非常优秀的开源服务器,用它来做hls或者rtmp流媒体服务器是非常不错的选择,本人在网上整理了安装流程,分享给大家并且作备忘. 步骤安装 1.安装Homebrow Homebrew简 ...

  3. CentOs上搭建git服务器

    CentOs上搭建git服务器 首先安装setuptools wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0 ...

  4. [Windows Azure] 使用 Windows Azure 快速搭建 Redis 服务器

    [Windows Azure] 使用 Windows Azure 快速搭建 Redis 服务器   Redis相信玩开源,大数据的朋友们并不陌生,大家最熟悉的使用者就是新浪微博,微博的整体数据缓存都是 ...

  5. 在路由器上搭建SVN服务器

    在路由器上搭建SVN服务器 SVN托管服务大家都不陌生了,我最早开始用的是谷歌提供的SVN,因为在上面托管的项目都是开源的,所以当有些项目不方便在网上公开的时候,就需要自己搭建SVN服务器了.wind ...

  6. Ubuntu上搭建Git服务器

    下面我们就看看,如何在Ubuntu上搭建Git服务器.我们使用VMware虚拟机安装两台Ubantu系统,分别命名为gitServer和gitClient_01. 1.安装OpenSSH并配置SSH无 ...

  7. Mac上搭建直播服务器Nginx

    Mac上搭建直播服务器Nginx 1.安装Homebrew,执行命令 Homebrew简称brew,是Mac OSX上的软件包管理工具,能在Mac中方便的安装软件或者卸载软件,可以说Homebrew就 ...

  8. CentOS Linux上搭建PPPoE服务器及拨号设置

    CentOS Linux上搭建PPPoE服务器及拨号设置 搭建PPPoE,成功了的话,就觉得超级简单,在CentOS Linux更是5步左右就能搞定. 1.安装pppoe,安装完成后,会有pppoe- ...

  9. 【转】【FTP】之windows8.1上搭建FTP服务器方法

    参考地址:<windows8.1上搭建FTP服务器方法>

随机推荐

  1. awk的getline命令

    原文出处:生活费的博客,http://www.cnblogs.com/276815076/archive/2011/12/05/2276625.html#undefined  两种情况:getline ...

  2. 基于Visual c++ 2012的php扩展开发 - HelloWord!

    1.cmd进入命令行模式,并进入php-5.6.20-src/ext源代码的ext目录下输入命令php ext_skel_win32.php --extname=HelloWord,执行结果如下图: ...

  3. iOS_多线程(一)

    在学习多线程之前首先搞清楚以下几个问题. 并发:在同一时刻,只有一条指令被执行,多条指令进行快速切换执行. 并行:在同一时刻,多个处理器可以处理多条指令 1.什么是进程?      一个运行的程序就是 ...

  4. springmvc返回视图(解析)

    1.什么是视图? 视图就是展示给用户看的结果.可以是很多形式,例如:html.JSP.excel表单.Word文档.PDF文档.JSON数据.freemarker模板视图等等. 2.传统JSP和JST ...

  5. 泛型学习第三天——C#读取数据库返回泛型集合 把DataSet类型转换为List<T>泛型集合

    定义一个类: public class UserInfo    {        public System.Guid ID { get; set; } public string LoginName ...

  6. Java注解处理器

    Java注解处理器 2015/03/03 | 分类: 基础技术 | 0 条评论 | 标签: 注解 分享到:1 译文出处: race604.com   原文出处:Hannes Dorfmann Java ...

  7. Spring初学之spring的事务管理注解

    spring的事务管理,本文的例子是:比如你需要网购一本书,卖书的那一方有库存量以及书的价格,你有账户余额.回想我们在编程中要实现买书这样的功能,由于你的账户表和书的库存量表肯定不是同一张数据库表,所 ...

  8. poj 1061 青蛙的约会 扩展欧几里德

    青蛙的约会 Time Limit: 1000MS   Memory Limit: 10000K       Description 两 只青蛙在网上相识了,它们聊得很开心,于是觉得很有必要见一面.它们 ...

  9. python基础2 - 运算符

    3. 运算符 3.1 算数运算符 算数运算符是 运算符的一种 是完成基本的算术运算使用的符号,用来处理四则运算 运算符 描述 实例 + 加 10 + 20 = 30 - 减 10 - 20 = -10 ...

  10. JavaScript 获取输入时的光标位置及场景问题

    前言 在输入编辑的业务场景中,可能会需要在光标当前的位置或附近显示提示选项.比如社交评论中的@user功能,要确保提示的用户列表总是出现在@字符右下方,又或者是在自定义编辑器中 autocomplet ...