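#!/usr/bin/env bash
# zhanxing
#
# Provision an L2TP/IPsec (pre-shared key) server on a RHEL/CentOS 6-style
# host (service/chkconfig, /etc/sysconfig/iptables):
#   1. install openswan, xl2tpd and the build dependencies,
#   2. prompt for the server's public IP, the PSK and one PPP user,
#   3. write /etc/ipsec.conf, /etc/ipsec.secrets, /etc/xl2tpd/xl2tpd.conf,
#      /etc/ppp/options.xl2tpd, /etc/ppp/chap-secrets, /etc/sysctl.conf and
#      /etc/sysconfig/iptables,
#   4. restart the services and enable them at boot.
#
# Usage: run as root from an interactive terminal (the script prompts).
# Re-running overwrites the generated config files and appends one more
# line to ipsec.secrets / chap-secrets; the sysctl block is added only once.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must run as root"

# 准备环境 / prepare the environment
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof
yum install -y openswan
yum install -y xl2tpd

# -r keeps backslashes literal; -s keeps the PSK and password off the terminal
# (they still end up in ipsec.secrets / chap-secrets, which are chmod 600 below).
read -r -p "input your ip addres:" server_ip
read -r -s -p "input your PSK:" psk
printf '\n'
read -r -p "input your *** user:" vpn_user
read -r -s -p "input your *** password:" vpn_pwd
printf '\n'
[[ -n $server_ip && -n $psk && -n $vpn_user && -n $vpn_pwd ]] \
  || die "ip, PSK, user and password must all be non-empty"

# Outbound interface = the one carrying the default route.
# The previous `ip a | grep inet | awk '{print $NF}'` emitted one name per
# configured address, so on a multi-homed host $eth became a multi-line value
# and the iptables rules below were corrupted.
eth=$(ip route show default \
  | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
[[ -n $eth ]] || die "could not determine the default-route interface"

# --- Openswan -------------------------------------------------------------
# Unquoted delimiter on purpose: $server_ip must expand. No other '$' occurs
# in this file. conn parameters are indented because openswan treats a
# column-0 line as a new section header rather than a parameter.
cat <<OFF >/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
  # Do not set debug options to debug configuration issues!
  # plutodebug / klipsdebug = "all", "none" or a combation from below:
  # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
  # eg:
  # plutodebug="control parsing"
  # Again: only enable plutodebug or klipsdebug when asked by a developer
  #
  # enable to get logs per-peer
  # plutoopts="--perpeerlog"
  #
  # Enable core dumps (might require system changes, like ulimit -C)
  # This is required for abrtd to work properly
  # Note: incorrect SElinux policies might prevent pluto writing the core
  dumpdir=/var/run/pluto/
  #
  # NAT-TRAVERSAL support, see README.NAT-Traversal
  nat_traversal=yes
  # exclude networks used on server side by adding %v4:!a.b.c.0/24
  # It seems that T-Mobile in the US and Rogers/Fido in Canada are
  # using 25/8 as "private" address space on their 3G network.
  # This range has not been announced via BGP (at least upto 2010-12-21)
  virtual_private=%v4:10.10.20.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
  # OE is now off by default. Uncomment and change to on, to enable.
  oe=off
  # which IPsec stack to use. auto will try netkey, then klips then mast
  protostack=netkey
  # Use this to log to a file, or disable logging on embedded systems (like openwrt)
  #plutostderrlog=/dev/null

# Add connections here

# sample *** connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#  # Left security gateway, subnet behind it, nexthop toward right.
#  left=10.0.0.1
#  leftsubnet=172.16.0.0/24
#  leftnexthop=10.22.33.44
#  # Right security gateway, subnet behind it, nexthop toward left.
#  right=10.12.12.1
#  rightsubnet=192.168.0.0/24
#  rightnexthop=10.101.102.103
#  # To authorize this connection, but not actually start it,
#  # at startup, uncomment this.
#  #auto=add

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=$server_ip
  leftprotoport=17/1701
  right=%any
OFF

# The PSK is appended (the file may hold other peers); keep it root-only.
printf '%s\n' "$server_ip %any: PSK \"$psk\"" >>/etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets

# --- Kernel parameters ----------------------------------------------------
# Append only once: the previous version re-appended the block on every run.
sysctl_marker='# l2tp-ipsec forwarding settings (added by setup script)'
if ! grep -qF -- "$sysctl_marker" /etc/sysctl.conf; then
  cat <<OFF >>/etc/sysctl.conf
$sysctl_marker
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
OFF
fi
sysctl -p

# --- xl2tpd ---------------------------------------------------------------
# Quoted delimiter: no shell expansion inside the config text.
cat <<'OFF' >/etc/xl2tpd/xl2tpd.conf
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 10.10.20.100-10.10.20.120
local ip = 10.10.20.1
require chap = yes
refuse pap = yes
require authentication = yes
name = Linux×××server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
OFF

# Quoted delimiter: the unquoted original turned the `\\` in the ntlm_auth
# example into a single backslash.
cat <<'OFF' >/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 114.114.114.114
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "××× Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\××× Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.ht
OFF

# chap-secrets fields: client server secret ip. Quoting the user and secret
# lets them contain spaces; pppd accepts double-quoted fields.
printf '"%s" * "%s" *\n' "$vpn_user" "$vpn_pwd" >>/etc/ppp/chap-secrets
chmod 600 /etc/ppp/chap-secrets

# --- Firewall -------------------------------------------------------------
# Unquoted delimiter so $eth expands; no other '$' occurs in the ruleset.
# Changes from the original ruleset:
#  * the INPUT --sport 80/443/53 rules accepted NEW connections from anyone
#    using those source ports; they now match ESTABLISHED replies only
#    (the matching OUTPUT rules already allow the outbound request).
#  * FORWARD ppp+ -> eth0 was hard-coded while every other rule used $eth.
#  * the blanket POSTROUTING MASQUERADE was listed twice.
# The gre / 1723 rules are PPTP leftovers; this script does not set up PPTP.
# UDP 1701 is accepted without `-m policy --pol ipsec`; add that match if
# plain (non-IPsec) L2TP must be refused.
cat <<OFF >/etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Apr 11 18:22:14 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i $eth -p gre -j ACCEPT
-A INPUT -s 10.168.118.0/24 -j ACCEPT
-A INPUT -s 10.10.20.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 1701 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -j ACCEPT
-A FORWARD -d 10.10.20.0/24 -j ACCEPT
-A FORWARD -i ppp+ -o $eth -j ACCEPT
-A FORWARD -i $eth -o ppp+ -j ACCEPT
-A OUTPUT -d 10.168.118.0/24 -j ACCEPT
-A OUTPUT -d 10.10.20.0/24 -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Apr 11 18:22:14 2017
# Generated by iptables-save v1.4.7 on Tue Apr 11 18:22:14 2017
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $eth -j MASQUERADE
-A POSTROUTING -s 10.10.20.0/24 -o $eth -j MASQUERADE
COMMIT
# Completed on Tue Apr 11 18:22:14 2017
OFF

# --- Services -------------------------------------------------------------
# Under set -e a failed restart aborts here instead of silently enabling a
# broken service at boot.
service ipsec restart
service xl2tpd restart
service iptables restart
chkconfig ipsec on
chkconfig xl2tpd on
chkconfig iptables on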
l2tp-***
转载自blog.51cto.com/zhanx/2318159