单IP和多IP的机器搭建方法差不多，主要是修改规则。
QQ交流群952577343
```bash
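#!/usr/bin/env bash
# L2TP/IPsec (xl2tpd + strongSwan, pre-shared key) server setup for a
# yum/systemd host. Must run as root.
#
# Tunables, all optional, read from the environment:
#   WAN_IF    outbound interface for SNAT (default: default-route device, else eth0)
#   IP        public IPv4 used as the IKE "left" endpoint and SNAT source
#             (default: first IPv4 on WAN_IF, else first non-loopback IPv4)
#   VPN_PSK   IKE pre-shared key (default: 32 random hex chars)
#   VPN_USER  PPP/MS-CHAPv2 user name (default: coco)
#   VPN_PASS  PPP/MS-CHAPv2 password (default: 32 random hex chars)
#
# Secrets are written to /etc/strongswan/ipsec.secrets and
# /etc/ppp/chap-secrets (mode 0600) and are not echoed to the terminal.
set -euo pipefail

readonly VPN_SUBNET=172.18.0.0/24
readonly VPN_POOL=172.18.0.10-172.18.0.100
readonly VPN_GW=172.18.0.254

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# 16 random bytes as 32 hex chars. od consumes exactly N bytes and exits 0,
# so the pipeline is safe under pipefail (no SIGPIPE from a truncating head).
rand_hex() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# Replace (or add) key=value in /etc/sysctl.conf so repeated runs stay idempotent.
# Arguments: $1 - sysctl key, $2 - value
set_sysctl() {
  local key=$1 value=$2
  # Anchor on the key so e.g. net.ipv4.ip_forward does not also delete
  # net.ipv4.ip_forward_use_pmtu; dots are escaped for the regex.
  sed -i -e "/^${key//./\\.}[[:space:]]*=/d" /etc/sysctl.conf
  printf '%s=%s\n' "$key" "$value" >> /etc/sysctl.conf
}

(( EUID == 0 )) || die "this script must run as root"

yum -y install strongswan xl2tpd ppp cronie iptables-services procps net-tools

# Outbound interface: default-route device, then eth0 (the historical hard-coded value).
WAN_IF=${WAN_IF:-$(ip -4 route show default | awk 'NR==1 {print $5}')}
WAN_IF=${WAN_IF:-eth0}

# Public address: first IPv4 on WAN_IF; `ip` may fail if WAN_IF does not exist,
# so its status is ignored and the loopback-excluding scan below is the fallback.
if [[ -z "${IP:-}" ]]; then
  IP=$( { ip -4 -o addr show dev "$WAN_IF" 2>/dev/null || true; } \
    | awk 'NR==1 {sub(/\/.*/, "", $4); print $4}')
fi
if [[ -z "$IP" ]]; then
  IP=$(ip -4 -o addr show \
    | awk '$4 !~ /^127\./ && !found {sub(/\/.*/, "", $4); print $4; found=1}')
fi
[[ -n "$IP" ]] || die "could not determine the public IPv4 address; set IP=..."

VPN_PSK=${VPN_PSK:-$(rand_hex)}
VPN_USER=${VPN_USER:-coco}
VPN_PASS=${VPN_PASS:-$(rand_hex)}

# Kernel: enable forwarding, disable redirects/source routing for the tunnel host.
set_sysctl net.ipv4.ip_forward 1
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.all.send_redirects 0
set_sysctl net.ipv4.conf.default.rp_filter 0
set_sysctl net.ipv4.conf.default.accept_source_route 0
set_sysctl net.ipv4.conf.default.send_redirects 0
set_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
# --system applies /etc/sysctl.d/*.conf and then /etc/sysctl.conf; -e keeps
# going past keys this kernel does not know.
sysctl -e --system

# PPP options: MS-CHAPv2 only, no header compression, Google DNS pushed to clients.
cat <<'EOF' > /etc/ppp/options.xl2tpd
# The name of the local system for authentication purposes
name l2tpd
# Refuse EAP, PAP, CHAP or MS-CHAP connections
# Accept ONLY MS-CHAPv2 or MPPE with 128-bit encryption
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Require authorization
auth
# Add entry to the ARP system table
proxyarp
# Disable BSD-Compress and Van Jacobson TCP/IP header compression
nobsdcomp
novj
novjccomp
# Disable logging
nolog
nologfd
# LCP echo-requests options
lcp-echo-interval 30
lcp-echo-failure 5
# MTU MRU options
mtu 1200
mru 1200
# DNS options for Windows clients
ms-dns 8.8.8.8
ms-dns 8.8.4.4
EOF

cat <<EOF > /etc/xl2tpd/xl2tpd.conf
[lns default]
ip range = ${VPN_POOL}
local ip = ${VPN_GW}
refuse pap = yes
refuse chap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
exclusive = yes
ppp debug = no
assign ip = yes
EOF

# strongSwan requires conn parameters to be indented below the section header.
# The ike=/esp= lists deliberately keep legacy proposals (modp1024, 3des-sha1)
# for old built-in clients; trim them if only modern clients connect.
cat <<EOF > /etc/strongswan/ipsec.conf
version 2
conn L2TP-PSK-NAT
    authby=secret
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=${IP}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
EOF

# Secrets: generated or supplied via the environment, never a fixed literal.
cat <<EOF > /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "${VPN_PSK}"
EOF

cat <<EOF > /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
"${VPN_USER}" * "${VPN_PASS}" *
EOF
chmod 600 /etc/strongswan/ipsec.secrets /etc/ppp/chap-secrets

# Firewall: replace firewalld with iptables-services. firewalld may not be
# installed, in which case the removal is allowed to fail.
yum remove firewalld -y || true
yum install -y iptables-services
iptables -F
systemctl enable iptables.service
service iptables save
systemctl start iptables.service
# -F above only flushes the filter table; check (-C) before appending so
# re-running the script does not stack duplicate SNAT rules in nat.
iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j SNAT \
  --to-source "$IP" -m comment --comment IPSEC 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j SNAT \
    --to-source "$IP" -m comment --comment IPSEC

systemctl enable xl2tpd.service strongswan.service
systemctl restart xl2tpd.service strongswan.service
service iptables save

printf 'L2TP/IPsec configured on %s via %s; credentials are in %s and %s\n' \
  "$IP" "$WAN_IF" /etc/strongswan/ipsec.secrets /etc/ppp/chap-secrets >&2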
```