#!/bin/bash
# Positional arguments (see the usage line in the main section):
#   $1 public address the IPsec side identifies itself with (leftid)
#   $2 IPsec pre-shared key
#   $3 / $4 first L2TP user's CHAP credentials
# NOTE(review): the PSK and password arrive on argv, so they are visible
# in process listings and shell history while the script runs.
IP="$1"
PSK="$2"
USERNAME="$3"
PASSWORD="$4"
# First three octets of the private /24 handed out to L2TP clients.
IPRANGE="192.168.18"
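#######################################
# Recreate a secrets file with mode 0600 and fill it from stdin.
# The PSK and the CHAP password must never sit in a world-readable
# file, which is what the default umask (typically 022) would produce.
# Arguments: $1 - destination path
# Inputs:    file body on stdin (here-document)
# Returns:   non-zero if the file cannot be written
#######################################
_write_secret_file() {
  local path=$1
  rm -f -- "$path"
  ( umask 077 && cat > "$path" )
}

#######################################
# Write the IPsec, xl2tpd and pppd configuration and secrets files.
# Globals:   IP, PSK, USERNAME, PASSWORD, IPRANGE (read)
# Outputs:   rewrites /etc/ipsec.conf, /etc/ipsec.secrets,
#            /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd and
#            /etc/ppp/chap-secrets
# Returns:   0 on success, 1 if any file could not be written
#######################################
config_install() {
  # IPsec transport-mode policy for L2TP (UDP/1701) from any peer.
  # ${IPRANGE}.0/24 is excluded from virtual_private because it is the
  # pool handed to the L2TP clients themselves. No ike=/phase2alg= is
  # pinned, so the cipher suite falls back to the daemon's defaults.
  cat > /etc/ipsec.conf<<EOF || return 1
version 2.0
config setup
protostack=netkey
nhelpers=0
uniqueids=no
interfaces=%defaultroute
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!${IPRANGE}.0/24
conn l2tp-psk
rightsubnet=vhost:%priv
also=l2tp-psk-nonat
conn l2tp-psk-nonat
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=%defaultroute
leftid=${IP}
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=40
dpdtimeout=130
dpdaction=clear
sha2-truncbug=yes
EOF
  # One PSK shared by all peers. The value is placed inside double
  # quotes, so a PSK containing '"' would break the file — TODO confirm
  # the caller rejects such keys.
  _write_secret_file /etc/ipsec.secrets <<EOF || return 1
%any %any : PSK "${PSK}"
EOF
  # L2TP network server: client pool, local tunnel address, and
  # CHAP-only authentication (PAP is refused so passwords are not sent
  # in clear text inside the tunnel).
  cat > /etc/xl2tpd/xl2tpd.conf<<EOF || return 1
[global]
port = 1701
[lns default]
ip range = ${IPRANGE}.2-${IPRANGE}.254
local ip = ${IPRANGE}.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
  # pppd options for the L2TP sessions: MS-CHAPv2 required, public DNS
  # pushed to clients, 1410-byte MTU/MRU to fit inside the L2TP/IPsec
  # encapsulation, 30-minute idle timeout.
  cat > /etc/ppp/options.xl2tpd<<EOF || return 1
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
hide-password
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
proxyarp
connect-delay 5000
EOF
  # Initial CHAP user. The file is whitespace-delimited
  # (client server secret addresses); add_user/del_user/mod_user
  # append and remove lines in the same format.
  _write_secret_file /etc/ppp/chap-secrets <<EOF || return 1
# Secrets for authentication using CHAP
# client server secret IP addresses
${USERNAME} l2tpd ${PASSWORD} *
EOF
}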
################################################################
## these functions are not used but are kept for future use ##
################################################################
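#######################################
# Print a table of CHAP usernames and passwords.
# Arguments: $1 - secrets file to read (default: /etc/ppp/chap-secrets)
# Outputs:   bordered two-column table on stdout
# Returns:   exits 1 if the secrets file does not exist
#######################################
list_users() {
  local secrets_file=${1:-/etc/ppp/chap-secrets}
  if [[ ! -f "$secrets_file" ]]; then
    printf 'Error: %s file not found.\n' "$secrets_file" >&2
    exit 1
  fi
  local -r border='+-------------------------------------------+'
  # Fixed format string, shared with awk below so header and rows align.
  local -r row_fmt='|%20s |%20s |\n'
  printf '%s\n' "$border"
  # shellcheck disable=SC2059 — row_fmt is a constant, not user data
  printf "$row_fmt" Username Password
  printf '%s\n' "$border"
  # Field 1 is the client name, field 3 the secret; comment lines and
  # blank lines are skipped (blank lines used to print an empty row).
  awk -v fmt="$row_fmt" 'NF && !/^#/ { printf fmt, $1, $3 }' "$secrets_file"
  printf '%s\n' "$border"
}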
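# pppd CHAP secrets file edited by the user-management functions.
# Format, one entry per line: <client> <server> <secret> <ip addresses>
CHAP_SECRETS=/etc/ppp/chap-secrets

#######################################
# Test whether a username exists in the CHAP secrets file.
# Only the first (client) field is compared: a word match across the
# whole line also hit the server name and other users' passwords, so a
# user called "l2tpd", or one sharing a name with a password, was
# misreported as existing.
# Arguments: $1 - username
# Returns:   0 if present, non-zero otherwise (including unreadable file)
#######################################
_chap_user_exists() {
  local user=$1
  awk -v u="$user" '$1 == u { found = 1; exit } END { exit !found }' \
    "$CHAP_SECRETS" 2>/dev/null
}

#######################################
# Remove every entry for a username.
# The file is rewritten through a temp file; the name is compared as a
# string and never interpolated into a sed/regex pattern, so names with
# '/' or regex metacharacters cannot delete the wrong lines.
# Arguments: $1 - username
# Returns:   0 on success, 1 on failure
#######################################
_chap_remove_user() {
  local user=$1 tmp rv=0
  tmp=$(mktemp) || return 1
  # cat into the existing file (rather than mv) keeps its owner and mode.
  awk -v u="$user" '$1 != u' "$CHAP_SECRETS" > "$tmp" \
    && cat -- "$tmp" > "$CHAP_SECRETS" || rv=1
  rm -f -- "$tmp"
  return "$rv"
}

#######################################
# Append one CHAP entry for the local l2tpd server.
# Arguments: $1 - username, $2 - password
#######################################
_chap_append_user() {
  printf '%s l2tpd %s *\n' "$1" "$2" >> "$CHAP_SECRETS"
}

#######################################
# Prompt until an acceptable username is entered.
# Arguments: $1 - prompt text
#            $2 - "new": the name must not exist yet
#                 "existing": the name must already exist
# Outputs:   the accepted username on stdout; diagnostics on stderr
# Returns:   1 on end of input (the old loop spun forever on EOF)
#######################################
_chap_prompt_user() {
  local prompt=$1 mode=$2 name
  while :; do
    read -r -p "$prompt" name || return 1
    if [[ -z "$name" ]]; then
      echo "Username can not be empty" >&2
    elif [[ "$name" == *[[:space:]]* ]]; then
      # The secrets file is whitespace-delimited; such a name would be
      # split into several fields.
      echo "Username can not contain whitespace" >&2
    elif [[ "$mode" == new ]] && _chap_user_exists "$name"; then
      echo "Username (${name}) already exists. Please re-enter your username." >&2
    elif [[ "$mode" == existing ]] && ! _chap_user_exists "$name"; then
      echo "Username (${name}) is not exists. Please re-enter your username." >&2
    else
      printf '%s\n' "$name"
      return 0
    fi
  done
}

#######################################
# Prompt for a password, offering a generated default.
# Arguments: $1 - username (for the prompt text)
#            $2 - label: "password" or "new password"
# Outputs:   the chosen password on stdout; prompts on stderr
# Returns:   1 if the result is empty or contains whitespace — an empty
#            secret would make pppd read the trailing "*" as the password
#######################################
_chap_prompt_password() {
  local user=$1 label=$2 default chosen
  # rand is not defined in this file; presumably provided elsewhere in
  # the script — TODO confirm. If absent, default stays empty and the
  # user must type a password.
  default=$(rand)
  echo "Please input ${user}'s ${label}:" >&2
  read -r -p "(Default Password: ${default}):" chosen
  [[ -n "$chosen" ]] || chosen=$default
  if [[ -z "$chosen" || "$chosen" == *[[:space:]]* ]]; then
    echo "Password can not be empty or contain whitespace" >&2
    return 1
  fi
  printf '%s\n' "$chosen"
}

#######################################
# Interactively add a CHAP user.
# Returns:   0 on success, 1 if input was aborted or the file write failed
#######################################
add_user() {
  local user pass
  user=$(_chap_prompt_user "Please input your Username:" new) || return 1
  pass=$(_chap_prompt_password "$user" "password") || return 1
  _chap_append_user "$user" "$pass" || return 1
  echo "Username (${user}) add completed."
}

#######################################
# Interactively delete a CHAP user.
# Returns:   0 on success, 1 if input was aborted or the rewrite failed
#######################################
del_user() {
  local user
  user=$(_chap_prompt_user "Please input Username you want to delete it:" existing) || return 1
  _chap_remove_user "$user" || return 1
  echo "Username (${user}) delete completed."
}

#######################################
# Interactively change a CHAP user's password.
# Returns:   0 on success, 1 if input was aborted or the rewrite failed
#######################################
mod_user() {
  local user pass
  user=$(_chap_prompt_user "Please input Username you want to change password:" existing) || return 1
  pass=$(_chap_prompt_password "$user" "new password") || return 1
  _chap_remove_user "$user" && _chap_append_user "$user" "$pass" || return 1
  echo "Username ${user}'s password has been changed."
}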
####################################################
## main starts here ##
####################################################
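#######################################
# Entry point: validate arguments, write the configuration, persist the
# kernel network settings, then enable and (re)start the daemons.
# Arguments: $1 ip, $2 psk, $3 username, $4 password (already copied into
#            IP/PSK/USERNAME/PASSWORD at the top of the file)
# Returns:   exits 1 on a usage error, when not running as root, or when
#            the configuration files cannot be written
#######################################
main() {
  local path iface
  if [[ $# -ne 4 ]]; then
    echo "usage: ./config_vpn_server.sh [ip] [psk] [username] [password]" >&2
    exit 1
  fi
  # Everything below writes under /etc and /proc; fail early with one
  # clear message instead of a trail of permission errors.
  if [[ "$EUID" -ne 0 ]]; then
    echo "Error: this script must be run as root." >&2
    exit 1
  fi
  config_install || { echo "Error: failed to write configuration files." >&2; exit 1; }

  # Persist the sysctl settings once; the marker comment makes re-runs
  # idempotent. rp_filter=0 is deliberate so replies to tunnel clients are
  # not dropped by reverse-path filtering — it also disables the kernel's
  # source-address spoofing check on those interfaces.
  if ! grep -q yt_vpn_server_config /etc/sysctl.conf; then
    {
      echo "#yt_vpn_server_config"
      # ip_forward was only set in /proc before, so forwarding (and
      # therefore the VPN) silently stopped working after a reboot.
      echo "net.ipv4.ip_forward=1"
      echo "net.ipv4.conf.all.accept_source_route=0"
      echo "net.ipv4.conf.all.accept_redirects=0"
      echo "net.ipv4.conf.all.send_redirects=0"
      echo "net.ipv4.conf.all.rp_filter=0"
      for path in /proc/sys/net/ipv4/conf/*; do
        [[ -e "$path" ]] || continue   # unmatched glob stays literal
        iface=${path##*/}
        echo "net.ipv4.conf.${iface}.accept_source_route=0"
        echo "net.ipv4.conf.${iface}.accept_redirects=0"
        echo "net.ipv4.conf.${iface}.send_redirects=0"
        echo "net.ipv4.conf.${iface}.rp_filter=0"
      done
    } >> /etc/sysctl.conf
    sysctl -p
  fi
  # Apply forwarding immediately as well (sysctl -p only runs on the
  # first pass above).
  echo 1 > /proc/sys/net/ipv4/ip_forward

  systemctl enable ipsec
  systemctl enable xl2tpd
  systemctl restart ipsec
  systemctl restart xl2tpd
  echo "Checking ipsec status..."
  systemctl -a | grep ipsec
  echo "Checking xl2tpd status..."
  systemctl -a | grep xl2tpd
  echo "Please wait a moment..."
  sleep 5
  ipsec verify
}
main "$@"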