Linux Policy-based site-to-site IPsec VPN动态IP的配置及内网穿透的应用（StrongSwan）

上一篇文章提到了一点StrongSwan的配置。

本文继续使用StrongSwan。

StrongSwan的left和right是支持使用域名的，利用此可以实现动态IP的支持；上一篇文章用了type=transport模式转发UDP端口构建L2TPv3，如果没有L2组网的需求，其实可以直接利用type=tunnel模式实现L3转发。

网络拓扑：

上图中的路由器lan-router1和lan-router2都是通过pppoe接入互联网的，域名lan-router1.router和lan-router2.router通过ddns分别解析到了各自pppoe0的IP地址上；server1和server2分别通过lan-router1和lan-router2接入互联网。

下面的操作将在server1与lan-router2之间构建site-to-site IPsec VPN，接通192.168.1.0/24与10.0.0.0/24这两个内网。

提醒：用StrongSwan构建site-to-site IPsec VPN的话，需要至少有一端的UDP 500和4500端口在公网可以访问。

1. 配置StrongSwan

安装StrongSwan就不再阐述了。

在IPsec的配置文件中，left指本地，right指对方。

2.1 server1的配置

编辑/etc/ipsec.conf，末尾加入：

conn peer-server2-tunnel-1
	left=0.0.0.0
	leftid="@server1-id"
	right=lan-router2.router
	rightid="@lan-router2-id"
	leftsubnet=192.168.1.0/24
	rightsubnet=10.0.0.0/24
	ike=aes128-sha1-modp2048!
	keyexchange=ikev2
	reauth=no
	ikelifetime=28800s
	dpddelay=30s
	dpdtimeout=120s
	dpdaction=restart
	esp=aes128-sha1-modp2048!
	keylife=3600s
	rekeymargin=540s
	type=tunnel
	compress=no
	authby=secret
	auto=route
	keyingtries=%forever

conn peer-server2-tunnel-1

left=0.0.0.0

leftid="@server1-id"

right=lan-router2.router

rightid="@lan-router2-id"

leftsubnet=192.168.1.0/24

rightsubnet=10.0.0.0/24

ike=aes128-sha1-modp2048!

keyexchange=ikev2

reauth=no

ikelifetime=28800s

dpddelay=30s

dpdtimeout=120s

dpdaction=restart

esp=aes128-sha1-modp2048!

keylife=3600s

rekeymargin=540s

type=tunnel

compress=no

authby=secret

auto=route

keyingtries=%forever

这里left直接用0.0.0.0表示任何IP都接受连接，right用lan-router2的ddns域名lan-router2.router。

其中left/rightsubnet分别定义了server1的内网IP段，server2的内网IP段，意思就是leftsubnet和rightsubnet之间的流量将走site-to-site IPsec VPN。left/rightsubnet支持定义多个子网的，用逗号分隔。

在server1的auto是route，意思是当内核遇到目的地为rightsubnet的流量，自动发起协商构建site-to-site IPsec VPN。

left/rightid是不建议省略的，另外记得在开头添加@阻止把字符串当成域名解析成IP。

其余的参数，大概就是使用aes-128加密，sha1签名，ikev2协议交换密钥，30秒发送一次心跳包（使用NAT的话尤其重要），心跳包超过120秒无回应重新构建连接（dpdaction=restart）。

编辑/etc/ipsec.secrets，在末尾加入（其中的pre-shared-key是密码，记得改成你自己定的值）：

0.0.0.0 lan-router2.router @server1-id @lan-router2-id : PSK "pre-shared-key"

1	0.0.0.0 lan-router2.router @server1-id @lan-router2-id : PSK "pre-shared-key"

ipsec.secrets的格式，上一篇文章也有提到，是：

left_ip right_ip left_id right_id : PSK "pre-shared-key"

1	left_ip right_ip left_id right_id : PSK "pre-shared-key"

2.2 server2的配置

server2需开放UDP端口500与4500。

编辑/etc/ipsec.conf，末尾加入：

conn peer-lan-router1.router-tunnel-1
	left=0.0.0.0
	leftid="@lan-router2-id"
	right=lan-router1.router
	rightid="@server1-id"
	leftsubnet=10.0.0.0/24
	rightsubnet=192.168.1.0/24
	ike=aes128-sha1-modp2048!
	keyexchange=ikev2
	reauth=no
	ikelifetime=28800s
	dpddelay=30s
	dpdtimeout=120s
	dpdaction=clear
	esp=aes128-sha1-modp2048!
	keylife=3600s
	rekeymargin=540s
	type=tunnel
	compress=no
	authby=secret
	auto=add
	keyingtries=%forever

conn peer-lan-router1.router-tunnel-1

left=0.0.0.0

leftid="@lan-router2-id"

right=lan-router1.router

rightid="@server1-id"

leftsubnet=10.0.0.0/24

rightsubnet=192.168.1.0/24

ike=aes128-sha1-modp2048!

keyexchange=ikev2

reauth=no

ikelifetime=28800s

dpddelay=30s

dpdtimeout=120s

dpdaction=clear

esp=aes128-sha1-modp2048!

keylife=3600s

rekeymargin=540s

type=tunnel

compress=no

authby=secret

auto=add

keyingtries=%forever

其实大体上就是把server1的配置中的left和right调换过来。

当然，这边的right用了域名lan-router1.router，这个域名是会解析到lan-router1 的pppoe0接口的IP的。

此外，这边的auto是add，dpdaction是clear，主要原因是server1处于内网，在server2是无法主动发起协商请求的，所以让StrongSwan启动时仅加载此配置，不作任何其它操作，并且心跳回应超时后，不重建连接。

编辑/etc/ipsec.secrets，在末尾加入（其中的pre-shared-key是密码，记得改成你自己定的值）：

0.0.0.0 lan-router1.router @lan-router2-id @server1-id : PSK "pre-shared-key"

1	0.0.0.0 lan-router1.router @lan-router2-id @server1-id : PSK "pre-shared-key"

2.3 重启StrongSwan并发起协商构建连接

server1和lan-router2执行下面的命令重启StrongSwan：

ipsec restart

1	ipsec restart

发起协商是仅能从server1发起的，原因上一篇文章和开头已提过：

root@server1:~# ipsec status
Routed Connections:
peer-server2-tunnel-1{1}:  ROUTED, TUNNEL, reqid 1
peer-server2-tunnel-1{1}:   192.168.1.0/24 === 10.0.0.0/24
Security Associations (0 up, 0 connecting):
  none

root@server1:~# ipsec up peer-server2-tunnel-1
initiating IKE_SA peer-server2-tunnel-1[6] to 5.3.2.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.2[500] to 5.3.2.1[500] (464 bytes)
received packet: from 5.3.2.1[500] to 192.168.1.2[500] (462 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of 'server1-id' (myself) with pre-shared key
establishing CHILD_SA peer-server2-tunnel-1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.2[4500] to 5.3.2.1[4500] (364 bytes)
received packet: from 5.3.2.1[4500] to 192.168.1.2[4500] (316 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'lan-router2-id' with pre-shared key successful
IKE_SA peer-server2-tunnel-1[6] established between 192.168.1.2[server1-id]...5.3.2.1[lan-router2-id]
scheduling rekeying in 28010s
maximum IKE_SA lifetime 28550s
received netlink error: Network is unreachable (101)
unable to install source route for 192.168.1.6
CHILD_SA peer-server2-tunnel-1{2} established with SPIs cc4adf80_i c367b3b2_o and TS 192.168.1.0/24 === 10.0.0.0/24
peer supports MOBIKE
connection 'peer-server2-tunnel-1' established successfully

root@server1:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=202 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=207 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=207 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=202 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=201 ms
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 201.606/204.301/207.931/2.942 ms

root@server1:~# ipsec status

Routed Connections:

peer-server2-tunnel-1{1}: ROUTED, TUNNEL, reqid 1

peer-server2-tunnel-1{1}: 192.168.1.0/24 === 10.0.0.0/24

Security Associations (0 up, 0 connecting):

none

root@server1:~# ipsec up peer-server2-tunnel-1

initiating IKE_SA peer-server2-tunnel-1[6] to 5.3.2.1

generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

sending packet: from 192.168.1.2[500] to 5.3.2.1[500] (464 bytes)

received packet: from 5.3.2.1[500] to 192.168.1.2[500] (462 bytes)

parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]

local host is behind NAT, sending keep alives

authentication of 'server1-id' (myself) with pre-shared key

establishing CHILD_SA peer-server2-tunnel-1

generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]

sending packet: from 192.168.1.2[4500] to 5.3.2.1[4500] (364 bytes)

received packet: from 5.3.2.1[4500] to 192.168.1.2[4500] (316 bytes)

parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]

authentication of 'lan-router2-id' with pre-shared key successful

IKE_SA peer-server2-tunnel-1[6] established between 192.168.1.2[server1-id]...5.3.2.1[lan-router2-id]

scheduling rekeying in 28010s

maximum IKE_SA lifetime 28550s

received netlink error: Network is unreachable (101)

unable to install source route for 192.168.1.6

CHILD_SA peer-server2-tunnel-1{2} established with SPIs cc4adf80_i c367b3b2_o and TS 192.168.1.0/24 === 10.0.0.0/24

peer supports MOBIKE

connection 'peer-server2-tunnel-1' established successfully

root@server1:~# ping 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=202 ms

64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=207 ms

64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=207 ms

64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=202 ms

64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=201 ms

--- 10.0.0.1 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4004ms

rtt min/avg/max/mdev = 201.606/204.301/207.931/2.942 ms

如果up有提示successfully，但是ping不通的话，见本文2.3防火墙的配置。

在lan-router2上测试：

root@lan-router2:~# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=205 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=215 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=221 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=214 ms
64 bytes from 192.168.1.2: icmp_seq=5 ttl=64 time=215 ms
^C
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 205.575/214.439/221.194/5.054 ms

root@lan-router2:~# ping 192.168.1.2

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.

64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=205 ms

64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=215 ms

64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=221 ms

64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=214 ms

64 bytes from 192.168.1.2: icmp_seq=5 ttl=64 time=215 ms

--- 192.168.1.2 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4002ms

rtt min/avg/max/mdev = 205.575/214.439/221.194/5.054 ms

因为设置了心跳，所以无需担心路由器上的NAT记录超时，此外server1上设置了自动重连，所以更换IP或者其它原因导致VPN断开后，只要ddns更新的DNS记录生效了或者网络恢复正常，理论上server1是会自动重连的，当然，理论上。

2. 其它配置

2.1 L2TPv3、GRE等应用

通过上面构造的VPN，因为server1和lan-router2都是分别拥有一个固定的内网IP的，所以可以直接指定双方的内网IP构建L2TPv3（详见上一篇文章）或者GRE之类的。

2.2 启用IPv4转发以及设置SNAT规则

上面配置的都是/24的子网，如果两边都未启用IPv4转发，双方都仅能访问对方的IP。

本文的拓扑中，server1是需要启用IPv4转发并设置SNAT的，lan-router2上一般不需要进行这两项配置。

如何启用IPv4转发以及设置SNAT规则，网络上很多资料，这个各位自行按实际情况解决。

2.3 防火墙的配置

这里给个匹配IPsec流量的规则，自行按需应用吧：

-m policy --dir in|out --pol ipsec

1	-m policy --dir in\|out --pol ipsec

例如lan-router2上pppoe0接口可能配了防火墙对入网流量进行了较为严格的入网流量控制，会导致lan-router2可以主动访问server1但server1无法主动访问lan-router2，加入以下规则即可解决：

iptables -I INPUT -i pppoe0 -s 192.168.1.0/24 -m policy --dir in --pol ipsec -j ACCEPT

1	iptables -I INPUT -i pppoe0 -s 192.168.1.0/24 -m policy --dir in --pol ipsec -j ACCEPT

转发的类似，加入FORWARD链即可。

Linux L2TPv3以及ip-xfrm的配置

L2TPv3：http://man7.org/linux/man-pages/man8/ip-l2tp.8.html

ip-xfrm：http://man7.org/linux/man-pages/man8/ip-xfrm.8.html

这两个都是kernel内置的功能，通过这两个可以直接构建加密的VPN。

本文尝试使用ip-xfrm创建加密的隧道，并基于此隧道构建L2TPv3 VPN。

1. 生成密钥与ID

不使用StrongSwan，手动配置ip-xfrm时需要用到：

HASH_KEY=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null | xxd -p -c 64`
ENCRYPT_KEY=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null | xxd -p -c 64`
ID=0x`dd if=/dev/urandom count=4 bs=1 2> /dev/null | xxd -p -c 8`
echo -e "HASH_KEY=${HASH_KEY}\nENCRYPT_KEY=${ENCRYPT_KEY}\nID=${ID}"

HASH_KEY=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null | xxd -p -c 64`

ENCRYPT_KEY=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null | xxd -p -c 64`

ID=0x`dd if=/dev/urandom count=4 bs=1 2> /dev/null | xxd -p -c 8`

echo -e "HASH_KEY=${HASH_KEY}\nENCRYPT_KEY=${ENCRYPT_KEY}\nID=${ID}"

复制上面四行命令后输出的内容，粘贴到left和right上运行，用于设置变量

2. 配置ip-xfrm

这里得分两种情况，一种是left和right都不经过NAT直接持有公网IP，另一种是left或者right任何一端经过NAT。

为什么要这样区分？因为ip-xfrm传输加密报文使用的协议ESP是L3的，一般情况下无法NAT，需要使用L4封装才能正常使用；其次，L4被SNAT后的源端口（source port），可能会被改变。

下面以UDP端口1801作为L2TPv3的通讯端口，对ip-xfrm进行配置。

2.1 不经过NAT

拓扑如下：

首先在left配置ip-xfrm：

# 执行第一步所输出的
root@left:~# HASH_KEY=...
root@left:~# ENCRYPT_KEY=...
root@left:~# ID=...
# 设置IP地址变量
root@left:~# SOURCE_IP="192.168.1.1"
root@left:~# DESTINATION_IP="192.168.2.1"
root@left:~# L2TPV3_PORT="1801"

root@left:~# ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} \
    proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 0 \
    auth sha1 ${HASH_KEY} \
    enc aes ${ENCRYPT_KEY}
root@left:~# ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} \
    proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 32 \
    auth sha1 ${HASH_KEY} \
    enc aes ${ENCRYPT_KEY}

root@left:~# ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport
root@left:~# ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

# 执行第一步所输出的

root@left:~# HASH_KEY=...

root@left:~# ENCRYPT_KEY=...

root@left:~# ID=...

# 设置IP地址变量

root@left:~# SOURCE_IP="192.168.1.1"

root@left:~# DESTINATION_IP="192.168.2.1"

root@left:~# L2TPV3_PORT="1801"

root@left:~# ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} \

proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 0 \

auth sha1 ${HASH_KEY} \

enc aes ${ENCRYPT_KEY}

root@left:~# ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} \

proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 32 \

auth sha1 ${HASH_KEY} \

enc aes ${ENCRYPT_KEY}

root@left:~# ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

root@left:~# ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

然后配置right：

# 执行第一步所输出的 
root@left:~# HASH_KEY=...
root@left:~# ENCRYPT_KEY=...
root@left:~# ID=...
# 设置IP地址变量
SOURCE_IP="192.168.2.1"
DESTINATION_IP="192.168.1.1"
L2TPV3_PORT="1801"

ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} \
    proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 0 \
    auth sha1 ${HASH_KEY} \
    enc aes ${ENCRYPT_KEY}
ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} \
    proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 32 \
    auth sha1 ${HASH_KEY} \
    enc aes ${ENCRYPT_KEY}

ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport
ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

# 执行第一步所输出的

root@left:~# HASH_KEY=...

root@left:~# ENCRYPT_KEY=...

root@left:~# ID=...

# 设置IP地址变量

SOURCE_IP="192.168.2.1"

DESTINATION_IP="192.168.1.1"

L2TPV3_PORT="1801"

ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} \

proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 0 \

auth sha1 ${HASH_KEY} \

enc aes ${ENCRYPT_KEY}

ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} \

proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 32 \

auth sha1 ${HASH_KEY} \

enc aes ${ENCRYPT_KEY}

ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

上面的配置命令，state是指定left到right的之间数据封装使用ESP协议，指定使用sha1算法进行签名，aes-128进行加密。policy指定当L2TPv3的UDP数据包在left和right之间传输时，使用刚刚在state里面配置的规则进行封装。

2.2 经过NAT

拓扑：

上图中left和right都被NAT过，这里需要注意：至少要保证left或者right的一个UDP端口能被对方访问，如果双方都被NAT，且路由器都没有映射端口到它们那，那这个VPN就无法构建。

这里假定right的路由把到2.3.5.6的流量都转发给了192.168.2.2。

NAT还有一个比较大的问题，就是SNAT后源端口可能会改变，假定left和right设定了ESP通过双方的UDP端口4500封装，如果left的kernel从源端口4500发送UDP封装的ESP数据包到2.3.5.6:4500，right收到的数据包的来源端口有可能不是4500，这样会内核就找不到对应的xfrm规则，不会对解除该ESP的封装。即使你通过抓包或者其它方法获取到了被SNAT后的端口，如果这个NAT记录一段时间后无任何流量，路由器会清理掉该记录，后面再SNAT的端口可能又是另一个了。所以，这就是为什么IPsec会有NAT-T。

不过，即使解决SNAT和NAT记录超时问题，也还不足，虽然可以直接手动配置espinudp的规则，但是还是得依赖外部程序，内核才会解除ESP的UDP封装。

2.2.1 方式一：使用StrongSwan配置ip-xfrm

StrongSwan的实现其实也是ip-xfrm，使用StrongSwan，需要开放UDP端口500和4500，这里假设right的路由已把这两个端口转发到right。

在left和right安装StrongSwan：

apt install strongswan

1	apt install strongswan

在left的/etc/ipsec.conf加入记录：

conn peer-2.3.5.6-1801
        left=192.168.1.2
        leftid="@left-id"
        right=2.3.5.6
        rightid="@right-id"
        leftprotoport=udp/1801
        rightprotoport=udp/1801
        ike=aes128-sha1-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
        esp=aes128-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=transport
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever

conn peer-2.3.5.6-1801

left=192.168.1.2

leftid="@left-id"

right=2.3.5.6

rightid="@right-id"

leftprotoport=udp/1801

rightprotoport=udp/1801

ike=aes128-sha1-modp2048!

keyexchange=ikev2

reauth=no

ikelifetime=28800s

dpddelay=30s

dpdtimeout=120s

dpdaction=restart

esp=aes128-sha1-modp2048!

keylife=3600s

rekeymargin=540s

type=transport

compress=no

authby=secret

auto=route

keyingtries=%forever

在left的/etc/ipsec.secrets加入记录（把pre-shared-key改成你自己指定的密钥）：

192.168.1.2 2.3.5.6 @left-id @right-id : PSK "pre-shared-key"

1	192.168.1.2 2.3.5.6 @left-id @right-id : PSK "pre-shared-key"

在right的/etc/ipsec.conf加入记录（这里的auto是add不是route，因为只有right的路由器是为right映射了端口的，left没有，right是无法主动向left发起协商请求的）：

conn peer-1.2.3.2-1801
        left=192.168.2.2
        leftid="@right-id"
        right=1.2.3.2
        rightid="@left-id"
        leftprotoport=udp/1801
        rightprotoport=udp/1801
        ike=aes128-sha1-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=clear
        esp=aes128-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=transport
        compress=no
        authby=secret
        auto=add
        keyingtries=%forever

conn peer-1.2.3.2-1801

left=192.168.2.2

leftid="@right-id"

right=1.2.3.2

rightid="@left-id"

leftprotoport=udp/1801

rightprotoport=udp/1801

ike=aes128-sha1-modp2048!

keyexchange=ikev2

reauth=no

ikelifetime=28800s

dpddelay=30s

dpdtimeout=120s

dpdaction=clear

esp=aes128-sha1-modp2048!

keylife=3600s

rekeymargin=540s

type=transport

compress=no

authby=secret

auto=add

keyingtries=%forever

在right的/etc/ipsec.secrets加入记录（left和right的PSK要一致）：

192.168.2.2 1.2.3.2 @right-id @left-id : PSK "pre-shared-key"

1	192.168.2.2 1.2.3.2 @right-id @left-id : PSK "pre-shared-key"

注意，在StrongSwan的配置文件中的left和right并不代表拓扑图中的left和right，left是本机，right是对方；另外，ipsec.secrets的格式是：

left_ip right_ip left_id right_id : PSK "pre-shared-key"

1	left_ip right_ip left_id right_id : PSK "pre-shared-key"

上面StrongSwan加入的记录，大概意思就是该规则应用于left和right的udp端口1801之间的通讯，并且让内核在遇到匹配left和right 1801端口的通讯时自动配置ip-xfrm，此外，30秒进行一次心跳，120秒无回应则重建连接。

在两边都重启StrongSwan：

ipsec restart

1	ipsec restart

正常来说，后面构建L2TPv3后，1801端口有流量，StrongSwan会自动配置ip-xfrm，不过可以手动up试试是否成功（这里只能在left上进行，前面已提过right是无法主动向left发起协商请求的）：

root@left:~# ipsec up peer-2.3.5.6-1801
initiating IKE_SA peer-192.168.1.2-1801[4] to 2.3.5.6
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.2[500] to 2.3.5.6[500] (464 bytes)
received packet: from 2.3.5.6[500] to 192.168.1.2[500] (462 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of 'left' (myself) with pre-shared key
establishing CHILD_SA peer-2.3.5.6-1801
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.2[4500] to 2.3.5.6[4500] (364 bytes)
received packet: from 2.3.5.6[4500] to 192.168.1.2[4500] (284 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
authentication of 'right-id' with pre-shared key successful
IKE_SA peer-2.3.5.6-1801[4] established between 192.168.1.2[left]...2.3.5.6[right-id]
scheduling rekeying in 27781s
maximum IKE_SA lifetime 28321s
CHILD_SA peer-2.3.5.6-1801{2} established with SPIs c903d293_i cbbfce0b_o and TS 192.168.1.2/32[udp/1801] === 2.3.5.6/32[udp/1801]
connection 'peer-2.3.5.6-1801' established successfully

root@left:~# ipsec up peer-2.3.5.6-1801

initiating IKE_SA peer-192.168.1.2-1801[4] to 2.3.5.6

generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

sending packet: from 192.168.1.2[500] to 2.3.5.6[500] (464 bytes)

received packet: from 2.3.5.6[500] to 192.168.1.2[500] (462 bytes)

parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]

local host is behind NAT, sending keep alives

remote host is behind NAT

authentication of 'left' (myself) with pre-shared key

establishing CHILD_SA peer-2.3.5.6-1801

generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]

sending packet: from 192.168.1.2[4500] to 2.3.5.6[4500] (364 bytes)

received packet: from 2.3.5.6[4500] to 192.168.1.2[4500] (284 bytes)

parsed IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]

authentication of 'right-id' with pre-shared key successful

IKE_SA peer-2.3.5.6-1801[4] established between 192.168.1.2[left]...2.3.5.6[right-id]

scheduling rekeying in 27781s

maximum IKE_SA lifetime 28321s

CHILD_SA peer-2.3.5.6-1801{2} established with SPIs c903d293_i cbbfce0b_o and TS 192.168.1.2/32[udp/1801] === 2.3.5.6/32[udp/1801]

connection 'peer-2.3.5.6-1801' established successfully

2.2.2 方式二：手动配置ip-xfrm

下面的配置步骤，即使全部对了，应该也是无法通的，抓包可以看到封装为UDP的ESP数据包，但是内核不会解除封装，不过如果你left和right两边都运行StrongSwan（不需要进行任何配置），监听着4500端口，就可以通。

left：

# 执行第一步所输出的
root@left:~# HASH_KEY=...
root@left:~# ENCRYPT_KEY=...
root@left:~# ID=...
# 设置IP地址变量
root@left:~# SOURCE_IP="192.168.1.2"
root@left:~# DESTINATION_IP="2.3.5.6"
root@left:~# L2TPV3_PORT="1801"

root@left:~# ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 0 \
    encap espinudp 4500 4500 0.0.0.0 \
    auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}
root@left:~# ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 32 \
    encap espinudp 4500 4500 0.0.0.0 \
    auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}

root@left:~# ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport
root@left:~# ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

# 执行第一步所输出的

root@left:~# HASH_KEY=...

root@left:~# ENCRYPT_KEY=...

root@left:~# ID=...

# 设置IP地址变量

root@left:~# SOURCE_IP="192.168.1.2"

root@left:~# DESTINATION_IP="2.3.5.6"

root@left:~# L2TPV3_PORT="1801"

root@left:~# ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 0 \

encap espinudp 4500 4500 0.0.0.0 \

auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}

root@left:~# ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 32 \

encap espinudp 4500 4500 0.0.0.0 \

auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}

root@left:~# ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

root@left:~# ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

right：

root@right:~# LEFT_ESPINUDP_PORT="4500" # 这里是left的4500端口被路由器SNAT后的端口，不一定是4500，可以先跳到第三步在left配置好L2TPv3并配置IP，产生流量并抓包查看SNAT后的端口，或者自己想办法获取吧

# 执行第一步所输出的
root@right:~# HASH_KEY=...
root@right:~# ENCRYPT_KEY=...
root@right:~# ID=...
# 设置IP地址变量
root@right:~# SOURCE_IP="192.168.2.2"
root@right:~# DESTINATION_IP="1.2.3.2"
root@right:~# L2TPV3_PORT="1801"

root@right:~# ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 0 \
    encap espinudp 4500 ${LEFT_ESPINUDP_PORT} 0.0.0.0 \
    auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}
root@right:~# ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} proto esp spi ${ID} reqid ${ID} mode transport \
    replay-window 32 \
    encap espinudp ${LEFT_ESPINUDP_PORT} 4500 0.0.0.0 \
    auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}

root@right:~# ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport
root@right:~# ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \
    dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

root@right:~# LEFT_ESPINUDP_PORT="4500" # 这里是left的4500端口被路由器SNAT后的端口，不一定是4500，可以先跳到第三步在left配置好L2TPv3并配置IP，产生流量并抓包查看SNAT后的端口，或者自己想办法获取吧

# 执行第一步所输出的

root@right:~# HASH_KEY=...

root@right:~# ENCRYPT_KEY=...

root@right:~# ID=...

# 设置IP地址变量

root@right:~# SOURCE_IP="192.168.2.2"

root@right:~# DESTINATION_IP="1.2.3.2"

root@right:~# L2TPV3_PORT="1801"

root@right:~# ip xfrm state add src ${SOURCE_IP} dst ${DESTINATION_IP} proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 0 \

encap espinudp 4500 ${LEFT_ESPINUDP_PORT} 0.0.0.0 \

auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}

root@right:~# ip xfrm state add src ${DESTINATION_IP} dst ${SOURCE_IP} proto esp spi ${ID} reqid ${ID} mode transport \

replay-window 32 \

encap espinudp ${LEFT_ESPINUDP_PORT} 4500 0.0.0.0 \

auth sha1 ${HASH_KEY} enc aes ${ENCRYPT_KEY}

root@right:~# ip xfrm policy add src ${SOURCE_IP} dst ${DESTINATION_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

root@right:~# ip xfrm policy add src ${DESTINATION_IP} dst ${SOURCE_IP} proto udp sport ${L2TPV3_PORT} dport ${L2TPV3_PORT} \

dir out tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid ${ID} mode transport

3. 配置L2TPv3

在left和right上都执行一样的命令配置L2TPv3：

L2TP_ID="1000" # 如果有多个，就换成不同的ID

# 下面的三行变量设置，如果前面使用了StrongSwan，未设置的话这里再设置一次，否则直接跳过
SOURCE_IP="本地的IP" # 本地经NAT，是内网IP就填内网IP，无NAT就是公网IP
DESTINATION_IP="对方的IP" # 对方的公网IP
L2TPV3_PORT="1801"
ip l2tp add tunnel tunnel_id ${L2TP_ID} peer_tunnel_id ${L2TP_ID} \
    encap udp local ${SOURCE_IP} remote ${DESTINATION_IP} \
    udp_sport ${L2TPV3_PORT} udp_dport ${L2TPV3_PORT}
ip l2tp add session name l2tpeth100 tunnel_id ${L2TP_ID} session_id ${L2TP_ID} \
    peer_session_id ${L2TP_ID} # name后面的l2tpeth100是虚拟网卡的名称

L2TP_ID="1000" # 如果有多个，就换成不同的ID

# 下面的三行变量设置，如果前面使用了StrongSwan，未设置的话这里再设置一次，否则直接跳过

SOURCE_IP="本地的IP" # 本地经NAT，是内网IP就填内网IP，无NAT就是公网IP

DESTINATION_IP="对方的IP" # 对方的公网IP

L2TPV3_PORT="1801"

ip l2tp add tunnel tunnel_id ${L2TP_ID} peer_tunnel_id ${L2TP_ID} \

encap udp local ${SOURCE_IP} remote ${DESTINATION_IP} \

udp_sport ${L2TPV3_PORT} udp_dport ${L2TPV3_PORT}

ip l2tp add session name l2tpeth100 tunnel_id ${L2TP_ID} session_id ${L2TP_ID} \

peer_session_id ${L2TP_ID} # name后面的l2tpeth100是虚拟网卡的名称

无误的话，在left和right上执行ip link show会看到一个名为l2tpeth100的虚拟网卡：

root@left:~# ip link show
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
...
9: l2tpeth100: &lt;BROADCAST,MULTICAST&gt; mtu 1404 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 86:d4:ea:0c:6a:dc brd ff:ff:ff:ff:ff:ff
root@left:~# ip link set l2tpeth100 up
root@left:~# ip addr add 192.168.200.1/24 dev l2tpeth100

root@right:~# ip link show
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
...
24: l2tpeth100: &lt;BROADCAST,MULTICAST&gt; mtu 1404 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 92:85:53:77:f1:b6 brd ff:ff:ff:ff:ff:ff
root@right:~# ip link set l2tpeth100 up
root@right:~# ip addr add 192.168.200.2/24 dev l2tpeth100
root@right:~# ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=1.54 ms
64 bytes from 192.168.200.1: icmp_seq=2 ttl=64 time=0.940 ms
64 bytes from 192.168.200.1: icmp_seq=3 ttl=64 time=1.00 ms
64 bytes from 192.168.200.1: icmp_seq=4 ttl=64 time=0.982 ms
64 bytes from 192.168.200.1: icmp_seq=5 ttl=64 time=1.22 ms
64 bytes from 192.168.200.1: icmp_seq=6 ttl=64 time=1.22 ms
^C
--- 192.168.200.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5002ms
rtt min/avg/max/mdev = 0.940/1.153/1.548/0.211 ms
root@right:~# arp -an | grep l2tpeth100
? (192.168.200.1) at 86:d4:ea:0c:6a:dc [ether] on l2tpeth100

root@left:~# ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

...

9: l2tpeth100: <BROADCAST,MULTICAST> mtu 1404 qdisc noop state DOWN mode DEFAULT group default qlen 1000

link/ether 86:d4:ea:0c:6a:dc brd ff:ff:ff:ff:ff:ff

root@left:~# ip link set l2tpeth100 up

root@left:~# ip addr add 192.168.200.1/24 dev l2tpeth100

root@right:~# ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

...

24: l2tpeth100: <BROADCAST,MULTICAST> mtu 1404 qdisc noop state DOWN mode DEFAULT group default qlen 1000

link/ether 92:85:53:77:f1:b6 brd ff:ff:ff:ff:ff:ff

root@right:~# ip link set l2tpeth100 up

root@right:~# ip addr add 192.168.200.2/24 dev l2tpeth100

root@right:~# ping 192.168.200.1

PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.

64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=1.54 ms

64 bytes from 192.168.200.1: icmp_seq=2 ttl=64 time=0.940 ms

64 bytes from 192.168.200.1: icmp_seq=3 ttl=64 time=1.00 ms

64 bytes from 192.168.200.1: icmp_seq=4 ttl=64 time=0.982 ms

64 bytes from 192.168.200.1: icmp_seq=5 ttl=64 time=1.22 ms

64 bytes from 192.168.200.1: icmp_seq=6 ttl=64 time=1.22 ms

--- 192.168.200.1 ping statistics ---

6 packets transmitted, 6 received, 0% packet loss, time 5002ms

rtt min/avg/max/mdev = 0.940/1.153/1.548/0.211 ms

root@right:~# arp -an | grep l2tpeth100

? (192.168.200.1) at 86:d4:ea:0c:6a:dc [ether] on l2tpeth100

L2TPv3是附带以太网头的，所以还可以桥接组网。

Freeradius Server & Freeradius Client with Poptop Server and L2TP Over IPSec(可统计流量)

本文于2014年3月22日发布，2014年9月8日更新。

此Shell Script可选择安装Freeradius Server，Freeradius Client，Poptop Server(PPTP)，L2TP Over IPSec。

其中Freeradius Server是提供验证服务，Freeradius Client与Freeradius Server通讯，至于Poptop Server和L2TP嘛，你懂的。

目前支持的Linux发行版本有：CentOS 6，Debian 6/7/8，Ubuntu 12/13/14。

要安装Freeradius Server，要求有一个可用的MySQL Server。

安装前服务器的配置：

先确定服务器的hostname为正确的FQDN格式。不带“.”的hostname是错误的。

执行:

hostname -i

1	hostname -i

输出的内容应该是你服务器的IP(使用NAT网络，输出的是内网IP)，否则请执行：

echo "服务器IP $(hostname -A)" >> /etc/hosts

1	echo "服务器IP $(hostname -A)" >> /etc/hosts

1. 安装各种相关程序：

CentOS 6：

安装并启动MySQL Server：

yum install -y mysql-server mysql-devel mysql-client

service mysqld restart

yum install -y mysql-server mysql-devel mysql-client

service mysqld restart

设置MySQL root用户密码：

/usr/bin/mysqladmin -u root password 'root用户密码'

1	/usr/bin/mysqladmin -u root password 'root用户密码'

安装wget：

yum install -y wget

1	yum install -y wget

Ubuntu/Debian：

安装并启动MySQL Server：

apt-get update && apt-get install -y mysql-server

1	apt-get update && apt-get install -y mysql-server

安装wget：

apt-get install -y wget

1	apt-get install -y wget

2. 开始安装

wget http://soft.yzs.me/freeradius.sh -O /tmp/freeradius.sh && bash /tmp/freeradius.sh

1	wget http://soft.yzs.me/freeradius.sh -O /tmp/freeradius.sh && bash /tmp/freeradius.sh

填写的相关信息：

1. CentOS 6
2. Ubuntu/Debian
Select your operating system(1 or 2):2        #此处选择系统的发行版本,1为CentOS 6，2为Ubuntu或Debian
Install selection
==========
1. FreeRadius Server with FreeRadius Client,Poptop Server and L2TP Over IPSec(Require MySQL Server).
2. FreeRadius Client,Poptop Server and L2TP Over IPSec(Require FreeRadius Server communication secret).
3. FreeRadius Server Only(Require MySQL Server).
4. Poptop Server Only
5. L2TP Over IPSec Only
==========
Please choose a selection(1,2,3,4 or 5):1        #此处选择要安装的程序
Input the MySQL root password:9p_VbAAduxMXriWfke37_6NXYNGsw2W0EF85E3bqRnNCx0wPI0        #此处输入MySQL的root密码
Set the MySQL password of user radius(Leave blank to create automatically):        #此处输入要在MySQL中新建的radius用户的密码，留空可自动生成
Set the MySQL password of user radius to 8b66e9f5dc29b07752093c9d5f5029c0
127.0.0.2
208.51.63.115
192.168.0.56
Select your IP:208.51.63.115        #此处输入你的服务器的IP
Please input the IPSec PSK:P9oqRR8eru8d1SnOUwZ7jAIPPqx4Wv        #此处输入IPSec的PSK

1. CentOS 6

2. Ubuntu/Debian

Select your operating system(1 or 2):2 #此处选择系统的发行版本,1为CentOS 6，2为Ubuntu或Debian

Install selection

==========

1. FreeRadius Server with FreeRadius Client,Poptop Server and L2TP Over IPSec(Require MySQL Server).

2. FreeRadius Client,Poptop Server and L2TP Over IPSec(Require FreeRadius Server communication secret).

3. FreeRadius Server Only(Require MySQL Server).

4. Poptop Server Only

5. L2TP Over IPSec Only

==========

Please choose a selection(1,2,3,4 or 5):1 #此处选择要安装的程序

Input the MySQL root password:9p_VbAAduxMXriWfke37_6NXYNGsw2W0EF85E3bqRnNCx0wPI0 #此处输入MySQL的root密码

Set the MySQL password of user radius(Leave blank to create automatically): #此处输入要在MySQL中新建的radius用户的密码，留空可自动生成

Set the MySQL password of user radius to 8b66e9f5dc29b07752093c9d5f5029c0

127.0.0.2

208.51.63.115

192.168.0.56

Select your IP:208.51.63.115 #此处输入你的服务器的IP

Please input the IPSec PSK:P9oqRR8eru8d1SnOUwZ7jAIPPqx4Wv #此处输入IPSec的PSK

选项2会额外要求输入Freeradius Server的IP以及通讯密钥。

看到“Enjoy it now.”，即表示已成功安装。

添加用户：

在radcheck中添加响应的记录即可，例如添加一个用户名为username，密码为password的用户，密码以明文保存，可执行：

echo "INSERT INTO radcheck (id,username,attribute,op,value) VALUES ('','username','Cleartext-Password',':=','password')" | mysql -u root -p radius

1	echo "INSERT INTO radcheck (id,username,attribute,op,value) VALUES ('','username','Cleartext-Password',':=','password')" \| mysql -u root -p radius

流量统计&限制：

使用本Shell Script安装的Freeradius Server，可使用三种不同周期的流量统计&限制方式，分别为一小时(Hourly-Traffic)，一天(Daily-Traffic)和一个月(Monthly-Traffic)。

例如要限制用户名为username的用户一个月流量为1GB，即1024 MB，则在表radcheck中插入响应的记录，执行：

echo "INSERT INTO radcheck (id,username,attribute,op,value) VALUES ('','username','Monthly-Traffic',':=','1024')" | mysql -u root -p radius

1	echo "INSERT INTO radcheck (id,username,attribute,op,value) VALUES ('','username','Monthly-Traffic',':=','1024')" \| mysql -u root -p radius

其中流量的单位为Mbytes。

至于更多的功能，我就不在此作文章了，各位可自行查看Freeradius的WIKI。

关于OpenVZ的问题：

可能有人会问支不支持OpenVZ。

如果准确来说的话，各位不应该问我的Shell Script支不支持OpenVZ，而应该问你的OpenVZ VPS支不支持我的Shell Script。

OpenVZ须具备下述条件方可使用PPTP，L2TP以及IPSec：

1. OpenVZ VPS拥有以下设备文件以及对其操作的权限：

/dev/ppp
/dev/tun

1 2	/dev/ppp /dev/tun

2. 物理服务器已开启以下模块：

af_key
esp4
ppp_async
ppp-compress-18
ppp_deflate
ppp_generic
ppp_mppe
pppoatm
pppol2tp
tun
xfrm4_mode_transport
xfrm4_mode_tunnel
xfrm_ipcomp

af_key

esp4

ppp_async

ppp-compress-18

ppp_deflate

ppp_generic

ppp_mppe

pppoatm

pppol2tp

tun

xfrm4_mode_transport

xfrm4_mode_tunnel

xfrm_ipcomp

3. OpenVZ VPS拥有IPTABLES NAT模块的权限。

可通过执行此命令进行检查：

iptables -L -n -t nat

1	iptables -L -n -t nat

不出现

can’t initialize iptables table `nat': Table does not exist (do you need to insm Perhaps iptables or your kernel needs to be upgraded.

1	can’t initialize iptables table `nat': Table does not exist (do you need to insm Perhaps iptables or your kernel needs to be upgraded.

则表示拥有IPTABLES NAT模块的权限。

PPTP，L2TP的使用方法：http://www.ipfog.com/knowledgebase.php?action=displaycat&catid=5