溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
PPTP、L2TP和IPsec的區別及優缺點
1、PPTP協議是點對點隧道協議:
其將控制包與數據包分開,控制包采用TCP控制,用于嚴格的狀態查詢及信令信息;數據包部分先封裝在PPP協議中,然后封裝到GRE V2協議中。
2、L2TP是國際標準隧道協議:
它結合了PPTP協議以及第二層轉發L2F協議的優點,能以隧道方式使PPP包通過各種網絡協議,包括ATM、SONET和幀中繼。但是 L2TP沒有任何加密措施,更多是和IPSec協議結合使用,提供隧道驗證。
3、兩者的聯系與區別:
聯系:PPTP和L2TP都使用PPP協議對數據進行封裝,然后添加附加包頭用于數據在互聯網絡上的傳輸。盡管兩個協議非常相似,但是仍存在以 下幾方面的不同
區別:
1)PPTP要求互聯網絡為IP網絡。L2TP只要求隧道媒介提供面向數據包的點對點的連接。L2TP可以在IP(使用UDP),楨中繼永久虛 擬電路(PVCs),X.25虛擬電路(VCs)或ATM VCs網絡上使用。
2)PPTP只能在兩端點間建立單一隧道。L2TP支持在兩端點間使用多隧道。使用L2TP,用戶可以針對不同的服務質量創建不同的隧道。
3)L2TP可以提供包頭壓縮。當壓縮包頭時,系統開銷(overhead)占用4個字節,而PPTP協議下要占用6個字節。
4)L2TP可以提供隧道驗證,而PPTP不支持隧道驗證。但當L2TP或PPTP與IPSEC共同使用時,可由IPSEC提供隧道驗證,不需 在第2層協議上驗證隧道。
IPSec的優點
如果在路由器或防火墻上執行了IPSec,它就會為周邊的通信提供強有力的安全保障。一個公司或工作組內部的通信將不涉及與安全相關的費用。下文敘 述了IPSec的一些優點:
IPSec在傳輸層之下,對于應用程序來說是透明的。當在路由器或防火墻上安裝IPSec時,無需更改用戶或服務器系統中的軟件設置。即使在終端系 統中執行IPSec,應用程序一類的上層軟件也不會被影響。
IPSec對終端用戶來說是透明的,因此不必對用戶進行安全機制的培訓。
如果需要的話,IPSec可以為個體用戶提供安全保障,這樣做就可以保護企業內部的敏感信息。
IPSec正向Internet靠攏。已經有一些機構部分或全部執行了IPSec。IAB的前任總裁Christian Huitema認為,關于如何保證Internet安全的討論是他所見過的最激烈的討論之一。討論的話題之一就是安全是否在恰當的協議層上被使用。想要提 供IP級的安全,IPSec必須成為配置在所有相關平臺(包括Windows NT,Unix和Macintosh系統)的網絡代碼中的一部分。
實際上,現在發行的許多Internet應用軟件中已包含了安全特征。例如,Netscape Navigator和Microsoft Internet Explorer支持保護互聯網通信的安全套層協議(SSL),還有一部分產品支持保護Internet上信用卡交易的安全電子交易協議(SET)。然 而,×××需要的是網絡級的功能,這也正是IPSec所提供的。
本文部署基于ipsec 的l2tp
1.基礎環境
[root@bogon tmp]# cat /etc/redhat-release CentOS Linux release 7.3.1611 (Core) [root@bogon tmp]# ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.56.11 netmask 255.255.255.0 broadcast 192.168.56.255 inet6 fe80::20c:29ff:fe19:7f25 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:19:7f:25 txqueuelen 1000 (Ethernet) RX packets 655392 bytes 86779661 (82.7 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 853465 bytes 156410883 (149.1 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.0.0.1 netmask 255.0.0.0 broadcast 10.255.255.255 inet6 fe80::20c:29ff:fe19:7f2f prefixlen 64 scopeid 0x20<link> ether 00:0c:29:19:7f:2f txqueuelen 1000 (Ethernet) RX packets 222 bytes 22794 (22.2 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 215 bytes 26245 (25.6 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@bogon tmp]#
2.安裝軟件
在centos7 版本后, 提供ipsec 服務包由libreswan替代了openswan
yum install xl2tpd yum install libreswan
3.修改ipsec的配置文件(在配置文件里加入這一行,充許傳透nat建立l2tp連接)
[root@bogon tmp]# vim /etc/ipsec.conf #其余的不變 nat_traversal=yes #新加的 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10, %v6:fd00::/8,%v6:fe80::/10
4.建立ipsec 與 l2tp 服務關聯的配置文件
cd /etc/ipsec.d/ [root@bogon ipsec.d]# cat l2tp_psk.conf #此文件不存在 需要手動創建 conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 dpddelay=30 dpdtimeout=120 dpdaction=clear rekey=no ikelifetime=8h keylife=1h type=transport left=192.168.56.11 leftprotoport=17/1701 right=%any rightprotoport=17/%any [root@bogon ipsec.d]#
5.當建立l2tp連接時,需要輸入預共享密匙,以下為預共享密匙的配置文件
[root@bogon ipsec.d]# cat /etc/ipsec.secrets include /etc/ipsec.d/*.secrets [root@bogon ipsec.d]# cd /etc/ipsec.d/ [root@bogon ipsec.d]# ll total 40 -rw------- 1 root root 9216 Apr 11 01:50 cert9.db -rw------- 1 root root 11264 Apr 11 01:50 key4.db -rw-r--r-- 1 root root 362 Apr 11 01:47 l2tp_psk.conf -rw-r--r-- 1 root root 33 Apr 11 01:49 linuxcc_l2tp.secrets -rw------- 1 root root 419 Apr 11 01:50 pkcs11.txt drwx------ 2 root root 90 Apr 11 01:44 policies -rw-r--r-- 1 root root 1338 Nov 12 09:58 v6neighbor-hole.conf [root@bogon ipsec.d]# cat linuxcc_l2tp.secrets #沒有的話自己創建 192.168.56.11 %any: PSK "123456" [root@bogon ipsec.d]#
6.修改內核支持,可以對照以下配置修改,或者直接復制,修改完后運行sysctl -p 使配置生效
vim /etc/sysctl.conf 添加進去 sysctl -p 生效 vm.swappiness = 0 net.ipv4.neigh.default.gc_stale_time=120 net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.default.arp_announce = 2 net.ipv4.conf.all.arp_announce=2 net.ipv4.tcp_max_tw_buckets = 5000 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 1024 net.ipv4.tcp_synack_retries = 2 net.ipv4.conf.lo.arp_announce=2 net.ipv4.ip_forward = 1 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.accept_source_route = 0
7.檢驗ipsec服務配置:
ipsec setup start
ipsec verify 此處出錯 以及解決辦法
[root@bogon ipsec.d]# ipsec verify Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.15 (netkey) on 3.10.0-514.10.2.el7.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Hardware random device [N/A] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [ENABLED] /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED] rp_filter is not fully aware of IPsec and should be disabled Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK] Opportunistic Encryption [DISABLED] ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help [root@bogon ipsec.d]# echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter #解決辦法 [root@bogon ipsec.d]# ipsec verify Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.15 (netkey) on 3.10.0-514.10.2.el7.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Hardware random device [N/A] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK] Opportunistic Encryption [DISABLED] [root@bogon ipsec.d]#
8.啟動服務
systemctl start ipsec systemctl enable ipsec
9.安裝配置xl2tpd服務
yum install xl2tpd vi /etc/xl2tpd/xl2tpd.conf #修改l2tp的配置文件 [root@bogon xl2tpd]# cat xl2tpd.conf ; ; This is a minimal sample xl2tpd configuration file for use ; with L2TP over IPsec. ; ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec ; clients connect. In this example, the internal (protected) network ; is 192.168.1.0/24. A special IP range within this network is reserved ; for the remote clients: 192.168.1.128/25 ; (i.e. 192.168.1.128 ... 192.168.1.254) ; ; The listen-addr parameter can be used if you want to bind the L2TP daemon ; to a specific IP address instead of to all interfaces. For instance, ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98 ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99) ; will be used by xl2tpd as its address on pppX interfaces. [global] ipsec saref = yes #此處添加上去 listen-addr = 192.168.56.11 #外網 ; ; requires openswan-2.5.18 or higher - Also does not yet work in combination ; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or ; when using any of the SAref kernel patches for kernels up to 2.6.35. ; saref refinfo = 30 ; ; force userspace = yes ; ; debug tunnel = yes [lns default] ip range = 10.0.0.100-10.0.0.200 #要和自己的內網一直 分配給客戶端的IP地址 local ip = 192.168.56.11 require chap = yes refuse pap = yes require authentication = yes name = Linux×××server ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
10.修改xl2tpd屬性配置文件
vi /etc/ppp/options.xl2tpd
[root@bogon xl2tpd]# cat /etc/ppp/options.xl2tpd ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 #只修改DNS 建議改成網關的IP # ms-dns 192.168.1.1 # ms-dns 192.168.1.3 # ms-wins 192.168.1.2 # ms-wins 192.168.1.4 noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp connect-delay 5000 # To allow authentication against a Windows domain EXAMPLE, and require the # user to be in a group "××× Users". Requires the samba-winbind package require-mschap-v2 # plugin winbind.so # ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\××× Users"' # You need to join the domain on the server, for example using samba: # http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html [root@bogon xl2tpd]#
11.添加用戶名密碼
[root@bogon xl2tpd]# cat /etc/ppp/chap-secrets # Secrets for authentication using CHAP # client server secret IP addresses ***12345 * 123456 * [root@bogon xl2tpd]#
12.啟動l2tp服務
systemctl start xl2tpd systemctl enable xl2tpd systemctl status xl2tpd
13.客戶端連接windows
windows+R
輸入 regedit 找到此路徑
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\
然后重啟電腦
14.開啟連接 切記按照順序
到此完畢
錯誤:手機連接不了 電腦可以連接
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
