VPN服务器实施方案

VPN系统实施方案-1-VPN服务器系统实施方案1.PPTPVPN的基本原理PPTPVPN本质上是虚拟的点对点链路，它先把到达远方内网的数据包打包成PPP帧，然后再对这些PPP帧进行二次封装，以便于能够在其他物理链路上进行传送。PPTPVPN有控制信道和数据信道之分，控制信道连接到VPN报务器的TCP1723端口，起着控制和管理VPN隧道的功能，数据信道是传送PPP帧的信道，关于PPTP数据帧的封装过程如图所示：在打包PPP帧的过程中，将对PPP数据包进行加密，为了取得最大的安全性，我们这里将使用MPPE加密和MSCHAPv2身份验证方法。2.安装、配置PPTPVPN服务器2.1系统配置服务器：CentOS5.5final内核版本：2.6.18-8.e15客户端：WindowXPProfessional由于Linux本身并没有集成PPTP功能，所以需要安装几种程序以让我们的RedHat支持PPTP，根据内核的版本，下载相应的安装包。2.2下载并安装PPTPVPN2.2.1下载所需软件wget://poptop.sourceforge.net/yum/stable/packages/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpmwget://poptop.sourceforge.net/yum/stable/rhel5Server/i386/ppp-2.4.4-14.1.rhel5.i386.rpm2.2.2安装配置VPN[root@POPTOPhome]#rpm-ivhdkms-2.0.17.5-1.noarch.rpmwarning:dkms-2.0.17.5-1.noarch.rpm:HeaderV3DSAsignature:NOKEY,keyID862acc42VPN系统实施方案-2-Preparing...############################[100%]1:dkms############################[100%][root@POPTOPhome]#rpm-ivhkernel_ppp_mppe-1.0.2-3dkms.noarch.rpmwarning:kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm:HeaderV3DSAsignature:NOKEY,keyID862acc42Preparing...############################[100%]1:kernel_ppp_mppe############################[100%]Creatingsymlink/var/lib/dkms/kernel_ppp_mppe/1.0.2/source-/usr/src/kernel_ppp_mppe-1.0.2DKMS:addCompleted.Kernelpreparationunnecessaryforthiskernel.Skipping...Runningthepre_buildscript:Buildingmodule:cleaningbuildarea....makeKERNELRELEASE=2.6.18-194.el5-C/lib/modules/2.6.18-194.el5/buildM=/var/lib/dkms/kernel_ppp_mppe/1.0.2/build.....(badexitstatus:2)Error!Badreturnstatusformodulebuildonkernel:2.6.18-194.el5(i686)Consultthemake.loginthebuilddirectory/var/lib/dkms/kernel_ppp_mppe/1.0.2/build/formoreinformation.Error!Couldnotlocateppp_generic.koformodulekernel_ppp_mppeintheDKMStree.Youmustrunadkmsbuildforkernel2.6.18-194.el5(i686)first.上面的错误好像没有影响[root@POPTOPhome]#[root@POPTOPhome]#rpm-qakernel_ppp_mppekernel_ppp_mppe-1.0.2-3dkmsPPTP需要PPP支持，虽然系统本身有PPP功能，但它并不一定支持MPPE.如果不支持则需要更新系统的PPP组件，参数-U就是更新的意思。[root@POPTOPhome]#rpm-Uvhppp-2.4.4-14.1.rhel5.i386.rpmwarning:ppp-2.4.4-14.1.rhel5.i386.rpm:HeaderV3DSAsignature:NOKEY,keyID862acc42Preparing...#########################################[100%]1:ppp#########################################[100%]要使用MPPE加密，还需要内核支持，Linux2.6.14起Linux核心提供完整的PPTP支援《包括自由版本的MPPE》。查看内核版本可以使用命令：uname–r，如果内核版本低于2.6.14则还要下载一个MPPE内核补丁：kernel-mppe-2.4.20-8.i686.rpm查看系统版本：VPN系统实施方案-3-[root@POPTOP~]#uname-r2.6.18-194.el5所以不需要打补丁了。[root@POPTOPhome]#rpm-ivhpptpd-1.3.4-2.rhel5.i386.rpmwarning:pptpd-1.3.4-2.rhel5.i386.rpm:HeaderV3DSAsignature:NOKEY,keyID862acc42Preparing...###########################################[100%]1:pptpd###########################################[100%][root@POPTOPhome]#2.2.3修改配置文件需要修改如下3个配置文件：带底纹的就是需要我们修改的地方，其他加了红色注释的是说明，确实设置的。/etc/pptpd.conf/etc/ppp/options.pptpd/etc/ppp/chap-secretsll/etc/pptpd.conf服务pptpd运行时使用的配置文件################################################################################$Id:pptpd.conf,v1.102006/09/0423:30:57quozlExp$##SamplePoptopconfigurationfile/etc/pptpd.conf##Changesareeffectivewhenpptpdisrestarted.################################################################################TAG:ppp#Pathtothepppdprogram,default'/usr/sbin/pppd'onLinux#ppp/usr/sbin/pppd#TAG:option#SpecifiesthelocationofthePPPoptionsfile.#BydefaultPPPlooksin'/etc/ppp/options'#option/etc/ppp/options.pptpd#指定pptpd用到的选项文件#TAG:debug#Turnson(more)debuggingtosyslog##debugVPN系统实施方案-4-#TAG:stimeout#Specifiestimeout(inseconds)onstartingctrlconnection##stimeout10#TAG:noipparam#Suppressthepassingoftheclient'sIPaddresstoPPP,whichis#donebydefaultotherwise.##noipparam#TAG:logwtmp#Usewtmp(5)torecordclientconnectionsanddisconnections.#logwtmp#TAG:bcrelayif#Turnsonbroadcastrelaytoclientsfrominterfaceif##bcrelayeth2#好像用不到，后面再研究#TAG:delegate#DelegatestheallocationofclientIPaddressestopppd.##Withoutthisoption,whichisthedefault,pptpdmanagesthelistof#IPaddressesforclientsandpassesthenextfreeaddresstopppd.#Withthisoption,pptpddoesnotpassanaddress,andsopppdmayuse#radiusorchap-secretstoallocateanaddress.##delegate#TAG:connections#Limitsthenumberofclientconnectionsthatmaybeaccepted.##IfpptpdisallocatingIPaddresses(e.g.delegateisnot#used)thenthenumberofconnectionsisalsolimitedbythe#remoteipoption.Thedefaultis100.#connections100VPN系统实施方案-5-#TAG:localip#TAG:remoteip#SpecifiesthelocalandremoteIPaddressranges.##Theseoptionsareignoredifdelegateoptionisset.##Anyaddressesworkaslongasthelocalmachinetakescareofthe#routing.ButifyouwanttouseMS-Windowsnetworking,youshould#useIPaddressesoutoftheLANaddressspaceandusetheproxyarp#optioninthepppdoptionsfile,orrunbcrelay.##YoucanspecifysingleIPaddressesseperatedbycommasoryoucan#specifyranges,orboth.Forexample:##192.168.0.234,192.168.0.245-249,192.168.0.254##IMPORTANTRESTRICTIONS:##1.Nospacesarepermittedbetweencommasorwithinaddresses.##2.IfyougivemoreIPaddressesthanthevalueofconnections,#itwillstartatthebeginningofthelistand