L2TP/IPsec VPN configuration on VyOS
2023-10-26 06:49
A simplified script for configuring an L2TP/IPsec VPN on VyOS.
**Prerequisites**:
- Before using this script, make sure VyOS is installed and running.
- The configuration assumes your external interface is named `eth0` and that it holds a public IP address. Adjust accordingly if your environment differs.
- We will use the pre-shared key (PSK) "SecretPSK". For security reasons, use a much stronger PSK.
```bash
configure
# Configure the external interface
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'WAN'
# Configure L2TP/IPsec
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
# Define the IKE and ESP settings
set vpn ipsec ike-group IKE-L2TP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-L2TP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-L2TP proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-L2TP lifetime '3600'
set vpn ipsec ike-group IKE-L2TP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-L2TP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-L2TP dead-peer-detection timeout '120'
set vpn ipsec esp-group ESP-L2TP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-L2TP proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-L2TP lifetime '3600'
# Define the L2TP server
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'SecretPSK'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access client-ip-pool start '10.0.1.100'
set vpn l2tp remote-access client-ip-pool stop '10.0.1.200'
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
# Create a VPN user
set vpn l2tp remote-access authentication local-users username admin password admin
# Commit and save the configuration
commit
save
```
Before running this script, make sure to:
- Adjust each value to match your actual network environment and security requirements.
- Avoid trivial credentials such as "admin"/"admin" in production. Use strong passwords to improve security.
- Back up the existing configuration before executing any script or command.
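The checklist above is easy to skip when the commands are pasted by hand. The following shell script is an added example, not part of the original post or of VyOS itself: it renders the parameterised `set` lines of the setup (interface, PSK, address pool, user) and refuses the placeholder PSK, a reversed pool, or an "admin"/"admin"-style password before anything reaches the router. It assumes it runs on a workstation and that the output is pasted into a VyOS `configure` session; the static lines (IKE/ESP groups, DNS, DPD) are taken unchanged from the script above.

```shell
#!/bin/sh
# Added example, not from the original post: render the parameterised "set" lines
# of the L2TP/IPsec setup, refusing the weak defaults the post warns about.
# Assumption: run on a workstation; paste the output into a VyOS "configure" session.

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Convert a dotted quad to an integer so pool start/stop can be ordered.
ip2int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# 32 random bytes, base64-encoded (44 chars, no quotes), replacing 'SecretPSK'.
gen_psk() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Usage: render_l2tp_config WAN_IF POOL_START POOL_STOP PSK USER PASSWORD
# Prints the VyOS set commands on stdout; returns 1 with a reason on stderr when
# the pool is malformed or reversed, the PSK is the placeholder or short, or the
# user password equals the username or is shorter than 12 characters.
render_l2tp_config() {
  wan=$1; start=$2; stop=$3; psk=$4; user=$5; pass=$6
  is_ipv4 "$start" && is_ipv4 "$stop" || { echo "pool: bad IPv4 address" >&2; return 1; }
  [ "$(ip2int "$start")" -lt "$(ip2int "$stop")" ] || { echo "pool: start must precede stop" >&2; return 1; }
  [ "$psk" != "SecretPSK" ] && [ "${#psk}" -ge 20 ] || { echo "PSK: placeholder or shorter than 20 chars" >&2; return 1; }
  [ "$pass" != "$user" ] && [ "${#pass}" -ge 12 ] || { echo "user: password equals username or too short" >&2; return 1; }
  cat <<EOF
set vpn ipsec ipsec-interfaces interface '$wan'
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '$psk'
set vpn l2tp remote-access client-ip-pool start '$start'
set vpn l2tp remote-access client-ip-pool stop '$stop'
set vpn l2tp remote-access authentication local-users username $user password '$pass'
EOF
}
```

Example call: `render_l2tp_config eth0 10.0.1.100 10.0.1.200 "$(gen_psk)" vpnuser 'Example-Passw0rd-2023'` prints the lines to paste; the same call with `SecretPSK admin admin` exits non-zero and prints nothing.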