PPTP: Point-to-Point Tunneling Protocol
The Point-to-Point Tunneling Protocol (PPTP) is a network technology that supports multi-protocol virtual private networks. With it, remote users running Microsoft Windows NT Workstation, Windows 95, Windows 98, or any other system that has Point-to-Point Protocol support can dial in to a local ISP and connect securely to the corporate network over the Internet.
PPTP can be used to tunnel PPP sessions over an IP network. In that configuration the PPTP tunnel and the PPP session run between the same two machines, with the calling side acting as the PNS. PPTP uses a client-server structure to split off some of the functions of today's network access servers and to support virtual private networks. As a call-control and management protocol, PPTP lets a server control access for dial-in circuit-switched calls arriving from the PSTN or ISDN, and initiate outbound circuit-switched connections.
PPTP carries the user's PPP packets in an extended version of GRE.
Operating system:
CentOS 5
Check whether the kernel supports MPPE:
modprobe ppp-compress-18 && echo ok
If it prints ok, the kernel already has MPPE support.
Check whether pppd supports MPPE with the following command:
strings /usr/sbin/pppd | grep -i mppe | wc --lines
If the command prints "0", MPPE is not supported; "30" or a larger number means it is.
Building MPPE support into the kernel
Select the following options:
CONFIG_PPP_MPPE=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_NAT_PPTP=m
CONFIG_PPP=m
CONFIG_PPP_MULTILINK=y
CONFIG_PPP_FILTER=y
CONFIG_PPP_ASYNC=m
CONFIG_PPP_SYNC_TTY=m
CONFIG_PPP_DEFLATE=m
CONFIG_PPP_BSDCOMP=m
CONFIG_PPP_MPPE=m
CONFIG_PPPOE=m
CONFIG_PPPOL2TP=m
Adding MPPE support without recompiling the kernel
http://sourceforge.net/project/showfiles.php?group_id=44827
Download:
dkms-2.0.6-1.noarch.rpm
kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
dkms is a newer tool that lets you add out-of-tree kernel modules without recompiling the kernel.
kernel_ppp_mppe is the kernel module that provides MPPE support.
Installing pptpd
http://poptop.sourceforge.net/
wget http://nchc.dl.sourceforge.net/sourceforge/poptop/pptpd-1.3.4.tar.gz
tar xfz pptpd-1.3.4.tar.gz -C /usr/local/src
cd /usr/local/src/pptpd-1.3.4/
./configure --prefix=/usr/local
make && make install
Configuring pppd and pptpd
pppd's default configuration files live in /etc/ppp
pptpd's configuration file is /etc/pptpd.conf
vi /etc/pptpd.conf
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
debug
logwtmp
localip 10.168.168.51
remoteip 10.168.168.52-100
netmask 255.255.255.0
# localip is the address pptpd serves on, i.e. the address clients dial; remoteip is the pool of addresses the server hands out to dial-in users, and a hyphen denotes a range
vi /etc/ppp/options.pptpd
#
# Authentication
auth
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
##-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
##+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients — James Cameron)
proxyarp
debug
dump
logfile /var/log/pptpd.log
# Miscellaneous
# Disable BSD-Compress compression
#nobsdcomp
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
#novj
#novjccomp
# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd
#lcp-echo-failure 30
#lcp-echo-interval 5
noipdefault
#ipcp-accept-local
#ipcp-accept-remote
#mru 1454
#mtu 1454
ms-dns 10.168.168.171
vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
"veryi.com" pptpd "iamok" *
The first field, veryi.com, is the username and iamok is the password; * means any IP address.
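The three files above (pptpd.conf, options.pptpd and chap-secrets) only work together if their values agree: the remoteip pool must not contain localip, the pppd "name" must match the server column of chap-secrets, and the refuse-*/require-* lines must all be present or a client can negotiate a weaker authentication method or no encryption. The following script is an added example for checking those points before starting the daemon; it is not part of pptpd or this guide. The file contents it parses are constructed samples that mirror the guide's values, and the 12-character minimum for secrets is an assumption chosen for the example.

```python
"""Audit a pptpd deployment's config files (pptpd.conf, options.pptpd,
chap-secrets) for the settings this guide relies on.  Added example, not
part of the pptpd project; the sample file contents below are constructed
to mirror the guide's files."""
import ipaddress
import shlex

# Constructed sample of /etc/pptpd.conf, mirroring the guide's values.
SAMPLE_PPTPD_CONF = """\
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
debug
logwtmp
localip 10.168.168.51
remoteip 10.168.168.52-100
"""

# Constructed sample of /etc/ppp/options.pptpd (active lines only).
SAMPLE_OPTIONS = """\
auth
lock
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nologfd
noipdefault
ms-dns 10.168.168.171
"""

# Constructed sample of /etc/ppp/chap-secrets.
SAMPLE_SECRETS = """\
# Secrets for authentication using CHAP
# client server secret IP addresses
"veryi.com" pptpd "iamok" *
"""

MIN_SECRET_LEN = 12  # assumption for this example, not a pptpd requirement


def parse_kv(text):
    """Parse 'key [value]' lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def expand_remoteip(spec):
    """Expand pptpd's remoteip syntax: comma-separated entries, each either
    a single address or a range whose last octet spans a-b (10.0.0.52-100)."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            base, last = item.rsplit("-", 1)
            prefix, _, first = base.rpartition(".")
            for octet in range(int(first), int(last) + 1):
                addrs.append(ipaddress.IPv4Address(f"{prefix}.{octet}"))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def parse_chap_secrets(text):
    """Parse chap-secrets rows: client server secret [ip ...], with quoting."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue
        client, server, secret, *ips = fields
        entries.append({"client": client, "server": server,
                        "secret": secret, "ips": ips or ["*"]})
    return entries


def audit(pptpd_conf, options, secrets):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    conf = parse_kv(pptpd_conf)
    opts = parse_kv(options)
    local = ipaddress.IPv4Address(conf["localip"])
    if local in expand_remoteip(conf["remoteip"]):
        findings.append("localip overlaps the remoteip pool")
    # Every weaker method must be refused and MS-CHAPv2 + MPPE-128 required;
    # otherwise a client can negotiate PAP or an unencrypted session.
    for opt in ("refuse-pap", "refuse-chap", "refuse-mschap",
                "require-mschap-v2", "require-mppe-128"):
        if opt not in opts:
            findings.append(f"missing {opt} in options.pptpd")
    name = opts.get("name")
    for entry in parse_chap_secrets(secrets):
        # The server column must equal pppd's 'name' or the row is never used.
        if entry["server"] not in (name, "*"):
            findings.append(f"secret for {entry['client']} names server "
                            f"{entry['server']!r}, pppd name is {name!r}")
        if len(entry["secret"]) < MIN_SECRET_LEN:
            findings.append(f"short secret for {entry['client']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PPTPD_CONF, SAMPLE_OPTIONS, SAMPLE_SECRETS):
        print("finding:", finding)
```

Run against the guide's own values the only finding is the five-character secret; removing any of the refuse-*/require-* lines from options.pptpd adds a finding for it, which is the case worth catching, since a missing "require-mppe-128" silently allows sessions without encryption.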
vi /etc/init.d/pptpd
#!/bin/bash
#
# chkconfig: 35 95 15
# description: pptpd
# processname: pptpd
# pidfile: /var/run/pptpd.pid
# config: /etc/pptpd.conf
# source function library
. /etc/init.d/functions
pptpd=/usr/local/sbin/pptpd
prog=pptpd
RETVAL=0
start() {
echo -n $"Starting pptpd services: "
daemon $pptpd
# capture the exit status of daemon, not of the preceding echo
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/pptpd
}
stop() {
killproc pptpd
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/pptpd
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
;;
condrestart)
if [ -f /var/lock/subsys/pptpd ]; then
stop
start
fi
;;
status)
status pptpd
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
chmod +x /etc/init.d/pptpd
chkconfig --level 345 pptpd on
Starting pptpd
/etc/init.d/pptpd restart
Firewall configuration:
vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
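The rule above opens the PPTP control channel on TCP 1723, but as noted at the top of the page the PPP frames themselves travel in GRE (IP protocol 47), and the CentOS 5 default chain ends in a REJECT, so a GRE ACCEPT must also appear before that final rule or clients will authenticate and then pass no traffic. The script below is an added example, not part of the guide or of any distribution tooling: it reads an iptables-save style ruleset and sysctl output and reports which of the three prerequisites (TCP/1723, GRE, ip_forward) are missing, applying first-match semantics so that a rule shadowed by an earlier REJECT is not counted. The ruleset and sysctl text are constructed samples.

```python
"""Check an iptables-save style ruleset plus sysctl output for what a pptpd
server needs: TCP/1723 for the control channel, GRE (protocol 47) for the
tunnelled PPP frames, and net.ipv4.ip_forward enabled.  Added example; the
rule lines are constructed to resemble a CentOS 5 RH-Firewall-1-INPUT chain
and are not captured from a real host."""
import re
import shlex

# Constructed ruleset: only the control port is open, as in the guide's snippet.
SAMPLE_RULES = """\
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 0\n"

PROTO_ALIASES = {"47": "gre", "6": "tcp", "17": "udp"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into the match fields this check needs."""
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "proto": None, "dport": None,
            "states": set()}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-A":
            rule["chain"] = toks[i + 1]
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        elif tok == "-p":
            rule["proto"] = PROTO_ALIASES.get(toks[i + 1], toks[i + 1])
        elif tok == "--dport":
            rule["dport"] = toks[i + 1]
        elif tok == "--state":
            rule["states"] = set(toks[i + 1].split(","))
        else:
            i += 1
            continue
        i += 2  # option plus its argument
    return rule


def first_match(rules, proto, dport=None, state="NEW"):
    """Return the target of the first rule matching a packet, as iptables
    would, or None if the chain's policy decides.  Ordering matters: an
    ACCEPT placed after a catch-all REJECT is never reached."""
    for r in rules:
        if r["proto"] not in (None, proto):
            continue
        if r["states"] and state not in r["states"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return None


def audit_firewall(rules_text, sysctl_text, chain="RH-Firewall-1-INPUT"):
    """Return the list of missing prerequisites (empty list means all present)."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.startswith("-A")]
    rules = [r for r in rules if r["chain"] == chain]
    findings = []
    if first_match(rules, "tcp", "1723") != "ACCEPT":
        findings.append("tcp/1723 (PPTP control channel) is not accepted")
    if first_match(rules, "gre") != "ACCEPT":
        findings.append("GRE (protocol 47) is not accepted; tunnel carries no data")
    if not re.search(r"^net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_text, re.M):
        findings.append("net.ipv4.ip_forward is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_RULES, SAMPLE_SYSCTL):
        print("finding:", finding)
```

On the sample ruleset the check reports the missing GRE rule and the disabled forwarding; inserting "-A RH-Firewall-1-INPUT -p gre -j ACCEPT" above the REJECT line clears the first finding, while appending the same rule after the REJECT line does not, which is exactly the ordering mistake this check is meant to catch.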
Windows client configuration:
Create a new VPN connection and untick the "Use default gateway on remote network" option.
Networking -> TCP/IP properties -> Advanced -> Settings -> Use default gateway on remote network