Vultr: Can you help me see why this L2TP IPsec won't connect? - V2EX
DearTanker

Vultr: Can you help me see why this L2TP IPsec won't connect?

  •   DearTanker Jan 19, 2015 11694 views
    There don't seem to be any errors.. When the phone tries to connect it says: server not responding.

    [root@vultr ~]# ipsec verify

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.6.38/K2.6.32-504.3.3.el6.x86_64 (netkey)
    Checking for IPsec support in kernel [OK]
    SAref kernel support [N/A]
    NETKEY: Testing XFRM related proc values [OK]
    [OK]
    [OK]
    Hardware RNG detected, testing if used properly [OK]
    Checking that pluto is running [OK]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for NAT-T on udp 4500 [OK]
    Checking for 'ip' command [OK]
    Checking /bin/sh is not /bin/dash [OK]
    Checking for 'iptables' command [OK]
    Opportunistic Encryption Support [DISABLED]


    These are the few places I can think of where the problem might be. Please take a look and help me analyze it..

    [root@vultr ~]# vi /etc/ipsec.secrets

    108.61.201.*** %any: PSK "vpnsos"

    [root@vultr ~]# vi /etc/ipsec.secrets

    # Generated by iptables-save v1.4.7 on Mon Jan 5 09:54:49 2015
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:140]
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8989 -j ACCEPT
    -A FORWARD -s 172.16.36.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
    COMMIT
    # Completed on Mon Jan 5 09:54:49 2015
    # Generated by iptables-save v1.4.7 on Mon Jan 5 09:54:49 2015
    *nat
    :PREROUTING ACCEPT [103:7248]
    :POSTROUTING ACCEPT [18:1188]
    :OUTPUT ACCEPT [18:1188]
    -A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source 108.61.201.***
    COMMIT
    # Completed on Mon Jan 5 09:54:49 2015
    17 replies    2019-05-07 11:35:34 +08:00
    wzxjohn
        1
    wzxjohn  
       Jan 19, 2015
    How can anyone help you if you post only the config and no log......
    kxmp
        2
    kxmp  
       Jan 19, 2015
    L2TP has been blocked....
    I've tested all of this.
    If syslog doesn't move at all while you are connecting, then it's 100% blocked.
    luo362722353
        3
    luo362722353  
       Jan 19, 2015 via iPhone   1
    Try this first; no guarantee that you'll be able to connect
    service ipsec restart
    xl2tpd
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Hope this helps you

    @DearTanker
    DearTanker
        4
    DearTanker  
    OP
       Jan 19, 2015
    @wzxjohn
    @kxmp

    How do I look at the log? I'm a complete newbie, don't laugh at me..


    @luo362722353

    OK, I'll try it..
    evilyau
        5
    evilyau  
       Jan 19, 2015   1
    There's InstaVPN on GitHub, the best L2TP I've ever used
    Phant0m
        6
    Phant0m  
       Jan 19, 2015 via iPad
    @evilyau Link, please
    RHFS
        7
    RHFS  
       Jan 19, 2015
    @evilyau Won't it get interfered with?

    @Phant0m https://github.com/sockeye44/instavpn Any quick search will find it...
    DearTanker
        8
    DearTanker  
    OP
       Jan 20, 2015
    @RHFS This.. can it be installed on CentOS? (_`)
    DearTanker
        9
    DearTanker  
    OP
       Jan 20, 2015
    @luo362722353 Wow, it connects now, but I can't get online...
    RHFS
        10
    RHFS  
       Jan 20, 2015 via iPhone
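    @DearTanker Apparently not. I tinkered with it last night, but the network was too laggy so I gave up. The system requirement is Ubuntu 14. I read the description and it looks good.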
    luo362722353
        11
    luo362722353  
       Jan 20, 2015 via iPhone
    @DearTanker
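    How can that be…

    If it's eth0, then barring surprises it should work normally
    Run
    xl2tpd
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    If it can't connect… please run ifconfig and post the output for me to look at…

    Next is

    the config file /etc/sysctl.conf (changing the kernel forwarding parameter)
    Are you sure it's correct?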
    kxmp
        12
    kxmp  
       Jan 25, 2015
    @DearTanker
    > tail -f /var/log/syslog
    Then start connecting. See whether the log moves. If it doesn't, there's no need for you to do anything else.
    DearTanker
        13
    DearTanker  
    OP
       Jul 10, 2015
    @kxmp I've kept tinkering with it these past few days, and it still doesn't work..

    tail: cannot open `/var/log/syslog' for reading: No such file or directory
    DearTanker
        14
    DearTanker  
    OP
       Jul 10, 2015
    @wzxjohn
    @kxmp
    @luo362722353

    Jul 10 22:44:47 vultr sshd[1396]: Server listening on 0.0.0.0 port 22.
    Jul 10 22:44:47 vultr sshd[1396]: Server listening on :: port 22.
    Jul 10 22:44:50 vultr sshd[1856]: reverse mapping checking getaddrinfo for 46.236.25.117.broad.xm.fj.dynamic.163data.com.cn [117.25.236.46] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 10 22:44:50 vultr sshd[1856]: Accepted password for root from 117.25.236.46 port 58434 ssh2
    Jul 10 22:44:50 vultr sshd[1856]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [RFC 3947] method set to=109
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [Dead Peer Detection]
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: responding to Main Mode from unknown peer 120.32.228.110
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: STATE_MAIN_R1: sent MR1, expecting MI2
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:34 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:34 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:37 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:37 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:53 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:53 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    kxmp
        15
    kxmp  
       Sep 27, 2015
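    What you have here is an unknown message being received... The packet carrying the authentication information got corrupted, so you can't connect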
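
    The log check kxmp describes in replies 12 and 15, as an added example that is not part of the original thread: it groups pluto lines by client IP and reports the last IKE state reached and any rejected payloads. The sample lines are copied from reply 14 (abridged); the names `triage` and `verdict` are hypothetical.

```python
import re
from collections import Counter

# Lines copied from reply 14 of this thread (abridged to part of the retry loop).
SAMPLE = '''\
Jul 10 22:44:47 vultr sshd[1396]: Server listening on :: port 22.
Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [RFC 3947] method set to=109
Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: responding to Main Mode from unknown peer 120.32.228.110
Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
Jul 10 22:45:34 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
'''

# pluto prefixes a line with either 'packet from IP:port:' or '"conn"[n] IP #sa:'
PLUTO = re.compile(r'pluto\[\d+\]: (?:packet from (?P<src>[\d.]+):\d+'
                   r'|"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+): (?P<msg>.*)')
STATE = re.compile(r'transition from state \S+ to state (STATE_\w+)')
REJECT = re.compile(r'unknown or unexpected payload type \((\w+)\)')

def triage(log_text):
    """Group pluto lines by client IP: last IKE state and rejected payload types."""
    peers = {}
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue  # sshd and other daemons write to the same file
        ip = m['src'] or m['peer']
        p = peers.setdefault(ip, {'lines': 0, 'last_state': None, 'rejected': Counter()})
        p['lines'] += 1
        if (s := STATE.search(m['msg'])):
            p['last_state'] = s.group(1)
        if (r := REJECT.search(m['msg'])):
            p['rejected'][r.group(1)] += 1
    return peers

def verdict(peers, client_ip):
    p = peers.get(client_ip)
    if p is None:
        return 'silent'        # nothing logged for this client (reply 12's case)
    if p['last_state'] == 'STATE_QUICK_R2':
        return 'established'   # Openswan logs this state once the IPsec SA is up
    if p['rejected']:
        return 'stalled'       # packets arrive but are rejected (reply 15's case)
    return 'incomplete'

if __name__ == '__main__':
    print({ip: verdict(triage(SAMPLE), ip) for ip in triage(SAMPLE)})
```

    For the log in reply 14 the result is `stalled` with the last state `STATE_MAIN_R1`: the client's packets reach pluto, so this is not the silent-log case from reply 12.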
    litp
        16
    litp  
       May 7, 2019
    @DearTanker Hey buddy, did you ever get this configured successfully back then! I'm now running into the same can't-connect problem
    litp
        17
    litp  
       May 7, 2019
    @DearTanker Found the problem, it actually turns out to be related to the ISP
    https://github.com/hwdsl2/setup-ipsec-vpn/issues/244