A question about deploying L2TP/IPsec - V2EX

    marklrh  2014-01-31 10:19:26 +08:00  15871 views
    Here is how I have /etc/ipsec.conf set up:

    version 2.0 # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        #dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey

    conn %default
        forceencaps=yes

    conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        # placeholder: the poster substituted this for the server's real public IP
        left=106.0.0.0
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any


    The IP above is not the real one; I swapped in a different address.
    The problem is that when I run $ ipsec verify I get:

    Openswan U2.6.39/K3.12.6-x86_64-linode36 (netkey)
    See `ipsec --copyright' for copyright information.
    Checking for IPsec support in kernel [OK]
    NETKEY: Testing XFRM related proc values
    ICMP default/send_redirects [OK]
    ICMP default/accept_redirects [OK]
    XFRM larval drop [OK]
    Hardware random device check [N/A]
    Two or more interfaces found, checking IP forwarding [OK]
    Checking rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/gre0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/gretap0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/ip6gre0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/sit0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/teql0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/tunl0/rp_filter [ENABLED]
    Checking that pluto is running [OK]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
    Pluto listening for IKE/NAT-T on udp 4500 [OK]
    Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
    Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
    Checking NAT and MASQUERADEing [TEST INCOMPLETE]
    Checking 'ip' command [OK]
    Checking 'iptables' command [OK]


    Something is wrong at "Checking NAT and MASQUERADEing"; I googled for ages and found no solution.
    Looking at /var/log/auth.log, I can confirm the device fails to connect to the VPN because of a NAT forwarding problem.

    Looking for a fix, many thanks!
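As an added example (not part of marklrh's post and not Openswan's own code), here is the host side that the 'ipsec verify' output above is probing, written as a POSIX shell script. Two practitioner notes on that output first: rp_filter is ENABLED on every interface, and with the NETKEY stack that is a well-known way for an L2TP/IPsec client to complete IKE and then get nothing back, because the decapsulated packets fail the kernel's reverse-path check; and '[TEST INCOMPLETE]' on the NAT/MASQUERADE line means the verify script could not finish that check, not that it found a broken rule. The script prints the sysctl values verify looks for, the iptables rules for a responder (IKE on udp/500, NAT-T on udp/4500, L2TP on udp/1701 accepted only when it arrived inside an IPsec SA, IPsec-protected output exempted from NAT, MASQUERADE limited to the client pool), and reimplements the rp_filter check so it can be pointed at any directory. The interface name eth0, the client pool 10.1.2.0/24 and the PROC_ROOT variable are assumptions made for this example; nothing on the host is changed unless it is run as root with --apply.

```sh
#!/bin/sh
# Added example, not from the original post or from Openswan: kernel and
# firewall prerequisites for an L2TP/IPsec responder on the NETKEY stack.
# Assumptions (hypothetical, adjust for your host): WAN interface eth0 and an
# L2TP client pool of 10.1.2.0/24 handed out by xl2tpd/pppd. PROC_ROOT exists
# only so the rp_filter check can be run against a test directory.
# Without --apply nothing is changed; the plan is only printed.

WAN_IF="${WAN_IF:-eth0}"
L2TP_POOL="${L2TP_POOL:-10.1.2.0/24}"
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"

# sysctl values 'ipsec verify' probes for NETKEY: forwarding on, ICMP
# redirects off, rp_filter off. With NETKEY a decapsulated packet is
# re-injected and can fail the reverse-path check, so rp_filter=1 silently
# drops traffic that IKE negotiated successfully.
sysctl_lines() {
    cat <<EOF
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.$WAN_IF.rp_filter=0
EOF
}

# iptables rules in the order they must be inserted. IKE (udp/500) and NAT-T
# (udp/4500) are plain UDP. L2TP (udp/1701) is accepted only if the packet
# arrived inside an IPsec SA (xt_policy) and dropped otherwise, so nobody can
# speak L2TP to the server in the clear. In the nat table, IPsec-protected
# output is exempted before the MASQUERADE rule so NAT never rewrites packets
# the transport-mode SA is about to protect; only the client pool leaving via
# the WAN interface is masqueraded.
iptables_lines() {
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -A FORWARD -s $L2TP_POOL -o $WAN_IF -j ACCEPT
iptables -A FORWARD -d $L2TP_POOL -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s $L2TP_POOL -o $WAN_IF -j MASQUERADE
EOF
}

# The same check 'ipsec verify' reports as "Checking rp_filter": every
# conf/*/rp_filter under PROC_ROOT must read 0. Prints offenders, returns 1 if any.
rp_filter_ok() {
    rp_bad=0
    for f in "$PROC_ROOT"/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "rp_filter ENABLED: $f"
            rp_bad=1
        fi
    done
    return "$rp_bad"
}

# Apply for the running system only (needs root); persistence is left to
# /etc/sysctl.d and the distribution's iptables-save mechanism.
apply_all() {
    sysctl_lines | while IFS= read -r kv; do sysctl -w "$kv"; done
    iptables_lines | while IFS= read -r cmd; do sh -c "$cmd"; done
}

case "${1:-}" in
    --apply) apply_all ;;
    *)
        echo "# dry run: re-run as root with --apply to execute"
        sysctl_lines
        iptables_lines
        rp_filter_ok || echo "# rp_filter is enabled on the interfaces above; set it to 0"
        ;;
esac
```

Run it with no arguments to see the plan and the current rp_filter state; saved as, say, l2tp-ipsec-prereq.sh (a name chosen for this example), 'sudo sh l2tp-ipsec-prereq.sh --apply' applies it for the current boot, after which 'ipsec verify' should list rp_filter as DISABLED. The sysctl lines belong in a file under /etc/sysctl.d/ and the rules need saving with your distribution's iptables persistence, otherwise both are gone after a reboot.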
    4 replies
    1   alexrezit   2014-01-31 10:57:10 +08:00
    Are you sure your iptables is configured properly?
    2   alexrezit   2014-01-31 11:00:26 +08:00
    Oh nvm.

    Why is your config so different from mine...
    3   maoyipeng   2014-01-31 11:24:42 +08:00 via Android
    I'd suggest switching to strongSwan and giving that a try.
    4   geeklian   2014-01-31 13:44:16 +08:00
    If you're just building your own VPN for personal use, use http://www.softether-download.com/files/softether/
    It sets up L2TP, OpenVPN and all the rest from a GUI...

    If it's a production environment, that's a different conversation...