有关部署L2TP/IPsec的问题

    marklrh · 2014-01-31 10:19:26 +08:00 · 15567 views

    I configured /etc/ipsec.conf as follows:

    version 2.0 # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        #dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey

    conn %default
        forceencaps=yes

    conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=106.0.0.0
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any


    The IP above is not the real one; I swapped in a different address.
    The problem is, when I run $ ipsec verify:

    Openswan U2.6.39/K3.12.6-x86_64-linode36 (netkey)
    See `ipsec --copyright' for copyright information.
    Checking for IPsec support in kernel [OK]
    NETKEY: Testing XFRM related proc values
    ICMP default/send_redirects [OK]
    ICMP default/accept_redirects [OK]
    XFRM larval drop [OK]
    Hardware random device check [N/A]
    Two or more interfaces found, checking IP forwarding [OK]
    Checking rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/gre0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/gretap0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/ip6gre0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/sit0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/teql0/rp_filter [ENABLED]
    /proc/sys/net/ipv4/conf/tunl0/rp_filter [ENABLED]
    Checking that pluto is running [OK]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
    Pluto listening for IKE/NAT-T on udp 4500 [OK]
    Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
    Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
    Checking NAT and MASQUERADEing [TEST INCOMPLETE]
    Checking 'ip' command [OK]
    Checking 'iptables' command [OK]


    Something is wrong at "Checking NAT and MASQUERADEing"; I googled for ages and could not find a solution.
    Looking at /var/log/auth.log, I can confirm that the devices fail to connect to the VPN because of a NAT forwarding problem.

    Looking for a solution, thanks!
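The two items that the verify output above does not pass cleanly are rp_filter ([ENABLED] on every interface) and the NAT/MASQUERADE test ([TEST INCOMPLETE]). The script below is an added example, not code from the thread or from Openswan: it pulls the non-passing checks out of saved `ipsec verify` output and audits rp_filter under a given root directory, so it can be run against a constructed fake /proc tree offline; `make_fake_proc` and the interface names inside it are constructed test data.

```shell
#!/bin/sh
# Added example for this thread (not Openswan's own tooling).

# List interfaces whose rp_filter is 1 (strict reverse-path filtering).
# Openswan's `ipsec verify` reports these as [ENABLED]; with the netkey
# stack the usual remediation is 0 (off) or 2 (loose). $1 is an optional
# root prefix, so a constructed tree can stand in for the real /proc.
rp_filter_strict_ifaces() {
    root="${1:-}"
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Emit sysctl.conf lines that would clear strict mode on those interfaces.
rp_filter_sysctl_fix() {
    rp_filter_strict_ifaces "$1" | while read -r ifc; do
        echo "net.ipv4.conf.$ifc.rp_filter = 0"
    done
}

# From saved `ipsec verify` output on stdin, keep only the checks that did
# not pass: every "[...]" result other than OK, N/A or NOT IMPLEMENTED.
verify_failures() {
    grep -E '\[[A-Z/ ]+\]$' | grep -vE '\[(OK|N/A|NOT IMPLEMENTED)\]$'
}

# Constructed fake /proc tree mirroring the poster's host: all, default and
# eth0 in strict mode, lo in loose mode. Prints the temporary root.
make_fake_proc() {
    d=$(mktemp -d)
    for ifc in all default eth0 lo; do
        mkdir -p "$d/proc/sys/net/ipv4/conf/$ifc"
    done
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/rp_filter"
    echo 1 > "$d/proc/sys/net/ipv4/conf/default/rp_filter"
    echo 1 > "$d/proc/sys/net/ipv4/conf/eth0/rp_filter"
    echo 2 > "$d/proc/sys/net/ipv4/conf/lo/rp_filter"
    echo "$d"
}
```

On a live host, run `ipsec verify | verify_failures` and `rp_filter_sysctl_fix` with no argument to audit the real /proc.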
    4 replies
    1 · alexrezit · 2014-01-31 10:57:10 +08:00
    Are you sure your iptables is configured properly?
    2 · alexrezit · 2014-01-31 11:00:26 +08:00
    Oh nvm.

    Why is your configuration so different from mine...
    3 · maoyipeng · 2014-01-31 11:24:42 +08:00 via Android
    I'd suggest switching to strongSwan and giving that a try.
    4 · geeklian · 2014-01-31 13:44:16 +08:00
    If you're just building your own VPN for personal use, grab http://www.softether-download.com/files/softether/
    and its GUI will set up L2TP, OpenVPN and the rest for you...

    If this is a production environment, that's another conversation...