Openswan l2tp ipsec vpn on Ubuntu 13.04 for remote access (Android road warrior). Not working

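I followed the instructions here: http://samsclass.info/ipv6/proj/proj-L5-VPN-Server.html

I used exactly the same files as those posted on that site. On my router, I have forwarded ports 500 UDP and 4500 UDP to the Ubuntu box. On Android, when I try, it goes to "Connecting..." and then eventually "Timeout". I also tested on iOS (iPad), and it does not work either. I noticed that there is nothing from xl2tpd in syslog for each connection attempt, so I guess openswan ipsec is not passing the traffic to xl2tpd?

All steps in the guide were completed: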

added local ip address 172.22.1.1 eth0:0 (the Ubuntu box has eth0 192.168.0.50)
installed openswan
edited ipsec.conf, ipsec.secrets
stopped redirects
ipsec verify
restarted openswan
installed xl2tpd
edited xl2tpd.conf
ppp was already installed, so skipped this step
edited options.xl2tpd and chap-secrets
restarted xl2tpd

[ipsec.conf]

# diff ipsec.conf ipsec.conf.template
21c21
<     left=192.168.0.50
---
>     left=YOUR.SERVER.IP.ADDRESS

The .50 IP address is the eth0 IP address of the Ubuntu server on my LAN.

[ipsec.secrets]

# cat /etc/ipsec.secrets
192.168.0.50   %any:  PSK "YourSharedSecret"

[xl2tpd.conf / options.xl2tpd / chap-secrets]

All 3 files are identical to the examples provided on the site.

=== /var/log/auth.log
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [RFC 3947] method set to=115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [Dead Peer Detection]
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: responding to Main Mode from unknown peer 166.147.67.29
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: Main mode peer ID is ID_IPV4_ADDR: '10.4.23.140'
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: deleting connection "L2TP-PSK-NAT" instance with peer 166.147.67.29 {isakmp=#0/ipsec=#0}
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: new NAT mapping for #1, was 166.147.67.29:58529, now 166.147.67.29:37048
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: received and ignored informational message
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: the peer proposed: 98.201.212.153/32:17/1701 -> 10.4.23.140/32:17/0
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: responding to Quick Mode proposal {msgid:76a9dec2}
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2:     us: 192.168.0.50<192.168.0.50>:17/1701
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2:   them: 166.147.67.29[10.4.23.140]:17/0===10.4.23.140/32
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x01bbb0b5 <0xee2829cb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=166.147.67.29:37048 DPD=none}


=== /var/log/syslog
Sep 20 02:00:52 sbowne kernel: [28283.272399] NET: Unregistered protocol family 15
Sep 20 02:00:52 sbowne ipsec_setup: ...Openswan IPsec stopped
Sep 20 02:00:52 sbowne kernel: [28283.357232] NET: Registered protocol family 15
Sep 20 02:00:52 sbowne ipsec_setup: Starting Openswan IPsec U2.6.38/K3.8.0-19-generic...
Sep 20 02:00:52 sbowne ipsec_setup: Using NETKEY(XFRM) stack
Sep 20 02:00:52 sbowne kernel: [28283.414490] Initializing XFRM netlink socket
Sep 20 02:00:52 sbowne kernel: [28283.446177] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.450489] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.459554] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.462983] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.470054] AVX or AES-NI instructions are not detected.
Sep 20 02:00:52 sbowne ipsec_setup: multiple ip addresses, using  192.168.0.50 on eth0
Sep 20 02:00:52 sbowne ipsec_setup: ...Openswan IPsec started
Sep 20 02:00:52 sbowne ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Sep 20 02:00:52 sbowne pluto: adjusting ipsec.d to /etc/ipsec.d
Sep 20 02:00:52 sbowne ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Sep 20 02:00:52 sbowne ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Sep 20 02:03:17 sbowne xl2tpd[8264]: death_handler: Fatal signal 15 received
Sep 20 02:03:19 sbowne xl2tpd[12634]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Sep 20 02:03:19 sbowne xl2tpd[12634]: setsockopt recvref[30]: Protocol not available
Sep 20 02:03:19 sbowne xl2tpd[12634]: This binary does not support kernel L2TP.
Sep 20 02:03:19 sbowne xl2tpd[12635]: xl2tpd version xl2tpd-1.3.1 started on sbowne PID:12635
Sep 20 02:03:19 sbowne xl2tpd[12635]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 20 02:03:19 sbowne xl2tpd[12635]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 20 02:03:19 sbowne xl2tpd[12635]: Inherited by Jeff McAdams, (C) 2002
Sep 20 02:03:19 sbowne xl2tpd[12635]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 20 02:03:19 sbowne xl2tpd[12635]: Listening on IP address 0.0.0.0, port 1701
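
The following log triage is an added example, not part of the original post or of the Openswan/xl2tpd projects. It reads pluto and xl2tpd lines like the ones quoted above and reports whether the IPsec SA came up, whether xl2tpd logged anything after its startup banner, and whether the address the peer proposed for the server differs from the address pluto uses for itself (worth checking when the server sits behind NAT). The function name triage and the result keys are assumptions made for this example.

```python
import re

# Lines selected from the logs quoted in the post, in chronological order.
SAMPLE = """\
Sep 20 02:03:19 sbowne xl2tpd[12635]: Listening on IP address 0.0.0.0, port 1701
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: the peer proposed: 98.201.212.153/32:17/1701 -> 10.4.23.140/32:17/0
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2:     us: 192.168.0.50<192.168.0.50>:17/1701
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x01bbb0b5 <0xee2829cb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=166.147.67.29:37048 DPD=none}
"""

PROPOSED = re.compile(r"the peer proposed: ([\d.]+)/\d+:17/1701 ->")
US = re.compile(r"\bus: ([\d.]+)<")
SA_UP = "STATE_QUICK_R2: IPsec SA established"
XL2TPD = re.compile(r" xl2tpd\[\d+\]: (.*)")


def triage(log_text):
    """Summarise where an L2TP/IPsec connection attempt stopped."""
    r = {"ipsec_sa_established": False, "peer_target": None,
         "local_addr": None, "xl2tpd_activity": 0}
    banner_seen = False
    for line in log_text.splitlines():
        if SA_UP in line:
            r["ipsec_sa_established"] = True
        if (m := PROPOSED.search(line)):
            r["peer_target"] = m.group(1)   # address the client aimed at
        if (m := US.search(line)):
            r["local_addr"] = m.group(1)    # address pluto uses for itself
        if (m := XL2TPD.search(line)):
            if m.group(1).startswith("Listening on"):
                banner_seen = True          # startup banner, not traffic
            elif banner_seen:
                r["xl2tpd_activity"] += 1   # anything logged after startup
    r["addr_mismatch"] = (r["peer_target"] is not None
                          and r["local_addr"] is not None
                          and r["peer_target"] != r["local_addr"])
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample lines this reports an established IPsec SA, zero xl2tpd lines after the banner, and a mismatch between 98.201.212.153 and 192.168.0.50, which narrows the search to what happens to UDP 1701 after ESP is decapsulated.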
