I am trying to set up IPsec between two VMs launched by OpenNebula. I am using Openswan for this. This is the ipsec.conf file:
config setup
    oe=off
    interfaces=%defaultroute
    protostack=klips

conn host-to-host
    left=10.141.0.135 # Local IP address
    connaddrfamily=ipv4
    leftrsasigkey=key
    right=10.141.0.132 # Remote IP address
    rightrsasigkey=key
    ike=aes128 # IKE algorithms (AES cipher)
    esp=aes128 # ESP algorithms (AES cipher)
    auto=add
    pfs=yes
    forceencaps=yes
    type=tunnel
I am able to establish the connection with netkey, but klips does not work.
ipsec barf shows:
#71: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.141.0.132 port 500, complainant 10.141.0.135: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
tcpdump shows:
22:50:20.592685 IP 10.141.0.132.isakmp > 10.141.0.135.isakmp: isakmp: phase 1 I ident
22:50:25.602182 ARP, Request who-has 10.141.0.135 tell 10.141.0.132, length 46
22:50:26.602082 ARP, Request who-has 10.141.0.135 tell 10.141.0.132, length 46
22:50:27.601985 ARP, Request who-has 10.141.0.135 tell 10.141.0.132, length 46
ipsec eroute shows:
0 10.141.0.135/32 -> 10.141.0.132/32 => %trap
What could the problem be?
Answer 1
Depending on your kernel, you may need a patch. Newer kernels support NETKEY by default.
To enable only NETKEY, use protostack=netkey
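Added example, not part of the question or the answer above: a small shell helper that checks which IPsec stack the kernel can actually run before choosing `protostack=`, so a KLIPS setting is not left in place on a kernel that only has the in-kernel NETKEY (XFRM) stack. The Kconfig symbol names, the /proc paths and the sample config content are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or answer): decide which
# Openswan protostack the kernel can actually run, from a kernel .config.
# KLIPS is an out-of-tree patch/module (CONFIG_KLIPS); NETKEY is the
# in-kernel XFRM stack (CONFIG_NET_KEY, CONFIG_XFRM_USER, CONFIG_INET_ESP).
# The Kconfig symbol names and /proc paths used here are assumptions.

# pick_protostack CONFIG_FILE -> prints "klips", "netkey" or "none"
pick_protostack() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "none"; return 1; }
    if grep -Eq '^CONFIG_KLIPS=(y|m)' "$cfg"; then
        echo "klips"
    elif grep -Eq '^CONFIG_NET_KEY=(y|m)' "$cfg" &&
         grep -Eq '^CONFIG_XFRM_USER=(y|m)' "$cfg" &&
         grep -Eq '^CONFIG_INET_ESP=(y|m)' "$cfg"; then
        echo "netkey"
    else
        echo "none"
        return 1
    fi
}

# running_stack -> which stack the running kernel has loaded, judged by
# the proc entries each one registers (KLIPS: /proc/net/ipsec,
# NETKEY/XFRM with af_key loaded: /proc/net/pfkey).
running_stack() {
    if [ -d /proc/net/ipsec ]; then echo "klips"
    elif [ -e /proc/net/pfkey ]; then echo "netkey"
    else echo "none"; fi
}

# set_protostack IPSEC_CONF STACK -> writes IPSEC_CONF.new with the
# protostack= line changed, keeping its indentation (review before use).
set_protostack() {
    sed -E "s/^([[:space:]]*)protostack=.*/\1protostack=$2/" "$1" > "$1.new"
}

# Usage: sh check_stack.sh /boot/config-$(uname -r)
if [ "${1:-}" ]; then
    stack=$(pick_protostack "$1") || echo "kernel has neither KLIPS nor NETKEY" >&2
    echo "kernel config supports: $stack; running: $(running_stack)"
fi
```

If `pick_protostack` reports netkey while ipsec.conf says klips, the ICMP unreachable and the unanswered ARP requests in the question are what you would expect, since KLIPS never attached to eth0.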