Openswan ipsec 传输隧道未启动

tag-icon tag-icon ipsec openswan
Openswan ipsec 传输隧道未启动

在 ClusterA 和 BI 上已安装 Debian Squeeze 上的“openswan”包。

ClusterA ip为172.16.0.107,B为172.16.0.108

当它们互相 ping 时,却无法到达目的地。

/etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        protostack=netkey
        oe=off

conn L2TP-PSK-CLUSTER
        type=transport
        left=172.16.0.107
        right=172.16.0.108
        auto=start
        ike=aes128-sha1-modp2048
        authby=secret
        compress=yes

/etc/ipsec.secrets:

172.16.0.107 172.16.0.108 : PSK "L2TPKEY"
172.16.0.108 172.16.0.107 : PSK "L2TPKEY"

以下是两台机器上 ipsec verify 的结果:

root@cluster2:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.28/K2.6.32-5-amd64 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
root@cluster2:~#

这是 ipsec auto --status 输出的结尾:

000 "cluster": 172.16.0.108<172.16.0.108>[+S=C]...172.16.0.107<172.16.0.107>[+S=C]; prospective erouted; eroute owner: #0
000 "cluster":     myip=unset; hisip=unset;
000 "cluster":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "cluster":   policy: PSK+ENCRYPT+COMPRESS+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "cluster":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "cluster":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #3: "cluster":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 298s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "cluster":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 13s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: "cluster":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2991s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000

有趣的是,如果我在服务器上执行 ike-scan,将发生以下情况:

似乎没有考虑我的 ike 设置

root@cluster1:~# ike-scan -M 172.16.0.108
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.0.108    Main Mode Handshake returned
    HDR=(CKY-R=641bffa66ba717b6)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4f45517b4f7f6e657a7b4351
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.008 seconds (118.19 hosts/sec).  1 returned handshake; 0 returned notify
root@cluster1:~#

我不知道这里发生了什么,根据示例,这几乎是我能拥有的最简单的配置。

答案1

事实证明 NETKEY 不支持 compress=yes。

删除该设置后,效果很好。

相关内容