I have a non-NATed Openswan+xl2tpd server (Ubuntu 12.04) that I connect to from a Windows 8 machine behind NAT. The client disconnects after some period of inactivity (somewhere between 30 and 60 minutes, but I haven't timed it).
The client does not have the "hang up after idle" feature enabled. It does not go to sleep either. I also tried setting the hang-up time to 24 hours, which didn't help.
The NAT router the client sits behind is a Debian Linux box, and its upstream router is a Cisco that connects us directly to the data center where the server lives. None of our other connections (e.g. SSH) ever drop due to inactivity (the routers are dirt cheap). I did, however, try turning on keepalives in /etc/ipsec.conf:
config setup
(...snip...)
nat_traversal=yes
force_keepalive=yes
keep_alive=10
but that did not help.
As you can see in the config further down, the dead peer detection action is "clear". That would be the first suggested thing to fix, but I need "clear" because people will be connecting from everywhere but the kitchen sink. Also, as I said, in my current test setup I cannot see any device tearing down its connection. (Edit: "restart" has the same effect.)
Here is one such occurrence:
Jul 18 16:18:06 host xl2tpd[1918]: Maximum retries exceeded for tunnel 49070. Closing.
Jul 18 16:18:06 host xl2tpd[1918]: Terminating pppd: sending TERM signal to pid 18359
Jul 18 16:18:06 host xl2tpd[1918]: Connection 4 closed to 89.188.x.y, port 1701 (Timeout)
Jul 18 16:18:11 host xl2tpd[1918]: Unable to deliver closing message for tunnel 49070. Destroying anyway.
And on the other side:
Jul 18 17:44:39 host xl2tpd[1918]: udp_xmit failed to 89.188.x.y:1701 with err=-1:Operation not permitted
Jul 18 17:44:43 xl2tpd[1918]: last message repeated 4 times
Jul 18 17:44:43 host xl2tpd[1918]: Maximum retries exceeded for tunnel 10918. Closing.
Jul 18 17:44:43 host xl2tpd[1918]: udp_xmit failed to 89.188.x.y:1701 with err=-1:Operation not permitted
Jul 18 17:44:43 host xl2tpd[1918]: Terminating pppd: sending TERM signal to pid 26338
Jul 18 17:44:43 host xl2tpd[1918]: Connection 6 closed to 89.188.x.y, port 1701 (Timeout)
Jul 18 17:44:44 host xl2tpd[1918]: udp_xmit failed to 89.188.x.y:1701 with err=-1:Operation not permitted
Jul 18 17:44:48 xl2tpd[1918]: last message repeated 3 times
Jul 18 17:44:48 host xl2tpd[1918]: Unable to deliver closing message for tunnel 10918. Destroying anyway.
Jul 18 17:44:59 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
Jul 18 17:44:59 host xl2tpd[1918]: network_thread: unable to find call or tunnel to handle packet. call = 0, tunnel = 10918 Dumping.
Jul 18 17:45:09 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
Jul 18 17:45:09 host xl2tpd[1918]: network_thread: unable to find call or tunnel to handle packet. call = 0, tunnel = 10918 Dumping.
Jul 18 17:45:19 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
Jul 18 17:45:19 host xl2tpd[1918]: network_thread: unable to find call or tunnel to handle packet. call = 0, tunnel = 10918 Dumping.
Jul 18 17:45:29 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
Jul 18 17:45:29 host xl2tpd[1918]: network_thread: unable to find call or tunnel to handle packet. call = 0, tunnel = 10918 Dumping.
Jul 18 17:45:39 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
Jul 18 17:45:39 host xl2tpd[1918]: network_thread: unable to find call or tunnel to handle packet. call = 0, tunnel = 10918 Dumping.
Jul 18 17:45:49 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
Jul 18 17:45:49 host xl2tpd[1918]: network_thread: unable to find call or tunnel to handle packet. call = 0, tunnel = 10918 Dumping.
Versions:
- Ubuntu 12.04
- Openswan: 2.6.37-1
- xl2tpd: 3.1+dfsg-1
- Kernel: 3.2.0-49-generic
Configuration:
/etc/ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
oe=off
protostack=netkey
force_keepalive=yes
keep_alive=10
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=2
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikelifetime=8h
keylife=1h
type=transport
left=%defaultroute
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
/etc/xl2tpd/xl2tpd.conf:
[global]
ipsec saref = no
[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd:
require-mschap-v2
refuse-mschap
ms-dns 10.152.2.1
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Answer 1
In your /etc/ppp/options.xl2tpd file you have "idle 1800", which is 30 minutes.
You could try setting that to a higher number, or do something horrible like this:
while true; do echo "c default" 1>/var/run/xl2tpd/l2tp-control; sleep 1500; done
Answer 2
Most likely your session rekeying is not completing. I would first look at:
- the firewall rules on the Ubuntu box (iptables-save)
- the IPsec-related network traffic on the Ubuntu box (tcpdump -s 0 -w capturefile.pcap -n -i $vpn_external_interface '$remote_client_ip or icmp or ip proto 50 or udp port 500')
- the IPsec-related events in the Windows event log. This article documents some of the events; it was written for Windows 7 but applies to Windows 8 as well.
- the idle-connection timeout settings on the Cisco router (if you have access to it).
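To support the kind of log review suggested above, here is an added example (not from either answer or from the xl2tpd project) that groups the question's xl2tpd syslog lines by tunnel id and attaches a diagnosis. It assumes the stock xl2tpd message formats shown in the question; the sample log is constructed from those lines with the peer address left masked as 89.188.x.y.

```python
import re

# Constructed sample: the xl2tpd syslog lines quoted in the question,
# peer address masked exactly as the poster gave it.
SAMPLE_LOG = """\
Jul 18 17:44:39 host xl2tpd[1918]: udp_xmit failed to 89.188.x.y:1701 with err=-1:Operation not permitted
Jul 18 17:44:43 xl2tpd[1918]: last message repeated 4 times
Jul 18 17:44:43 host xl2tpd[1918]: Maximum retries exceeded for tunnel 10918. Closing.
Jul 18 17:44:43 host xl2tpd[1918]: Terminating pppd: sending TERM signal to pid 26338
Jul 18 17:44:43 host xl2tpd[1918]: Connection 6 closed to 89.188.x.y, port 1701 (Timeout)
Jul 18 17:44:48 host xl2tpd[1918]: Unable to deliver closing message for tunnel 10918. Destroying anyway.
Jul 18 17:44:59 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
Jul 18 17:45:09 host xl2tpd[1918]: Can not find tunnel 10918 (refhim=0)
"""

RE_EPERM = re.compile(r"udp_xmit failed to (\S+):1701 with err=-1:Operation not permitted")
RE_CLOSE = re.compile(r"Maximum retries exceeded for tunnel (\d+)\. Closing")
RE_PEER = re.compile(r"Connection \d+ closed to (\S+), port 1701 \(Timeout\)")
RE_STALE = re.compile(r"Can not find tunnel (\d+)")

def analyse(log_text):
    """Return {tunnel_id: finding} for every tunnel xl2tpd tore down on timeout."""
    tunnels = {}          # tunnel id -> finding dict
    eperm_peers = set()   # peers the kernel refused to send L2TP to (EPERM)
    last_closed = None    # tunnel whose "Connection ... closed" line comes next
    for line in log_text.splitlines():
        stamp = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
        if m := RE_EPERM.search(line):
            eperm_peers.add(m.group(1))
        elif m := RE_CLOSE.search(line):
            last_closed = m.group(1)
            tunnels[last_closed] = {"closed_at": stamp, "peer": None,
                                    "stale_packets": 0, "eperm": False}
        elif (m := RE_PEER.search(line)) and last_closed:
            tunnels[last_closed]["peer"] = m.group(1)
            tunnels[last_closed]["eperm"] = m.group(1) in eperm_peers
        elif (m := RE_STALE.search(line)) and m.group(1) in tunnels:
            tunnels[m.group(1)]["stale_packets"] += 1
    for f in tunnels.values():
        if f["eperm"]:
            # With the NETKEY stack, an outbound IPsec policy for UDP/1701 that no
            # longer has a live SA typically makes sendto() fail with EPERM, so the
            # IPsec SA went away before the L2TP hello retries were exhausted.
            f["diagnosis"] = "ipsec_sa_gone_first"
        elif f["stale_packets"]:
            # Peer kept sending L2TP after we destroyed the tunnel: it was still up,
            # only the server->peer direction (NAT mapping or SA) had stopped working.
            f["diagnosis"] = "peer_alive_one_way_loss"
        else:
            f["diagnosis"] = "l2tp_hello_timeout"
    return tunnels
```

An "ipsec_sa_gone_first" result points at the Openswan/pluto log (DPD, rekeying) rather than at xl2tpd or the pppd idle timer.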