Openswan 连接后路由记录不良

Openswan 连接后路由记录不良

我在 openswan 配置中遇到问题。连接到服务器后,在客户端的路由表中创建以下几行:

Dest                mask   Gateway        Conn  Metric
  0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.102   4245
  0.0.0.0          0.0.0.0   Kapcsolaton belüli       172.22.1.10     21

Server: Public IP: 100.100.100.100
DHCP Pool: 172.22.1.10-172.22.1.20
Client: behind router :
- router WAN IP: 200.200.200.200
- router LAN IP: 192.168.1.1
- client IP: 192.168.1.102

“ipsec verify” 到处都显示 OK,除了这个:机会加密支持 [已禁用](但我不敢相信这是问题所在……)

日志记录在调试模式下运行。这是我的 auth.log。这些行是在连接正在进行时创建的。

May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: 

received Delete SA(0xa37e281a) payload: deleting IPSEC State #2
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received and ignored informational message
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received Delete SA payload: deleting ISAKMP State #1
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
May 23 21:19:12 <server hostname> pluto[10384]: packet from 200.200.200.200:41505: received and ignored informational message
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: received Vendor ID payload [RFC 3947] method set to=109
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [FRAGMENTATION]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [Vid-Initial-Contact]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [IKE CGA version 1]
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: responding to Main Mode from unknown peer 200.200.200.200
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.102'
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: new NAT mapping for #3, was 200.200.200.200:38824, now 200.200.200.200:41505
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: the peer proposed: 100.100.100.100/32:17/1701 -> 192.168.1.102/32:17/0
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Virtual IP 192.168.1.102/32 overlaps with connection vpn-teszt"" (kind=CK_PERMANENT) '200.200.200.200'
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Kernel method 'netkey' does not support overlapping IP ranges
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: responding to Quick Mode proposal {msgid:01000000}
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4:     us: 100.100.100.100<100.100.100.100>[+S=C]:17/1701
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4:   them: 200.200.200.200[192.168.1.102,+S=C]:17/1701===192.168.1.102/32
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8b1543f8 <0x0ea8c020 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.102 NATD=200.200.200.200:41505 DPD=none}

ipsec.conf:

version 2.0
config setup
        forwardcontrol=no
        nat_traversal=yes
        oe=off
        protostack=netkey
        syslog=auth.debug
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=109.61.102.18
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

conn vpn-teszt
        authby=secret
        auto=add
        left=<server hostname>
        leftid=@<server hostname>
        leftnexthop=%defaultroute          leftrsasigkey=0sAQOLR9JpZSVxZYqkEKOXHMiry8UvCqVYZw/HgYEWKrwippm+jXFNcm7TOxctnAopy7F0vAIm4YX2I9BsoQvfy330Mz7WrzfGgwuE66fVVwQ22mAQ+dyOP4AbVFcaSTCYJ0labJY5onL3JmLLmFTReca6n2L76SdBV3FNhJVd4Z+7NlzvKe0i+v5luemFewMyzuB2XgwATnH7Anf04LKiow0u21j3bcp4QfLi9VF1gdQbiCP1DrwrZp8K2MYmVrYv9xbW34oifEeFjFGqc1gCmoBWVAyTXBFDRnmDgUttbYSfy6UApQ7U/1czQcq/YSYrpvv8E9yURKtnQ5oV+h49
        right=200.200.200.200
        rightid=200.200.200.200
        rightnexthop=172.22.1.1
        rightsubnet=192.168.1.0/24
        type=transport

ipsec.secret::PSK“密码”

我也安装了 xl2tpd。xl2tpd.conf:

[lns default]                                                   ; Our fallthrough LNS definition
; exclusive = no                                                ; * Only permit one tunnel per host
ip range = 172.22.1.10-172.22.1.20      ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
; ip range = 192.168.0.5                                ; * But this one is okay
; ip range = lac1-lac2                                  ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8               ; * These can connect as LAC's
; no lac = untrusted.marko.net                  ; * This guy can't connect
; hidden bit = no                                               ; * Use hidden AVP's?
local ip = 172.22.1.1                           ; * Our local IP to use
length bit = yes                                                ; * Use length bit in payload?
; require chap = yes                                    ; * Require CHAP auth. by peer
refuse pap = yes                                                ; * Refuse PAP authentication
refuse chap = yes                                               ; * Refuse CHAP authentication
; refuse authentication = no                    ; * Refuse authentication altogether
require authentication = yes                    ; * Require peer to authenticate
; unix authentication = no                              ; * Use /etc/passwd for auth.
name = <server hostname>                                          ; * Report this as our hostname
ppp debug = yes                                         ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file

选项.l2tpd.lns:

crtscts
idle 1800
mtu 1500
mru 1500
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
ms-dns 8.8.4.4
ms-dns 8.8.8.8
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/ppp.log

连接后,客户端从服务器获取 IP(172.22.1.10),但服务器无法 ping 通,因为客户端路由表已被覆盖。

你能帮帮我吗,这是什么问题?

附言:抱歉我的英语不好!:)

问候,jjani

相关内容