OpenSwan IPsec connection drops after 30 seconds

I am trying to connect from my Linux Mint 16 box to a CloudStack server via IPsec L2TP. The connection is established successfully (ping works across the tunnel). But after 30 seconds the IPsec tunnel suddenly terminates. What could cause this persistent behaviour, and how can I fix it?

The tunnel is set up using OpenSwan (U2.6.38/K(no kernel code presently loaded)) and Werner Jaeger's L2TP IPsec VPN Manager 1.0.9. The client sits behind a NAT router; the server is on a public IP (CloudStack 4.2).

Running ipsec verify complains that the kernel does not support IPsec. Not sure whether this is a problem, since the connection is being established:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K(no kernel code presently loaded)
Checking for IPsec support in kernel                            [FAILED]
 SAref kernel support                                           [N/A]
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Tunnel configuration:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
    # plutodebug="parsing emitting control private"
    plutodebug=none
    strictcrlpolicy=no
    nat_traversal=yes
    interfaces=%defaultroute
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey

conn %default
    keyingtries=3
    pfs=no
    rekey=yes
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701

conn Tunnel1
    authby=secret

    right=37.48.75.97
    rightid=""
    auto=add

Log file of the VPN connection being established:

aug. 23 17:12:54.708 ipsec_setup: Starting Openswan IPsec U2.6.38/K3.11.0-12-generic...
aug. 23 17:12:55.155 ipsec_setup: multiple ip addresses, using  192.168.178.32 on eth0
aug. 23 17:12:55.165 ipsec__plutorun: Starting Pluto subsystem...
aug. 23 17:12:55.174 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
aug. 23 17:12:55.177 recvref[30]: Protocol not available
aug. 23 17:12:55.177 xl2tpd[14339]: This binary does not support kernel L2TP.
aug. 23 17:12:55.178 Starting xl2tpd: xl2tpd.
aug. 23 17:12:55.178 xl2tpd[14345]: xl2tpd version xl2tpd-1.3.1 started on desktopmint PID:14345
aug. 23 17:12:55.178 xl2tpd[14345]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
aug. 23 17:12:55.179 xl2tpd[14345]: Forked by Scott Balmos and David Stipp, (C) 2001
aug. 23 17:12:55.179 xl2tpd[14345]: Inherited by Jeff McAdams, (C) 2002
aug. 23 17:12:55.179 xl2tpd[14345]: Forked again by Xelerance (www.xelerance.com) (C) 2006
aug. 23 17:12:55.180 xl2tpd[14345]: Listening on IP address 0.0.0.0, port 1701
aug. 23 17:12:55.214 ipsec__plutorun: 002 added connection description "Tunnel1"
aug. 23 17:13:15.532 104 "Tunnel1" #1: STATE_MAIN_I1: initiate
aug. 23 17:13:15.532 003 "Tunnel1" #1: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
aug. 23 17:13:15.532 003 "Tunnel1" #1: received Vendor ID payload [Dead Peer Detection]
aug. 23 17:13:15.533 003 "Tunnel1" #1: received Vendor ID payload [RFC 3947] method set to=115 
aug. 23 17:13:15.533 106 "Tunnel1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
aug. 23 17:13:15.534 003 "Tunnel1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
aug. 23 17:13:15.534 108 "Tunnel1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
aug. 23 17:13:15.534 010 "Tunnel1" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
aug. 23 17:13:15.545 003 "Tunnel1" #1: received Vendor ID payload [CAN-IKEv2]
aug. 23 17:13:15.547 004 "Tunnel1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
aug. 23 17:13:15.547 117 "Tunnel1" #2: STATE_QUICK_I1: initiate
aug. 23 17:13:15.547 010 "Tunnel1" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
aug. 23 17:13:15.548 004 "Tunnel1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0ecef28b <0x3e1fbe3b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
aug. 23 17:13:16.549 xl2tpd[14345]: Connecting to host <VPN gateway>, port 1701
aug. 23 17:13:18.576 xl2tpd[14345]: Connection established to <VPN gateway>, 1701.  Local: 21163, Remote: 12074 (ref=0/0).
aug. 23 17:13:18.576 xl2tpd[14345]: Calling on tunnel 21163
aug. 23 17:13:18.577 xl2tpd[14345]: check_control: Received out of order control packet on tunnel 12074 (got 0, expected 1)
aug. 23 17:13:18.577 xl2tpd[14345]: handle_packet: bad control packet!
aug. 23 17:13:18.577 xl2tpd[14345]: check_control: Received out of order control packet on tunnel 12074 (got 0, expected 1)
aug. 23 17:13:18.577 xl2tpd[14345]: handle_packet: bad control packet!
aug. 23 17:13:18.599 xl2tpd[14345]: Call established with <VPN gateway>, Local: 39035, Remote: 57266, Serial: 1 (ref=0/0)
aug. 23 17:13:18.605 xl2tpd[14345]: start_pppd: I'm running: 
aug. 23 17:13:18.605 xl2tpd[14345]: "/usr/sbin/pppd" 
aug. 23 17:13:18.606 xl2tpd[14345]: "passive" 
aug. 23 17:13:18.606 xl2tpd[14345]: "nodetach" 
aug. 23 17:13:18.606 xl2tpd[14345]: ":" 
aug. 23 17:13:18.606 xl2tpd[14345]: "file" 
aug. 23 17:13:18.606 xl2tpd[14345]: "/etc/ppp/Tunnel1.options.xl2tpd" 
aug. 23 17:13:18.606 xl2tpd[14345]: "ipparam" 
aug. 23 17:13:18.607 xl2tpd[14345]: "<VPN gateway>" 
aug. 23 17:13:18.607 xl2tpd[14345]: "/dev/pts/4" 
aug. 23 17:13:18.607 pppd[14438]: Plugin passprompt.so loaded.
aug. 23 17:13:18.607 pppd[14438]: pppd 2.4.5 started by root, uid 0
aug. 23 17:13:18.608 pppd[14438]: Using interface ppp0
aug. 23 17:13:18.608 pppd[14438]: Connect: ppp0 <--> /dev/pts/4
aug. 23 17:13:21.650 pppd[14438]: CHAP authentication succeeded: Access granted
aug. 23 17:13:21.651 pppd[14438]: CHAP authentication succeeded
aug. 23 17:13:21.692 pppd[14438]: local  IP address 10.1.2.2
aug. 23 17:13:21.693 pppd[14438]: remote IP address 10.1.2.1
aug. 23 17:13:21.693 pppd[14438]: primary   DNS address 10.1.2.1
aug. 23 17:13:21.694 pppd[14438]: secondary DNS address 10.1.2.1

aug. 23 17:13:46.528 Stopping xl2tpd: xl2tpd.
aug. 23 17:13:46.528 xl2tpd[14345]: death_handler: Fatal signal 15 received
aug. 23 17:13:46.529 pppd[14438]: Modem hangup
aug. 23 17:13:46.529 pppd[14438]: Connect time 0.5 minutes.
aug. 23 17:13:46.529 pppd[14438]: Sent 1866 bytes, received 1241 bytes.
aug. 23 17:13:46.529 pppd[14438]: Connection terminated.
aug. 23 17:13:46.562 ipsec_setup: Stopping Openswan IPsec...
aug. 23 17:13:46.576 pppd[14438]: Exit.

Syslog gives more details when the tunnel stops:

Aug 23 17:13:22 desktopmint kernel: [ 6870.640048] device ppp0 entered promiscuous mode
Aug 23 17:13:22 desktopmint kernel: [ 6870.648955] device ppp0 left promiscuous mode
Aug 23 17:13:26 desktopmint kernel: [ 6875.148476] device ppp0 entered promiscuous mode
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Opening client connection
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command service xl2tpd stop
Aug 23 17:13:46 desktopmint xl2tpd[14345]: death_handler: Fatal signal 15 received
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Command service xl2tpd stop finished with exit code 0
Aug 23 17:13:46 desktopmint pppd[14438]: Modem hangup
Aug 23 17:13:46 desktopmint pppd[14438]: Connect time 0.5 minutes.
Aug 23 17:13:46 desktopmint pppd[14438]: Sent 1866 bytes, received 1241 bytes.
Aug 23 17:13:46 desktopmint pppd[14438]: Connection terminated.
Aug 23 17:13:46 desktopmint avahi-daemon[1193]: Withdrawing workstation service for ppp0.
Aug 23 17:13:46 desktopmint kernel: [ 6894.747292] device ppp0 left promiscuous mode
Aug 23 17:13:46 desktopmint NetworkManager[1306]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command ipsec setup stop
Aug 23 17:13:46 desktopmint ipsec_setup: Stopping Openswan IPsec...
Aug 23 17:13:46 desktopmint pppd[14438]: Exit.
Aug 23 17:13:48 desktopmint kernel: [ 6896.490565] NET: Unregistered protocol family 15
Aug 23 17:13:48 desktopmint ipsec_setup: ...Openswan IPsec stopped
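Added example (not code from the question, from Openswan or from the VPN manager): a small Python triage script that walks syslog lines like the excerpt above and reports which process initiated the teardown and how many seconds after pppd assigned addresses it happened, distinguishing a local management-daemon stop from a peer- or IKE-initiated one. The sample lines are a constructed subset of the excerpt; the peer/IKE marker strings are assumed Openswan message fragments.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the syslog lines shown in the question.
SAMPLE_SYSLOG = """\
Aug 23 17:13:21 desktopmint pppd[14438]: local  IP address 10.1.2.2
Aug 23 17:13:21 desktopmint pppd[14438]: remote IP address 10.1.2.1
Aug 23 17:13:22 desktopmint kernel: [ 6870.640048] device ppp0 entered promiscuous mode
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Opening client connection
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command service xl2tpd stop
Aug 23 17:13:46 desktopmint xl2tpd[14345]: death_handler: Fatal signal 15 received
Aug 23 17:13:46 desktopmint pppd[14438]: Modem hangup
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command ipsec setup stop
"""

# "Mon DD HH:MM:SS host process[pid]: message" (the pid is optional, e.g. for "kernel:")
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$")

# Assumed Openswan/pluto fragments meaning the IKE layer or the remote peer ended the SA.
PEER_MARKERS = ("DPD: No response from peer", "received Delete SA payload")
# A management process asking the init system to stop xl2tpd/ipsec is a local teardown.
LOCAL_STOP = re.compile(r"Executing command (service xl2tpd stop|ipsec setup stop)")
LINK_UP = re.compile(r"local\s+IP address")


def parse(lines):
    """Yield (timestamp, process, message) for each well-formed syslog line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Classic syslog carries no year; strptime fills in 1900, fine for deltas.
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def find_teardown_initiator(text):
    """Return who tore the tunnel down and how long after pppd assigned addresses."""
    link_up = None
    for ts, proc, msg in parse(text.splitlines()):
        if proc == "pppd" and LINK_UP.search(msg):
            link_up = ts
        if any(marker in msg for marker in PEER_MARKERS):
            who = "peer/ike"
        elif LOCAL_STOP.search(msg):
            who = "local-management"
        else:
            continue
        delta = int((ts - link_up).total_seconds()) if link_up else None
        return {"initiator": who, "process": proc, "seconds_after_link_up": delta}
    return {"initiator": "unknown", "process": None, "seconds_after_link_up": None}
```

On the question's excerpt the result names L2tpIPsecVpnControlDaemon as the process that issued the stop, 25 seconds after the link came up, which points the investigation at the VPN manager's own control flow rather than at IKE keepalives or the peer.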
