openswan 和 xl2tpd 隧道不工作?

openswan 和 xl2tpd 隧道不工作?

几周以来,我一直想在 debian wheezy 中使用 xl2tpd 和 openswan 设置 l2tp 隧道,外部接口是具有动态 ip 的 ppp0,内部接口是 eth0,ip 地址为 192.168.1.1。l2tp
服务器为我提供了 user_id、密码和预共享 psk_key,它的 ip 是 217.147.94.149。ipsec
日志显示连接已建立,但没有 pppx 接口,这些是配置和日志文件:
ipsec.conf:


version 2.0
config setup 
      dumpdir=/var/run/pluto/
      nat_traversal=yes
      virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
      oe=off
      protostack=netkey
      plutostderrlog=/var/log/pluto.log
      interfaces="%defaultroute"

conn  xltunnel

      authby=secret
      pfs=no
      auto=add
      rekey=no
      type=transport
      left=%defaultroute
      leftnexthop=%defaultroute
      leftprotoport=17/1701
      leftsourceip=192.168.1.1
      leftsubnet=192.168.1.0/24
      right=217.147.94.149
      rightid=217.147.94.149
      rightprotoport=17/1701

xl2tpd.conf:

[global]
access control = no
port = 1701
ipsec saref = yes
auth file = /etc/ppp/chap-secrets
debug tunnel = yes

[lac securitykiss]
lns = 217.147.94.149
hostname = client_id
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.3
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = securitykiss
redial = yes
redial timeout = 10
max redials = 6 

选项.xl2tpd:


ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
proxyarp
connect-delay 5000
plugin pppol2tp.so
lock
debug
name securitykiss
noccp
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/xl2tpd.log

ipsec.秘密:


217.147.94.149 %any : PSK "psk_key" 

章节秘密:


client_id securitykiss "password" *
securitykiss client_id "password" * 

冥王星.日志:


# ipsec auto --up xltunnel
104 "xltunnel" #1: STATE_MAIN_I1: initiate
003 "xltunnel" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
003 "xltunnel" #1: received Vendor ID payload [XAUTH]
003 "xltunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "xltunnel" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "xltunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "xltunnel" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "xltunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "xltunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "xltunnel" #2: STATE_QUICK_I1: initiate
004 "xltunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xced0d73f 

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

[FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [OK]

To start the l2tp tunnel i run the command:


echo "c securitykiss" > /var/run/xl2tpd/l2tp-control 

But "ip link" didn't show the pppx for l2tp tunnel:

#ip link

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:  mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT qlen 1000
link/ether 00:07:e9:a8:ea:93 brd ff:ff:ff:ff:ff:ff
3: ppp0:  mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 3
link/ppp 

答案1

您需要根据执行的“ipsec verify”步骤的结果启用 IP 转发,并禁用 send_redirects。

这应该可以解决问题:

echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

然后再次运行“ipsec verify”,该故障应该消失。

相关内容