几周以来,我一直想在 debian wheezy 中使用 xl2tpd 和 openswan 设置 l2tp 隧道,外部接口是具有动态 ip 的 ppp0,内部接口是 eth0,ip 地址为 192.168.1.1。l2tp
服务器为我提供了 user_id、密码和预共享 psk_key,它的 ip 是 217.147.94.149。ipsec
日志显示连接已建立,但没有 pppx 接口,这些是配置和日志文件:
ipsec.conf:
version 2.0
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
oe=off
protostack=netkey
plutostderrlog=/var/log/pluto.log
interfaces="%defaultroute"
conn xltunnel
authby=secret
pfs=no
auto=add
rekey=no
type=transport
left=%defaultroute
leftnexthop=%defaultroute
leftprotoport=17/1701
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=217.147.94.149
rightid=217.147.94.149
rightprotoport=17/1701
xl2tpd.conf:
[global]
access control = no
port = 1701
ipsec saref = yes
auth file = /etc/ppp/chap-secrets
debug tunnel = yes
[lac securitykiss]
lns = 217.147.94.149
hostname = client_id
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.3
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = securitykiss
redial = yes
redial timeout = 10
max redials = 6
选项.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
proxyarp
connect-delay 5000
plugin pppol2tp.so
lock
debug
name securitykiss
noccp
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/xl2tpd.log
ipsec.秘密:
217.147.94.149 %any : PSK "psk_key"
章节秘密:
client_id securitykiss "password" *
securitykiss client_id "password" *
冥王星.日志:
# ipsec auto --up xltunnel
104 "xltunnel" #1: STATE_MAIN_I1: initiate
003 "xltunnel" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
003 "xltunnel" #1: received Vendor ID payload [XAUTH]
003 "xltunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "xltunnel" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "xltunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "xltunnel" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "xltunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "xltunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "xltunnel" #2: STATE_QUICK_I1: initiate
004 "xltunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xced0d73f
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
[FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [OK]
To start the l2tp tunnel i run the command:
echo "c securitykiss" > /var/run/xl2tpd/l2tp-control
But "ip link" didn't show the pppx for l2tp tunnel:
#ip link
1: lo: mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT qlen 1000
link/ether 00:07:e9:a8:ea:93 brd ff:ff:ff:ff:ff:ff
3: ppp0: mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 3
link/ppp
答案1
您需要根据执行的“ipsec verify”步骤的结果启用 IP 转发,并禁用 send_redirects。
这应该可以解决问题:
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
然后再次运行“ipsec verify”,该故障应该消失。