IPSec VPN 隧道问题

IPSec VPN 隧道问题

我的 IPSec 连接有问题。下面是我的网络拓扑图: 图表

VPN 连接不正常时必须重新启动 IPsec ==> 重启后正常,之后又不正常

root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# /etc/init.d/ipsec restart 
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
Escape character is '^]'.
^[$^]
telnet> q
Connection closed.

5 分钟后无法 telnet 到 10.225.198.3 3900(VPN 隧道仍然处于 UP 状态)

root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out

状态VPN

IPsec running  - pluto pid: 11088
pluto pid 11088
1 tunnels up
some eroutes exist

有时状态显示为 2、3、4、5 或 0 条隧道 UP

IPsec running  - pluto pid: 11088
pluto pid 11088
3 tunnels up
some eroutes exist

=> 我的 VPN 连接发生了什么情况,为什么?我能做些什么?

这是我的配置

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Configuration as posted by the reporter (Openswan U2.6.38 on a 3.19 kernel,
# per the restart output above). Public endpoint addresses are masked by the
# poster (125.X.X.X.X / 169.255.X.X); they are placeholders, not real values.

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combation from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    # NOTE(review): NAT-T is enabled, so ESP may be encapsulated in UDP/4500
    # if either side is behind NAT - the diagram is not in the text, so
    # whether NAT is actually in the path here cannot be confirmed.
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    # This is the stock sample list of networks a roadwarrior may claim
    # as its virtual IP; it is unchanged from the shipped sample file.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast


    #protostack=auto
    # netkey = the native Linux kernel XFRM stack (not the KLIPS module).
    protostack=netkey

    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null


# Site-to-site tunnel: local 10.58.82.0/24 <-> remote 10.225.196.0/22.
# The remote /22 spans 10.225.196.0-10.225.199.255, so the telnet target
# 10.225.198.3 used in the transcript above does fall inside this tunnel.
conn vpntanza
        # Pre-shared-key authentication; the PSK itself is not in this file
        # but in the ipsec.secrets file, which must match on both peers.
        authby=secret
        # Tunnel is negotiated automatically when pluto starts (and after
        # the /etc/init.d/ipsec restart shown in the transcript).
        auto=start
        # Phase 1 (IKE/ISAKMP) proposal: AES-128 + SHA-1 PRF/integrity,
        # DH group 2 (modp1024). NOTE(review): modp1024 and SHA-1 are
        # legacy strength; prefer a larger DH group (e.g. modp2048) and
        # SHA-2 if the remote peer supports them - changing this requires
        # the same change on the far side.
        ike=aes128-sha1;modp1024
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        phase2=esp
        # Phase 2 (ESP) ciphers offered: 3DES and AES.
        # NOTE(review): 3DES has a 64-bit block size and is deprecated;
        # offering AES only (when the peer supports it) is the safer set.
        phase2alg=3des,aes
        compress=no
        # Perfect forward secrecy on Phase 2 rekeys - good; both peers must agree.
        pfs=yes
        type=tunnel

        # NOTE(review): no dpddelay/dpdtimeout/dpdaction and no explicit
        # ikelifetime/keylife are set, so defaults apply. The symptom above
        # (tunnel counted as "up" while traffic stops ~5 min after a restart,
        # and the "N tunnels up" count drifting between 0 and 5) is consistent
        # with stale or duplicate SAs surviving a rekey or a peer-side reset
        # that nothing here detects - this is an inference from the posted
        # status output, to be confirmed against pluto's log around the time
        # traffic stops, and against the lifetimes configured on the peer.

        #FROM TTV
        # Local public endpoint (masked by the poster).
        left=125.X.X.X.X
        # Source address used for traffic originated by this host itself, so
        # host-local connections (e.g. the telnet test) enter the tunnel
        # with an address inside leftsubnet.
        leftsourceip=10.58.82.179
#        leftsourceip=125.X.X.X
        leftsubnet=10.58.82.0/24

        ## for direct routing ##
        leftnexthop=%defaultroute
        # NOTE(review): %defaultroute on the *remote* side's nexthop is
        # unusual - it is resolved from this host's own routing table;
        # confirm it is intended rather than a copy of the left setting.
        rightnexthop=%defaultroute

        #TO 
        # Remote public endpoint (masked by the poster).
        right=169.255.X.X
        rightsubnet=10.225.196.0/22


# Left commented out, so any extra conn definitions placed in
# /etc/ipsec.d/*.conf are NOT loaded by this configuration.
#include /etc/ipsec.d/*.conf
