我的连接 IPSec 有问题。这是我的图表。
连接 VPN 不正常必须重新启动 IPsec ==> 正常,然后不正常
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
Escape character is '^]'.
^[$^]
telnet> q
Connection closed.
5m 后无法 telnet 到 10.225.198.3 3900(隧道 VPN 仍然有效)
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
状态VPN
IPsec running - pluto pid: 11088
pluto pid 11088
1 tunnels up
some eroutes exist
有时状态为 2 或 3 或 4 或 5 或 0 隧道 UP
IPsec running - pluto pid: 11088
pluto pid 11088
3 tunnels up
some eroutes exist
=> 我的 VPN 连接发生了什么情况,为什么?我能做些什么?
这是我的配置
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
#protostack=auto
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null
conn vpntanza
authby=secret
auto=start
ike=aes128-sha1;modp1024
## phase 1 ##
keyexchange=ike
## phase 2 ##
phase2=esp
phase2alg=3des,aes
compress=no
pfs=yes
type=tunnel
#FROM TTV
left=125.X.X.X.X
leftsourceip=10.58.82.179
# leftsourceip=125.X.X.X
leftsubnet=10.58.82.0/24
## for direct routing ##
leftnexthop=%defaultroute
rightnexthop=%defaultroute
#TO
right=169.255.X.X
rightsubnet=10.225.196.0/22
#include /etc/ipsec.d/*.conf