L2TP & IPsec (Openswan) on CentOS times out when connecting

I'm having a lot of trouble setting up a very simple VPN. Using CentOS 6.

My server address: 61.34.26.32 (fictitious)

Whenever I try to connect (from an iPhone 5 or Mac OS X) I get a connection timeout.

I haven't tried on Windows yet, but it should at least work on the Mac to cover my needs.

I'm pulling my hair out! I've already spent more than 4 hours on this and must be missing something very obvious, but I don't know what.

Here is my error log:

    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [RFC 3947] method set to=109
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [Dead Peer Detection]
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: responding to Main Mode from unknown peer 178.197.232.17
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: STATE_MAIN_R1: sent MR1, expecting MI2
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: STATE_MAIN_R2: sent MR2, expecting MI3
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: Main mode peer ID is ID_IPV4_ADDR: '10.131.32.219'
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: deleting connection "L2TP-PSK-NAT" instance with peer 178.197.232.17 {isakmp=#0/ipsec=#0}
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: new NAT mapping for #19, was 178.197.232.17:229, now 178.197.232.17:24818
    Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: the peer proposed: 61.34.26.32/32:17/1701 -> 10.131.32.219/32:17/0
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: responding to Quick Mode proposal {msgid:fcf22de5}
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: us: 61.34.26.32<61.34.26.32>[+S=C]:17/1701
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: them: 178.197.232.17[10.131.32.219,+S=C]:17/54977===10.131.32.219/32
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
    Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x020bc811 <0x4fd90791 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=178.197.232.17:24818 DPD=none}
    Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA(0x020bc811) payload: deleting IPSEC State #20
    Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
    Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received and ignored informational message
    Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA payload: deleting ISAKMP State #19
    Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17: deleting connection "L2TP-PSK-NAT" instance with peer 178.197.232.17 {isakmp=#0/ipsec=#0}
    Jan 21 16:15:46 isis pluto[9793]: packet from 178.197.232.17:24818: received and ignored informational message

The ipsec.conf file:

    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=61.34.26.32
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

iptables:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [420453:322899972]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -p ah -j ACCEPT
    -A INPUT -p esp -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
    -A INPUT -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
    -A INPUT -j LOG --log-prefix REJECTEDINPUT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p icmp -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -i eth0 -j ACCEPT
    -A FORWARD -o eth0 -j ACCEPT
    -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
    -A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
    -A FORWARD -j LOG --log-prefix REJECTEDFORWARD
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -p esp -j ACCEPT
    -A OUTPUT -p ah -j ACCEPT
    -A OUTPUT -p udp --sport 500 -j ACCEPT
    -A OUTPUT -p udp --sport 4500 -j ACCEPT
    -A OUTPUT -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [180037:54564759]
    :POSTROUTING ACCEPT [149:12428]
    :OUTPUT ACCEPT [12263:921919]
    -I POSTROUTING 1 -p 50 -j ACCEPT
    -A POSTROUTING -o eth0 -d ! 10.1.2.0/24 -j MASQUERADE
    COMMIT

And finally xl2tpd.conf:

    [global]
    ipsec saref = yes
    listen-addr = 61.34.26.32

    [lns default]
    ip range = 10.1.2.2-10.1.2.254
    local ip = 10.1.2.1
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
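Added example, not from the question or from Openswan: a small Python checker that walks pluto log lines like the ones above and reports how far the negotiation got, because the log shows IKE phase 1 and phase 2 both completing (PSK and proposals accepted, ESP SA installed in transport mode) and the peer deleting that SA 20 seconds later, which places the failure above IPsec (L2TP on UDP 1701, or PPP) rather than in IKE. The sample lines are condensed from the log in the question; the function and field names are my own, and the reported mode is worth comparing with the `--mode tunnel` policy-match rules in the iptables dump.

```python
import re
from datetime import datetime

# Constructed sample: four lines condensed from the pluto log in the question.
SAMPLE_LOG = """\
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x020bc811 <0x4fd90791 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=178.197.232.17:24818 DPD=none}
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA(0x020bc811) payload: deleting IPSEC State #20
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA payload: deleting ISAKMP State #19
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$")


def _ts(text):
    # syslog carries no year; the default year is fine for computing deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


def classify_pluto_log(text):
    """Report how far IKE got and how long the IPsec SA lived before the peer tore it down."""
    isakmp_up = ipsec_up = ipsec_down = mode = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, msg = _ts(m["ts"]), m["msg"]
        if "ISAKMP SA established" in msg:
            isakmp_up = when  # phase 1 done: PSK and IKE proposal accepted
        elif "IPsec SA established" in msg:
            ipsec_up = when  # phase 2 done: ESP SA installed
            mode = "transport" if "transport mode" in msg else "tunnel"
        elif "deleting IPSEC State" in msg and ipsec_down is None:
            ipsec_down = when  # peer sent Delete SA for the ESP SA
    if isakmp_up is None:
        verdict = "phase1_failed"
    elif ipsec_up is None:
        verdict = "phase2_failed"
    elif ipsec_down is not None:
        verdict = "ipsec_established_then_peer_deleted"  # look at L2TP/PPP, not IKE
    else:
        verdict = "ipsec_established"
    lifetime = int((ipsec_down - ipsec_up).total_seconds()) if ipsec_up and ipsec_down else None
    return {"verdict": verdict, "mode": mode, "ipsec_sa_lifetime_s": lifetime}


if __name__ == "__main__":
    print(classify_pluto_log(SAMPLE_LOG))
```

Feed it the full pluto output from /var/log/secure (or wherever syslog puts pluto on your box) to confirm the same pattern before chasing xl2tpd or ppp logs.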