Openswan routing not working after the connection is opened

I have a problem with my openswan configuration. After connecting to the server, the following lines are created in the routing table on the client:

    Dest       Mask       Gateway              Conn           Metric
    0.0.0.0    0.0.0.0    192.168.1.1          192.168.1.102  4245
    0.0.0.0    0.0.0.0    Kapcsolaton belüli   172.22.1.10    21

Server:
- Public IP: 100.100.100.100
- DHCP pool: 172.22.1.10-172.22.1.20

Client: behind a router
- router WAN IP: 200.200.200.200
- router LAN IP: 192.168.1.1
- client IP: 192.168.1.102

"ipsec verify" says OK everywhere, except: Opportunistic Encryption Support [DISABLED] (but I don't believe that is the problem...)

Logging runs in debug mode. This is my auth.log. These lines were created while the connection was being set up.

    May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received Delete SA(0xa37e281a) payload: deleting IPSEC State #2
    May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
    May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
    May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received and ignored informational message
    May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received Delete SA payload: deleting ISAKMP State #1
    May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
    May 23 21:19:12 <server hostname> pluto[10384]: packet from 200.200.200.200:41505: received and ignored informational message
    May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
    May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: received Vendor ID payload [RFC 3947] method set to=109
    May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
    May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [FRAGMENTATION]
    May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [Vid-Initial-Contact]
    May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [IKE CGA version 1]
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: responding to Main Mode from unknown peer 200.200.200.200
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: STATE_MAIN_R1: sent MR1, expecting MI2
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: STATE_MAIN_R2: sent MR2, expecting MI3
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.102'
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: new NAT mapping for #3, was 200.200.200.200:38824, now 200.200.200.200:41505
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: the peer proposed: 100.100.100.100/32:17/1701 -> 192.168.1.102/32:17/0
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Virtual IP 192.168.1.102/32 overlaps with connection vpn-teszt"" (kind=CK_PERMANENT) '200.200.200.200'
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Kernel method 'netkey' does not support overlapping IP ranges
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: responding to Quick Mode proposal {msgid:01000000}
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: us: 100.100.100.100<100.100.100.100>[+S=C]:17/1701
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: them: 200.200.200.200[192.168.1.102,+S=C]:17/1701===192.168.1.102/32
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
    May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8b1543f8 <0x0ea8c020 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.102 NATD=200.200.200.200:41505 DPD=none}

ipsec.conf file:

    version 2.0

    config setup
        forwardcontrol=no
        nat_traversal=yes
        oe=off
        protostack=netkey
        syslog=auth.debug
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=109.61.102.18
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

    conn vpn-teszt
        authby=secret
        auto=add
        left=<server hostname>
        leftid=@<server hostname>
        leftnexthop=%defaultroute
        leftrsasigkey=0sAQOLR9JpZSVxZYqkEKOXHMiry8UvCqVYZw/HgYEWKrwippm+jXFNcm7TOxctnAopy7F0vAIm4YX2I9BsoQvfy330Mz7WrzfGgwuE66fVVwQ22mAQ+dyOP4AbVFcaSTCYJ0labJY5onL3JmLLmFTReca6n2L76SdBV3FNhJVd4Z+7NlzvKe0i+v5luemFewMyzuB2XgwATnH7Anf04LKiow0u21j3bcp4QfLi9VF1gdQbiCP1DrwrZp8K2MYmVrYv9xbW34oifEeFjFGqc1gCmoBWVAyTXBFDRnmDgUttbYSfy6UApQ7U/1czQcq/YSYrpvv8E9yURKtnQ5oV+h49
        right=200.200.200.200
        rightid=200.200.200.200
        rightnexthop=172.22.1.1
        rightsubnet=192.168.1.0/24
        type=transport

ipsec.secrets:

    : PSK "password"

I also installed xl2tpd. xl2tpd.conf:

    [lns default]                                   ; Our fallthrough LNS definition
    ; exclusive = no                                ; * Only permit one tunnel per host
    ip range = 172.22.1.10-172.22.1.20              ; * Allocate from this IP range
    ; no ip range = 192.168.0.3-192.168.0.9         ; * Except these hosts
    ; ip range = 192.168.0.5                        ; * But this one is okay
    ; ip range = lac1-lac2                          ; * And anything from lac1 to lac2's IP
    ; lac = 192.168.1.4 - 192.168.1.8               ; * These can connect as LAC's
    ; no lac = untrusted.marko.net                  ; * This guy can't connect
    ; hidden bit = no                               ; * Use hidden AVP's?
    local ip = 172.22.1.1                           ; * Our local IP to use
    length bit = yes                                ; * Use length bit in payload?
    ; require chap = yes                            ; * Require CHAP auth. by peer
    refuse pap = yes                                ; * Refuse PAP authentication
    refuse chap = yes                               ; * Refuse CHAP authentication
    ; refuse authentication = no                    ; * Refuse authentication altogether
    require authentication = yes                    ; * Require peer to authenticate
    ; unix authentication = no                      ; * Use /etc/passwd for auth.
    name = <server hostname>                        ; * Report this as our hostname
    ppp debug = yes                                 ; * Turn on PPP debugging
    pppoptfile = /etc/ppp/options.l2tpd.lns         ; * ppp options file

options.l2tpd.lns:

    crtscts
    idle 1800
    mtu 1500
    mru 1500
    nodefaultroute
    debug
    lock
    proxyarp
    connect-delay 5000
    ms-dns 8.8.4.4
    ms-dns 8.8.8.8
    name l2tpd
    lcp-echo-interval 30
    lcp-echo-failure 4
    logfile /var/log/ppp.log

After connecting, the client gets an IP from the server (172.22.1.10), but the server cannot be pinged, because the client's routing table is overwritten.

Can you help me, what is the problem?

PS: Sorry for my English! 🙂

Regards, jjani
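One way to read pluto output like the auth.log in this post, as an added example that is not part of the original post: a small Python parser that splits each line into connection, instance, peer and IKE state number, flags the messages worth looking at (netlink errors, unsupported proposals, overlapping IP ranges) and counts the established SAs. The sample lines are constructed in the shape of the post's log; the hostname `srv` stands in for the poster's `<server hostname>`.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's auth.log (hostname "srv" is a placeholder).
SAMPLE_LOG = """\
May 23 21:19:12 srv pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 23 21:19:26 srv pluto[10384]: packet from 200.200.200.200:38824: received Vendor ID payload [RFC 3947] method set to=109
May 23 21:19:26 srv pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 23 21:19:26 srv pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 23 21:19:27 srv pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
May 23 21:19:27 srv pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Virtual IP 192.168.1.102/32 overlaps with connection vpn-teszt"" (kind=CK_PERMANENT) '200.200.200.200'
May 23 21:19:27 srv pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Kernel method 'netkey' does not support overlapping IP ranges
May 23 21:19:27 srv pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8b1543f8 <0x0ea8c020 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.102 NATD=200.200.200.200:41505 DPD=none}
"""

# syslog prefix, then either a "conn"[instance] peer #state: prefix or a "packet from" prefix.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)(?: #(?P<state>\d+))?: '
    r'|packet from (?P<src>\S+): )?(?P<msg>.*)$')

# Message fragments that deserve a look when an Openswan tunnel misbehaves.
PROBLEM_PATTERNS = ("ERROR:", "not supported", "overlaps with", "does not support")


def parse_pluto(text):
    """Split pluto log lines into fields; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(events):
    """Pick out problems, count established SAs and note whether NAT-T saw a NATed peer."""
    msgs = [e["msg"] for e in events]
    return {
        "problems": [e for e in events if any(p in e["msg"] for p in PROBLEM_PATTERNS)],
        "isakmp_sa": sum("ISAKMP SA established" in m for m in msgs),
        "ipsec_sa": sum("IPsec SA established" in m for m in msgs),
        "peer_nated": any("peer is NATed" in m for m in msgs),
        # how many messages each IKE state number produced ("packet from" lines carry none)
        "per_state": Counter(e["state"] for e in events if e["state"]),
    }


if __name__ == "__main__":
    report = summarize(parse_pluto(SAMPLE_LOG))
    for e in report["problems"]:
        print(f'{e["ts"]} state #{e["state"]}: {e["msg"]}')
    print(f'ISAKMP SAs: {report["isakmp_sa"]}, IPsec SAs: {report["ipsec_sa"]}, '
          f'peer NATed: {report["peer_nated"]}')
```

Run it against a real /var/log/auth.log by replacing SAMPLE_LOG with the file contents; the problem list is the short list to read first when a tunnel comes up but traffic does not flow.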