由于周我想设置x2tpd l2tp隧道和debian喘息openswan,外部接口是ppp0dynamicip和内部接口是eth0与ip地址192.168.1.1。
l2tp服务器给我的user_id,密码和预共享psk_key和它的ip 217.147.94.149。
ipsec日志显示连接已build立但没有pppx接口,这些是configuration和日志文件:
ipsec.conf文件:
version 2.0 config setup dumpdir=/var/run/pluto/ nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12 oe=off protostack=netkey plutostderrlog=/var/log/pluto.log interfaces="%defaultroute" conn xltunnel authby=secret pfs=no auto=add rekey=no type=transport left=%defaultroute leftnexthop=%defaultroute leftprotoport=17/1701 leftsourceip=192.168.1.1 leftsubnet=192.168.1.0/24 right=217.147.94.149 rightid=217.147.94.149 rightprotoport=17/1701 xl2tpd.conf:
[global] access control = no port = 1701 ipsec saref = yes auth file = /etc/ppp/chap-secrets debug tunnel = yes [lac securitykiss] lns = 217.147.94.149 hostname = client_id ip range = 10.1.2.2-10.1.2.255 local ip = 10.1.2.3 assign ip = yes require chap = yes refuse pap = yes require authentication = yes ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes name = securitykiss redial = yes redial timeout = 10 max redials = 6
options.xl2tpd:
ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 8.8.4.4 auth crtscts idle 1800 mtu 1200 mru 1200 nodefaultroute proxyarp connect-delay 5000 plugin pppol2tp.so lock debug name securitykiss noccp proxyarp lcp-echo-interval 30 lcp-echo-failure 4 logfile /var/log/xl2tpd.log
ipsec.secrets:
217.147.94.149 %any : PSK "psk_key"
CHAP-秘密:
client_id securitykiss "password" * securitykiss client_id "password" *
pluto.log:
# ipsec auto --up xltunnel 104 "xltunnel" #1: STATE_MAIN_I1: initiate 003 "xltunnel" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb] 003 "xltunnel" #1: received Vendor ID payload [XAUTH] 003 "xltunnel" #1: received Vendor ID payload [Dead Peer Detection] 003 "xltunnel" #1: received Vendor ID payload [RFC 3947] method set to=109 106 "xltunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2 003 "xltunnel" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected 108 "xltunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3 004 "xltunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048} 117 "xltunnel" #2: STATE_QUICK_I1: initiate 004 "xltunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xced0d73f
# ipsec verify Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! [FAILED] Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects! [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing [OK] Checking for 'ip' command [OK] Checking /bin/sh is not /bin/dash [WARNING] Checking for 'iptables' command [OK] Opportunistic Encryption Support [OK]
要启动l2tp隧道我运行命令:
echo "c securitykiss" > /var/run/xl2tpd/l2tp-control
但是“ip link”没有显示l2tp隧道的pppx:
#ip链接 1:lo:mtu 16436 qdisc noqueue state UNKNOWN模式DEFAULT 链接/回放00:00:00:00:00:00 brd 00:00:00:00:00:00 2:eth0:mtu 1500 qdisc pfifo_fast状态DOWN模式DEFAULT qlen 1000 link / ether 00:07:e9:a8:ea:93 brd ff:ff:ff:ff:ff:ff 3:ppp0:mtu 1500 qdisc pfifo_fast状态UNKNOWN模式DEFAULT qlen 3 链接/ PPP
您需要启用IP转发,并按照您所做的“ipsecvalidation”步骤的结果禁用send_redirects。
这应该做的伎俩:
echo 1 > /proc/sys/net/ipv4/ip_forward for each in /proc/sys/net/ipv4/conf/* do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects done
然后再次运行“ipsecvalidation”,那个失败应该消失。