Question about deploying L2TP/IPsec

2014-01-31 10:19:26 +08:00
marklrh
Here is how I set up /etc/ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
#dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least up to 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey

conn %default
forceencaps=yes

conn L2TP-PSK-NAT
rightsubnet=vhost:%no,%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=106.0.0.0
leftprotoport=17/1701
right=%any
rightprotoport=17/%any


The IP above is not the real one; I swapped in a different address.
The problem is that when I run $ ipsec verify:

Openswan U2.6.39/K3.12.6-x86_64-linode36 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/gre0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/gretap0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6gre0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip6tnl0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/sit0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/teql0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/tunl0/rp_filter [ENABLED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]


Something goes wrong at "Checking NAT and MASQUERADEing", and after a long time googling I have not found a solution.
From /var/log/auth.log I can confirm that devices fail to connect to the VPN because of the NAT forwarding problem.

Looking for a solution, thanks!
15545 views
Node: Q&A
4 replies
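As an added example (my own code, not the poster's, and not part of Openswan), here is a small checker that parses `ipsec verify` output like the one quoted above and separates the lines that need action from the ones that are just informational. It treats [OK], [N/A] and [NOT IMPLEMENTED] as benign, reports everything else (the rp_filter lines marked [ENABLED] and the NAT check marked [TEST INCOMPLETE]), and emits the sysctl lines that turn reverse-path filtering off on each flagged interface, which is the standard Openswan recommendation for the netkey stack. The embedded sample is a constructed, shortened copy of the verify output from the post; the function and file names are my own choices.

```python
import re

# Constructed sample input: the `ipsec verify` output quoted in the post above
# (Openswan U2.6.39, netkey stack), with most of the per-interface rp_filter
# lines dropped for brevity. Paste real output in its place to run it for real.
SAMPLE_VERIFY_OUTPUT = """\
Openswan U2.6.39/K3.12.6-x86_64-linode36 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
"""

# Statuses that need no action. "NOT IMPLEMENTED" and "N/A" describe the
# build or the hardware, not a misconfiguration.
BENIGN = {"OK", "N/A", "NOT IMPLEMENTED", "DISABLED"}

# Every result line has the shape "<check text> [<STATUS>]".
LINE_RE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[^\]]+)\]\s*$")
RP_FILTER_RE = re.compile(r"^/proc/sys/net/ipv4/conf/(?P<iface>[^/]+)/rp_filter$")


def parse_verify(text):
    """Return (check, status) pairs, in order, for every result line."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            results.append((m.group("check"), m.group("status")))
    return results


def failing_checks(text):
    """Result lines whose status is not benign (FAILED, ENABLED, TEST INCOMPLETE, ...)."""
    return [(c, s) for c, s in parse_verify(text) if s not in BENIGN]


def rp_filter_fix(text):
    """sysctl lines that disable reverse-path filtering on every interface the
    verify output flagged. Openswan wants rp_filter off on the netkey stack:
    strict reverse-path filtering drops packets XFRM has just decapsulated,
    whose inner source address is not routed via the interface they came in on."""
    fixes = []
    for check, status in parse_verify(text):
        m = RP_FILTER_RE.match(check)
        if m and status == "ENABLED":
            fixes.append(f"net.ipv4.conf.{m.group('iface')}.rp_filter = 0")
    return fixes


def report(text):
    """Human-readable summary: what needs attention, plus the sysctl lines to apply."""
    lines = [f"{check}: {status}" for check, status in failing_checks(text)]
    fixes = rp_filter_fix(text)
    if fixes:
        lines.append("")
        lines.append("# save as /etc/sysctl.d/ipsec.conf (assumed path), then: sysctl -p /etc/sysctl.d/ipsec.conf")
        lines.extend(fixes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_VERIFY_OUTPUT))
```

Running the file prints the six flagged lines and the four sysctl settings for the sample. The [TEST INCOMPLETE] on the NAT check only tells you that the verify script could not finish its look at the nat table, so the next step is to inspect `iptables -t nat -L -n` by hand rather than to assume a particular rule is missing.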
alexrezit
2014-01-31 10:57:10 +08:00
Are you sure your iptables is configured properly?
alexrezit
2014-01-31 11:00:26 +08:00
Oh nvm.

Why does your config look so different from mine...
maoyipeng
2014-01-31 11:24:42 +08:00
I'd suggest switching to strongSwan and giving that a try.
geeklian
2014-01-31 13:44:16 +08:00
For a personal tunnel, use http://www.softether-download.com/files/softether/
With its GUI you can set up L2TP, OpenVPN and so on...

If this is a production environment, that's another matter...

https://www.v2ex.com/t/98738