version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration config setup # Do not set debug options to debug configuration issues! # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" # eg: # plutodebug="control parsing" # Again: only enable plutodebug or klipsdebug when asked by a developer # # enable to get logs per-peer # plutoopts="--perpeerlog" # # Enable core dumps (might require system changes, like ulimit -C) # This is required for abrtd to work properly # Note: incorrect SElinux policies might prevent pluto writing the core #dumpdir=/var/run/pluto/ # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 # It seems that T-Mobile in the US and Rogers/Fido in Canada are # using 25/8 as "private" address space on their 3G network. # This range has not been announced via BGP (at least upto 2010-12-21) virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 # OE is now off by default. Uncomment and change to on, to enable. oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=netkey
Openswan U2.6.39/K3.12.6-x86_64-linode36 (netkey) See `ipsec --copyright' for copyright information. Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Hardware random device check [N/A] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [ENABLED] /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/gre0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/gretap0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/ip6gre0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/sit0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/teql0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/tunl0/rp_filter [ENABLED] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED] Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED] Checking NAT and MASQUERADEing [TEST INCOMPLETE] Checking 'ip' command [OK] Checking 'iptables' command [OK]
Checking NAT and MASQUERADEing 那里出了问题,google了半天也没发现解决方案。 看了一下/var/log/auth.log可以确定设备连接vpn不成功是因为NAT转发的问题。