近年来最累的一次折腾。有必要好好记录一下。跟了网上N个教程,有好几个都走不通。最后自己彻底整理了一次。把自己的经验和配置分享出来。
首先隆重感谢一下至今素未谋面的老熊,真是好人啊。06年的时候就在plesk服务器换ip的事上,帮了我好大的忙。没想到这次在我卡在第6步,最绝望的时候,这只熊的婀娜身影再一次出现在了我的生活中。还在漆黑的深夜中陪伴在我的身边。以下隆重公布一下他的QQ,造福广大网友!QQ: 499******* (后几位号码,为符合当地莫名其妙的“相关法规”,被系统自动屏蔽。。。)
其次要感谢老熊的同事,百忙中写好的防火墙规则,让我10分钟之内,就被兴奋得昏了头的我,给无情覆盖了。以至于下次人家重写之后,很自觉的在/root下给留了个备份。[emot]zan[/emot]
1. 先安装openswan
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof wget http://download.openswan.org/openswan/openswan-2.6.38.tar.gz tar zxvf openswan-2.6.38.tar.gz cd openswan-2.6.38 make programs install
gkp说“安装 openswan,记得别用2.6.26,宁可用2.6.24。他和xl2tpd存在严重兼容性bug”
2. 安装xl2tpd
在centos 6官方的yum源中,没有这个软件包。需要安装fedora的epel源。
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-7.noarch.rpm #CentOS 5用这个地址: rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm yum install xl2tpd -y
如果上面这个安装地址如果不对了。参照这个fedora epel的faq页(https://fedoraproject.org/wiki/EPEL/FAQ/zh-cn#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F)
安装其他一些linux软件源,参照这页:http://dingxuan.info/blog/post/repo-sources.php
编辑 /etc/ipsec.conf 注意$esojourn.org替换成你机器的ip。这个IP应该是你的公网IP,不是本机内网IP。
# /etc/ipsec.conf - Openswan IPsec configuration file # This file: /usr/local/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Do not set debug options to debug configuration issues! # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" # eg: # plutodebug="control parsing" # Again: only enable plutodebug or klipsdebug when asked by a developer # # enable to get logs per-peer # plutoopts="--perpeerlog" # # Enable core dumps (might require system changes, like ulimit -C) # This is required for abrtd to work properly # Note: incorrect SElinux policies might prevent pluto writing the core dumpdir=/var/run/pluto/ # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 # It seems that T-Mobile in the US and Rogers/Fido in Canada are # using 25/8 as "private" address space on their 3G network. # This range has not been announced via BGP (at least upto 2010-12-21) virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 # OE is now off by default. Uncomment and change to on, to enable. oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=netkey #这里注释说可以用auto,但实际上不行。还得老老实实写netkey # Use this to log to a file, or disable logging on embedded systems (like openwrt) #plutostderrlog=/dev/null # Add connections here # sample VPN connection # for more examples, see /etc/ipsec.d/examples/ #conn sample # # Left security gateway, subnet behind it, nexthop toward right. # left=10.0.0.1 # leftsubnet=172.16.0.0/24 # leftnexthop=10.22.33.44 # # Right security gateway, subnet behind it, nexthop toward left. # right=10.12.12.1 # rightsubnet=192.168.0.0/24 # rightnexthop=10.101.102.103 # # To authorize this connection, but not actually start it, # # at startup, uncomment this. # #auto=add conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=$esojourn.org #这里写公网IP,没固定IP的就到花生壳弄个动态域名解析。 leftid=$esojourn.org leftprotoport=17/1701 right=%any
修改ipsec密钥
vi /etc/ipsec.secrets www.esojourn.org %any: PSK "myps" #www.esojourn.org改成公网ip,没固定IP的,就到花生壳弄个动态域名解析。http://www.oray.com/peanuthull/ #myps改成密码
3. 修改/etc/sysctl.conf,开启路由功能
vi /etc/sysctl.conf
星云说:
将下面两项找到:
net.ipv4.ip_forward = 0 net.ipv4.conf.default.rp_filter = 1
改为:
net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0
之后先让修改后的配置生效,再测试一下,
sysctl -p service ipsec start ipsec verify
如果行了就这样了,但实际上,我反复测试之后,干脆在sysctl.conf最下面,加了这一段。加好后别忘了再sysctl -p一下。
#added for xl2tpd net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1
如果ipsec verify返回这样,就可以了。
Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.24/K2.6.32.16-linode28 (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [OK] NETKEY detected, testing for disabled ICMP accept_redirects [OK] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED]
我的经验中,这里可能会出这么几个故障:
第一:
SAref kernel support [N/A]
这样的话, /etc/xl2tpd/xl2tpd.conf这个文件里
[global] ipsec saref = no
第二:
Two or more interfaces found, checking IP forwarding [FAILED] Checking NAT and MASQUERADEing [OK]
ip转发检查失败。
Paul和Steve说:只要 cat /proc/sys/net/ipv4/ip_forward 返回结果是1就没事。这个我已经证实了。
第三:返回结果里,就没有Two or more interfaces found, checking IP forwarding和Checking NAT and MASQUERADEing这两项。碰上这个我也没办法了。重装了系统,又瞎折腾一通之后就好了。
[ 2012-7-6 ]
第四:更新加入一个新的情况
Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [OK] [OK] [FAILED] Please enable /proc/sys/net/core/xfrm_larval_drop or NETKEY will cause non-POSIX compliant long time-outs Checking that pluto is running [OK]
出这毛病,照着说明,
echo 1 > /proc/sys/net/core/xfrm_larval_drop vi /etc/bashrc
然后把“echo 1 > /proc/sys/net/core/xfrm_larval_drop”这句加进去。以后每次开机自动执行一下。
4. 编辑 /etc/xl2tpd/xl2tpd.conf
vi /etc/xl2tpd/xl2tpd.conf
; This is a minimal sample xl2tpd configuration file for use ; with L2TP over IPsec. ; ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec ; clients connect. In this example, the internal (protected) network ; is 192.168.1.0/24. A special IP range within this network is reserved ; for the remote clients: 192.168.1.128/25 ; (i.e. 192.168.1.128 ... 192.168.1.254) ; ; The listen-addr parameter can be used if you want to bind the L2TP daemon ; to a specific IP address instead of to all interfaces. For instance, ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98 ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99) ; will be used by xl2tpd as its address on pppX interfaces. [global] listen-addr = esojourn.org ;这里写内网IP。或者加;注释掉也问题不大。 ; ; requires openswan-2.5.18 or higher - Also does not yet work in combination ; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ipsec saref = no ;这里一般都让写yes,但如果刚才你的ipsec verify中,有报SAref kernel support[N/A]的话,这里就写no。 ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or ; when using any of the SAref kernel patches for kernels up to 2.6.35. ; ipsec refinfo = 30 ; ; forceuserspace = yes ; ; debug tunnel = yes [lns default] ip range = 192.168.7.128-192.168.7.254 ;这里写vpn client的ip段 local ip = 192.168.7.1 require chap = yes refuse pap = yes require authentication = yes name = LinuxVPNserver ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
5. 修改 /etc/ppp/options.xl2tpd
vi /etc/ppp/options.xl2tpd
require-mschap-v2 ipcp-accept-local ipcp-accept-remote ms-dns 8.8.4.4 ms-dns 8.8.8.8 noccp auth crtscts idle 1800 mtu 1410 mru 1410 nodefaultroute debug lock proxyarp connect-delay 5000
vi /etc/ppp/chap-secrets
#文件格式 # user server password ip username * userpass * #改成你的用户名 密码
6. 最关键的iptables配置
做完上面这堆步骤之后,客户端建个连接就可以验证进入vpn主机了。但是无法访问内外网。我就是在这里卡了一个多星期。网上的资料,有的没说这一步。有的说了也没说全。我发个权威的吧。
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE iptables -I FORWARD -s 192.168.7.0/24 -j ACCEPT iptables -I FORWARD -d 192.168.7.0/24 -j ACCEPT iptables-save service iptables restart
192.168.7.0/24根据实际情况替换。
vi /etc/sysconfig/iptables 看到的应该是类似这样。
最上面先是nat规则,下面是filter规则。
下面filter表里,先把VPN要用到的udp端口1701,500,4500都打开。要用openvp的话,还要开1194。
另外filter表里,一定要有FORWARD规则。这点在网上好几个教程里都没说!坑死人。
#下面规则做参考啊,新手别完全照抄。 *nat :PREROUTING ACCEPT [39:3503] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE COMMIT # Completed on Thu Jun 28 15:50:40 2012 # Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [121:13264] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -d 192.168.7.0/24 -j ACCEPT -A FORWARD -s 192.168.7.0/24 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Thu Jun 28 15:50:40 2012
最后
service xl2tpd restart service iptables restart chkconfig xl2tpd on chkconfig iptables on chkconfig ipsec on
请教博主一个问题,在配置l2tp vpn时,执行ipsec verify 这一步时提示-bash::psec :comand not found,这个该如何解决呢?
有联系方式么,想和你交流一下!
请问链接的时候 错误718 怎么处理啊?
请问 如果vps 有两个ip连接vpn后显示的ip 为拨入时的ip应该怎么配置?按照以上的配置 貌似不能链接
请教:启动ipsec的时候会提示出错,但没有具体的出错信息,只是一行空行。
# service ipsec start
failed to start openswan IKE daemon – the following error occured:
问一下,你这个案子是又网卡的l2tp vpn吗?单网卡的可以实现吗?
请问 双ip 可以实现 两个ip都能用l2tp拨通吗?
博主,请教一个问题。执行过 xl2tpd -D 后出现如下代码正常么?正常的话为何 netstat -an 中没有监听 1701 呢
/]# xl2tpd -D
xl2tpd[12565]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[12565]: setsockopt recvref[22]: Protocol not available
xl2tpd[12565]: This binary does not support kernel L2TP.
xl2tpd[12565]: xl2tpd version xl2tpd-1.2.4 started on 207-226-138-166.static.pccwglobal.net PID:12565
xl2tpd[12565]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[12565]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[12565]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[12565]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[12565]: Listening on IP address 0.0.0.0, port 1701
博主,你好,我按照你的教程配置之后 客户端是xp,vpn能连接但是查看/var/log/secure发现ipsec没有起到作用,这是什么情况?
这个是我的规则怎么就不好用呢?而且这个防火墙一关就可以联网。*filter:FORWARD ACCEPT [0:0]:INPUT ACCEPT [0:0]:RH-Firewall-1-INPUT – [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -j RH-Firewall-1-INPUT-A FORWARD -j RH-Firewall-1-INPUT-A RH-Firewall-1-INPUT -i lo -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT-A RH-Firewall-1-INPUT -p icmp –icmp-type any -j ACCEPT-A RH-Firewall-1-INPUT -p 50 -j ACCEPT-A RH-Firewall-1-INPUT -p 51 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 –dport 5353 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m udp –dport 631 -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m tcp –dport 631 -j ACCEPT-A RH-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp –dport 10000 –state NEW -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp –dport 22 –state NEW -j ACCEPT-A INPUT -p udp -m state -m udp –dport 1701 –state NEW -j ACCEPT-A INPUT -p udp -m state -m udp –dport 500 –state NEW -j ACCEPT-A INPUT -p udp -m state -m udp –dport 4500 –state NEW -j ACCEPT-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited-A FORWARD -s 10.0.99.0/24 -j ACCEPT-A FORWARD -d 10.0.99.0/24 -j ACCEPTCOMMIT*mangle:FORWARD ACCEPT [0:0]:INPUT ACCEPT [0:0]:OUTPUT ACCEPT [0:0]:PREROUTING ACCEPT [0:0]:POSTROUTING ACCEPT [0:0]COMMIT*nat:OUTPUT ACCEPT [0:0]:PREROUTING ACCEPT [0:0]:POSTROUTING ACCEPT [0:0]-A POSTROUTING -s 10.0.99.0/24 -o eth0 -j MASQUERADECOMMIT# Completed
请教一下博主,这个试验的网络环境是什么样的呢,VPN服务器是放在内网下的吗,我按照这个做的,在内网可以连接成功,可是放到外网环境就连不上来,路由器上做了映射。
映射我也做了,做了映射后目的IP地址不是要变化的么,这样不是和NAT一样了,会不会有影响,现在的情况是WIN7连报809错误,是不是客户端不支持NAT穿越的原因呢,日志上也看不出什么,还有就是iptables,我看楼主的文章说是不开iptables也可以连上,我现在就连不上。希望楼主有时间能帮一下我,我的QQ:284693977,非常感谢您。
非常感谢能抽出时间,希望能与您交流一下
# service ipsec start
failed to start openswan IKE daemon – the following error occured:
可以拨号 但检测ip发现,ip没变..
[root@localhost openswan-2.6.38]# sysctl -pnet.ipv4.ip_forward = 1net.ipv4.conf.default.rp_filter = 0net.ipv4.conf.default.accept_source_route = 0kernel.sysrq = 0kernel.core_uses_pid = 1error: "net.bridge.bridge-nf-call-ip6tables" is an unknown keyerror: "net.bridge.bridge-nf-call-iptables" is an unknown keyerror: "net.bridge.bridge-nf-call-arptables" is an unknown keykernel.msgmnb = 65536kernel.msgmax = 65536kernel.shmmax = 4294967295kernel.shmall = 268435456[root@localhost openswan-2.6.38]# service ipsec startfailed to start openswan IKE daemon – the following error occured:can not load config '/etc/ipsec.conf': /etc/ipsec.conf:71: syntax error, unexpected STRING, expecting EOL [#▒▒▒▒д▒▒▒▒IP▒▒û▒̶▒IP▒ľ͵▒▒▒▒▒▒Ū▒▒̬▒▒▒▒▒▒▒][root@localhost openswan-2.6.38]#[root@localhost openswan-2.6.38]#[root@localhost openswan-2.6.38]# ipsec verifyChecking your system to see if IPsec got installed and started correctly:Version check and ipsec on-path [OK]Linux Openswan U2.6.32/K(no kernel code presently loaded)Checking for IPsec support in kernel [FAILED] SAref kernel support [N/A]Checking that pluto is running [FAILED] whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")Checking for 'ip' command [OK]Checking /bin/sh is not /bin/dash [OK]Checking for 'iptables' command [OK]Opportunistic Encryption Support [DISABLED] can not load config '/etc/ipsec.conf': /etc/ipsec.conf:71: syntax error, unexpected STRING, expecting EOL [#▒▒▒▒д▒▒▒▒IP▒▒û▒̶▒IP▒ľ͵▒▒▒▒▒▒Ū▒▒̬▒▒▒▒▒▒▒]
配置成功后,iPhone可以成功连上vpn,但无法上网,服务器上也没有开防火墙。请问你碰到过这种情况么?谢谢
需要开防火墙的。里面要加转发规则,见上面第6点。
一步一步做到ipsec verify的时候得到的结果是
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
SAref kernel support [N/A]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for ‘ip’ command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]
查了好多资料,都没找到解决办法,怎么办好?
[root@www openswan-2.6.38]# make install
OBJDIR: OBJ.linux.x86_64
(cd /root/openswan-2.6.38/OBJ.linux.x86_64 && OBJDIRTOP=/root/openswan-2.6.38/OBJ.linux.x86_64 OBJDIR=/root/openswan-2.6.38/OBJ.linux.x86_64 make install )
make[1]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64′
make[2]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libopenswan’
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libopenswan’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libpluto’
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libpluto’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto’
make[4]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libaes’
make[4]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libaes’
make[4]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libdes’
make[4]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libdes’
make[4]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libmd5′
make[4]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libmd5′
make[4]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libsha1′
make[4]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libsha1′
make[4]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libsha2′
make[4]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libsha2′
make[4]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libmd2′
make[4]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/libmd2′
make[4]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/liboswcrypto’
make[4]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto/liboswcrypto’
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libcrypto’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libwhack’
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libwhack’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libipsecconf’
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib/libipsecconf’
make[2]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/lib’
make[2]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/proc’
# remove any old vendor file installed previously
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/proc’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/pluto’
mkdir -p /usr/local/libexec/ipsec /usr/local/lib/ipsec
mkdir -p -m 755 /etc/ipsec.d
mkdir -p -m 755 /etc/ipsec.d/cacerts
mkdir -p -m 755 /etc/ipsec.d/aacerts
mkdir -p -m 755 /etc/ipsec.d/ocspcerts
mkdir -p -m 755 /etc/ipsec.d/certs
mkdir -p -m 755 /etc/ipsec.d/crls
mkdir -p -m 700 /etc/ipsec.d/private
mkdir -p -m 700 /var/run/pluto
install -b –suffix=.old pluto whack /usr/local/libexec/ipsec
#install –mode=u+rxs,g+rx,o+rx –group=root -b –suffix=.old whackinit /usr/local/libexec/ipsec
if true ; then install -b –suffix=.old _pluto_adns /usr/local/libexec/ipsec ; fi
install /root/openswan-2.6.38/programs/pluto/pluto.8 /usr/local/man/man8/ipsec_pluto.8
sh /root/openswan-2.6.38/packaging/utils/manlink /root/openswan-2.6.38/programs/pluto/pluto.8 | \
while read from to ; \
do \
ln -s -f ipsec_$from /usr/local/man/man8/$to; \
done
install /root/openswan-2.6.38/programs/pluto/ipsec.secrets.5 /usr/local/man/man5
sh /root/openswan-2.6.38/packaging/utils/manlink /root/openswan-2.6.38/programs/pluto/ipsec.secrets.5 | \
while read from to ; \
do \
ln -s -f $from /usr/local/man/man5/$to; \
done
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/pluto’
info: addcon/Makefile: MAKECMDGOALS=”install”
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/addconn’
# remove any old vendor file installed previously
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/addconn’
make[3]: Entering directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/_confread’
/usr/bin/xmlto man /root/openswan-2.6.38/programs/_confread/ipsec.conf.5.xml
/usr/bin/xmlto: line 576: 23871 已杀死 “$XSLTPROC_PATH” $XSLTOPTS -o “$XSLT_PROCESSED” “$STYLESHEET” “$INPUT_FILE”
make[3]: *** [ipsec.conf.5] 错误 1
make[3]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs/_confread’
make[2]: *** [install] 错误 1
make[2]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64/programs’
make[1]: *** [install] 错误 1
make[1]: Leaving directory `/root/openswan-2.6.38/OBJ.linux.x86_64′
make: *** [install] 错误 2
这是怎么回事?
卸载xmlto后,openswan-2.6.38终于可以正常安装了,但是ipsec verify 的时候提示我
-bash: /usr/sbin/ipsec: 没有那个文件或目
# ipsec verify
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.9.3-x86_64-linode33 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [FAILED]
whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
Checking NAT and MASQUERADEing [OK]
Checking for ‘ip’ command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]
can not load config ‘/etc/ipsec.conf’: /etc/ipsec.conf:64: syntax error, unexpected STRING, expecting EOL [#这里写公网IP,没固定IP的就到花生壳弄个动态域名解析。]
/etc/ipsec.conf 里面的 IP 公网 IP 已经写上了,但是就是这里通不过, orz.
不知道是不是在执行 make programs install 出现下面的错误导致的.
cc1: 错误:-Werror=cpp:没有选项 -Wcpp
make[3]: *** [addrtoa.o] 错误 1
make[3]: Leaving directory `/root/openswan-2.6.39/OBJ.linux.x86_64/lib/libopenswan’
make[2]: *** [programs] 错误 1
make[2]: Leaving directory `/root/openswan-2.6.39/OBJ.linux.x86_64/lib’
make[1]: *** [programs] 错误 1
make[1]: Leaving directory `/root/openswan-2.6.39/OBJ.linux.x86_64′
make: *** [programs] 错误 2
貌似把/etc/ipsec.conf里那个注释语句被程序认为是配置文件的一部分了?
“ #这里写公网IP,没固定IP的就到花生壳弄个动态域名解析。”
这个整句删掉?
您好!首先谢谢您的分享,完全按您的教程(openswan版本号一致),只要不是用ipsec的共享密钥,就可以成功连接我自己搭建的l2tp,但是客户端一开启配置共享密钥就无法连接,windows,安卓也就好说了(不用密钥呗),苦于ios。。。跟本无法用,在围墙中苦苦挣扎。。。
所以想请教下您:
我的VPS上有一个防火墙,在防火墙上面我通过web界面开通了4500:tcp/udp,500:udp,1701:tcp/udp
而Linux-server则是完全按照您的/etc/sysconfig/iptables中填写,各表都加载正常。
/var/log/secure日志如下:
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: received Vendor ID payload [RFC 3947] method set to=115
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 3 14:48:11 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: initial Main Mode message received on 10.81.14.45:500 but no connection has been authorized with policy=PSK
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: received Vendor ID payload [RFC 3947] method set to=115
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 3 14:48:12 i-hdkkd3bo pluto[907]: packet from 1.202.99.36:500: initial Main Mode message received on 10.81.14.45:500 but no connection has been authorized with policy=PSK
ipsec verify:(这个应该没啥问题)
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K2.6.32-431.29.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for ‘ip’ command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]
sysctl -p:这个貌似也木问题
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: “net.bridge.bridge-nf-call-ip6tables” is an unknown key
error: “net.bridge.bridge-nf-call-iptables” is an unknown key
error: “net.bridge.bridge-nf-call-arptables” is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
fs.file-max = 65535
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
cat /etc/ipsec.conf
# /etc/ipsec.conf – Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = “all”, “none” or a combation from below:
# “raw crypt parsing emitting control klips pfkey natt x509 dpd private”
# eg:
# plutodebug=”control parsing”
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts=”–perpeerlog”
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as “private” address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=add
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=119.254.101.144
leftid=119.254.101.144
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
我也要感谢您的留言。没想到这么多年了,还有人来。心里想起一句话,“fresh meat!”(如果您老到玩过diablo 1也许能明白。)
抱歉,没精力仔细看了。根据您的描述,凭印象给建议个方向。iptables是难点。照抄八成不行,得花时间搞懂。
# Generated by iptables-save v1.4.7 on Thu Dec 3 13:31:09 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Dec 3 13:31:09 2015
# Generated by iptables-save v1.4.7 on Thu Dec 3 13:31:09 2015
*filter
:INPUT ACCEPT [5:348]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:592]
-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 21 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 5277 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 1194 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 1701 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 500 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 4500 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -j ACCEPT
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
COMMI
这个是linux-server的iptables规则
service ipsec status
IPsec running – pluto pid: 5620
pluto pid 5620
No tunnels up
。。。。。。。。。。。。。。。。。。。。。。。。
-A INPUT -p udp -m state –state NEW -m tcp –dport 1701 -j ACCEPT
我次奥了,给你一百个攒
就是少了这条网上都查不到
iptables -I FORWARD -d 192.168.7.0/24 -j ACCEPT