Help needed: problems installing Openswan on CentOS 6
Following the blog post at http://www.esojourn.org/wp/?p=404, I set up an L2TP + IPsec VPN server on CentOS 6, but I have now run into some problems.
The output of ipsec verify is:
[root@www ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
SAref kernel support [N/A]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
The output of ipsec whack --status is:
[root@www ~]# ipsec whack --status
000 using kernel interface: noklips
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 4 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "L2TP-PSK-NAT": xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>:17/1701...%virtual===?; unrouted; eroute owner: #0
000 "L2TP-PSK-NAT": myip=unset; hisip=unset;
000 "L2TP-PSK-NAT": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-NAT": policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: ;
000 "L2TP-PSK-NAT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-noNAT": xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>:17/1701...%any; unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT": myip=unset; hisip=unset;
000 "L2TP-PSK-noNAT": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-noNAT": policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: ;
000 "L2TP-PSK-noNAT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

pluto.log is shown below (the first Openswan I installed was 2.6.32 from yum; after uninstalling it I built and installed 2.6.38 with make, but the log does not mention 2.6.38):
[root@www ~]# cat pluto.log
Plutorun started on Wed May 22 17:47:55 MSD 2013
adjusting ipsec.d to /etc/ipsec.d
nss directory plutomain: /etc/ipsec.d
NSS Initialized
Non-fips mode set in /proc/sys/crypto/fips_enabled
Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:13694
Non-fips mode set in /proc/sys/crypto/fips_enabled
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [enabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
  NAT-Traversal support [enabled]
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
No Kernel NETKEY interface detected
No Kernel MASTKLIPS interface detected
No Kernel KLIPS interface detected
Using 'no_kernel' interface code on 2.6.32-042stab076.8
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  Warning: empty directory
| selinux support is NOT enabled.
added connection description "L2TP-PSK-NAT"
added connection description "L2TP-PSK-noNAT"
listening for IKE messages
no public interfaces found
loading secrets from "/etc/ipsec.secrets"
shutting down
forgetting secrets
"L2TP-PSK-noNAT": deleting connection
"L2TP-PSK-NAT": deleting connection
I would like to know why ipsec verify reports so many failures, and how to fix them:
Checking for IPsec support in kernel [FAILED]
SAref kernel support [N/A]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Many thanks! (If other logs or configuration files are needed, please say so and I will post them.)
Comments (2)
Did you ever solve that problem? I ran into the same thing today, exactly like yours.
If it is an OpenVZ VPS, there is currently no good solution.
Checking for IPsec support in kernel [FAILED]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
My tests have not succeeded so far; try turning on the ppp and tun switches in the OpenVZ control panel.
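The four [FAILED] lines in the question and the OpenVZ point raised in the comments can be checked without guessing. The script below is an added example, not code from the original post or from the Openswan project: it redoes each failed check as a small POSIX sh function that returns 0 or 1, parses the verify transcript from the post (embedded as sample data), and adds a container check, since the log's kernel string 2.6.32-042stab076.8 is an OpenVZ kernel and the "No Kernel NETKEY interface detected" line is what you get when the guest cannot load the kernel IPsec stack. Assumptions, labelled in the comments: Openswan's verify script looks for /proc/net/pfkey (NETKEY) or /proc/net/ipsec_eroute (KLIPS) to decide kernel support, and an OpenVZ guest has /proc/vz but not /proc/bc; every path is a parameter so the checks can be run against constructed files.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Each function mirrors
# one "ipsec verify" check and returns 0 on pass, 1 on fail. Paths are
# parameters so the checks can be exercised against constructed files as well
# as the live /proc tree.
# Assumption: Openswan's verify script decides "IPsec support in kernel" by
# looking for /proc/net/pfkey (NETKEY) or /proc/net/ipsec_eroute (KLIPS).
kernel_ipsec_present() {
    procnet="${1:-/proc/net}"
    [ -e "$procnet/pfkey" ] || [ -e "$procnet/ipsec_eroute" ]
}

# IP forwarding: the sysctl file holds "1" when forwarding is on.
ip_forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Assumption: inside an OpenVZ container /proc/vz exists but /proc/bc does
# not (only the hardware node has /proc/bc). In that case the guest cannot
# load NETKEY/XFRM itself, which matches "Using 'no_kernel' interface code".
in_openvz_container() {
    proc="${1:-/proc}"
    [ -e "$proc/vz" ] && [ ! -e "$proc/bc" ]
}

# Is some UDP socket bound to port $1? Reads "netstat -lun" or "ss -lun"
# output from stdin; the port must be followed by whitespace or end of line
# so that 500 does not match 5000.
udp_port_listening() {
    grep -Eq ":$1([[:space:]]|\$)"
}

# Print the name of every check marked [FAILED] in an "ipsec verify"
# transcript read from stdin, one per line.
failed_checks() {
    sed -n 's/[[:space:]]*\[FAILED\].*//p'
}

# The verify transcript from the post above, embedded so the parser runs offline.
sample_verify_output() {
    cat <<'EOF'
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
SAref kernel support [N/A]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
EOF
}

# Live report against the running system (needs netstat from net-tools).
report_live() {
    kernel_ipsec_present && echo "kernel IPsec: present" || echo "kernel IPsec: MISSING"
    ip_forwarding_enabled && echo "ip_forward: on" || echo "ip_forward: OFF"
    in_openvz_container && echo "OpenVZ container: yes (guest cannot load the IPsec stack)" \
                        || echo "OpenVZ container: no"
    for p in 500 4500; do
        netstat -lun 2>/dev/null | udp_port_listening "$p" \
            && echo "udp/$p: listening" || echo "udp/$p: NOT listening"
    done
}

if [ "${1:-}" = "--live" ]; then report_live; fi
```

Run it as `sh verify_checks.sh --live` on the VPS, or source it and call the functions individually. If `in_openvz_container` says yes and `kernel_ipsec_present` says missing, the verify failures are a property of the container kernel rather than of the Openswan build, which is why rebuilding 2.6.38 from source did not change the result in the question.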