OpenSwan隧道未与值班警卫建立
OpenSwan隧道未与值班警卫建立
提问于 2016-01-20 01:56:40
几个星期以来,我一直在努力解决这个问题。一开始我以为是在守望者那边,但看起来像我们这边。下面是设置: 1.运行Amazon和OpenSwan的OpenSwan实例。2.运行WatchGuard的另一面(右侧)。隧道没有安装。我将同一个ipsec.conf文件转到运行CentoS的RackSpace中的服务器上,隧道就会建立起来。不知道为什么。如果有人能帮忙的话,我已经附上了conf文件和日志文件。非常感谢。
#nual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=all
plutodebug=all
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
#virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
#nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf/etc/ipsec.d/con.conf
conn TestConn
authby=secret
auto=start
forceencaps=yes
left=%defaultroute
leftid=209.20.92.47
leftsourceip=209.20.92.47
leftsubnet=10.183.128.9/32
leftnexthop=%defaultroute
right=50.206.18.58
rightsubnet=10.10.2.61/32
esp=3des-sha1
#auth=esp
keyexchange=ike
ike=3des-sha1;modp1024
#salifetime=43200s
pfs=no
#dpdaction=restart
#aggrmode=no冥王星日志
Jan 19 19:32:24 ip-10-1-201-245 ipsec__plutorun: Starting Pluto subsystem...
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: nss directory plutomain: /etc/ipsec.d
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: NSS Initialized
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:29440
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: LEAK_DETECTIVE support [disabled]
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: OCF support for IKE [disabled]
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: SAref support [disabled]: Protocol not available
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: SAbind support [disabled]: Protocol not available
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: NSS support [enabled]
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: HAVE_STATSD notification support not compiled in
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: Setting NAT-Traversal port-4500 floating to on
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: port floating activation criteria nat_t=1/port_float=1
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: NAT-Traversal support [enabled]
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | event added at head of queue
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | event added at head of queue
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | event added after event EVENT_PENDING_DDNS
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: starting up 1 cryptographic helpers
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: started helper (thread) pid=140152581191424 (fd:8)
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: Using Linux 2.6 IPsec interface code on 4.1.13-18.26.amzn1.x86_64 (experimental code)
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | status value returned by setting the priority of this thread (id=0) 22
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | helper 0 waiting on fd: 9
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | process 29440 listening for PF_KEY_V2 on file descriptor 12
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | 02 07 00 02 02 00 00 00 01 00 00 00 00 73 00 00
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | pfkey_get: K_SADB_REGISTER message 1
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | AH registered with kernel.
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | 02 07 00 03 02 00 00 00 02 00 00 00 00 73 00 00
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | pfkey_get: K_SADB_REGISTER message 2
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | alg_init():memset(0x558361de3500, 0, 2016) memset(0x558361de3ce0, 0, 2048)
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_add():satype=3, exttype=14, alg_id=251
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_add():satype=3, exttype=14, alg_id=2
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_add():satype=3, exttype=14, alg_id=3
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_add():satype=3, exttype=14, alg_id=5
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_add():satype=3, exttype=14, alg_id=6
Jan 19 19:32:24 ip-10-1-201-245 pluto[29440]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1编辑我不知道Amazon /OpenSwan是怎么回事。于是我切换到Ubuntu,使用相同的配置文件,隧道在第一次尝试中就建立了!双方都看到了隧道的建立。但是我们不能平。当我ping时,我看到数据包正在穿越隧道,我看到使用tcpdump。其他人看到我的包裹到达。但是,回复数据包没有到达我的服务器。我怀疑AWS设置不对。我确实禁用了对实例的源/目标检查,我向子网路由表添加了一个路由,将发送到隧道的数据包路由到运行OpenSwan的实例。还是不能打平。
你知道为什么平可能不起作用吗?我把这个发到AWS论坛上了,还没有答案。https://forums.aws.amazon.com/thread.jspa?threadID=223853&tstart=0
回答 1
Stack Overflow用户
回答已采纳
发布于 2016-01-29 22:57:03
我在AWS的支持下开了一张票。他们查看了日志文件和配置,并给出了为什么隧道没有建立的答案。我那部分是个愚蠢的错误。连接到运行OpenSwan的Amazon实例的路由没有互联网路由,因此它没有到达WG。一旦我增加了那条路线,隧道就建好了。Ubuntu之所以工作,是因为我在一个新的子网中实例化了这台机器,该子网有通向internet的路由。所以总是先平另一端的公共ip。我对AWS支援小组印象深刻。他们知道自己在做什么。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/34890233
复制相关文章
相似问题
腾讯云开发者
