2

我有一个 IP 地址为 @public_A 的 SonicWall 路由器。这个路由器后面是一个 LAN 192.168.2.0/24。另一方面,我有一台 IP 地址为 @public_B 的 Linux Ubuntu 机器

我的目标是为 Linux 实现一个 VPN IPSec 客户端,这样我就能够从我的 Linux 客户端机器向 192.168.2.0/24 LAN 发送消息。

该客户端已经存在于由 SonicWall 开发的 Windows 机器上,但不适用于 Linux 机器。

根据互联网上许多帖子的建议,我决定配置一个 OpenSwan 隧道以连接到这个 LAN。

ipsec.conf:

conn sonicwall
        type=tunnel
        left=public_B
        leftid=@yyyyyyyyyyyyyyy
        leftxauthclient=yes
        right=public_A
        rightsubnet=192.168.2.0/24
        rightxauthserver=yes
        rightid=@xxxxxxxxxxxxxxxx
        keyingtries=0
        pfs=no
        aggrmode=yes
        auto=add
        auth=esp
        esp=aes256-sha1
        #phase2alg=aes256-sha1
        ike=aes256-sha1;modp1536
        authby=secret
        leftxauthusername=USER
        #xauth=yes
        keyexchange=ike

启动时的日志:

~# ipsec whack --name sonicwall --initiate
002 "sonicwall" #9: initiating Aggressive Mode #9, connection "sonicwall"
112 "sonicwall" #9: STATE_AGGR_I1: initiate
003 "sonicwall" #9: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "sonicwall" #9: ignoring unknown Vendor ID payload [xxxxxxxxxxxxxxxxxx]
003 "sonicwall" #9: received Vendor ID payload [RFC 3947] method set to=109 
003 "sonicwall" #9: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #9: received Vendor ID payload [XAUTH]
002 "sonicwall" #9: Aggressive mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
003 "sonicwall" #9: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
002 "sonicwall" #9: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "sonicwall" #9: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
002 "sonicwall" #9: XAUTH: Answering XAUTH challenge with user='USER'
002 "sonicwall" #9: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #9: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "sonicwall" #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "sonicwall" #9: received and ignored informational message
002 "sonicwall" #9: XAUTH: Successfully Authenticated
002 "sonicwall" #9: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #9: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "sonicwall" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#9 msgid:489fb919 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sonicwall" #10: STATE_QUICK_I1: initiate
002 "sonicwall" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sonicwall" #10: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xff65c149 <0x6de1b3e3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

注意:在那之后我的路由表中没有添加任何路由。

我的隧道似乎功能齐全,但是:我无法向路由器后面的 LAN 发送任何消息。我不知道如何使用我刚刚设置的隧道至少向 LAN 中的机器发送 ping。我应该怎么做 ?

你也可以给我建议以达到我的目标,即使不是通过使用 OpenSwan

感谢阅读和帮助。

4

1 回答 1

1

成功通过身份验证后是否有任何新的网络接口?检查ip addr您是否有任何ppp0或类似的接口。

我不确定您的情况,因为您的身份验证方法与我过去配置的不同(预共享密钥 openswan + 用户/通过 xl2tpd)但是,如果有任何相似之处,ipsec auto --up ${connection_name}正常运行会使用用于身份验证的预共享密钥,但没有启动接口,此时我必须告诉 xl2tpd 进行连接,它使用用户和密码进行身份验证,然后创建接口ppp0

你的输出是什么ipsec verify(在启动 openswan 服务之后)?

于 2013-08-09T09:30:28.500 回答