Comments on 瘋狂帽客's Blog: Setup a L2TP over IPSec VPN Server on Linux

Anonymous, 2010-04-15 19:10 (+08:00):
Hello 瘋狂帽客,
I configured everything following the steps above. ipsec verify is fine and ps shows that xl2tpd is running, but the client cannot connect; looking at the packets, the server does not respond at all.
No xl2tpd.log file is created in /var/log either. Is there any further configuration needed? How can I investigate further?

Unknown, 2010-04-15 19:06 (+08:00):
This comment has been removed by the author.

Anonymous, 2009-11-06 01:59 (+08:00):
Hello 瘋狂帽客,
Roughly following the procedure you wrote does not bring up L2TP over IPSEC. There are still incomplete parts, i.e. the l2tp-psk.conf setup cannot use the default file when starting xl2tpd (I hope you will explain the l2tp-psk.conf configuration). xl2tpd 1.2.4 has no /example files; they can only be extracted from an old version. On connecting there is also error 789, which should be an ipsec timeout. What else is wrong?

Anonymous, 2008-10-07 20:05 (+08:00):
Hello,
I would like to ask you a few questions.
My setup is as follows:

A----eth0 router eth1----B

A: 192.168.1.100
eth0: 192.168.1.1
eth1: 192.168.2.1
B: 192.168.2.100

ipsec.conf:

config setup
 nat_traversal=yes
 plutowait=yes
 nhelpers=0

conn %default

conn test
 authby=secret
 auto=add
 keyingtries=3
 left=192.168.2.1
 pfs=no
 rekey=no
 right=192.168.2.100

include /etc/ipsec.d/examples/no_oe.conf

ipsec.secrets:

: PSK "1234567890"

A is Windows XP using the IPsec function opened in mmc; B is Linux with openswan installed.
Currently they cannot connect (the action is A ping B).
Looking at it in wireshark, after the key exchange A sends an identification payload to B, but B sends back a hash payload to A.
Checking /var/log/message, there is this section:

Oct 8 18:37:27 haha pluto[6387]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.100'
Oct 8 18:37:27 haha pluto[6387]: "test" #1: no suitable connection for peer '192.168.1.100'
Oct 8 18:37:27 haha pluto[6387]: "test" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.2.1:

(too long @_@...)

Is there something written wrong in my conf?

streitleak, 2008-10-06 17:19 (+08:00):
Still cannot find l2tp-psk.conf.
OS: FC9
xl2tpd-1.1.12-2.fc9.i386.rpm
openswan-2.6.09-2.fc9.i386.rpm

Using find / | grep conf I do not see that file at all.
Where should I look for this file? I did find a Japanese website that has it written up, but it does not seem to work either.

Unknown, 2008-08-05 19:25 (+08:00):
A question: when I install an l2tp over ipsec vpn on fedora 9, I can never get it set up successfully. Have you ever set it up successfully on fedora9?

ken, 2008-05-27 15:00 (+08:00):
Hi 瘋狂帽客,
Have you tried l2tpv3?
Have you looked into l2tpv3 server/client configuration?

DAN, 2008-03-11 17:32 (+08:00):
Hello, the log file has not even been created yet, because after the rpm install finishes, service xl2tpd start fails right away.
The log file has not been created in /var.

瘋狂帽客, 2008-03-10 17:53 (+08:00):
Dear Dan,
Please check xl2tpd logs first.

DAN, 2008-03-09 22:53 (+08:00):
A question: if Xl2tpd cannot start, what kind of problem is that? It fails immediately whenever I start it. How do I fix this?

瘋狂帽客, 2008-01-24 12:42 (+08:00):
For LAN to LAN IPSec configuration please refer to:
http://go-linux.blogspot.com/2007/09/setup-ipsec-host-to-host-tunnel.html
A slight modification will do.

Or refer to:
http://wiki.openswan.org/index.php/Openswan/Configure
which is more detailed.

Mark, 2008-01-22 16:29 (+08:00):
Hello 帽客:
If I want to set up a lan to lan vpn, do I only need to look at the ipsec configuration part?

Anonymous, 2008-01-14 16:43 (+08:00):
Hello 帽客, if the l2tp server is behind NAT, how should ipsec.conf or l2tp-psk.conf be configured?

Anonymous, 2007-12-25 20:25 (+08:00):
Using the l2tp-psk.conf example file, I get:

Opportunistic Encryption DNS checks:

Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 254.200.9.192.in-addr.arpa. [MISSING]

I also cannot figure out what this has to do with DNS.
It is a real headache. An unencrypted VPN is pretty scary, right??
When I run
/etc/init.d/ipsec start
SMB dies immediately,
then I quickly run
/etc/init.d/ipsec stop
and SMB is fine again.
I do not know the reason.

瘋狂帽客, 2007-12-25 09:22 (+08:00):
For the detailed parameters in l2tp-psk.conf, please refer to the following link:
http://wiki.openswan.org/index.php/Openswan/ConfFiles
This is the Openswan wiki.

What does l2tp-psk.conf have to do with DNS? As far as I understand, there is no direct relationship at all; l2tp-psk.conf is the configuration file used to set up L2TP over IPSec.

Anonymous, 2007-12-24 22:56 (+08:00):
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Solved.
Ran the following command:

[root@shtm ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan Uopenswan-2.4.9-31.el5/K2.6.18-53.1.4.el5xen (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:

 Does the machine have at least one non-private address? [OK]
 Looking for TXT in reverse dns zone: 254.200.9.192.in-addr.arpa. [MISSING]

I would like to ask what the contents of l2tp-psk.conf mean.
Could 瘋狂帽客 explain what l2tp-psk.conf has to do with dns?

Sorry for the trouble, thank you.

瘋狂帽客, 2007-12-24 11:49 (+08:00):
Hi Tony:
Regarding the questions you asked, here are my answers; I hope they help:
1. Should the IP in vi /etc/ipsec.secret be the real IP or the virtual IP?
-> Public IP address

2. Is the local ip in the xl2tpd config file set to the virtual IP, or?
-> Private IP address

3. Does the IP RANGE in the xl2tpd config file have to be the same as the home subnet in order to access shared resources?
-> Even if it is different it still works; it depends on how you design your iptables rules, which also involves some routing concepts.

瘋狂帽客, 2007-12-24 11:45 (+08:00):
Hi Tony & Sineed,
The way to solve this problem is to modify kernel parameters. Which parameters need to be modified? Openswan provides an example as follows:

# cat /etc/ipsec.d/examples/sysctl.conf

# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1

# rp_filter is stupid and cannot deal decrypted packets "appearing out of
# nowhere"
net.ipv4.conf.default.rp_filter = 0

# when using 1 interface for two networks, and in some other cases with
# NETKEY, the kernel thinks it can be clever but breaks things.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Add these parameters to /etc/sysctl.conf and run sysctl -p, and that is it.

Anonymous, 2007-12-22 11:40 (+08:00):
#ipsec verify
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Two or more interfaces found, checking IP forwarding [FAILED]

Same here. I have searched for a long time and do not know how to solve it.

Anonymous, 2007-12-18 12:51 (+08:00):
Hello! After reading your article I have the VPN installed (many thanks). I have some questions. My home environment is an IP sharing router connected to CENTOS 5 (running DNS and MAIL SERVER), and I want to connect back home from the company network. The questions are:
1. Should the IP in vi /etc/ipsec.secret be the real IP or the virtual IP?
2. Is the local ip in the xl2tpd config file set to the virtual IP, or?
3. Does the IP RANGE in the xl2tpd config file have to be the same as the home subnet in order to access shared resources?
4. #ipsec verify shows error messages:
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

 Please disable /proc/sys/net/ipv4/conf/*/send_redirects
 or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

 Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
 or NETKEY will accept bogus ICMP redirects!
Two or more interfaces found, checking IP forwarding [FAILED]
Could you give me some pointers?

瘋狂帽客, 2007-08-31 11:17 (+08:00):
Dear linux child,
Yes, you are right: configure a Public IP address on the VPN Server, and that IP address is what the L2TP Client enters when setting up the VPN connection.
I suggest a default firewall policy of Drop for INPUT, only allowing TCP/UDP 1701 (L2TP) and TCP/UDP 500 (IPSec); that is safer.

As for whether it should be the same subnet as the company internal network, it can be, or not; once a user dials in successfully, an extra pppx interface appears.

Anonymous, 2007-08-31 10:56 (+08:00):
Hello 瘋狂帽客,

I would like to ask you some questions.
If this VPN is to be used over the Internet,
do I need to bind a public ip on the VPN Server,
and then, when a user creates a vpn connection, enter that public ip as the server ip?
Is that how it works??

Also, is the 192.168.1.x subnet the company's existing LAN Subnet??
Or is it just a virtual tunnel??

Lots of questions, sorry... ^^"