Vultr: Can you help me figure out why this L2TP/IPsec setup won't connect?

    DearTanker · 2015-01-19 17:44:08 +08:00 · 11078 views
    There don't seem to be any errors.. When I connect from my phone it says: server not responding.

    [root@vultr ~]# ipsec verify

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.6.38/K2.6.32-504.3.3.el6.x86_64 (netkey)
    Checking for IPsec support in kernel [OK]
    SAref kernel support [N/A]
    NETKEY: Testing XFRM related proc values [OK]
    [OK]
    [OK]
    Hardware RNG detected, testing if used properly [OK]
    Checking that pluto is running [OK]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for NAT-T on udp 4500 [OK]
    Checking for 'ip' command [OK]
    Checking /bin/sh is not /bin/dash [OK]
    Checking for 'iptables' command [OK]
    Opportunistic Encryption Support [DISABLED]


    These are the few places I can think of where something might be wrong; please take a look and help me analyze them..

    [root@vultr ~]# vi /etc/ipsec.secrets

    108.61.201.*** %any: PSK "vpnsos"

    [root@vultr ~]# vi /etc/ipsec.secrets

    # Generated by iptables-save v1.4.7 on Mon Jan 5 09:54:49 2015
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:140]
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8989 -j ACCEPT
    -A FORWARD -s 172.16.36.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
    COMMIT
    # Completed on Mon Jan 5 09:54:49 2015
    # Generated by iptables-save v1.4.7 on Mon Jan 5 09:54:49 2015
    *nat
    :PREROUTING ACCEPT [103:7248]
    :POSTROUTING ACCEPT [18:1188]
    :OUTPUT ACCEPT [18:1188]
    -A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source 108.61.201.***
    COMMIT
    # Completed on Mon Jan 5 09:54:49 2015
    17 replies    2019-05-07 11:35:34 +08:00

    #1 · wzxjohn · 2015-01-19 18:10:42 +08:00
    How can anyone help you when you only post the config and no logs......

    #2 · kxmp · 2015-01-19 18:15:05 +08:00
    L2TP is blocked....
    I've tested all of it.
    As long as syslog doesn't move at all while you are connecting, it is 100% blocked.

    #3 · luo362722353 · 2015-01-19 18:21:06 +08:00 via iPhone   ❤️ 1
    Try this first; no guarantee that you will be able to connect
    service ipsec restart
    xl2tpd
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Hope this helps you

    @DearTanker

    #4 · DearTanker (OP) · 2015-01-19 20:09:01 +08:00
    @wzxjohn
    @kxmp

    How do I look at the log? I'm a complete beginner, don't laugh at me..


    @luo362722353

    OK, I'll try it..

    #5 · evilyau · 2015-01-19 22:04:23 +08:00   ❤️ 1
    There is InstaVPN on GitHub, the easiest-to-use L2TP I have used

    #6 · Phant0m · 2015-01-19 22:18:02 +08:00 via iPad
    @evilyau Link, please

    #7 · RHFS · 2015-01-19 22:29:15 +08:00
    @evilyau Doesn't it get interfered with?

    @Phant0m https://github.com/sockeye44/instavpn A quick search will find it...

    #8 · DearTanker (OP) · 2015-01-20 08:53:46 +08:00
    @RHFS This.. can it be installed on CentOS? (´・_・`)

    #9 · DearTanker (OP) · 2015-01-20 08:55:50 +08:00
    @luo362722353 Whoa, it connects now, but I can't get online...
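
    #10 · RHFS · 2015-01-20 09:44:01 +08:00 via iPhone
    @DearTanker Apparently not. I tinkered with it for a while last night, but the network was too laggy so I gave up. The system requirement is Ubuntu 14. I read the description and it looks good.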
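
    #11 · luo362722353 · 2015-01-20 09:53:53 +08:00 via iPhone
    @DearTanker
    How could that be…

    If it is eth0, then barring surprises it should work
    Run
    xl2tpd
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    If it can't connect… please run ifconfig and post the output for me to look at…

    Next is

    the config file /etc/sysctl.conf (modifying the kernel forwarding parameter)
    Are you sure it is correct?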
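
The two settings named in reply #11 (a source-NAT rule for the VPN subnet and the kernel forwarding parameter in /etc/sysctl.conf), as an added example that is not part of the thread: a function that audits `iptables-save` output and sysctl.conf text passed in as strings. The function name, reading "kernel forwarding parameter" as `net.ipv4.ip_forward`, and the sample input (198.51.100.7 is a placeholder address) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit the two settings that let VPN clients reach the internet.
# check_vpn_egress SUBNET IPTABLES_SAVE_TEXT SYSCTL_CONF_TEXT
# Prints one finding per line; returns 0 only when forwarding and source NAT are both in place.
check_vpn_egress() {
    subnet=$1; rules=$2; sysctl_text=$3; rc=0
    # The last uncommented assignment wins, matching the order in which sysctl -p applies lines.
    fwd=$(printf '%s\n' "$sysctl_text" | awk -F= '
        /^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print v }')
    if [ "$fwd" = "1" ]; then
        echo "forwarding: enabled"
    else
        echo "forwarding: net.ipv4.ip_forward is not set to 1"; rc=1
    fi
    # Only the *nat table counts; accept SNAT or MASQUERADE that is unscoped or scoped to SUBNET.
    nat=$(printf '%s\n' "$rules" | awk -v s="$subnet" '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ {
            src = ""
            for (i = 1; i < NF; i++) if ($i == "-s") src = $(i + 1)
            if (src == "" || src == s) { print; exit }
        }')
    if [ -n "$nat" ]; then
        echo "nat: $nat"
    else
        echo "nat: no POSTROUTING SNAT/MASQUERADE rule covers $subnet"; rc=1
    fi
    return "$rc"
}

# Constructed sample input; 198.51.100.7 stands in for the server's public address.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 172.16.36.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source 198.51.100.7
COMMIT'
SAMPLE_SYSCTL_OFF='net.ipv4.ip_forward = 0'

# Demo: NAT is present but forwarding is off, so the function reports a failure.
check_vpn_egress 172.16.36.0/24 "$SAMPLE_RULES" "$SAMPLE_SYSCTL_OFF" || true
```

On a live server the same function can be fed `"$(iptables-save)"` and `"$(cat /etc/sysctl.conf)"`; it does not inspect the FORWARD chain policy or the outgoing interface.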

    #12 · kxmp · 2015-01-25 20:32:35 +08:00
    @DearTanker
    > tail -f /var/log/syslog
    Then start connecting. See whether the log moves. If it doesn't move, there is no need for you to do anything else.

    #13 · DearTanker (OP) · 2015-07-10 22:03:28 +08:00
    @kxmp I've kept tinkering these past few days and it still doesn't work..

    tail: cannot open `/var/log/syslog' for reading: No such file or directory

    #14 · DearTanker (OP) · 2015-07-10 22:46:26 +08:00
    @wzxjohn
    @kxmp
    @luo362722353

    Jul 10 22:44:47 vultr sshd[1396]: Server listening on 0.0.0.0 port 22.
    Jul 10 22:44:47 vultr sshd[1396]: Server listening on :: port 22.
    Jul 10 22:44:50 vultr sshd[1856]: reverse mapping checking getaddrinfo for 46.236.25.117.broad.xm.fj.dynamic.163data.com.cn [117.25.236.46] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 10 22:44:50 vultr sshd[1856]: Accepted password for root from 117.25.236.46 port 58434 ssh2
    Jul 10 22:44:50 vultr sshd[1856]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [RFC 3947] method set to=109
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    Jul 10 22:45:30 vultr pluto[1232]: packet from 120.32.228.110:500: received Vendor ID payload [Dead Peer Detection]
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: responding to Main Mode from unknown peer 120.32.228.110
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: STATE_MAIN_R1: sent MR1, expecting MI2
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:30 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:34 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:34 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:37 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:37 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:40 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
    Jul 10 22:45:53 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
    Jul 10 22:45:53 vultr pluto[1232]: "L2TP-PSK-NAT"[1] 120.32.228.110 #1: sending notification INVALID_PAYLOAD_TYPE to 120.32.228.110:500
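
    #15 · kxmp · 2015-09-27 20:58:12 +08:00
    What you have here is unknown messages being received... the packets carrying the authentication information got corrupted, so you can't connect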
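
The log reading that replies #2, #12 and #15 describe (does anything arrive at all, and how far does the negotiation get), as an added example that is not part of the thread: a function that summarises pluto lines per peer and flags a Main Mode exchange that never gets past `STATE_MAIN_R1`. The function name, the verdict labels and the sample lines (constructed in the format of the log in #14, with 203.0.113.10 as a placeholder peer) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): summarise Openswan pluto IKE log lines per peer.
# Reads syslog-format lines on stdin and prints, for each peer:
#   <peer> <last_state> <INVALID_PAYLOAD_TYPE notifications sent> <verdict>
ike_stall_summary() {
    awk '
        # Raw IKE packets seen before a connection instance exists.
        $5 ~ /^pluto\[/ && /packet from/ { packets++ }
        # Lines tied to a connection instance: "NAME"[n] <peer> #<state-no>: ...
        $5 ~ /^pluto\[/ && $6 ~ /^"/ {
            peer = $7
            if (!(peer in state)) { order[++n] = peer; state[peer] = "NONE"; bad[peer] = 0 }
            if (/transition from state/) state[peer] = $NF
            if (/sending notification INVALID_PAYLOAD_TYPE/) bad[peer]++
        }
        END {
            if (n == 0) {
                # Nothing negotiated: either no packets arrived or none were accepted.
                print (packets > 0 ? "ike-packets-but-no-negotiation" : "no-ike-traffic")
                exit
            }
            for (i = 1; i <= n; i++) {
                p = order[i]
                v = (state[p] ~ /^STATE_MAIN_R[01]$/ && bad[p] > 0) ? "stalled-in-main-mode" : "no-stall-seen"
                printf "%s %s %d %s\n", p, state[p], bad[p], v
            }
        }'
}

# Constructed sample lines in the format of the log posted in #14.
SAMPLE_LOG='Jul 10 22:45:30 vpnhost pluto[1232]: packet from 203.0.113.10:500: received Vendor ID payload [Dead Peer Detection]
Jul 10 22:45:30 vpnhost pluto[1232]: "L2TP-PSK-NAT"[1] 203.0.113.10 #1: responding to Main Mode from unknown peer 203.0.113.10
Jul 10 22:45:30 vpnhost pluto[1232]: "L2TP-PSK-NAT"[1] 203.0.113.10 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 10 22:45:30 vpnhost pluto[1232]: "L2TP-PSK-NAT"[1] 203.0.113.10 #1: sending notification INVALID_PAYLOAD_TYPE to 203.0.113.10:500
Jul 10 22:45:34 vpnhost pluto[1232]: "L2TP-PSK-NAT"[1] 203.0.113.10 #1: sending notification INVALID_PAYLOAD_TYPE to 203.0.113.10:500'

printf '%s\n' "$SAMPLE_LOG" | ike_stall_summary
```

Feed it whichever file pluto logs to on the server; a result of `no-ike-traffic` during a connection attempt is the "log doesn't move" case from #2 and #12.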

    #16 · litp · 2019-05-07 11:12:01 +08:00
    @DearTanker Hey, did you ever get this configured successfully back then? I'm now running into the same can't-connect problem

    #17 · litp · 2019-05-07 11:35:34 +08:00
    @DearTanker Found the problem; it actually turns out to be related to the carrier
    https://github.com/hwdsl2/setup-ipsec-vpn/issues/244