IPSec VPN客户端Linux

Question

我有一个IP地址为@public_A的SonicWall路由器，它后面是一个LAN192.168.2.0/24。另一方面，我有一台IP地址为@public_B的Linux Ubuntu机器

我的目标是实现一个用于Linux的VPN IPSec客户端，这样我就能够从我的Linux客户端机器向192.168.2.0/24LAN发送消息。

这个客户端已经存在于SonicWall开发的Windows机上，但不适用于Linux机。

根据互联网上许多帖子的建议，我决定配置一个OpenSwan隧道来连接这个局域网。

ipsec.conf：

conn sonicwall
        type=tunnel
        left=public_B
        leftid=@yyyyyyyyyyyyyyy
        leftxauthclient=yes
        right=public_A
        rightsubnet=192.168.2.0/24
        rightxauthserver=yes
        rightid=@xxxxxxxxxxxxxxxx
        keyingtries=0
        pfs=no
        aggrmode=yes
        auto=add
        auth=esp
        esp=aes256-sha1
        #phase2alg=aes256-sha1
        ike=aes256-sha1;modp1536
        authby=secret
        leftxauthusername=USER
        #xauth=yes
        keyexchange=ike

启动时的日志：

~# ipsec whack --name sonicwall --initiate
002 "sonicwall" #9: initiating Aggressive Mode #9, connection "sonicwall"
112 "sonicwall" #9: STATE_AGGR_I1: initiate
003 "sonicwall" #9: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "sonicwall" #9: ignoring unknown Vendor ID payload [xxxxxxxxxxxxxxxxxx]
003 "sonicwall" #9: received Vendor ID payload [RFC 3947] method set to=109 
003 "sonicwall" #9: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #9: received Vendor ID payload [XAUTH]
002 "sonicwall" #9: Aggressive mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
003 "sonicwall" #9: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
002 "sonicwall" #9: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "sonicwall" #9: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
002 "sonicwall" #9: XAUTH: Answering XAUTH challenge with user='USER'
002 "sonicwall" #9: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #9: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "sonicwall" #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "sonicwall" #9: received and ignored informational message
002 "sonicwall" #9: XAUTH: Successfully Authenticated
002 "sonicwall" #9: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #9: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "sonicwall" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#9 msgid:489fb919 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sonicwall" #10: STATE_QUICK_I1: initiate
002 "sonicwall" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sonicwall" #10: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xff65c149 <0x6de1b3e3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

注意:在我的路由表中没有添加任何路由。

我的隧道似乎功能齐全，但是:我不能向路由器后面的LAN发送任何消息。我不知道如何使用我刚刚设置的隧道，以便向LAN中的机器发送至少一个ping。我该怎么办？

你也可以给我一些建议来达到我的目标，即使不是通过使用OpenSwan

感谢您的阅读和帮助。

Answer 1

成功通过身份验证后，您是否有任何新的网络接口？检查ip addr，看看您是否有ppp0或类似的接口。

我不确定您的情况，因为您的身份验证方法不同于我在过去配置的方法(预共享密钥openswan + user/pass xl2tpd)，但是，如果有任何相似之处，运行ipsec auto --up ${connection_name}通常会使用用于身份验证的预共享密钥建立隧道，但不会打开接口，此时我必须告诉xl2tpd进行连接，它使用用户和密码进行身份验证，然后创建接口ppp0。

你对ipsec verify的输出是什么(在启动openswan服务之后)？