
Openswan IPsec transport tunnel won't come up

Server Fault user
Asked on 2012-10-07 04:10:21
1 answer, 14.4K views, 0 followers, 2 votes

On ClusterA and ClusterB I have installed the "openswan" package on Debian squeeze.

ClusterA's IP is 172.16.0.107, ClusterB's is 172.16.0.108.

When they communicate with each other, the traffic doesn't reach the destination.

/etc/ipsec.conf:

```
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        protostack=netkey
        oe=off

conn L2TP-PSK-CLUSTER
        type=transport
        left=172.16.0.107
        right=172.16.0.108
        auto=start
        ike=aes128-sha1-modp2048
        authby=secret
        compress=yes
```

/etc/ipsec.secrets:

```
172.16.0.107 172.16.0.108 : PSK "L2TPKEY"
172.16.0.108 172.16.0.107 : PSK "L2TPKEY"
```

Here is the result of ipsec verify on both machines:

```
root@cluster2:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.28/K2.6.32-5-amd64 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
root@cluster2:~#
```

Here is the end of the ipsec auto --status output:

```
000 "cluster": 172.16.0.108<172.16.0.108>[+S=C]...172.16.0.107<172.16.0.107>[+S=C]; prospective erouted; eroute owner: #0
000 "cluster":     myip=unset; hisip=unset;
000 "cluster":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "cluster":   policy: PSK+ENCRYPT+COMPRESS+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "cluster":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "cluster":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #3: "cluster":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 298s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "cluster":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 13s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: "cluster":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2991s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
```

Interestingly, if I run ike-scan against the server, this is what happens:

It doesn't seem to be taking my ike setting into account.

```
root@cluster1:~# ike-scan -M 172.16.0.108
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.0.108    Main Mode Handshake returned
    HDR=(CKY-R=641bffa66ba717b6)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4f45517b4f7f6e657a7b4351
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.008 seconds (118.19 hosts/sec).  1 returned handshake; 0 returned notify
root@cluster1:~#
```

I have no idea what is going on here; going by the examples, this is the simplest configuration I could come up with.

1 Answer

Server Fault user

Accepted answer

Posted on 2012-10-07 05:15:11

It turns out NETKEY doesn't support compress=yes.

Remove that setting and it works fine.

2 votes
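As an added example (not part of the original question or answer), a small Python checker that applies the diagnosis above to constructed copies of the configuration and status output quoted in the question: it flags compress=yes under protostack=netkey, and the phase 1 up / phase 2 failing signature (newest ISAKMP SA set, newest IPsec SA #0, a state stuck in EVENT_CRYPTO_FAILED). The finding strings and the ipsec.conf parsing rules are my own assumptions, not Openswan's.

```python
import re

# Constructed samples, trimmed from the config and status output quoted in the question.
IPSEC_CONF = """\
config setup
        protostack=netkey

conn L2TP-PSK-CLUSTER
        type=transport
        left=172.16.0.107
        right=172.16.0.108
        compress=yes
"""
STATUS = """\
000 "cluster":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #3: "cluster":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 298s; idle
"""

def parse_conf(text):
    """Return {section: {key: value}}; sections are 'setup' and each conn name (assumed layout)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line and not line[0].isspace():        # 'config setup' / 'conn NAME' header
            parts = line.split()
            current = parts[1] if parts[0] in ("config", "conn") and len(parts) == 2 else None
            if current:
                sections[current] = {}
        elif current and "=" in line:             # indented key=value inside a section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def conf_findings(sections):
    """Flag compress=yes on a conn while the netkey protostack is in use."""
    if sections.get("setup", {}).get("protostack") != "netkey":
        return []
    return [f"conn {name}: compress=yes is not supported by NETKEY"
            for name, opts in sections.items()
            if name != "setup" and opts.get("compress", "no").lower() == "yes"]

def status_findings(text):
    """Flag phase 1 up with no phase 2 SA, plus any state stuck in EVENT_CRYPTO_FAILED."""
    findings = []
    m = re.search(r"newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)", text)
    if m and m.group(1) != "0" and m.group(2) == "0":
        findings.append("ISAKMP SA established but no IPsec SA: quick mode is failing")
    for m in re.finditer(r'#(\d+): "[^"]+":\d+ (STATE_\w+).*EVENT_CRYPTO_FAILED', text):
        findings.append(f"state #{m.group(1)} ({m.group(2)}) hit EVENT_CRYPTO_FAILED")
    return findings
```

Run `conf_findings(parse_conf(open("/etc/ipsec.conf").read()))` and `status_findings(...)` on a real `ipsec auto --status` dump to apply the same two checks to a live host.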
Original page content provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://serverfault.com/questions/435607
