openswan源碼ubantu下編譯、安裝、基本環境搭建

原創 2603898260 2020-06-22 17:39

openswan的編譯過程

文章目錄

1. 下載源碼:

對於openswan源碼,我們是從官網上下載的。這裏提供兩個不同的網站:

2. 在虛擬機上解壓後編譯:

我解壓後的源碼目錄爲:root@ubantu:/usr/src/openswan-2.6.51.5#

2.1 查看INSTALL文件

root@ubantu:/usr/src/openswan-2.6.51.5# cat INSTALL 

Please read the documentation in doc/ & docs/

Building userland: 

	make programs install

Building KLIPS kernel module on 2.4 (assuming your kernel source is /usr/src/linux-2.4)

	make KERNELSRC=/usr/src/linux-2.4 module minstall

Building KLIPS kernel module on 2.6

	make KERNELSRC=/lib/modules/`uname -r`/build module minstall
root@ubantu:/usr/src/openswan-2.6.51.5#

從這個文件可以看出直接運行make programs install命令即可。直接輸入該命令進行編譯:

root@ubantu:/usr/src/openswan-2.6.51.5# make programs install
OBJDIR: OBJ.linux.x86_64
(cd /usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 && OBJDIRTOP=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 OBJDIR=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 make programs )
make[1]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
make[2]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib/libopenswan'
CC id.c
In file included from /usr/src/openswan-2.6.51.5/include/certs.h:24:0,
                 from /usr/src/openswan-2.6.51.5/lib/libopenswan/id.c:42:
/usr/src/openswan-2.6.51.5/include/secrets.h:20:10: fatal error: gmp.h: No such file or directory
 #include <gmp.h>    /* GNU MP library */
          ^~~~~~~
compilation terminated.
/usr/src/openswan-2.6.51.5/lib/libopenswan/Makefile:175: recipe for target 'id.o' failed
make[3]: *** [id.o] Error 1
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib/libopenswan'
/usr/src/openswan-2.6.51.5/lib/Makefile:37: recipe for target 'programs' failed
make[2]: *** [programs] Error 1
make[2]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib'
Makefile:10: recipe for target 'programs' failed
make[1]: *** [programs] Error 1
make[1]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
Makefile:185: recipe for target 'programs' failed
make: *** [programs] Error 2
root@ubantu:/usr/src/openswan-2.6.51.5#

提示有錯誤:/usr/src/openswan-2.6.51.5/include/secrets.h:20:10: fatal error: gmp.h: No such file or directory

2.2 查看文件buildlin.sh文件

由於提示上述錯誤,且INSTALL文件中也沒有相關說明,因此我看了下其他的文件,發現在buildlin.sh中有相關的依賴。從這個名字上就能看出這個是Linux下的自動編譯腳本,因此我就嘗試運行了下:

root@ubantu:/usr/src/openswan-2.6.51.5# ./buildlin.sh 
You need to install libgmp-dev.
    apt-get install libgmp-dev
or  yum install gmp-dev

You need to install bison.
    apt-get install bison
or  yum install bison
You need to install flex.
    apt-get install flex
or  yum install flex
root@ubantu:/usr/src/openswan-2.6.51.5#

提示的結果是:缺少相應的庫,而第一個和我們上述的錯誤是相關的。因此一次安裝提示的幾個庫:

apt-get install libgmp-dev
apt-get install bison
apt-get install flex

安裝成功後,重新執行make programs install(這實際上是兩個命令make programsmake install,可以分開單獨執行),結果成功編譯安裝:

root@ubantu:/usr/src/openswan-2.6.51.5# make programs install
OBJDIR: OBJ.linux.x86_64
(cd /usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 && OBJDIRTOP=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 OBJDIR=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 make programs )
make[1]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
make[2]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib/libopenswan'
CC id.c
CC initaddr.c
CC initsaid.c
CC initsubnet.c
CC iprange.c
CC keyblobtoid.c
CC kernel_alg.c
CC lex.c
CC mpzfuncs.c
CC optionsfrom.c
CC oswconf.c
... ...
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/tncfg'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/klipsdebug'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/klipsdebug'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/pf_key'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/pf_key'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.mast'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.mast'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_startnetkey'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_startnetkey'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.netkey'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.netkey'
make[2]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs'
make[1]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
mkdir -p /usr/local/libexec/ipsec
if [ -n '' ]; then echo ' ' >/usr/local/lib/ipsec/vendor.txt; fi
root@ubantu:/usr/src/openswan-2.6.51.5#

3. 查看是否安裝成功:

3.1 查看版本信息:

root@ubantu:/usr/src/openswan-2.6.51.5/docs# ipsec --version
Linux Openswan U2.6.51.5/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
root@ubantu:/usr/src/openswan-2.6.51.5/docs#

可以看出我安裝的是Linux Openswan U2.6.51.5/K版本

3.2 執行ipsec verify命令:

注意:下面可能只是我的虛擬環境配置導致的問題,不是沒有給人會遇到(如果是純淨的環境可能會遇到)

執行ipsec verify命令後提示有錯誤:命令找不到

root@ubantu:/etc/ipsec.d/examples# ipsec verify
/usr/local/sbin/ipsec: 148: exec: /usr/local/libexec/ipsec/verify: not found
root@ubantu:/etc/ipsec.d/examples#

然後我進入到此目錄,查看verify命令是否存在:

root@ubantu:/usr/local/libexec/ipsec# ls *verify*
verify  verify.old
root@ubantu:/usr/local/libexec/ipsec#

結果是存在此文件(命令),然後我查看了下是否有執行權限:

root@ubantu:/usr/local/libexec/ipsec# ll
total 24112
drwxr-xr-x 2 root root    4096 4月  30 09:03 ./
drwxr-xr-x 3 root root    4096 4月  30 08:10 ../
-rwxr-xr-x 1 root root 1473304 4月  30 09:03 addconn*
-rwxr-xr-x 1 root root 1473304 4月  30 09:02 addconn.old*
-rwxr-xr-x 1 root root    5122 4月  30 09:03 auto*
-rwxr-xr-x 1 root root    5122 4月  30 09:02 auto.old*
-rwxr-xr-x 1 root root   11297 4月  30 09:03 barf*
-rwxr-xr-x 1 root root   11297 4月  30 09:02 barf.old*
-rwxr-xr-x 1 root root  498600 4月  30 09:03 eroute*
-rwxr-xr-x 1 root root  498600 4月  30 09:02 eroute.old*
-rwxr-xr-x 1 root root  442432 4月  30 09:03 ikeping*
-rwxr-xr-x 1 root root  442432 4月  30 09:02 ikeping.old*
-rwxr-xr-x 1 root root    1028 4月  30 09:03 initnss*
-rwxr-xr-x 1 root root    1028 4月  30 09:02 initnss.old*
-rwxr-xr-x 1 root root  430320 4月  30 09:03 klipsdebug*
-rwxr-xr-x 1 root root  430320 4月  30 09:02 klipsdebug.old*
-rwxr-xr-x 1 root root    2783 4月  30 09:03 look*
-rwxr-xr-x 1 root root    2783 4月  30 09:02 look.old*
-rwxr-xr-x 1 root root    2480 4月  30 09:03 newhostkey*
-rwxr-xr-x 1 root root    2480 4月  30 09:02 newhostkey.old*
-rwxr-xr-x 1 root root  400136 4月  30 09:03 pf_key*
-rwxr-xr-x 1 root root  400136 4月  30 09:02 pf_key.old*
-rwxr-xr-x 1 root root 5405512 4月  30 09:03 pluto*
-rwxr-xr-x 1 root root 5405512 4月  30 09:02 pluto.old*
-rwxr-xr-x 1 root root   12349 4月  30 09:03 policy*
-rwxr-xr-x 1 root root   12349 4月  30 09:02 policy.old*
-rwxr-xr-x 1 root root   35784 4月  30 09:03 ranbits*
-rwxr-xr-x 1 root root   35784 4月  30 09:02 ranbits.old*
-rwxr-xr-x 1 root root  106800 4月  30 09:03 rsasigkey*
-rwxr-xr-x 1 root root  106800 4月  30 09:02 rsasigkey.old*
-rwxr-xr-x 1 root root     704 4月  30 09:03 secrets*
-rwxr-xr-x 1 root root     704 4月  30 09:02 secrets.old*
lrwxrwxrwx 1 root root      17 4月  30 09:03 setup -> /etc/init.d/ipsec*
-rwxr-xr-x 1 root root    1126 4月  30 09:03 showdefaults*
-rwxr-xr-x 1 root root    1126 4月  30 09:02 showdefaults.old*
-rwxr-xr-x 1 root root 1296672 4月  30 09:03 showhostkey*
-rwxr-xr-x 1 root root 1296672 4月  30 09:02 showhostkey.old*
-rwxr-xr-x 1 root root  670080 4月  30 09:03 spi*
-rwxr-xr-x 1 root root  464944 4月  30 09:03 spigrp*
-rwxr-xr-x 1 root root  464944 4月  30 09:02 spigrp.old*
-rwxr-xr-x 1 root root  670080 4月  30 09:02 spi.old*
-rwxr-xr-x 1 root root    1064 4月  30 09:03 status*
-rwxr-xr-x 1 root root    1064 4月  30 09:02 status.old*
-rwxr-xr-x 1 root root  426232 4月  30 09:03 tncfg*
-rwxr-xr-x 1 root root  426232 4月  30 09:02 tncfg.old*
-rwxr-xr-x 1 root root   16879 4月  30 09:03 verify*
-rwxr-xr-x 1 root root   16879 4月  30 09:02 verify.old*
-rwxr-xr-x 1 root root  579136 4月  30 09:03 whack*
-rwxr-xr-x 1 root root  579136 4月  30 09:02 whack.old*
root@ubantu:/usr/local/libexec/ipsec#

第48行顯示是有執行權限的,那麼是怎麼回事呢?

我又查看了下verify這個文件的類型:

root@ubantu:/usr/local/libexec/ipsec# file verify
verify: Python script, ASCII text executable
root@ubantu:/usr/local/libexec/ipsec#

結果顯示:verify是一個python腳本

然後我又看了先我的虛擬機是否有安裝python工具:通過輸入python命令或者直接輸入剛纔要執行的命令python verify都可以看到以下提示信息:

root@ubantu:/usr/local/libexec/ipsec# python

Command 'python' not found, but can be installed with:

apt install python3       
apt install python        
apt install python-minimal

You also have python3 installed, you can run 'python3' instead.

結果自然是沒有安裝python環境,於是乎我按提示安裝最小的python環境apt install python-minimal

root@ubantu:/usr/local/libexec/ipsec# apt install python-minimal
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.18.0-15 linux-headers-4.18.0-15-generic linux-image-4.18.0-15-generic linux-modules-4.18.0-15-generic
  linux-modules-extra-4.18.0-15-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libpython-stdlib python python2.7 python2.7-minimal
Suggested packages:
  python-doc python-tk python2.7-doc binfmt-support
The following NEW packages will be installed:
  libpython-stdlib python python-minimal python2.7 python2.7-minimal
0 upgraded, 5 newly installed, 0 to remove and 265 not upgraded.
Need to get 1,717 kB of archives.
After this operation, 4,990 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://cn.archive.ubuntu.com/ubuntu bionic-updates/main amd64 python2.7-minimal amd64 2.7.17-1~18.04ubuntu1 [1,294 kB]
Get:2 http://cn.archive.ubuntu.com/ubuntu bionic/main amd64 python-minimal amd64 2.7.15~rc1-1 [28.1 kB]
Get:3 http://cn.archive.ubuntu.com/ubuntu bionic-updates/main amd64 python2.7 amd64 2.7.17-1~18.04ubuntu1 [248 kB]
Get:4 http://cn.archive.ubuntu.com/ubuntu bionic/main amd64 libpython-stdlib amd64 2.7.15~rc1-1 [7,620 B]                                       
Get:5 http://cn.archive.ubuntu.com/ubuntu bionic/main amd64 python amd64 2.7.15~rc1-1 [140 kB]                                                  
Fetched 1,717 kB in 6s (278 kB/s)                                                                                                               
Selecting previously unselected package python2.7-minimal.
(Reading database ... 208792 files and directories currently installed.)
Preparing to unpack .../python2.7-minimal_2.7.17-1~18.04ubuntu1_amd64.deb ...
Unpacking python2.7-minimal (2.7.17-1~18.04ubuntu1) ...
Selecting previously unselected package python-minimal.
Preparing to unpack .../python-minimal_2.7.15~rc1-1_amd64.deb ...
Unpacking python-minimal (2.7.15~rc1-1) ...
Selecting previously unselected package python2.7.
Preparing to unpack .../python2.7_2.7.17-1~18.04ubuntu1_amd64.deb ...
Unpacking python2.7 (2.7.17-1~18.04ubuntu1) ...
Selecting previously unselected package libpython-stdlib:amd64.
Preparing to unpack .../libpython-stdlib_2.7.15~rc1-1_amd64.deb ...
Unpacking libpython-stdlib:amd64 (2.7.15~rc1-1) ...
Setting up python2.7-minimal (2.7.17-1~18.04ubuntu1) ...
Linking and byte-compiling packages for runtime python2.7...
Setting up python-minimal (2.7.15~rc1-1) ...
Selecting previously unselected package python.
(Reading database ... 208849 files and directories currently installed.)
Preparing to unpack .../python_2.7.15~rc1-1_amd64.deb ...
Unpacking python (2.7.15~rc1-1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.2) ...
Setting up python2.7 (2.7.17-1~18.04ubuntu1) ...
Setting up libpython-stdlib:amd64 (2.7.15~rc1-1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1.1) ...
Setting up python (2.7.15~rc1-1) ...
root@ubantu:/usr/local/libexec/ipsec#

成功安裝上python後,重新執行ipsec verify,結果如下:

root@ubantu:/usr/local/libexec/ipsec# ipsec verify
/usr/local/libexec/ipsec/verify 
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                   	[OK]
Openswan U2.6.51.5/K5.3.0-46-generic (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects            	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                         	[OK]
Hardware random device check                      	[N/A]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE on tcp 500               	[NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto listening for IKE/NAT-T on tcp 4500        	[NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)     	[NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]

ipsec verify: encountered errors
root@ubantu:/usr/local/libexec/ipsec#

算是解決了ipsec verify無法顯示的問題。

3.3 啓動IPSec服務:

通過命令/etc/init.d/ipsec start命令來啓動IPSec服務(爲啥我的服務打印了這麼多信息我還不清楚,原來大的環境記得沒這麼多內容,但是應該不是出錯的原因):

root@ubantu:/usr/local/libexec/ipsec# /etc/init.d/ipsec start
export IPSECconfreadstatus=''
export IPSECklipsdebug=''
export IPSECplutodebug=''
export IPSECplutostderrlogtime='no'
export IPSECplutorestartoncrash='yes'
export IPSECdumpdir='/var/run/pluto/'
export IPSECplutowait='no'
export IPSECoe='no'
export IPSECfragicmp='yes'
export IPSEChidetos='yes'
export IPSECuniqueids='yes'
export IPSECnocrsend='no'
export IPSECstrictcrlpolicy='no'
export IPSECforce_busy='no'
export IPSECvirtual_private='%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10'
export IPSECnat_traversal='yes'
export IPSECdisable_port_floating='no'
export IPSECforce_keepalive='no'
export IPSECprotostack='auto'
export IPSECnhelpers='-1'
export IPSECsecctx_attr_value='32001'
# obsolete option 'IPSECforwardcontrol' ignored
# obsolete option 'IPSECrp_filter' ignored
# obsolete option 'IPSECplutofork' ignored
<27>Apr 30 10:09:19 ipsec_setup: /usr/local/lib/ipsec/_realsetup start
<27>Apr 30 10:09:19 ipsec_setup: Starting Openswan IPsec 2.6.51.5...
<27>Apr 30 10:09:19 ipsec_setup: /usr/local/lib/ipsec/_startklips --info /var/run/pluto/ipsec.info --debug  --omtu  --fragicmp  --hidetos  --log daemon.error %defaultroute
<27>Apr 30 10:09:19 ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
<27>Apr 30 10:09:20 ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
<27>Apr 30 10:09:20 ipsec_setup: /usr/local/lib/ipsec/_startnetkey 
<27>Apr 30 10:09:20 ipsec_setup: MANUALSTART_confreadstatus=
<27>Apr 30 10:09:20 ipsec_setup: MANUALSTART_confreadnames=""
<27>Apr 30 10:09:20 ipsec_setup: /usr/local/lib/ipsec/_plutorun --debug  --uniqueids yes --force_busy  --nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive  --protostack auto --force_keepalive  --disable_port_floating no --virtual_private  --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog  --wait no --plutostderrlogtime no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
root@ubantu:/usr/local/libexec/ipsec#

然後重新通過ipsec verify查看啓動情況:

root@ubantu:/usr/local/libexec/ipsec# ipsec verify
/usr/local/libexec/ipsec/verify 
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                   	[OK]
Openswan U2.6.51.5/K5.3.0-46-generic (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
         ICMP default/accept_redirects            	[NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                         	[OK]
Hardware random device check                      	[N/A]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE on tcp 500               	[NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500        	[DISABLED]
 Pluto listening for IKE/NAT-T on tcp 4500        	[NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)     	[NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]

ipsec verify: encountered errors
root@ubantu:/usr/local/libexec/ipsec#

該啓動的基本成功啓動。

3.4 修改配置文件:

3.4 修改配置文件:

由於使用ipsec verify命令查詢模塊信息時會提示Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!類似的信息,因此需要修改配置禁用ICMP的重定向功能。我根據網上的資料,整理了一個shell腳本。直接運行腳本即可:

#########################################################################
# File Name: openswan_redirects.sh
# Author: Toney Sun
# mail: [email protected]
# Created Time: 2020年05月01日 星期五 10時33分15秒
#########################################################################
#!/bin/bash

for each in /proc/sys/net/ipv4/conf/*
do
	echo ${each##*/}
    #echo 0 > $each/send_redirects
    #echo 0 > $each/accept_redirects
    echo "net.ipv4.conf.${each##*/}.send_redirects=0" >> /etc/sysctl.conf
    echo "net.ipv4.conf.${each##*/}.accept_redirects=0" >> /etc/sysctl.conf
done
sysctl -p

3.5 重新啓動ipsec功能:

再次輸入命令重啓ipsec功能:/etc/init.d/ipsec restart

root@ubantu:/etc/ipsec.d# 
root@ubantu:/etc/ipsec.d# /etc/init.d/ipsec restart
<27>May  1 14:43:01 ipsec_setup: Stopping Openswan IPsec...
<27>May  1 14:43:02 ipsec_setup: Starting Openswan IPsec U2.6.51.5/K5.3.0-51-generic...
root@ubantu:/etc/ipsec.d#

注意:我在3.3時,啓動ipsec服務,打印了很多內容,這裏確實是有問題的,可能是配置文件有錯誤導致的。我花費了一個上午的時間也沒有找到是什麼原因。後來更換了一個配置文件(自己寫的ipsec隧道連接信息)就好了:(😦。我想說的是正常的啓動只有上述兩行打印信息。。。

3.6 添加自己的隧道環境配置

這裏我添加上自己的配置信息,這是個最基本的隧道協商配置,可以協商成功:

  • /etc/ipsec.conf

    這個文件是openswan安裝後的一個配置文件,可以在這個文件裏添加隧道配置信息,但是我不推薦,因爲我想盡可能的保留它的原有信息。只添加了最後一行,引入自己的配置文件(ipsec_vpn.conf)

    # /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Enable core dumps (might require system changes, like ulimit -C)
	# This is required for abrtd to work properly
	# Note: incorrect SElinux policies might prevent pluto writing the core
	dumpdir=/var/run/pluto/
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their 3G network.
	# This range has not been announced via BGP (at least upto 2010-12-21)
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	#protostack=auto
	protostack=netkey
	# Use this to log to a file, or disable logging on embedded systems (like openwrt)
	plutostderrlog=/var/log/pluto.log

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#		# Left security gateway, subnet behind it, nexthop toward right.
#		left=10.0.0.1
#		leftsubnet=172.16.0.0/24
#		leftnexthop=10.22.33.44
#		# Right security gateway, subnet behind it, nexthop toward left.
#		right=10.12.12.1
#		rightsubnet=192.168.0.0/24
#		rightnexthop=10.101.102.103
#		# To authorize this connection, but not actually start it, 
#		# at startup, uncomment this.
#		#auto=add
include /etc/ipsec.d/ipsec_vpn.conf

  • /etc/ipsec.d/ipsec_vpn.conf

這個文件完全是自己的(當然是參考給的demo)隧道配置信息:

conn test

        auto=start
        pfs=no                  # PFS(Perfect Forward Secrecy)
        compress=no             # IP Compression
        type=tunnel     
        keyingtries=0
        disablearrivalcheck=no

        ## phase 1 ##
        ike=aes128-sha1;modp1024  # 第一階段參數
        ikelifetime=86400s        # 第一階段的生存時間
        keyexchange=ike
        ## phase 2 ##
        phase2alg=aes128-sha1     # 第二階段參數
        salifetime=3600s          # 第二階段參數
        phase2=esp

        left=192.168.1.3
        leftid=@left
        leftsubnet=10.28.1.0/24
        leftsourceip=192.168.1.3
        leftnexthop=%defaultroute

        right=192.168.1.13
        rightid=@right
        rightsubnet=10.28.2.0/24
        rightsourceip=192.168.1.13
        rightnexthop=%defaultroute
       
	# rsakey AQPGLAfkE
	leftrsasigkey=0sAQPGLAfkEfGISg4FfXZqRe47LMX5sGyG+0ec1b5FWDriEpy4tiOvjusVzx2eyP3PTM+J9uKW93GxRugxpqa82O/aegGpnUpWGHBnEBBIvjpiMawrv3RhtCYeXodMKKqI6jhdEYzU69AYHkbPI3jOtk8TVYhaoSEkDRoBkbUzasAXOCrxL6a61G8C8XwOaW0qz+yEaoYwh/Nhc0fz1li/vQWofwXuR7ZQ5FlfDUY+JCgqbIhpmUfA9mRtawqIupYxQO3j55lhX4yUT9mBcRl9dlUNZnNEXL3hvoIABm/O+xMTwM695JBF0lVM5MJ/zizy7TsbHFJlNEPuGMI/An4FseHK0pQwe4BUZ08A8izIiI9ZT4Lp
	# rsakey AQOzIeXfR
	rightrsasigkey=0sAQOzIeXfRPL5ODGw97Y6wwotc9LExdihgdfxprYLKukKSpe3oH9G6smILqqkU+8INImuHwpL7mDPqKxDWb/YiYxRgRciXAMkuhq8c/IjcVIbK9EXSmWyPkC1Rn5+cD+2FDUd85FtQWMlEObwLJDC0UxqN5ZoFr7sR0Kur9LqZFS1FlD72E/x3RckY1R/LiR27R83Zv2EXEi1lhYf/ZstKPsGuzlEAzSnyV6jRz9Urz/SFrnyL8vGapiq5p6q+PkBEqsw97Wp8taj8tzK+lH1oxMB4+ArUKhGNk/w+tKPgKrLI8AR2nh2892P6cN0dta83t67k8Mf0ZrOCpxWLcZUnjLkFBvs9fJca3ONXH2RA+jMjn1l

隧道兩端可以使用同一個配置文件(已經區分開了左右的配置)。

隧道協商過程抓包如下:
在這裏插入圖片描述

使用命令行查看狀態信息如下:

root@ubantu:/home# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface ens33/ens33 2409:8a00:18eb:2b00:69e6:ab5c:116a:da03 (AF_INET6)
000 interface ens33/ens33 2409:8a00:18eb:2b00:cdca:7d9:32ac:4d08 (AF_INET6)
000 interface lo/lo ::1 (AF_INET6)
000 interface lo/lo 127.0.0.1 (AF_INET)
000 interface lo/lo 127.0.0.1 (AF_INET)
000 interface ens33/ens33 192.168.1.3 (AF_INET)
000 interface ens33/ens33 192.168.1.3 (AF_INET)
000 using secrets file: /etc/ipsec.secrets
000 %myid = (none)
000 debug none
000  
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets: 
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 
000          private address space in internal use, it should be excluded!
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048} 
000  
000 "test": 10.28.1.0/24===192.168.1.3[@left]---192.168.1.1...192.168.1.1---192.168.1.13[@right]===10.28.2.0/24; erouted; eroute owner: #4
000 "test":     myip=192.168.1.3; hisip=192.168.1.13;
000 "test":   keys: 1:8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022 2:none...
000 "test":        ....1:AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D 2:none 
000 "test":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
000 "test":   policy: RSASIG+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: ens33; kind=CK_PERMANENT
000 "test":   newest ISAKMP SA: #1; newest IPsec SA: #4; eroute owner: #4;
000 "test":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "test":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "test":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "test":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "test":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "test":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000  
000 #3: "test":500 IKEv1.0 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3207s; isakmp#2; idle; import:not set
000 #3: "test" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #2: "test":500 IKEv1.0 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 86007s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #4: "test":500 IKEv1.0 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2940s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "test" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #1: "test":500 IKEv1.0 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85579s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000  
root@ubantu:/home#

從80行開始便是隧道協商信息。

日誌信息如下:

root@ubantu:/var/log# cat pluto.log 
Plutorun started on Fri May 1 15:06:45 CST 2020
adjusting ipsec.d to /etc/ipsec.d
Labelled IPsec not enabled; value 32001 ignored.
Starting Pluto (Openswan Version 2.6.51.5; Vendor ID OSW~|tYiWYsW) pid:25601
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=25603 (fd:7)
Using Linux XFRM/NETKEY IPsec interface code on 5.3.0-51-generic
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
using /dev/urandom as source of random entropy
loaded key: 8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022
loaded key: AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D
use keyid: 1:8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022 / 2:<>
use keyid: 1:AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D / 2:<>
adding connection: "test"
listening for IKE messages
adding interface ens33/ens33 192.168.1.3:500 (AF_INET)
adding interface ens33/ens33 192.168.1.3:4500
adding interface lo/lo 127.0.0.1:500 (AF_INET)
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500 (AF_INET6)
adding interface ens33/ens33 2409:8a00:18eb:2b00:cdca:7d9:32ac:4d08:500 (AF_INET6)
adding interface ens33/ens33 2409:8a00:18eb:2b00:69e6:ab5c:116a:da03:500 (AF_INET6)
loading secrets from "/etc/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQPGLAfkE/8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022
| creating SPD to 192.168.1.3->spi=[email protected] proto=61
| creating SPD to 192.168.1.3->spi=[email protected] proto=61
"test" #1: initiating Main Mode
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
pending Quick Mode with 192.168.1.13 "test" took too long -- replacing phase 1
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
packet from 192.168.1.13:500: received Vendor ID payload [Openswan (this version) 2.6.51.5 ]
packet from 192.168.1.13:500: received Vendor ID payload [Dead Peer Detection]
packet from 192.168.1.13:500: received Vendor ID payload [RFC 3947] method set to=115 
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
"test" #2: responding to Main Mode
"test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"test" #2: STATE_MAIN_R1: sent MR1, expecting MI2
"test" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
"test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #2 INITIATOR keylen is 20
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #2 RESPONDER keylen is 0
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/ikev1_main.c:1206: encryptor 'aes' expects keylen 16/128, SA #2 INITIATOR keylen is 20
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/ikev1_main.c:1206: encryptor 'aes' expects keylen 16/128, SA #2 RESPONDER keylen is 0
"test" #2: Main mode peer ID is ID_FQDN: '@right'
"test" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"test" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG oursig= theirsig=AQOzIeXfR cipher=aes_128 prf=oakley_sha group=modp1024}
"test" #2: the peer proposed: 10.28.1.0/24:0/0 -> 10.28.2.0/24:0/0
"test" #3: responding to Quick Mode proposal {msgid:d7a7bc25}
"test" #3:     us: 10.28.1.0/24===192.168.1.3[@left]---192.168.1.1
"test" #3:   them: 192.168.1.1---192.168.1.13[@right]===10.28.2.0/24
| creating SPD to 192.168.1.13->spi=[email protected] proto=4
"test" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"test" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
| creating SPD to 192.168.1.3->spi=[email protected] proto=4
"test" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"test" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4476710a <0xaaa03819 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"test" #1: received Vendor ID payload [Openswan (this version) 2.6.51.5 ]
"test" #1: received Vendor ID payload [Dead Peer Detection]
"test" #1: received Vendor ID payload [RFC 3947] method set to=115 
"test" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
"test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #1 INITIATOR keylen is 20
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #1 RESPONDER keylen is 0
"test" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
"test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"test" #1: received Vendor ID payload [CAN-IKEv2]
"test" #1: Main mode peer ID is ID_FQDN: '@right'
"test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG oursig= theirsig=AQOzIeXfR cipher=aes_128 prf=oakley_sha group=modp1024}
"test" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:e65ec697 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
| creating SPD to 192.168.1.3->spi=[email protected] proto=4
"test" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"test" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5863f7d3 <0xf2d719f9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
root@ubantu:/var/log#

至此,openswan纔是真的編譯、安裝、環境搭建完畢。

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

IKEv2協議幾個問題調試過程以及關鍵知識點總結整理

文章目錄@[toc]1. IKEv2基本原理2. IKEv2功能遇到的問題2.1 問題一:==隧道協商速度慢,多條隧道協商時經常協商不起來==①初步分析定位②函數調用關係③問題原因2.2 問題二和三:==與華爲設備對接IKEv2時

2603898260 2020-07-08 10:32:36

百度智能雲可編程網關技術升級,爲AI原生雲打造10T級高速智能雲網絡

隨着數字化轉型和智能化升級的加速,更多的企業級應用開始基於多雲、混合雲、邊緣雲等新模式構建,比如自動駕駛、車路協同、物聯網、電商、視頻、遊戲等。這些應用對網絡提出了更高的要求,尤其是對雲網關產生了重大挑戰: 面對動輒 T 級別的帶

百度開發者中心 2021-12-27 21:29:40

深入 HTTP/3(一)|從 QUIC 鏈接的建立與關閉看協議的演進

文|曾柯(花名:毅絲 ) 螞蟻集團高級工程師 負責螞蟻集團的接入層建設工作 主要方向爲高性能安全網絡協議的設計及優化 本文 10279 字 閱讀 18 分鐘 PART. 1 引言 作爲系列文章的第一篇,引言部分就先稍微繁瑣一點,讓大家對這

原創 2021-12-25 21:46:42

軟路由OpenWrt(LEDE)2020.4.6編譯 UnPnP+NAS+多撥+網盤+DNS優化

近期更新:2020.04.06編譯-基於OpenWrt R2020.3.19版本,源碼截止2020.04.06。   2020.04.06更新記錄: 以軟件包形式提供ServerChan(微信推送)

osc_feymneeg 2021-12-25 21:43:37

【x64軟路由】OpenWrt(LEDE) 20200329編譯 反追蹤 抗污染 加速 PSW 無縫集成 UPnP NAS

固件說明 基於Lede OpenWrt R2020.3.19版本(源碼更新截止20200329)Lienol Feed及若干自行維護的軟件包 結合家庭x86軟路由場景需要定製

osc_omyprm56 2021-12-25 21:20:49

智能網聯汽車信息安全測試解決方案

概述        爲滿足日益嚴格的國內外法規和標準要求,應對愈發嚴峻的信息安全風險,智能網聯汽車通常集成越來越多的信息安全檢測和防禦措施。而相關的安全措施集成到部件和整車之後,能否發揮有效的防護效果,需要通過嚴格的信息安全測試進行驗證和確

原創 2021-12-25 21:12:38

CCNP(ISCW)實驗:配置Cisco IOS *** Server Client

掌握easy ***的配置掌握cisco *** client的配置 預配置R1(config)#int e0/0R1(config-if)#ip add 192.168.0.1 255.255.255.0R1(config-if)#no

osc_p4wgjz7p 2021-01-31 09:12:26

CCNP(ISCW)實驗:用命令行配置GRE OVER IPSEC ***

第一步:配置基本路由:見圖第二步:配置tunnelR1(config)#interface tunnel 1R1(config-if)#ip add 10.0.0.1 255.255.255.252R1(config-if)#tu so

osc_cgllnrkd 2021-01-30 11:01:39

CCNP(ISCW)實驗:用SDM配置GRE OVER IPSEC ***

實驗過程: GRE OVER IPSEC ***:可以用在公司於公司之間的安全連接,在***的隧道內可以支持傳遞動態路由協議的更新報文等。 第一步:配置各路由器使它們各自直連能通和能用SDM登錄 要注意的問題是,配置http server

osc_2ch77h9m 2021-01-30 10:38:15

CCNP(ISCW)實驗:配置Windows進行IP SEC通信

實驗過程: 第一步:在運行中輸入mmc第二步:在彈出的控制檯中選擇“文件”--- 添加/刪除管理單元。第三步:在彈出的添加/刪除管理單元選擇“添加”第四步:添加獨立單元中選擇“ip安全策略管理”第五步:選擇“本地計算機”在點擊完成第六步:

osc_2ch77h9m 2021-01-30 10:38:14

在Linux上配置WireGuard VPN服務

什麼是 WireGuard ? 其官方宣稱是快速、現代以及安全的VPN隧道(Fast, Modern, Secure VPN Tunnel)。 WireGuard使用了最先進的加密技術,相比 IPSec 更簡單更精簡,而且擁有幾乎超越 Op

原創 2021-01-30 10:35:42

zabbix 基於網段登錄白名單告警

思路: 服務端定義一個地址池,主機獲得入參提供的地址池後判斷後返回結果給服務器 step1 測試數據 agent 調試 /usr/local/zabbix-agent/etc/zabbix_agentd.conf.d/ip_securit

原創 2021-01-30 10:27:31

網絡工程師面試題目整理

請寫出 568A 與 568B 的線序:568B 橙白 橙 綠白 藍 藍白 綠 棕白 棕568A 綠白 綠 橙白 藍 藍白 橙 棕白 棕路由管理距離的作用?rip ,ospf、 igrp, 內部eigrp, 外部eigrp,外部bgp

osc_kpudfkjk 2021-01-30 10:25:09

EDA 架構方案 說明書

防火牆作爲本架構信息安全的第一要點,主要功能是將桌面終端和研發網隔離開,限制桌面終端訪問研發網的權限,保證研發數據保持在研發區中流轉,不外泄。其他主要的要素如下: 攔截來自外網的病毒、掃描和******; 遠程安全辦公:SSL***

osc_c05lkk3u 2021-01-30 10:01:12

5G工業路由器

星縱智能UR75是一款精緻小巧、性能強大的5G工業路由器。強大的硬件設計結合豐富的軟件特性使UR75能勝任各式各樣的物聯網/M2M應用。高速5G網絡提供穩定可靠的連接能力,爲您創造一個永不掉線的網絡環境。UR75-5G工業路由器內置4核高

osc_p23q7y3z 2021-01-30 10:00:42