OpenS/Wan xl2tpd ipsec
Gentlemen, please help me understand why the IP forward check keeps failing. The overall task is to set up a secure connection for clients. The server is behind NAT. The clients are Windows.
The problem is this:
vpn#ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.7.10-gentoo (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
vpn# cat /etc/sysctl.conf | grep forwa
# Disables packet forwarding
net.ipv4.ip_forward = 1
vpn# cat /etc/sysctl.conf | grep filter
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
Configs:
ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    plutodebug="all"
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/plutodebug.log
    #interfaces="%defaultroute"

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=A.A.A.A
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

conn passthrough-for-non-l2tp
    type=passthrough
    left=A.A.A.A
    leftnexthop=B.B.B.B
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    auto=route
kernel
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
CONFIG_IPC_NS=y
CONFIG_XFRM=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE_STATS is not set
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_IP_MROUTE=y
# CONFIG_IP_MROUTE_MULTIPLE_TABLES is not set
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
# CONFIG_INET_XFRM_MODE_BEET is not set
CONFIG_INET_LRO=y
# CONFIG_INET_DIAG is not set
CONFIG_IPV6=y
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
# CONFIG_INET6_IPCOMP is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_INET6_XFRM_TUNNEL is not set
# CONFIG_INET6_TUNNEL is not set
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
CONFIG_IPV6_SIT=y
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_TUNNEL is not set
# CONFIG_IPV6_GRE is not set
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IP_SET is not set
# CONFIG_IP_VS is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_RAW=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_RAW is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IP1000 is not set
# CONFIG_IPMI_HANDLER is not set
CONFIG_HW_RANDOM=y
# CONFIG_HW_RANDOM_TIMERIOMEM is not set
CONFIG_HW_RANDOM_INTEL=y
CONFIG_HW_RANDOM_AMD=y
CONFIG_HW_RANDOM_GEODE=y
CONFIG_HW_RANDOM_VIA=y
# CONFIG_IPWIRELESS is not set
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_CRYPTO_DEV_PADLOCK is not set
# CONFIG_CRYPTO_DEV_GEODE is not set
# CONFIG_CRYPTO_DEV_HIFN_795X is not set
iptables
vpn# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 18419 packets, 1596K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 709 packets, 54430 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1971 packets, 145K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1971  145K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
lsmod
vpn# lsmod
Module                  Size  Used by
ah4                     4197  0
esp4                    5181  0
xfrm4_tunnel            1334  0
ipcomp                  1537  0
xfrm_ipcomp             2901  1 ipcomp
af_key                 23218  0
ipt_MASQUERADE          1287  1
iptable_nat             2099  1
nf_nat_ipv4             2937  1 iptable_nat
nf_nat                 10744  3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
Temporarily solved it like this:

# /usr/libexec/ipsec/verify
printfun "Two or more interfaces found, checking IP forwarding";
open("cat", "/proc/sys/net/ipv4/ip_forward");   # reads the kernel's current value from /proc
if(<cat> == "0")                                  # <cat> is the first line of that file
{
    $reterr = 1;
    errchk "";
}
I still have not figured out what the problem is: whether the value is being parsed wrong, or whether some piece of software is needed.
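An added example, not from the thread and not Openswan's own code: the verify snippet quoted above opens /proc/sys/net/ipv4/ip_forward, i.e. the value the kernel is using right now, while the original post only shows `net.ipv4.ip_forward = 1` in /etc/sysctl.conf, which the kernel picks up at boot or when `sysctl -p` is run. The POSIX sh script below reproduces the forwarding check and, when it fails, compares the runtime value with the config file to say which of the two disagrees. The function names are hypothetical; the file paths are parameters so the demo at the bottom can run against constructed sample files that mirror the post (config says 1).

```shell
#!/bin/sh
# Added example: reproduce the "checking IP forwarding" step of
# `ipsec verify` and explain a FAILED result by comparing the kernel's
# runtime value with what the sysctl config file would set.
# Function names are hypothetical; paths are parameters so the demo
# below can run against constructed files instead of the live system.

# Value the kernel is actually using. This is the same file the
# verify script reads; defaults to the live /proc entry.
runtime_ip_forward() {
    tr -d '[:space:]' < "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Value the config file *would* set. Comment lines are skipped and,
# as with `sysctl -p`, the last assignment wins. Prints nothing when
# the key is absent.
configured_ip_forward() {
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' \
        "${1:-/etc/sysctl.conf}" | tail -n 1
}

# Same verdict as the verify script: OK only when the runtime value is 1.
# On FAILED, prints one diagnosis line and returns 1.
check_ip_forward() {
    rt=$(runtime_ip_forward "$1" 2>/dev/null)
    cf=$(configured_ip_forward "$2" 2>/dev/null)
    if [ "$rt" = "1" ]; then
        echo "Two or more interfaces found, checking IP forwarding [OK]"
        return 0
    fi
    echo "Two or more interfaces found, checking IP forwarding [FAILED]"
    case "$cf" in
        1) echo "diagnosis: config sets ip_forward=1 but the kernel has '$rt';"
           echo "           the file was never applied (sysctl -p, or sysctl -w net.ipv4.ip_forward=1)" ;;
        0) echo "diagnosis: config explicitly disables forwarding" ;;
        *) echo "diagnosis: config does not set net.ipv4.ip_forward; the kernel default is 0" ;;
    esac
    return 1
}

# Demo on constructed files: the situation in the post, where the
# config says 1 but the kernel still reports 0.
demo() {
    d=$(mktemp -d)
    printf '0\n' > "$d/ip_forward"
    printf '# Disables packet forwarding\nnet.ipv4.ip_forward = 1\nnet.ipv4.conf.all.rp_filter = 0\n' \
        > "$d/sysctl.conf"
    check_ip_forward "$d/ip_forward" "$d/sysctl.conf" || true
    rm -rf "$d"
}
demo
```

Run it without arguments on the VPN box itself (`check_ip_forward` with no paths uses the live /proc entry and /etc/sysctl.conf); if the diagnosis says the file was never applied, `sysctl -p` followed by `ipsec verify` is the thing to try before patching the verify script.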