Help: how to make strongswan ipsec run at startup on Ubuntu Server v15


Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#1

Post by gkc » 2016-07-30 17:06

The strongswan IPsec VPN server is already configured.
How do I get ubuntu server to start the VPN server automatically on every boot?

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#2

Post by vickycq » 2016-07-30 18:21

1. State how strongswan was installed and the strongswan version
2. Run the following commands and paste the full output here

Code:

cat /etc/issue
find /etc | grep 'strongswan.conf'
find /lib/systemd | grep 'strongswan.service'
sudo ls -l /proc/1/exe /sbin/init
sudo systemctl status strongswan.service
Debian Chinese Forum - forums.debiancn.org
Welcome to all Debian GNU/Linux users

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#3

Post by gkc » 2016-08-01 11:59

vickycq wrote: 1. State how strongswan was installed and the strongswan version
2. Run the following commands and paste the full output here

Code:

cat /etc/issue
find /etc | grep 'strongswan.conf'
find /lib/systemd | grep 'strongswan.service'
sudo ls -l /proc/1/exe /sbin/init
sudo systemctl status strongswan.service

strongswan was compiled and installed from source, version 5.3.0
The output is below

Code:

Ubuntu 15.10 \n \l

/etc/init/strongswan.conf
/etc/strongswan.conf
lrwxrwxrwx 1 root root  0 Jul 28 10:07 /proc/1/exe -> /lib/systemd/systemd
lrwxrwxrwx 1 root root 20 Jan 27  2016 /sbin/init -> /lib/systemd/systemd
● strongswan.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#4

Post by gkc » 2016-08-01 12:42

vickycq wrote: 1. State how strongswan was installed and the strongswan version
2. Run the following commands and paste the full output here

Code:

cat /etc/issue
find /etc | grep 'strongswan.conf'
find /lib/systemd | grep 'strongswan.service'
sudo ls -l /proc/1/exe /sbin/init
sudo systemctl status strongswan.service
Compiled and installed from source, version v5.3.0. After a system reboot it can currently only be started with sudo ipsec start; I would like it to start automatically.

Output

Code:

Ubuntu 15.10 \n \l

/etc/init/strongswan.conf
/etc/strongswan.conf
lrwxrwxrwx 1 root root  0 Jul 28 10:07 /proc/1/exe -> /lib/systemd/systemd
lrwxrwxrwx 1 root root 20 Jan 27  2016 /sbin/init -> /lib/systemd/systemd
● strongswan.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#5

Post by vickycq » 2016-08-01 14:30

gkc wrote: /etc/init/strongswan.conf
This shows that a service configuration file for upstart was provided.
gkc wrote: Ubuntu 15.10 \n \l
lrwxrwxrwx 1 root root 0 Jul 28 10:07 /proc/1/exe -> /lib/systemd/systemd
This shows that your 15.10 is not using upstart but systemd.
gkc wrote: strongswan.service Loaded: not-found (Reason: No such file or directory)
This shows that no service configuration file for systemd was provided.
gkc wrote: Compiled and installed from source, version v5.3.0. After a system reboot it can currently only be started with sudo ipsec start; I would like it to start automatically.
You can write your own systemd service configuration file, /lib/systemd/system/strongswan.service.
While writing it, you can refer to the strongswan.service shipped with strongswan-starter in the Ubuntu repositories.

Create /lib/systemd/system/strongswan.service with the following content

Code:

[Unit]
Description=strongSwan IPsec services
Wants=network-online.target
After=network-online.target

[Service]
Type=forking
Restart=on-failure
ExecStartPre=/bin/mkdir -p /var/lock/subsys
Environment="PIDFILE=/var/run/charon.pid"
ExecStart=/usr/sbin/ipsec start
ExecStop=/usr/sbin/ipsec stop
ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid

[Install]
WantedBy=multi-user.target
The actual path of the executable (/usr/sbin/ipsec) must be confirmed on your system; do not copy it blindly.
After saving, run the following command so that it starts at boot

Code:

sudo systemctl enable strongswan.service
======================

P.S.
1. The strongswan-5.5.0.tar.bz2 downloaded from the official site actually includes a service configuration file for systemd.
2. Ubuntu 15.10 ships strongswan 5.1.2, Ubuntu 16.04 ships strongswan 5.3.5
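To automate the two steps vickycq describes above, here is an added example that is not from the thread or from the strongSwan project: it checks via /proc/1/exe that PID 1 is systemd, as the `ls -l` in post #2 did, and then writes strongswan.service with the real path of the `ipsec` wrapper rather than a hard-coded /usr/sbin/ipsec. It assumes a source build installs the wrapper under /usr/local/sbin or /usr/sbin; the function names and the `--install` flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project). Diagnosis
# from post #2 (is PID 1 systemd?) plus the fix from post #5 (a systemd unit
# for a source-built strongSwan) with the ipsec wrapper path resolved rather
# than copied blindly. Paths can be passed in so the logic is testable.
set -eu

# pid1_is_systemd [INIT_PATH]: succeed when INIT_PATH (default /proc/1/exe)
# resolves to a binary named systemd, e.g. /lib/systemd/systemd.
pid1_is_systemd() {
    target=$(readlink -f "${1:-/proc/1/exe}" 2>/dev/null) || return 1
    case "$target" in
        */systemd) return 0 ;;
        *)         return 1 ;;
    esac
}

# find_ipsec: print the ipsec wrapper path. A source build installs under
# /usr/local by default; distribution packages use /usr/sbin.
find_ipsec() {
    for cand in /usr/local/sbin/ipsec /usr/sbin/ipsec; do
        if [ -x "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    command -v ipsec 2>/dev/null
}

# render_unit IPSEC_BIN: print the unit from post #5 with IPSEC_BIN filled in.
render_unit() {
    cat <<EOF
[Unit]
Description=strongSwan IPsec services
Wants=network-online.target
After=network-online.target

[Service]
Type=forking
Restart=on-failure
ExecStartPre=/bin/mkdir -p /var/lock/subsys
Environment="PIDFILE=/var/run/charon.pid"
ExecStart=$1 start
ExecStop=$1 stop
ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid

[Install]
WantedBy=multi-user.target
EOF
}

# install_unit UNIT_DIR [IPSEC_BIN] [INIT_PATH]: write UNIT_DIR/strongswan.service.
# Returns 2 when PID 1 is not systemd (an Upstart host needs /etc/init/*.conf
# instead) and 1 when no executable ipsec wrapper is found, so nothing
# half-configured is written in either case.
install_unit() {
    unit_dir=$1
    ipsec_bin=${2:-}
    if ! pid1_is_systemd "${3:-/proc/1/exe}"; then
        echo "PID 1 is not systemd; this unit would never be used" >&2
        return 2
    fi
    if [ -z "$ipsec_bin" ]; then
        ipsec_bin=$(find_ipsec) || { echo "no ipsec wrapper found" >&2; return 1; }
    fi
    if [ ! -x "$ipsec_bin" ]; then
        echo "$ipsec_bin is not executable" >&2
        return 1
    fi
    render_unit "$ipsec_bin" > "$unit_dir/strongswan.service"
    chmod 0644 "$unit_dir/strongswan.service"
    echo "wrote $unit_dir/strongswan.service; now run: sudo systemctl enable strongswan.service"
}

# On the thread's host: sudo sh this.sh --install  (writes /lib/systemd/system)
[ "${1:-}" = "--install" ] && install_unit /lib/systemd/system
```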

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#6

Post by gkc » 2016-08-02 17:45

Thank you very much

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#7

Post by victorchao » 2020-02-19 11:11

Hello, I ran into a similar problem and would like some advice.
Running the commands above on ubuntu gives the following output:
1. Ubuntu 16.04.5 LTS \n \l
2. /etc/strongswan.conf
3. /lib/systemd/system/strongswan.service
4. lrwxrwxrwx 1 root root 0 2月 11 10:20 /proc/1/exe -> /lib/systemd/systemd
lrwxrwxrwx 1 root root 20 2月 5 22:14 /sbin/init -> /lib/systemd/systemd
5. strongswan.service - strongSwan IPsec services
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since 三 2020-02-19 10:19:04 CST; 36min ago
Process: 2870 ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid (code=exited, status=0/SUCCESS)
Process: 2862 ExecStop=/usr/sbin/ipsec stop (code=exited, status=0/SUCCESS)
Process: 2878 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
Process: 2874 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
Main PID: 2904 (starter)
Tasks: 18
Memory: 8.9M
CPU: 99ms
CGroup: /system.slice/strongswan.service
├─2904 /usr/lib/ipsec/starter --daemon charon
└─2905 /usr/lib/ipsec/charon --use-syslog

2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 00[CFG] eap-simaka-sql database URI missing
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 00[CFG] loaded 0 RADIUS server configurations
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 00[CFG] no threshold configured for systime-fix, disabled
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 00[CFG] coupling file path unspecified
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revoc
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 00[LIB] dropped capabilities, running as uid 0, gid 0
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 00[JOB] spawning 16 worker threads
2月 19 10:19:04 gitlabserver-PowerEdge-R730 ipsec_starter[2904]: charon (2905) started after 40 ms
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 07[CFG] received stroke: add connection 'myvpn'
2月 19 10:19:04 gitlabserver-PowerEdge-R730 charon[2905]: 07[CFG] added configuration 'myvpn'
The problem now is that when I restart the strongswan service I get the following message:
service strongswan restart
Failed to add /run/systemd/ask-password to directory watch: No space left on device
What could be the cause?

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#8

Post by oneleaf » 2020-02-19 13:00

Out of disk space?

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#9

Post by victorchao » 2020-02-19 13:36

There is free disk space. I re-enabled and then started the strongswan and xl2tpd services, and their status is now normal, as follows:
1. service xl2tpd status
● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
Loaded: loaded (/etc/init.d/xl2tpd; bad; vendor preset: enabled)
Active: active (running) since 三 2020-02-19 13:23:37 CST; 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 7645 ExecStop=/etc/init.d/xl2tpd stop (code=exited, status=0/SUCCESS)
Process: 7652 ExecStart=/etc/init.d/xl2tpd start (code=exited, status=0/SUCCESS)
Tasks: 1
Memory: 1.5M
CPU: 12ms
CGroup: /system.slice/xl2tpd.service
└─7667 /usr/sbin/xl2tpd

2月 19 13:23:37 gitlabserver-PowerEdge-R730 systemd[1]: Starting LSB: layer 2 tunelling protocol daemon...
2月 19 13:23:37 gitlabserver-PowerEdge-R730 xl2tpd[7652]: Starting xl2tpd: xl2tpd.
2月 19 13:23:37 gitlabserver-PowerEdge-R730 xl2tpd[7667]: xl2tpd version xl2tpd-1.3.6 started on gitlabserver-PowerEdge-R730 PID:7667
2月 19 13:23:37 gitlabserver-PowerEdge-R730 xl2tpd[7667]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
2月 19 13:23:37 gitlabserver-PowerEdge-R730 systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
2月 19 13:23:37 gitlabserver-PowerEdge-R730 xl2tpd[7667]: Forked by Scott Balmos and David Stipp, (C) 2001
2月 19 13:23:37 gitlabserver-PowerEdge-R730 xl2tpd[7667]: Inherited by Jeff McAdams, (C) 2002
2月 19 13:23:37 gitlabserver-PowerEdge-R730 xl2tpd[7667]: Forked again by Xelerance (www.xelerance.com) (C) 2006
2月 19 13:23:37 gitlabserver-PowerEdge-R730 xl2tpd[7667]: Listening on IP address 0.0.0.0, port 1701

2. service strongswan status
● strongswan.service - strongSwan IPsec services
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since 三 2020-02-19 13:23:27 CST; 25s ago
Process: 7427 ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid (code=exited, status=0/SUCCESS)
Process: 7418 ExecStop=/usr/sbin/ipsec stop (code=exited, status=0/SUCCESS)
Process: 7436 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
Process: 7431 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
Main PID: 7462 (starter)
Tasks: 18
Memory: 8.0M
CPU: 66ms
CGroup: /system.slice/strongswan.service
├─7462 /usr/lib/ipsec/starter --daemon charon
└─7463 /usr/lib/ipsec/charon --use-syslog

2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 00[CFG] eap-simaka-sql database URI missing
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 00[CFG] loaded 0 RADIUS server configurations
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 00[CFG] no threshold configured for systime-fix, disabled
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 00[CFG] coupling file path unspecified
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revoc
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 00[LIB] dropped capabilities, running as uid 0, gid 0
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 00[JOB] spawning 16 worker threads
2月 19 13:23:27 gitlabserver-PowerEdge-R730 ipsec_starter[7462]: charon (7463) started after 40 ms
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 06[CFG] received stroke: add connection 'myvpn'
2月 19 13:23:27 gitlabserver-PowerEdge-R730 charon[7463]: 06[CFG] added configuration 'myvpn'

The situation now is this: on the server side I deployed an ipsec/l2tp environment with a one-click script; 'myvpn' is the connection name defined on the client side. With the strongswan and xl2tpd services running normally, running the ipsec up myvpn command gives the following error:
ipsec up myvpn
/usr/local/sbin/ipsec: unknown IPsec command "up" ("ipsec --help" for list),

ipsec version shows Linux Libreswan 3.29 (netkey) on 4.15.0-88-generic (on other machines it shows strongswan and the connection works fine; my initial guess is that this software is the problem).
How do I replace libreswan with strongswan?

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#10

Post by astolia » 2020-02-19 14:03

victorchao wrote: 2020-02-19 13:36 The situation now is this: on the server side I deployed an ipsec/l2tp environment with a one-click script; 'myvpn' is the connection name defined on the client side. With the strongswan and xl2tpd services running normally, running the ipsec up myvpn command gives the following error:
ipsec up ipsec auto { --up | --down
/usr/local/sbin/ipsec: unknown IPsec command "up" ("ipsec --help" for list),

ipsec version shows Linux Libreswan 3.29 (netkey) on 4.15.0-88-generic (on other machines it shows strongswan and the connection works fine; my initial guess is that this software is the problem).
How do I replace libreswan with strongswan?
Why don't you just use libreswan's ipsec command syntax? ipsec auto --up myvpn

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#11

Post by victorchao » 2020-02-19 15:22

astolia wrote: 2020-02-19 14:03
victorchao wrote: 2020-02-19 13:36 The situation now is this: on the server side I deployed an ipsec/l2tp environment with a one-click script; 'myvpn' is the connection name defined on the client side. With the strongswan and xl2tpd services running normally, running the ipsec up myvpn command gives the following error:
ipsec up ipsec auto { --up | --down
/usr/local/sbin/ipsec: unknown IPsec command "up" ("ipsec --help" for list),

ipsec version shows Linux Libreswan 3.29 (netkey) on 4.15.0-88-generic (on other machines it shows strongswan and the connection works fine; my initial guess is that this software is the problem).
How do I replace libreswan with strongswan?
Why don't you just use libreswan's ipsec command syntax? ipsec auto --up myvpn

After ipsec auto --up myvpn the output is: 024 need --listen before --initiate

At this point running ipsec verify reports three errors:
ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.29 (netkey) on 4.15.0-88-generic
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]

Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
ERROR: /etc/ipsec.conf: 18: keyword keyexchange, invalid value: ikev1


Also, ipsec status outputs:
ipsec status
000 using kernel interface: netkey
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=3.29, pluto_vendorid=OE-Libreswan-3.29
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 Total IPsec connections: loaded 0, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:

Is it that libreswan's dependencies are not fully installed, or is there some other cause?

Re: Help: how to make strongswan ipsec run at startup on Ubuntu Server v15

#12

Post by victorchao » 2020-02-19 16:11

victorchao wrote: 2020-02-19 15:22
[post #11 quoted in full; see above]


After reconfiguring, the ipsec verify output is now normal:
ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.29 (netkey) on 4.15.0-88-generic
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]

When I enter ipsec auto --up myvpn, the output is:
000 initiating all conns with alias='myvpn'
021 no connection named "myvpn"

This means no connection named myvpn was found. My /etc/ipsec.conf is as follows:
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ike
        authby=secret
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn myvpn
        keyexchange=ike
        left=%defaultroute
        auto=add
        authby=secret
        type=transport
        leftprotoport=17/1701
        rightprotoport=17/1701
        right=(my public IP)

Begging the experts to help analyze the cause.
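As an added example that is not part of the thread or of either *swan project, the following checks which conn sections an ipsec.conf actually defines and what a conn inherits from conn %default, so that a `no connection named "myvpn"` reply can first be traced to the file before looking at the daemon. It assumes only the ipsec.conf(5) layout shared by strongSwan and Libreswan (section headers at column 0, parameters on indented lines); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or either *swan project): inspect an
# ipsec.conf the way the daemons read it. Section headers ("config setup",
# "conn NAME") start at column 0; parameters are the indented lines below.
set -eu

# ipsec_conf_sections FILE: print one "SECTION<TAB>key=value" line per
# parameter. Indented lines outside any section, and column-0 lines that are
# not section headers, go to stderr: no section will ever own them.
ipsec_conf_sections() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # blank lines and comments
        /^[ \t]/ {                                 # indented: a parameter
            gsub(/^[ \t]+|[ \t]+$/, "")
            if (section == "") { print "orphan parameter: " $0 > "/dev/stderr"; next }
            print section "\t" $0
            next
        }
        $1 == "conn" || $1 == "config" { section = $1 " " $2; next }
        $1 == "include" { next }
        { print "not indented, ignored: " $0 > "/dev/stderr" }
    ' "$1"
}

# ipsec_conf_conns FILE: list the conn names in file order, one per line.
ipsec_conf_conns() {
    awk '/^conn[ \t]+/ { print $2 }' "$1"
}

# conn_defined FILE NAME: succeed if FILE has a "conn NAME" section.
conn_defined() {
    ipsec_conf_conns "$1" | grep -qx -- "$2"
}

# conn_param FILE NAME KEY: print the effective value of KEY for conn NAME,
# falling back to conn %default as the daemons do; prints nothing if unset.
conn_param() {
    ipsec_conf_sections "$1" 2>/dev/null |
    awk -F'\t' -v want="conn $2" -v dflt="conn %default" -v key="$3" '
        {
            eq = index($2, "="); if (eq == 0) next
            k = substr($2, 1, eq - 1); gsub(/[ \t]/, "", k)
            val = substr($2, eq + 1); sub(/^[ \t]+/, "", val)
            if (k != key) next
            if ($1 == want) v = val; else if ($1 == dflt) d = val
        }
        END { if (v != "") print v; else if (d != "") print d }
    '
}
```

Run `conn_defined /etc/ipsec.conf myvpn` and `conn_param /etc/ipsec.conf myvpn keyexchange` on the server; a conn that is not listed by `ipsec_conf_conns` is one the daemon never saw, whatever the client calls it.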