Linode CentOS / Debian 部署 ipsec+l2tpd 简要笔记

162 Responses to Linode CentOS / Debian 部署 ipsec+l2tpd 简要笔记

1. Black-Xstar says:

   June 19, 2010 at 1:55 pm

   我用2.2.26版本的rpm安装，一点问题都没有。
   顺便问下，cisco ipsec怎么弄呢？就是iphone vpn里面那个ipsec。

   Reply
   • 歪歪儿 says:

     June 26, 2010 at 2:22 am

     这儿有cisco ipsec的教程。 http://www.alpha2beta.com/vpn/vpn-on-nokia-s60-2-openswan-and-vpn-policy.html

     Reply
2. gkp says:

   June 19, 2010 at 9:46 pm

   @Black-Xstar
   估计2.2.26版本的rpm打了补丁？ipsec那个我没搞过，不过估计不会太复杂

   Reply

3. Pingback: 使用 MySQL 进行 PPP 验证 | gkp's post

4. sqsowen says:

   August 19, 2010 at 9:45 am

   根据你的xl2tpd.conf文件修改，启动的时候第一句就不认识了：
   Error: Option [global] is not known in this context
   FATAL: Option [global] is not known in this context
   我看到缺省的.conf文件，跟你写的很不一样，纠结阿！

   Reply
   • gkp says:

     August 19, 2010 at 2:28 pm

     不会吧。。。你确认是安装的xl2tpd么？我现在两台服务器都是这个格式的配置文件呀？

     Reply
     • sqsowen says:

       August 19, 2010 at 4:13 pm

       我用的不是xl2tpd,是l2tp,呵呵！区别有点大呢！

       Reply
       • gkp says:

         August 20, 2010 at 12:29 am

         那难怪了。。。

         Reply
5. sqsowen says:

   August 20, 2010 at 10:48 am

   还有阿！ipsec启动不了，出错了：
   /usr/libexec/ipsec/addconn: /home/gaolei/trunk/build_dir/linux-x86_generic/openswan-2.6.25/lib/libipsecconf/confread.c: 244: load_setup: Assertion `kw->keyword.keydef->validity & kv_config’ failed.
   Aborted
   Failed to parse config setup portion of ipsec.conf

   Reply
   • gkp says:

     August 21, 2010 at 1:50 pm

     看一下ipsec.conf的格式是不是没复制对？需要有缩进的

     Reply
6. 老T says:

   August 26, 2010 at 10:44 pm

   Pluto listening for NAT-T on udp 4500 [FAILED]
   这个如何解决呢？

   Reply
   • gkp says:

     August 27, 2010 at 12:26 am

     ipsec verify 的结果？系统里面装 lsof 了么？

     Reply
     • 老T says:

       August 27, 2010 at 10:31 am

       刚开始的时候就装了~

       Reply
       • Jeff Wang says:

         October 6, 2010 at 3:53 pm

         这个我也遇到过 后面我是在vi /etc/ipsec.conf配置文件前面加了个 version 2.0 没想到就ok了

         Reply
         • wanjie says:

           October 13, 2010 at 4:53 pm

           晕死，这2天折腾挂了，刚刚升级到2.6.29.也遇到了 luto listening for NAT-T on udp 4500 [FAILED]， 这个version 2.0字段很强悍啊。怎么发现的。
         • gkp says:

           October 14, 2010 at 1:01 am

           我倒。。我看了一下，我服务器上第一行确实是version 2.0，我之前复制到 blog 的时候少复制了一行，让大家走弯路了。。。Orz
7. 老T says:

   August 27, 2010 at 12:28 pm

   我是centos 5.5 32bit

   Reply
8. sqsowen says:

   August 31, 2010 at 11:45 am

   我把ipsec关了，只启动l2tp，VPN也是可以连的，那ipsec是做什么用的呢？

   Reply
   • gkp says:

     August 31, 2010 at 3:29 pm

     http://zh.wikipedia.org/zh/IPsec

     Reply
9. ym says:

   August 31, 2010 at 1:02 pm

   hi.
   “修改包转发设置

   for each in /proc/sys/net/ipv4/conf/*
   do
   echo 0 > $each/accept_redirects
   echo 0 > $each/send_redirects
   done”

   在哪里修改？修改哪个文件？

   Reply
   • gkp says:

     August 31, 2010 at 3:31 pm

     这个不是修改文件，而是直接执行的

     Reply
10. myw says:

    September 7, 2010 at 2:52 pm

    hi：知道为什么电脑上可以连通，iphone4上确不能连通么？

    Reply
    • gkp says:

      September 7, 2010 at 6:15 pm

      我也在 iPhone4 上用，没问题，看看服务器端日至吧

      Reply

11. Pingback: links for 2010-09-08 « Caiwangqin’s delicious bog

12. Jeff says:

    October 3, 2010 at 7:43 pm

    奇怪了，我都安装好了 也正常启动 不过却出现了错误789 L2TP连接尝试失败
    下面是服务器那边的 /var/log/secure （CentOS） 日志文件
    Oct 3 11:38:47 vps pluto[2706]: | payload malformed after IV
    Oct 3 11:38:47 vps pluto[2706]: | ee 28 cd 61 7f 01 d5 ab ad 1e 83 d1 f8 1c 4f 1e
    Oct 3 11:38:47 vps pluto[2706]: | 32 4f 54 0c
    Oct 3 11:38:47 vps pluto[2706]: “L2TP-PSK-NAT”[5] 218.66.245.44 #7: sending notification PAYLOAD_MALFORMED to 218.66.245.44:500
    Oct 3 11:39:04 vps pluto[2706]: “L2TP-PSK-NAT”[5] 218.66.245.44 #6: max number of retransmissions (2) reached STATE_MAIN_R1
    Oct 3 11:39:06 vps pluto[2706]: “L2TP-PSK-NAT”[5] 218.66.245.44 #7: max number of retransmissions (2) reached STATE_MAIN_R2
    Oct 3 11:39:06 vps pluto[2706]: “L2TP-PSK-NAT”[5] 218.66.245.44: deleting connection “L2TP-PSK-NAT” instance with peer 218.66.245.44 {isakmp=#0/ipsec=#0}

    这是xl2tp状态
    [root@vps xl2tpd-1.2.4]#xl2tpd -D
    xl2tpd[2787]: Enabling IPsec SAref processing for L2TP transport mode SAs
    xl2tpd[2787]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
    xl2tpd[2787]: init_network: Unable to bind socket: Address already in use. Terminating.

    Reply
    • gkp says:

      October 3, 2010 at 11:31 pm

      xl2tpd[2787]: init_network: Unable to bind socket: Address already in use. Terminating.

      xl2tpd 根本没起来呀，地址被占用了，是不是已经起了一个xl2tpd了？

      Reply
      • Jeff says:

        October 6, 2010 at 3:36 pm

        ipsec verify 的结果 全部OK了，可是连接到服务器的结果的日志好像是提示没找到psk密钥，该数据包处理不了，然后就一直卡在那边，最后提示错误 789
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: received Vendor ID payload [RFC 3947] method set to=109
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: ignoring Vendor ID payload [FRAGMENTATION]
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: ignoring Vendor ID payload [Vid-Initial-Contact]
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: ignoring Vendor ID payload [IKE CGA version 1]
        Oct 6 07:30:35 vps pluto[8384]: packet from 218.85.108.61:500: initial Main Mode message received on 204.74.215.132:500 but no connection has been authorized with policy=PSK

        Reply
        • gkp says:

          October 7, 2010 at 1:57 am

          怪了，/etc/ipsec.secrets 确认没问题？

          Reply
          • Jeff Wang says:

            October 7, 2010 at 8:47 pm

            崩溃了，好像是密钥的问题，现在又提示密钥不配置，我用得是QuickWeb的xen vps
13. Jeff Wang says:

    October 6, 2010 at 3:41 pm

    我后面继续安装xl2pd
    最后去等xl2tpd -D的结果

    xl2tpd[9501]: Enabling IPsec SAref processing for L2TP transport mode SAs
    xl2tpd[9501]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
    xl2tpd[9501]: setsockopt recvref[22]: Protocol not available
    xl2tpd[9501]: This binary does not support kernel L2TP.
    xl2tpd[9501]: xl2tpd version xl2tpd-1.2.4 started on vps.server.com PID:9501
    xl2tpd[9501]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[9501]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[9501]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[9501]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    xl2tpd[9501]: Listening on IP address 0.0.0.0, port 1701

    Reply
    • gkp says:

      October 7, 2010 at 1:57 am

      这个就没问题了，开始在 1701端口监听了

      Reply
      • azone says:

        October 16, 2012 at 9:53 am

        我的输出和他的类似，但是连接的时候收不到任何信息是真么回事？当然也连接不上。。。参考了各种博客都不行~
        我的系统是：
        Ubuntu Server 12.04 x86_64
        xl2tpd 1.3.1+dfsg-1
        pppd 2.4.5-5ubuntu1
        openswan 1:2.6.38-1~precise1

        Reply
14. wanjie says:

    October 8, 2010 at 2:34 pm

    呵呵，参考安装了，看/var/log/secure日志是正常了，但是手机仍然被弹，奇怪了。难道是手机wm系统的原因

    Reply
    • gkp says:

      October 9, 2010 at 1:49 am

      看看失败时服务器段的日至，一般都能找到线索

      Reply
15. gkp says:

    October 9, 2010 at 1:52 am

    @Jeff Wang
    密钥什么问题？那个文件按照我的格式写应该没有问题的。

    Reply
16. Jeff Wang says:

    October 9, 2010 at 1:20 pm

    哈哈 我终于安装成功了 在这里我要感谢下Dan跟GFW,没有它们就没有我这次学习的机会。
    下面分享下我安装的心得
    第一部分
    1)
    yum install make gcc gmp-devel bison flex gawk iptables lsof perl //跟据自己vps的特点安装编译用的包
    2)
    编辑/etc/sysctl.conf
    将下面两项：
    net.ipv4.ip_forward = 0
    net.ipv4.conf.default.rp_filter = 1
    改为：
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    最后
    好了 运行下sysctl -p
    3)
    下载源代码并编译安装
    cd /usr/src
    wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
    tar zxvf openswan-2.6.24.tar.gz
    cd openswan-2.6.24
    make programs install
    4)
    修改包转发设置
    iptables –table nat –append POSTROUTING –jump MASQUERADE
    for each in /proc/sys/net/ipv4/conf/*
    do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    done
    5）
    重启OpenSWan
    /etc/init.d/ipsec restart
    验证OpenSWan是否正确安装
    ipsec –version
    如正确安装显示如下
    Linux Openswan U2.4.7/K2.6.9-42.EL (netkey)
    See `ipsec –copyright’ for copyright information.
    验证OpenSWan是否正常运行
    ipsec verify
    备注：如果全部ok，进行下一步，如果不ok 一般问题正常都是OpenSWan安装不正确，或者编译用的包没安装全，这方面要自己去找
    6)
    按上面的教程 修改ipsec.secrets
    按上面的教程 修改ipsec.conf
    7）
    再重启验证一次
    /etc/init.d/ipsec restart
    ipsec verify
    如只有出现以下两行Failed，别的全部OK
    Pluto listening for NAT-T on udp 4500 [Failed]
    Two or more interfaces found, checking IP forwarding [Failed]
    我的原因是文件编辑不正常 解决方法在文本末尾多敲了两个回车，之所以这样解决是因为我采用排除法，所以最后才来修改ipsec.secrets跟ipsec.conf文件。大家可以参考下
    测试连接后的日志：
    /var/log/secure （CentOS）
    Oct 6 22:55:50 vps pluto[8852]: “L2TP-PSK-NAT”[4] 218.85.108.61 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x4a70500f $each/accept_redirects
    echo 0 > $each/send_redirects
    done
    5)
    最后启动
    xl2tpd -D 进行测试

    差不多就这样了 我测试得是QuickWeb Xen VPS

    Reply
    • Jeff Wang says:

      October 9, 2010 at 9:47 pm

      写得有点勿忘，有些地方可能不是很详细，最后感谢下gkp老大的热心回答

      Reply
17. Jeff Wang says:

    October 10, 2010 at 11:27 pm

    求救！！！又有问题了 同一台服务器为什么L2tp拨号上去速度总是比pptp慢上很多，有时候连网页都打不开，一直在缓存中，大家有遇到过吗？

    Reply
    • gkp says:

      October 11, 2010 at 2:12 am

      改改 MTU?

      Reply
      • 老T says:

        October 12, 2010 at 8:12 pm

        改这个有什么用?

        Reply
        • gkp says:

          October 13, 2010 at 1:13 am

          MTU过大时候会把网络冲断

          Reply
    • ky says:

      May 17, 2013 at 4:06 pm

      我也是，不知道问题出在哪，用另一个L2TP连接完全没问题，用上面的方法自己加了个vpn速度灰常慢有时候连网页都打不开然后就断掉了，12M和4M的网，搞不明白，你是怎么解决的

      Reply
18. 老T says:

    October 12, 2010 at 12:59 pm

    又回来折腾L2tp,现在发现个问题,貌似什么都搞好了,就是提示错误678，远程计算机没有反应!

    Reply
19. ipt4 says:

    October 13, 2010 at 1:39 am

    连接不成功，一直出现这种问题，求解，verify正常
    Oct 12 17:33:47 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP] #1: the peer proposed: [server IP]/32:17/1701 -> 192.168.1.150/32:17/51023
    Oct 12 17:33:47 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP] #11: ERROR: netlink_get_spi for esp.0@[server IP] failed with errno 22: Invalid argument
    Oct 12 17:33:47 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP] #11: responding to Quick Mode proposal {msgid:9d82bcdc}
    Oct 12 17:33:47 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP] #11: us: [server IP][+S=C]:17/1701
    Oct 12 17:33:47 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP] #11: them: [my IP][192.168.1.150,+S=C]:17/51023===192.168.1.150/32
    Oct 12 17:33:47 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP] #11: ERROR: netlink response for Add SA esp.8b535f5@[my IP] included errno 22: Invalid argument
    Oct 12 17:33:47 localhost pluto[3040]: | failed to install outgoing SA: 0
    Oct 12 17:33:50 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP] #1: received Delete SA payload: deleting ISAKMP State #1
    Oct 12 17:33:50 localhost pluto[3040]: “L2TP-PSK-NAT”[2] [my IP]: deleting connection “L2TP-PSK-NAT” instance with peer [my IP] {isakmp=#0/ipsec=#0}
    Oct 12 17:33:50 localhost pluto[3040]: packet from [my IP]:9229: received and ignored informational message
    Oct 12 17:33:50 localhost pluto[3040]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to [my IP] port 9229, complainant [my IP]: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

    Reply
    • gkp says:

      October 13, 2010 at 10:42 am

      errr，参数错误？
      系统软件包都升级到最新的了吗？

      Reply
      • ipt4 says:

        October 13, 2010 at 2:30 pm

        嗯，都是最新的。

        Reply
        • gkp says:

          October 14, 2010 at 1:02 am

          在 ipsec.conf 最上面加上一行version 2.0试试看？我之前复制配置文件时候少复制了一行 囧

          Reply
          • ipt4 says:

            October 14, 2010 at 11:33 am

            一直有的:(
            很郁闷哎
          • gkp says:

            October 14, 2010 at 5:57 pm

            内核啥版本？真没见过这种奇怪问题。。。
          • ipt4 says:

            October 15, 2010 at 2:19 pm

            ipsec_setup: Starting Openswan IPsec U2.6.29/K2.6.26-2-xen-amd64…

            Openswan试过.24-29全部都是这种错误
          • gkp says:

            October 15, 2010 at 3:30 pm

            我强烈怀疑是内核问题。。。
20. yar999 says:

    October 18, 2010 at 3:02 pm

    openswan配置好了，通过/var/log/secure查看，怎么走到
    Oct 18 05:54:12 centos pluto[2878]: adding interface lo/lo 127.0.0.1:500
    Oct 18 05:54:12 centos pluto[2878]: adding interface lo/lo 127.0.0.1:4500
    Oct 18 05:54:12 centos pluto[2878]: adding interface lo/lo ::1:500
    Oct 18 05:54:12 centos pluto[2878]: loading secrets from “/etc/ipsec.secrets”

    显示加载secrets文件然后就不动了

    新建的l2tp连接不用输入或者随便输入一个欲共享密钥也可以连接，连接之后并没有ipsec加密的选项。

    很郁闷啊

    Reply
    • gkp says:

      October 18, 2010 at 10:00 pm

      现在客户端可以连接对吧？
      配置文件中有这行吗？ authby=secret

      Reply
      • yar999 says:

        October 20, 2010 at 1:33 am

        有的，ipsec.conf内容如下

        version 2.0
        config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

        conn l2tp-psk
        authby=secret
        pfs=no
        auto=add
        rekey=no
        type=transport
        left=192.168.1.66
        leftid=@server
        leftnexthop=192.168.1.1
        leftprotoport=17/1701
        right=%any
        rightid=@client
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no

        Reply
        • gkp says:

          October 21, 2010 at 2:51 pm

          内网配置？如果left没错的话看起来没啥问题呀。。。

          Reply
21. yar999 says:

    October 22, 2010 at 1:05 pm

    问题解决了，修改了下注册表，开启ipsec加密就可以了，晕死了。
    在搜索引擎中搜索 xp 配置l2tpd客户端，然后出来的结果全部是让你修改个注册表，新建个键值为1，这样做恰恰就把xp默认的支持ipsec加密其关闭了.

    http://www.jacco2.dds.nl/networking/win2000xp-openswan.html

    In case you previously used the Linsys IPsec Tool (lsipsectool) or Marcus Müller’s IPSEC.EXE tool or some other third-party IPsec client, be advised that these clients disable the “automatic L2TP/IPsec policy” in Windows. This policy sets up the proper IPsec rules when you “dial-up” an L2TP/IPsec VPN connection from Network Connections. To (re)enable the automatic L2TP/IPsec policy you need to remove the registry key HKLM\System\CurrentControlSet\Services\Rasman\Parameters\ProhibitIpSec or change the value of this key to 0. The L2TP/IPsec policy will then be enabled after you reboot Windows. Without the automatic L2TP/IPsec policy the VPN client will try to set up a pure L2TP connection, which is not protected by IPsec encryption. Microsoft Knowledge Base article Q310109 describes how the policy is disabled, but you need to do the reverse, i.e. enable it.

    Reply
    • gkp says:

      October 22, 2010 at 5:46 pm

      汗死，还有这种事情。。。

      Reply
    • zeng says:

      August 4, 2011 at 5:25 pm

      太感谢了 这个问题搞了我一个星期 要不是看到你的回复 搞不定了

      Reply
      • zeng says:

        August 4, 2011 at 5:29 pm

        可是还有个问题 现在ipsec/l2tp都搞定了 也加密了
        但是如果我把注册表IPSEC值改成1的话还是能够不用共享密钥能连接呀 怎么能在服务器上给强制使用共享密钥加密呢

        Reply
22. 潇洒哥 says:

    October 25, 2010 at 9:33 am

    但是我写了密钥之后好像就无法链接了，奇怪啊！iphone一定要用密钥

    Reply
23. kevin says:

    November 16, 2010 at 5:40 pm

    查看ipsec时 发现NAT MASQUERADEing 是 N/A状态 查看iptables 转发规则已经添加，不解。gkp能否解答下？
    ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Checking NAT and MASQUERADEing [N/A]

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all — 192.168.0.0/24 0.0.0.0/0
    MASQUERADE all — 10.8.0.0/24 0.0.0.0/0
    MASQUERADE all — 0.0.0.0/0 0.0.0.0/0

    debug模式下
    xl2tpd[31239]: setsockopt recvref[22]: Protocol not available
    xl2tpd[31239]: This binary does not support kernel L2TP.
    这个是啥意思？ 内核不支持？

    [root@ip-10-161-82-36 software]# xl2tpd -D
    xl2tpd[31239]: setsockopt recvref[22]: Protocol not available
    xl2tpd[31239]: This binary does not support kernel L2TP.
    xl2tpd[31239]: xl2tpd version xl2tpd-1.2.4 started on ip-10-161-82-36 PID:31239
    xl2tpd[31239]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[31239]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[31239]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[31239]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    xl2tpd[31239]: Listening on IP address 0.0.0.0, port 1701

    Reply
    • gkp says:

      November 17, 2010 at 7:03 pm

      xl2tpd[31239]: Listening on IP address 0.0.0.0, port 1701
      这表示 xl2tpd 已经起来了，应该可以了。

      Reply
      • kevin says:

        November 18, 2010 at 3:42 pm

        多谢gkp，监听端口是有启动，貌似ipsec不可用。
        ipsec verify
        Checking your system to see if IPsec got installed and started correctly:
        Checking NAT and MASQUERADEing [N/A] 提示NAT和地址伪装 N/A
        iptables -nL -t nat
        Chain POSTROUTING (policy ACCEPT)
        target prot opt source destination
        MASQUERADE all — 192.168.0.0/24 0.0.0.0/0
        MASQUERADE all — 10.8.0.0/24 0.0.0.0/0
        MASQUERADE all — 0.0.0.0/0 0.0.0.0/0

        Reply
24. kevin says:

    November 18, 2010 at 2:36 pm

    Re:gkp 这个监听是起来了没错，但是ipsec verify显示不正常 ipsec服务不能正常使用。
    这个很无解。 多谢解答。
    ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Checking NAT and MASQUERADEing [N/A]

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all — 192.168.0.0/24 0.0.0.0/0
    MASQUERADE all — 10.8.0.0/24 0.0.0.0/0
    MASQUERADE all — 0.0.0.0/0 0.0.0.0/0

    Reply
    • gkp says:

      November 21, 2010 at 1:36 am

      对，那个监听是 l2tp，和 ipsec 是两回事，把 ipsec verify 完整输出贴出来看看？

      Reply
      • kevin says:

        November 25, 2010 at 4:31 pm

        [root@vpn]# ipsec verify
        Checking your system to see if IPsec got installed and started correctly:
        Version check and ipsec on-path [OK]
        Linux Openswan U2.6.24/K2.6.21.7-2.fc8xen (netkey)
        Checking for IPsec support in kernel [OK]
        Testing against enforced SElinux mode [OK]
        NETKEY detected, testing for disabled ICMP send_redirects [OK]
        NETKEY detected, testing for disabled ICMP accept_redirects [OK]
        Checking for RSA private key (/etc/ipsec.secrets) [OK]
        Checking that pluto is running [OK]
        Pluto listening for IKE on udp 500 [OK]
        Pluto listening for NAT-T on udp 4500 [OK]
        Two or more interfaces found, checking IP forwarding [OK]
        Checking NAT and MASQUERADEing [N/A]
        Checking for ‘ip’ command [OK]
        Checking for ‘iptables’ command [OK]
        Opportunistic Encryption Support [DISABLED]

        Reply
        • gkp says:

          November 25, 2010 at 6:09 pm

          net.ipv4.ip_forward = 1
          这个设置了？

          Reply
          • kevin says:

            December 6, 2010 at 3:02 pm

            设置了，另外服务器内核我升级了 现在版本是centos 5.5
          • gkp says:

            December 9, 2010 at 9:40 pm

            如果设置后sysctl也执行了的话，那还真不清楚是什么问题了。。。：（

25. Pingback: Tweets that mention Linode CentOS / Debian 部署 ipsec+l2tpd 简要笔记 | gkp's post -- Topsy.com

26. Rwatermoon says:

    January 9, 2011 at 4:50 pm

    root@panshan:~# xl2tpd -D
    xl2tpd[880]: Enabling IPsec SAref processing for L2TP transport mode SAs
    xl2tpd[880]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
    xl2tpd[880]: init_network: Unable to bind socket: Address already in use. Terminating.

    xl2tpd没法启动啊，ipsec verify全部ok，我是新手，希望博主能帮忙看下

    Reply
    • gkp says:

      January 9, 2011 at 5:24 pm

      提示是端口已经被占用，应该是xl2tpd已经启动了吧？

      Reply
      • Rwatermoon says:

        January 9, 2011 at 7:15 pm

        – -! 我试着重启xl2tpd /etc/init.d/xl2tpd restart
        结果：/etc/init.d/xl2tpd: No such file or directory，我安装的有问题吗？我是一步跟着文章走的。
        连了下，看了下日志……更加迷茫了，都不知道问题在哪，好像少文件啊
        Jan 9 06:08:44 panshan pluto[5881]: “L2TP-PSK-NAT”[1] 180.109.156.151 #1: next payload type of ISAKMP Identification Payload has an unknown value: 120
        Jan 9 06:08:44 panshan pluto[5881]: “L2TP-PSK-NAT”[1] 180.109.156.151 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
        Jan 9 06:08:44 panshan pluto[5881]: | payload malformed after IV
        Jan 9 06:08:44 panshan pluto[5881]: | 0b 85 95 c5 3a 2c 56 4a 1f 3b bb b6 b9 a2 48 1f
        Jan 9 06:08:44 panshan pluto[5881]: | ed 32 83 71
        Jan 9 06:08:44 panshan pluto[5881]: “L2TP-PSK-NAT”[1] 180.109.156.151 #1: sending notification PAYLOAD_MALFORMED to 180.109.156.151:10981
        Jan 9 06:08:47 panshan getty[5940]: /dev/hvc0: No such file or directory
        Jan 9 06:08:57 panshan getty[5941]: /dev/hvc0: No such file or directory
        Jan 9 06:09:00 panshan pluto[5881]: “L2TP-PSK-NAT”[1] 180.109.156.151 #1: next payload type of ISAKMP Identification Payload has an unknown value: 120
        Jan 9 06:09:00 panshan pluto[5881]: “L2TP-PSK-NAT”[1] 180.109.156.151 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
        Jan 9 06:09:00 panshan pluto[5881]: | payload malformed after IV
        Jan 9 06:09:00 panshan pluto[5881]: | 0b 85 95 c5 3a 2c 56 4a 1f 3b bb b6 b9 a2 48 1f
        Jan 9 06:09:00 panshan pluto[5881]: | ed 32 83 71
        Jan 9 06:09:00 panshan pluto[5881]: “L2TP-PSK-NAT”[1] 180.109.156.151 #1: sending notification PAYLOAD_MALFORMED to 180.109.156.151:10981
        Jan 9 06:09:07 panshan getty[5942]: /dev/hvc0: No such file or directory

        Reply
27. Zhu says:

    January 9, 2011 at 11:50 pm

    多谢你的文章。拖你的福我也从iphone连接到 CentOS上去了。

    Reply
28. Henry says:

    January 13, 2011 at 2:36 pm

    iOS4上连接总是在Authenticating这部出错。。。

    在server上可以看到call established with XX.XXX.XX.XXX了
    出错信息如下
    xl2tpd[27310]: Call established with 112.64.188.113, Local: 44854, Remote: 8743, Serial: 1
    xl2tpd[27310]: result_code_avp: result code out of range (768 0 14). Ignoring.
    xl2tpd[27310]: control_finish: Peer tried to disconnect without specifying result code.
    xl2tpd[27310]: result_code_avp: result code out of range (256 0 14). Ignoring.
    xl2tpd[27310]: control_finish: Peer tried to disconnect without specifying result code.
    xl2tpd[27310]: check_control: Received out of order control packet on tunnel 8 (got 4, expected 6)
    xl2tpd[27310]: handle_packet: bad control packet!
    xl2tpd[27310]: child_handler : pppd exited for call 8743 with code 16
    xl2tpd[27310]: call_close: Call 44854 to 112.64.188.113 disconnected
    xl2tpd[27310]: check_control: Received out of order control packet on tunnel 8 (got 4, expected 6)
    xl2tpd[27310]: handle_packet: bad control packet!
    xl2tpd[27310]: check_control: Received out of order control packet on tunnel 8 (got 4, expected 6)
    xl2tpd[27310]: handle_packet: bad control packet!
    xl2tpd[27310]: Maximum retries exceeded for tunnel 44545. Closing.
    xl2tpd[27310]: check_control: Received out of order control packet on tunnel 8 (got 4, expected 6)
    xl2tpd[27310]: handle_packet: bad control packet!
    xl2tpd[27310]: Terminating pppd: sending TERM signal to pid 27319
    xl2tpd[27310]: pppd 27319 successfully terminated
    xl2tpd[27310]: Connection 8 closed to 112.64.188.113, port 54741 (Timeout)
    xl2tpd[27310]: get_call: can’t find call 44854 in tunnel 44545
    (ref=0/0)xl2tpd[27310]: check_control: Received out of order control packet on tunnel 8 (got 4, expected 6)
    xl2tpd[27310]: Unable to deliver closing message for tunnel 44545. Destroying anyway.

    该不会是版本兼容问题吧

    Reply
29. Haolvyuan says:

    January 13, 2011 at 4:08 pm

    感谢楼主的文章，VPN基本配置好了，但是还是有点小问题
    每次要在var/run下建立xl2tpd这个文件夹（重启这个文件夹就没了），然后每次ip tables也得重设。
    PC连接没问题，但是iphone不能连接，看了下日志
    Jan 12 07:27:13 panshan sshd[2127]: Accepted password for root from 117.89.169.26 port 15179 ssh2
    Jan 12 07:27:13 panshan sshd[2127]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
    Jan 12 07:27:13 panshan sshd[2127]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jan 12 07:27:13 panshan sshd[2127]: subsystem request for sftp
    Jan 12 07:27:13 panshan sshd[2141]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
    这是什么问题呢 ，可以看到iPad端连接成功验证用户名密码后然后断开的了，显示无法与PPP服务器连接，求教

    Reply
30. zhangzhonglin says:

    March 17, 2011 at 10:22 am

    如果支持内核
    xl2tpd[1819]: setsockopt recvref[22]: Protocol not available
    xl2tpd[1819]: Using l2tp kernel support.
    xl2tpd[1819]: xl2tpd version xl2tpd-1.2.6 started on fwdev PID:1819
    xl2tpd[1819]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[1819]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[1819]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[1819]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    xl2tpd[1819]: Listening on IP address 1.0.2.101, port 1701

    Reply
31. zhangzhonglin says:

    March 17, 2011 at 10:25 am

    支持内核
    已经协商成功了，控制消息已经可以成功发送，当数据消息不可以, 是哪里不对吗

    Reply
    • gkp says:

      May 30, 2011 at 5:28 pm

      试试看修改 MTU

      Reply
32. jianghao says:

    March 18, 2011 at 11:40 am

    内容

    YOUR.SERVER.IP.ADDRESS %any: PSK “YourSharedSecret”

    这分别表示什么意思啊 !

    Reply
33. jianghao says:

    March 18, 2011 at 12:04 pm

    [root@Oracle ~]# /etc/init.d/ipsec start
    ipsec_setup: Starting Openswan IPsec U2.6.24/K2.6.18-164.el5xen…
    ipsec_setup: no default routes detected
    [root@Oracle ~]#

    这是怎么回事啊？

    Reply
    • gkp says:

      May 30, 2011 at 5:28 pm

      没有设置默认路由？

      Reply
34. wang.hy8166 says:

    April 4, 2011 at 4:50 pm

    错误792:L2TP 连接尝试失败，因为安全协商超时

    我是在内网机器192.168.83.219上搭建的l2tp ipsec服务器
    然后我的路由器192.168.83.1接入的联通公网，公网ip是124.160.29.102

    然后我现在vpn拨号，在客户端win2003建立l2tp ipsec连接124.160.29.102时提示”错误 792： L2TP 连接尝试失败，因为安全协商超时”

    tail -f /var/log/secure
    Apr 4 16:26:49 192 pluto[27028]: packet from 192.168.83.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
    Apr 4 16:26:49 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #15: responding to Main Mode from unknown peer 192.168.83.1
    Apr 4 16:26:49 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #15: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Apr 4 16:26:49 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #15: STATE_MAIN_R1: sent MR1, expecting MI2
    Apr 4 16:26:49 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #15: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
    Apr 4 16:26:49 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #15: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Apr 4 16:26:49 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #15: STATE_MAIN_R2: sent MR2, expecting MI3
    Apr 4 16:27:42 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #14: max number of retransmissions (2) reached STATE_MAIN_R2
    Apr 4 16:27:59 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1 #15: max number of retransmissions (2) reached STATE_MAIN_R2
    Apr 4 16:27:59 192 pluto[27028]: “L2TP-PSK-NAT”[10] 192.168.83.1: deleting connection “L2TP-PSK-NAT” instance with peer 192.168.83.1 {isakmp=#0/ipsec=#0}

    xl2tpd -D
    没有任何提示

    tail -f /var/log/messages
    没有任何提示

    Reply
    • gkp says:

      April 8, 2011 at 12:57 am

      好像xp有个bug，2003不知道是否一样？搜一下 xp l2tp vpn能找到，改注册表好像得。

      Reply
35. moody says:

    April 23, 2011 at 11:01 pm

    xl2tpd的链接失效了。
    我从 ftp://ftp.xelerance.com/xl2tpd/xl2tpd-1.2.8.tar.gz 下载的，测试下来可以和Openswan 2.6.24一起工作。

    Reply
36. billie says:

    May 30, 2011 at 3:02 pm

    照这你的技术资料做了一遍，ipsec verify没问题，但是xl2tp -D时出错
    xl2tpd[14124]:Enabling IPsec SAref processing for L2TP transport mode SAS
    xl2tpd[14124]:IPsec SAref does not work with L2TP kernel mode yet,enabling for ceuserspace=yes
    xl2tpd[14124]:init_network:Unable to bind socket: Address already in use.Terminating.
    原来用openswan2.6.20+xl2tp1.1.12时出现的是最后一句：网络初始化：不能绑定套接字，地址已经被使用。
    使用 tail -f /var/log/messages
    得到信息如下：
    xl2tpd[14561]:Listening on IP address 0.0.0.0,port 1701
    xl2tpd[14561]:death_handler:Fatal signal 15 received
    xl2tpd[14586]:Enablig IPsec SAref processing for L2TP transport mode SAs
    xl2tpd[14586]:This binary does not support kernel L2TP
    xl2tpd[145 87]:xl2tpd version xl2tpd-1.1.12 started on localhost.localdomain PID:14587 (备注：我这里有疑问，原来用的是1.1.12版本，不知道如何卸载，直接在xl2tpd-1.2.4中make install了，但现在看来没有覆盖，我该如何处理，需要kill 14587后再一次 make install吗？)
    /*作者信息和发布网站的一些内容就省略了*/
    xl2tpd[14587]:Listening on IP address 0.0.0.0,port 1701
    最后winXP客户端报同样的错误792，请问我该如何排障？

    Reply
    • gkp says:

      May 30, 2011 at 5:31 pm

      找找原来的xl2tpd安装到哪里了，手工把bin删了应该就行了

      Reply
37. billie says:

    May 30, 2011 at 3:15 pm

    在修改了/etc/xl2tpd/xl2tpd.conf

    [global]
    listen-addr = 192.168.1.249
    port = 1701
    auth file = /etc/ppp/chap-secrets
    ;requires openswan-3.1 or higher
    ;ipsec saref = yes （看上面的注释，openswan3.1及以上版本才需要打开这个参数，所以我注释掉了）
    最后tail -f /var/log/messages得到的信息，最后一行显示
    xl2tpd[14717]:Listening on IP address 192.168.1.249,port 1701这能说明xl2tpd在监听端口了吗？但前面仍然显示二进制模式不支持内核 L2TP

    Reply
38. billie says:

    May 30, 2011 at 4:29 pm

    先谢谢，照你的资料我的VPN拨通了，但是提示信息仍然是上面那些内容。您若有空讲解一下。我想知道
    1：xl2tpd[14124]:init_network:Unable to bind socket: Address already in use.Terminating.
    2：xl2tpd[145 87]:xl2tpd version xl2tpd-1.1.12 started on localhost.localdomain PID:14587 (备注：我这里有疑问，原来用的是1.1.12版本，不知道如何卸载，直接在xl2tpd-1.2.4中make install了，但现在看来没有覆盖，我该如何处理，需要kill 14587后再一次 make install吗？)
    如何处理，谢谢~~

    Reply

39. Pingback: Linode VPS上搭建L2TP/IPSec服务 | 网摘

40. liva says:

    July 9, 2011 at 4:16 am

    按照您的方法配置后，基本都正常，就是PSK不正常，无论是否输入PSK都可以连接上去，我发现日志中有错误信息
    Jul 8 15:31:31 s2 pluto[17238]: Using Linux 2.6 IPsec interface code on 2.6.32-305-ec2 (experimental code)
    Jul 8 15:31:31 s2 pluto[17239]: using /dev/urandom as source of random entropy
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): Activating : Ok (ret=0)
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_add(): ERROR: Algorithm already exists
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_add(): ERROR: Algorithm already exists
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_add(): ERROR: Algorithm already exists
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_add(): ERROR: Algorithm already exists
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_add(): ERROR: Algorithm already exists
    Jul 8 15:31:32 s2 pluto[17238]: ike_alg_register_enc(): Activating : FAILED (ret=-17)

    Reply
41. moper says:

    July 17, 2011 at 11:12 am

    来转转~~~

    Reply
42. zeng says:

    August 4, 2011 at 8:44 pm

    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
    -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp –dport 1701 -j ACCEPT
    -A INPUT -p udp -m udp –sport 1701 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
    -A INPUT -p udp -m udp –dport 17 -j ACCEPT
    -A INPUT -p udp -m udp –sport 17 -j ACCEPT
    -A INPUT -p udp -m udp –sport 17 -j ACCEPT
    -A INPUT -p udp -m udp –dport 17 -j ACCEPT
    -A INPUT -p udp -m udp –dport 500 -j ACCEPT
    -A INPUT -p udp -m udp –sport 500 -j ACCEPT
    -A INPUT -p udp -m udp –dport 4500 -j ACCEPT
    -A INPUT -p udp -m udp –sport 4500 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 4500 -j ACCEPT
    -A INPUT -p tcp -m tcp –sport 4500 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 500 -j ACCEPT
    -A INPUT -p tcp -m tcp –sport 500 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 1701 -j ACCEPT
    -A INPUT -p tcp -m tcp –sport 1701 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 500 -j ACCEPT
    -A INPUT -p tcp -m tcp –sport 500 -j ACCEPT
    -A INPUT -p udp -m udp –dport 50 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 50 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 51 -j ACCEPT
    -A INPUT -p udp -m udp –dport 51 -j ACCEPT
    -A INPUT -p udp -m udp –dport 47 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 47 -j ACCEPT
    -A INPUT -p udp -m udp –sport 51 -j ACCEPT
    -A INPUT -p tcp -m tcp –sport 51 -j ACCEPT
    -A INPUT -p udp -m udp –sport 50 -j ACCEPT
    -A INPUT -p tcp -m tcp –sport 50 -j ACCEPT
    -A INPUT -p udp -m udp –sport 47 -j ACCEPT
    -A INPUT -p tcp -m tcp –sport 47 -j ACCEPT
    -A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Thu Aug 4 20:39:48 2011
    # Generated by iptables-save v1.4.7 on Thu Aug 4 20:39:48 2011
    *nat
    :PREROUTING ACCEPT [2:66]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -j MASQUERADE
    -A POSTROUTING -j MASQUERADE
    COMMIT
    # Completed on Thu Aug 4 20:39:48 2011

    额的神 这个鬼东西要开什么端口才能用 我都开成这样了 还是不行 把INPUT设成ACCEPT是可以的 到底要开多少端口？

    Reply
    • zeng says:

      August 4, 2011 at 8:54 pm

      好了 搞定了 蛋疼
      iptables -A INPUT -p gre -j ACCEPT
      iptables -A INPUT -p ah -j ACCEPT
      iptables -A INPUT -p esp -j ACCEPT
      原来是这样

      Reply

43. Pingback: vpn之ipsec/l2tp - linux - vpn - ipses/l2tp - facebook_twitter_youtube_vimeo

44. Pingback: 使用 MySQL 进行 PPP 验证[zt] | 漂泊如风

45. Pingback: Tony的杂物仓库 » Strongswan+L2TP配置

46. Pingback: Tony的杂物仓库 » Strongswan+L2TP配置

47. Pingback: Tony的杂物仓库 » 架设L2TP/IPSec + MySQL + FreeRADIUS认证VPN

48. eggerr says:

    November 2, 2011 at 4:35 pm

    非常棒，谢谢您的分享。

    有一处大概需要更新，文中给出的xl2tpd下载地址已经不可用，我在他们的Mirror FTP上找到了旧版本的下载，也许节省后来者的一些时间。

    ftp://ftp.xelerance.com/xl2tpd/xl2tpd-1.2.4.tar.gz

    Reply

49. Pingback: 翻墙 | PPTP/L2TP+FreeRADIUS+MySQL搭建VPN认证和流量控制 | 中国数字时代

50. Pingback: PPTP/L2TP+FreeRADIUS+MySQL搭建VPN认证和流量控制 « 细节的力量

51. tjs says:

    December 2, 2011 at 3:46 pm

    楼主啊，太谢谢了。…………搞了好多天快两个星期了吧，终于连上了。唉，太激动了。谢谢。您最关键的一句：xl2tpd -D，帮我找到了错误。太谢谢了

    Reply
52. Roro Qiu says:

    December 5, 2011 at 10:40 pm

    你好，我的XEN VPS，用的是centos 5.7，装了个CSF防火墙之后VPN就只能连接上去，然后所有的网页都打不开了，我确定是开了UDP 500，4500，1701端口了，请问这个要怎么解决？感谢！

    Reply

53. Pingback: 在VPS上搭建L2TP/IPSec VPN | killedman

54. 嘻嘻哈 says:

    February 15, 2012 at 2:49 pm

    Two or more interfaces found, checking IP forwarding [Failed]
    绞尽脑汁，还是没办法。。

    Reply
    • gkp says:

      February 15, 2012 at 3:02 pm

      检查ip转发设置？多于一个网卡可能需要指定一个。

      Reply
55. Super says:

    February 23, 2012 at 9:02 pm

    求解，一步步严格按步骤来的

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.6.24/K(no kernel code presently loaded)
    Checking for IPsec support in kernel [FAILED]
    Checking for RSA private key (/etc/ipsec.secrets) [OK]
    Checking that pluto is running [FAILED]
    whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
    Two or more interfaces found, checking IP forwarding [FAILED]
    whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
    Checking NAT and MASQUERADEing
    Checking for ‘ip’ command [OK]
    Checking for ‘iptables’ command [OK]
    Opportunistic Encryption Support [DISABLED]

    Reply
56. 七月 says:

    February 23, 2012 at 11:32 pm

    运行ipsec verify命令后，提示如下：

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.6.24/K2.6.32.12-linode25 (netkey)
    Checking for IPsec support in kernel [FAILED]
    NETKEY detected, testing for disabled ICMP send_redirects [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking for RSA private key (/etc/ipsec.secrets) [OK]
    Checking that pluto is running [FAILED]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for NAT-T on udp 4500 [OK]
    Two or more interfaces found, checking IP forwarding [FAILED]
    Checking NAT and MASQUERADEing [OK]
    Checking for ‘ip’ command [OK]
    Checking for ‘iptables’ command [OK]
    Opportunistic Encryption Support [DISABLED]

    这个是什么原因?

    Reply
57. gkp says:

    February 24, 2012 at 4:28 pm

    楼上两位貌似都是内核里面没有 IPsec 的支持。。。

    Reply
58. oyzzj3s says:

    February 26, 2012 at 6:44 am

    linux 爱好者

    Reply
59. oyzzj3s says:

    February 26, 2012 at 6:46 am

    感觉您很热情有问题想请教您

    Reply
60. oyzzj3s says:

    February 26, 2012 at 6:56 am

    gkp 大哥您好，因为centos 6 中搭建L2TPVPN 无意中浏览到您的网站，里面有很多的很多的朋友在跟你请教问题，您也很热情，非常感谢，我现在，在centos 6中搭建好了 L2TP VPN可就是连接不上去报错 789 下面我把我的配置截图给你看：
    vim /etc/ipsec.conf
    config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

    conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=61.187.98.31
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    vim /etc/ipsec.secrecs
    include /etc/ipsec.d/*.secrets
    61.187.98.31 %any: PSK “key”

    vim /etc/xl2tpd/xl2tpd.conf
    [global]
    ipsec saref = yes

    listen-addr = 61.187.98.31
    [lns default]
    ip range = 192.168.10.2-192.168.10.254
    local ip = 192.168.10.1
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

    Reply
    • mihello says:

      May 17, 2013 at 9:45 am

      我也遇到798
      参考：
      http://woshiyu001.blog.51cto.com/672735/836809
      http://www.360doc.com/content/11/0328/16/6551060_105359550.shtml

      Reply
61. oyzzj3s says:

    February 26, 2012 at 7:00 am

    [root@localhost ~]# ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux Openswan U2.6.24/K2.6.32-220.4.2.el6.i686 (netkey)
    Checking for IPsec support in kernel [OK]
    NETKEY detected, testing for disabled ICMP send_redirects [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking for RSA private key (/etc/ipsec.secrets) [OK]
    Checking that pluto is running [OK]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for NAT-T on udp 4500 [OK]
    Checking for ‘ip’ command [OK]
    Checking for ‘iptables’ command [OK]
    Opportunistic Encryption Support [DISABLED]
    [root@localhost ~]# xl2tpd -D
    xl2tpd[9634]: Enabling IPsec SAref processing for L2TP transport mode SAs
    xl2tpd[9634]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
    xl2tpd[9634]: parse_config: line 3: Unknown field ‘liten-addr’
    xl2tpd[9634]: init: Unable to load config file
    [root@localhost ~]# vim /etc/xl2tpd/xl2tpd.conf
    [root@localhost ~]# xl2tpd -D
    xl2tpd[9637]: Enabling IPsec SAref processing for L2TP transport mode SAs
    xl2tpd[9637]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
    xl2tpd[9637]: setsockopt recvref[22]: Protocol not available
    xl2tpd[9637]: This binary does not support kernel L2TP.
    xl2tpd[9637]: xl2tpd version xl2tpd-1.2.4 started on localhost.localdomain PID:9637
    xl2tpd[9637]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[9637]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[9637]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[9637]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    xl2tpd[9637]: Listening on IP address 61.187.98.31, port 1701
    cat /var/log/secure
    Feb 26 14:59:22 localhost pluto[9801]: adding interface lo/lo 192.168.10.1:500
    Feb 26 14:59:22 localhost pluto[9801]: adding interface lo/lo 192.168.10.1:4500
    Feb 26 14:59:22 localhost pluto[9801]: adding interface lo/lo 127.0.0.1:500
    Feb 26 14:59:22 localhost pluto[9801]: adding interface lo/lo 127.0.0.1:4500
    Feb 26 14:59:22 localhost pluto[9801]: adding interface lo/lo ::1:500
    Feb 26 14:59:22 localhost pluto[9801]: loading secrets from “/etc/ipsec.secrets”
    Feb 26 14:59:22 localhost pluto[9801]: no secrets filename matched “/etc/ipsec.d/*.secrets”

    Reply
    • gkp says:

      February 26, 2012 at 10:04 am

      客户端是xp么？试试看修改注册表，在
      HKEY_Local_Machine\System\CurrentControl Set\Services\RasMan\Parameters
      增加一个类型为reg_dword的主键ProhibitIpSec，设置为1，重启试试看

      Reply
62. oyzzj3s says:

    February 26, 2012 at 3:40 pm

    我的客户端用的WIN7这个修改注册表的方法我也TEST了，我叫朋友用手机连也连不上，关键是 /var/log/secure Feb 26 14:59:22 localhost pluto[9801]: no secrets filename matched “/etc/ipsec.d/*.secrets” 出这个是什么意思呢，说KEY不匹配

    Reply
    • gkp says:

      February 26, 2012 at 3:53 pm

      试试看
      sudo ln -s /etc/ipsec.secrets /etc/ipsec.d/ipsec.secrets

      Reply
63. oyzzj3s says:

    February 26, 2012 at 4:24 pm

    貌似真的还是不行，从昨天晚上12点搞到早上7点，还真没搞出来，要不GKP大哥您登录我服务器上去看看？

    Reply
    • gkp says:

      February 27, 2012 at 5:23 am

      如果你不着急就行。。。我明天要出差。。

      Reply
64. oyzzj3s says:

    February 27, 2012 at 10:14 am

    嗯好的，可能您不方便公示您的QQ我告诉您我的吧，您有时间加1下非常感谢

    Reply
    • gkp says:

      February 27, 2012 at 11:23 am

      email 给我信息吧，gokeeper 在 gmail 的邮箱，另外留言下面有一个reply可以回复，最好不要每次都开一个新留言

      Reply
      • oyzzj3s says:

        February 28, 2012 at 12:47 am

        GOK大哥我已经把username and password 发您邮箱了，麻烦您抽空上去看看。

        Reply
      • oyzzj3s says:

        March 1, 2012 at 10:45 pm

        哥您看了下莫？知道什么问题吗？

        Reply
      • oyzzj3s says:

        March 3, 2012 at 7:58 pm

        哥,我看了1下，您好像上去看了吧，呵呵这个问题是不是比较蛋疼

        Reply
65. pgvpn says:

    March 19, 2012 at 1:52 am

    我遇到一个棘手的问题
    安装很顺利，连接也很成功，速度也不错
    但是
    连接上之后很快就会打不开页面了，网速边的很慢
    而且连接几次之后再运行ipsec verify检查就会发现pluto出错已经是failed状态
    重启ipsec服务后又正常，然后很快又不行，如此反复。

    Reply
    • gkp says:

      March 20, 2012 at 11:15 pm

      这个确实奇怪，换个 openswan 版本试试看？

      Reply
66. Roland says:

    April 22, 2012 at 3:53 pm

    xl2tpd+openswan如何支持NAT后多client同时访问问题。
    现在貌似已经解决了openswan的这部分，但xl2tpd有如下报错：
    xl2tpd[13705]: Can not find tunnel 45571 (refhim=0)
    xl2tpd[13705]: network_thread: unable to find call or tunnel to handle packet. call = 26242, tunnel = 45571 Dumping.
    期待回复。

    Reply
    • Daniel says:

      July 10, 2015 at 12:25 pm

      我也遇到了这个问题，请问后来是怎么解决的

      Reply
67. hiroko says:

    April 30, 2012 at 10:37 pm

    Apr 30 10:24:47 173 pptpd[3617]: CTRL: Starting call (launching pppd, opening GRE)
    Apr 30 10:24:47 173 pppd[3618]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Apr 30 10:24:47 173 pppd[3618]: pppd 2.4.4 started by root, uid 0
    Apr 30 10:24:47 173 pppd[3618]: Using interface ppp0
    Apr 30 10:24:47 173 pppd[3618]: Connect: ppp0 /dev/pts/1
    Apr 30 10:24:50 173 pptpd[3617]: GRE: read(fd=7,buffer=80515e0,len=8260) from network failed: status = -1 error = Protocol not available
    Apr 30 10:24:50 173 pptpd[3617]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
    Apr 30 10:24:50 173 pppd[3618]: Modem hangup
    Apr 30 10:24:50 173 pppd[3618]: Connection terminated.
    Apr 30 10:24:50 173 pppd[3618]: Exit.
    Apr 30 10:24:50 173 pptpd[3617]: CTRL: Client 118.248.161.105 control connection finished

    在连接PPTP的时候提示619错误
    使用L2TP方式正常

    Reply
68. hlcfan says:

    May 30, 2012 at 9:22 am

    你好，我昨晚已经弄好了。
    但是有一个问题，我用iPad连上后，只能上我vps上的网站，不能访问别的网站。我不知道为什么，求解决！谢谢！

    Reply
69. Sonic says:

    June 12, 2012 at 5:42 pm

    非常需要您的帮助。已经给您发邮件了。望能回复！谢谢。

    Reply
    • Sonic says:

      June 29, 2012 at 4:44 pm

      终于还是自己搞定了。我怎么觉得站长在iptables设置那一步有点问题？

      把我自己折腾的过程发了出来。跟大家共享：
      http://www.esojourn.org/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php

      Reply
70. Sonic says:

    June 12, 2012 at 7:47 pm

    给您发email了。现向您描述一下我现在的问题状况:
    我在/etc/ipsec.secrets里, 设置了密码
    114.243.xx.xx %any : PSK “xxxxxx”

    在win7的client里.如果l2tp设置里,使用这个密钥验证, 就会出现789错误
    同时，在/var/log/secure里,会有这样的记录：
    initial Main Mode message received on but no connection has been authorized with policy=PSK

    如果win7里，选择默认的用证书验证。那么可以连接vpn。但是这时候我的win7就无法访问internet了。任何网站都打不开。我的本意是要通过vpn server连接internet。

    望能指教！谢谢！

    Reply
    • Sonic says:

      June 12, 2012 at 8:13 pm

      看有的地方说，不打开iptables就无法访问公网。我打开iptables后，把500，4500，1701口都按udp协议打开了。但这时还是无法链接VPN。无奈把eth0设为可信。这样能够链接VPN，但仍然无法访问公网。

      Reply
      • Sonic says:

        June 12, 2012 at 8:30 pm

        发现win7联机后，得到了正确的IP地址，但得不到网关。请问这个要怎么设才能获取到？查了好多地方都没查到。。。

        Reply
      • Sonic says:

        June 29, 2012 at 1:14 pm

        可惜没能得到站长帮助。又痛苦得折腾了好久。最后终于搞定了。问题出在iptables的nat规则上。

        Reply
71. xifeng says:

    July 3, 2012 at 5:29 pm

    Jul 3 17:10:20 ubuntu-server pluto[7073]: packet from 192.168.0.179:500: received Vendor ID payload [RFC 3947] method set to=115
    Jul 3 17:10:20 ubuntu-server pluto[7073]: packet from 192.168.0.179:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
    Jul 3 17:10:20 ubuntu-server pluto[7073]: packet from 192.168.0.179:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
    Jul 3 17:10:20 ubuntu-server pluto[7073]: packet from 192.168.0.179:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Jul 3 17:10:20 ubuntu-server pluto[7073]: packet from 192.168.0.179:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    Jul 3 17:10:20 ubuntu-server pluto[7073]: packet from 192.168.0.179:500: received Vendor ID payload [Dead Peer Detection]
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: responding to Main Mode from unknown peer 192.168.0.179
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: STATE_MAIN_R1: sent MR1, expecting MI2
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: STATE_MAIN_R2: sent MR2, expecting MI3
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: Main mode peer ID is ID_IPV4_ADDR: ‘192.168.8.108’
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[1] 192.168.0.179 #1: switched from “L2TP-PSK-NAT” to “L2TP-PSK-NAT”
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: deleting connection “L2TP-PSK-NAT” instance with peer 192.168.0.179 {isakmp=#0/ipsec=#0}
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: new NAT mapping for #1, was 192.168.0.179:500, now 192.168.0.179:4500
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: Dead Peer Detection (RFC 3706): enabled
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
    Jul 3 17:10:20 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: received and ignored informational message
    Jul 3 17:10:21 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:21 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:21 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:21 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:21 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:24 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:24 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:24 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:24 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:24 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:27 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:27 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:27 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:27 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:27 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:30 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:30 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:30 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:30 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:30 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:33 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:33 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:33 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:33 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:33 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:36 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:36 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:36 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:36 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:36 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:39 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:39 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:39 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:39 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:39 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:42 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:42 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:42 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:42 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:42 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:45 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:45 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:45 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:45 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:45 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:48 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:48 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:48 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:48 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:48 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:52 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:52 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:52 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:52 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:52 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:55 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:55 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:55 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:55 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:55 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:10:58 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:10:58 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:10:58 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:10:58 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:10:58 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:11:01 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:11:01 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:11:01 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:11:01 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:11:01 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:11:04 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:11:04 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:11:04 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:11:04 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:11:04 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:11:07 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:11:07 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:11:07 ubuntu-server pluto[7073]: | payload malformed after IV
    Jul 3 17:11:07 ubuntu-server pluto[7073]: | 5c db 35 61 1e 7f 38 3a b9 e8 56 04 45 97 fe c3
    Jul 3 17:11:07 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: sending notification PAYLOAD_MALFORMED to 192.168.0.179:4500
    Jul 3 17:11:10 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Jul 3 17:11:10 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: malformed payload in packet
    Jul 3 17:11:10 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179 #1: too many (17) malformed payloads. Deleting state
    Jul 3 17:11:10 ubuntu-server pluto[7073]: “L2TP-PSK-NAT”[2] 192.168.0.179: deleting connection “L2TP-PSK-NAT” instance with peer 192.168.0.179 {isakmp=#0/ipsec=#0}

    Reply
72. Fredpata says:

    July 15, 2012 at 2:50 am

    我的ipsec verify中没有Two or more interfaces found, checking IP forwarding和Checking NAT and MASQUERADEing
    Checking for RSA private key (/etc/ipsec.secrets)
    这三项- -这是什么状况

    Reply
73. RichBei says:

    August 2, 2012 at 7:14 pm

    在反复验证了输入和设置，但是看Linode上的日志总是报错。请博主帮忙分析下我是什么原因？谢谢。下面的IP应该是本地电信的网关地址。

    $ “L2TP-PSK-NAT”[2] 182.151.203.19 #2: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory

    $ ERROR: asynchronous network error report on eth0 (sport=4500) for message to 182.151.203.19 port 27343,

    complainant 182.151.203.19: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

    Reply

74. Pingback: 在CentOS 6下配置 L2TP IPsec VPN服务器的六步 - 博客 - 伯乐在线

75. Pingback: 在CentOS 6下配置 L2TP IPsec VPN服务器的六步 | 吃杂烩

76. Pingback: Debian/Ubuntu L2TP/IPSec VPN 安装笔记 | BBC's Blog

77. fish says:

    October 24, 2012 at 3:56 pm

    如何在debian vps下，配置不带ipsec的l2tp vpn呢？博主可以亲自配一次不带ipsec的l2tp vpn吗？我试过多次，均失败了.

    我在centos vps下，用http://www.kwx.gd/CentOSApp/L2TP-VPN.html的一键安装包安装了l2tp,不过他这个l2tp是不带ipsec的。我在安卓手机上，可以用他这个l2tp vpn without ipsec来翻墙。

    (我在安卓手机上，连接不上带ipsec的l2tp vpn，虽然在pc上没问题。所以估计是运营商屏蔽了带ipsec的l2tp vpn，而未屏蔽不带ipsec的l2tp vpn)

    Reply
78. 黑木 says:

    October 28, 2012 at 8:21 pm

    成功搞定，特此留言感谢博主分享经验

    Reply

79. Pingback: PPTP/L2TP + FreeRADIUS + MySQL 安装与配置 | Neo’s Note

80. Pingback: Long Time No See ^_^ » VPS上基于Debian搭建和配置L2TP/IPsec VPN

81. Pingback: 【转】六步搞定centos 6下l2tp + ipsec VPN服务器配置 - 光子影音工作室，光影工作室 - 专注于家庭影音系统的设计、安装，提供个性化咨询方案。

82. Pingback: 乔大海个人网站 » CentOS Linux VPS安装L2TP/IPSec VPN

83. Pingback: 架设L2TP/IPSec + MySQL + FreeRADIUS认证VPN | 奋斗在美利坚

84. Pingback: 在Amazon EC2(Ubuntu)上搭建L2TP-IPsec VPN | Tian's blog

85. 子痕 says:

    September 6, 2013 at 10:27 pm

    我装的openswan-2.6.39.tar.gz，貌似找不到文件 /etc/init.d/ipsec

    Reply

86. Pingback: CentOS 安装 L2TP/Ipsec VPN 方法锦集 | 子痕的博客

87. Pingback: Debian/Ubuntu 安装 L2TP/IPSec方式 VPN - Rolay's Blog

88. Pingback: Linode L2TP VPN 搭建 « Worldpillar

89. Pingback: 在Ubuntu上配置L2TP/IPsec VPN | ASPIRE

90. Pingback: [转载]VPS上Debian 6.0配置pure IPsec实现ios/win/android多平台VPN客户端的访问 – 一秒钟的梦

91. 求助 says:

    September 1, 2014 at 6:33 pm

    博主配置成功后连接不到1分钟就自动断开，请教博主怎么回事啊？？

    Sep 1 10:26:00 localhost xl2tpd[4807]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
    Sep 1 10:26:14 localhost pppd[4820]: pppd 2.4.5 started by root, uid 0
    Sep 1 10:26:14 localhost pppd[4820]: Using interface ppp0
    Sep 1 10:26:14 localhost pppd[4820]: Connect: ppp0 /dev/pts/7
    Sep 1 10:26:14 localhost NetworkManager[1944]: (ppp0): new Generic device (driver: ‘unknown’ ifindex: 37)
    Sep 1 10:26:14 localhost NetworkManager[1944]: (ppp0): exported as /org/freedesktop/NetworkManager/Devices/36
    Sep 1 10:26:15 localhost pppd[4820]: Couldn’t set pass-filter in kernel: Invalid argument
    Sep 1 10:26:15 localhost pppd[4820]: Unsupported protocol ‘Compression Control Protocol’ (0x80fd) received
    Sep 1 10:26:15 localhost pppd[4820]: Cannot determine ethernet address for proxy ARP
    Sep 1 10:26:15 localhost pppd[4820]: local IP address 10.5.1.2
    Sep 1 10:26:15 localhost pppd[4820]: remote IP address 10.5.1.10
    Sep 1 10:27:12 localhost pppd[4820]: Modem hangup
    Sep 1 10:27:12 localhost pppd[4820]: Connect time 1.0 minutes.
    Sep 1 10:27:12 localhost pppd[4820]: Sent 1300022 bytes, received 109862 bytes.
    Sep 1 10:27:12 localhost pppd[4820]: Connection terminated.
    Sep 1 10:27:12 localhost avahi-daemon[1530]: Withdrawing workstation service for ppp0.
    Sep 1 10:27:12 localhost pppd[4820]: Terminating on signal 15
    Sep 1 10:27:12 localhost pppd[4820]: Exit.

    Reply

92. Pingback: 在DigitalOcean上 一键搭建WindowsPhone可用的L2TP的VPN | quericy Eden*

93. Pingback: PS CentOS下IPSec L2TP VPN的安装 – 大刚博客

94. Pingback: [转载]VPS上Debian 6.0配置pure IPsec实现ios/win/android多平台VPN客户端的访问 | 一秒钟的梦

95. Pingback: 艰难的架设了 VPN – 人到中年