我试图通过IPSec隧道连接到Asterisk的SIP中继线,似乎它没有路由正常......因为我来自OpenVPN我以为IPSec启用了一些接口并放置了流量通过。
我会在这里列出我的IP-s为X,Y,Z ......
我的IPSec配置是:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
interfaces="%defaultroute"
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null
conn sTest01
type=tunnel
connaddrfamily=ipv4
left=XXX.XXX.XXX.XXX
leftnexthop=%defaultroute
leftsourceip=XXX.XXX.XXX.XXX
right=YYY.YYY.YYY.YYY
rightid=YYY.YYY.YYY.YYY
rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32
#rightsubnet=0.0.0.0/0
pfs=no
keyingtries=4
rekeymargin=15m
authby=secret
ike=aes256-sha1;modp1536
phase2alg=aes256-sha1;modp1536
lifetime=28800s
auto=start
conn sTest02
type=tunnel
connaddrfamily=ipv4
left=XXX.XXX.XXX.XXX
leftnexthop=%defaultroute
leftsourceip=XXX.XXX.XXX.XXX
right=YYY.YYY.YYY.YYY
rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32
#rightsubnet=0.0.0.0/0
pfs=no
keyingtries=4
rekeymargin=15m
authby=secret
ike=aes256-sha1;modp1536
phase2alg=aes256-sha1;modp1536
lifetime=28800s
auto=start
我的路由表:
root@lix ~ # netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
1 Trunk XXX.XXX.XXX.XXX 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
2 Trunk XXX.XXX.XXX.XXX 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
84.XXX.XXX.0 0.0.0.0 255.255.192.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
ipsec验证
root@lix ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.12.28+ (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
当我在日志中重启ipsec时,我看不到任何异常。
日志:
Feb 9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:35 lix ipsec_setup: Stopping Openswan IPsec...
Feb 9 16:22:39 lix kernel: [ 1066.612566] NET: Unregistered protocol family 15
Feb 9 16:22:39 lix ipsec_setup: ...Openswan IPsec stopped
Feb 9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:39 lix kernel: [ 1066.965557] NET: Registered protocol family 15
Feb 9 16:22:39 lix ipsec_setup: Starting Openswan IPsec U2.6.37/K3.12.28+...
Feb 9 16:22:40 lix ipsec_setup: Using NETKEY(XFRM) stack
Feb 9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec_setup: ...Openswan IPsec started
Feb 9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb 9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix pluto: adjusting ipsec.d to /etc/ipsec.d
Feb 9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb 9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest01"
Feb 9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest02"
Feb 9 16:22:42 lix ipsec__plutorun: 104 "sTest01" #1: STATE_MAIN_I1: initiate
捶
root@lix ~ # ipsec whack --name sTest01 --initiate
002 "sTest01" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:ea6824a9 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest01" #4: STATE_QUICK_I1: initiate
002 "sTest01" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest01" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2caadd64 <0x69b0a0e0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
root@lix ~ # ipsec whack --name sTest02 --initiate
002 "sTest02" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:956ccc0e proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest02" #5: STATE_QUICK_I1: initiate
002 "sTest02" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest02" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6e58c948 <0x7177b9ed xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Asterisk CLI:
lix*CLI> sip show peers
Name/username Host Dyn Forcerport ACL Port Status
peer 80.XX.XXX.149 N 5060 UNREACHABLE
如果有人请求帮助,如果有人需要,我可以发布其他信息,
感谢
答案 0 :(得分:0)
完成隧道设置后,您需要重新启动星号。
您已将localnet或externip设置为您的vpn地址。
对不起,没办法帮助你,因为你有太多的信息。