openswan NAT-T ika sa無法協商
openswan NAT-T ika sa無法協商
兩端都是linux RHEL5.2 2.6.19內核,安裝openswan 2.6.22(26sec),Road Warrior連接方式,如果兩端都是公網ip那麼ike sa和ipsec sa都能協商成功連接正常,如果laptop在NAT后,那麼就會報sent MI3, expecting MR3,一直sent MI3, expecting MR3
"testvpn" #31: initiating Main Mode to replace #30
"testvpn" #31: received Vendor ID payload
"testvpn" #31: received Vendor ID payload
"testvpn" #31: received Vendor ID payload method set to=109
"testvpn" #31: enabling possible NAT-traversal with method 4
"testvpn" #31: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"testvpn" #31: STATE_MAIN_I2: sent MI2, expecting MR2
"testvpn" #31: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
"testvpn" #31: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"testvpn" #31: STATE_MAIN_I3: sent MI3, expecting MR3
"testvpn" #31: discarding duplicate packet; already STATE_MAIN_I3
《解決方案》
好像罈子里的大牛討論openvpn的比較多,openswan或freeswan的很少哦,我覺得就傳輸的效率來講openswan要優於openvpn。
《解決方案》
回復 #1 ljily000 的帖子
一般是xl2tpd
《解決方案》
回復 #3 kns1024wh 的帖子
多謝kns1024wh 頂貼!
xl2tpd是l2tp吧,l2tp好像要依賴於pppd吧,而且這個穿越NAT好像是有問題的,linux內核打了補丁可以支持,一般普通的路由器好像不支持。
openswan的nat穿越是依賴於udp的,但是我不知道我錯在哪裡了。
ipsec.conf里 nat_traversal=yes
