openswan ipsec vpn
xiangtianwen posted on 2008-10-27 10:42
Platform: RHEL 5.2
Packages: openswan-2.6.14-1.el5_2.1.i386.rpm and openswan-doc-2.6.14-1.el5_2.1.i386.rpm

(192.168.10.1/24)eth1------eth0------***********----------eth0------eth1(192.168.20.1/24)
                           219.133.122.60                  219.133.122.61
                           left: RA                        right: RB

The external gateway of both machines is 219.133.122.33.

RA's /etc/ipsec.conf is configured as follows:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        interfaces="ipsec0=eth0"
#conn %default
#       authby=rsasig
#       compress=yes
#include /etc/ipsec.d/*.conf
conn net-to-net
        left=219.133.122.60
        leftsubnet=192.168.10.0/24
        leftid=@RA
        leftnexthop=219.133.122.33
        right=219.133.122.61
        rightsubnet=192.168.20.0/24
        rightid=@RB
        rightnexthop=219.133.122.33
        auto=add
        # rsakey AQNwW24lN
        leftrsasigkey=0sAQNwW24lN7pVyRsTI1JQ0cx3ROBUIkZEYLjPLkj8ExdkGFHxaSTljh9kyiXRLpUgYNG3RP+2wzTWND1jkodLcEDF7/kjTmbTaPdIFTWwZsS0teY8xpIEQWNU+wLprlIltcE27fVdBIuT7Daxl+QpltiE+hU3sYL8zci3yQ4IjqQlpIwpsAigEQyC8fP/VU6mwggYJMldhn13LKcAkeEJrtUC5HlUgqvE6av9j+dvslbff4CmC4e1zMQyFmUMBZdwJ69Xb68SjCPYgPKEFXG8J+HoFLx5QeFxZEGVnjm+c0YiTD1WUY9kNPQ95i9Ri/FzZMCJR86f7T4VEi8qDf6/GpLt+sFvH0fgWcNOec0joeiiIWjh
        # rsakey AQOA5kj4t
        rightrsasigkey=0sAQOA5kj4tIh0w8u8ECJ8SmPc/ITs3cyjRtm8k27B1JMq+E1TF6iYHvlHIxsiDPCt0Rx8Pv9HTaIyOGYjBBrVC9fAvsOosTnC1aMw+OEd3oznZ96o+iyv9MT66VnUX48hIqsQEGn9p4j9+9sYnzIyv1e/gN1NneZJUuy293+41OfZojnHd7hN1DkLVyZnV0JXc0Fcv+126hptNU4uRERja4fKNb7cW2pmmMMR6p28/75WpM9/YJuIsgQ9MlghHFABhuMvdTeO7p+nasoMlFKVooOWtSbR64S8aPe78TZa+ZnloMO/NcmQymnN6ek52lsChf5Uoq9/70YOsFDt5dnYxbFXX61KYhElJd5KP29FWAHzcApD

RB's /etc/ipsec.conf is configured as follows:

ipsec_setup: Starting Openswan IPsec U2.6.14/K2.6.18-92.el5...
ipsec_setup:
ipsec_setup:
[root@RA etc]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        interfaces="ipsec0=eth0"
#conn %default
#       authby=rsasig
#       compress=yes
#include /etc/ipsec.d/*.conf
conn net-to-net
        left=219.133.122.60
        leftsubnet=192.168.10.0/24
        leftid=@RA
        leftnexthop=219.133.122.33
        right=219.133.122.61
        rightsubnet=192.168.20.0/24
        rightid=@RB
        rightnexthop=219.133.122.33
        auto=add
        leftrsasigkey=0sAQNwW24lN7pVyRsTI1JQ0cx3ROBUIkZEYLjPLkj8ExdkGFHxaSTljh9kyiXRLpUgYNG3RP+2wzTWND1jkodLcEDF7/kjTmbTaPdIFTWwZsS0teY8xpIEQWNU+wLprlIltcE27fVdBIuT7Daxl+QpltiE+hU3sYL8zci3yQ4IjqQlpIwpsAigEQyC8fP/VU6mwggYJMldhn13LKcAkeEJrtUC5HlUgqvE6av9j+dvslbff4CmC4e1zMQyFmUMBZdwJ69Xb68SjCPYgPKEFXG8J+HoFLx5QeFxZEGVnjm+c0YiTD1WUY9kNPQ95i9Ri/FzZMCJR86f7T4VEi8qDf6/GpLt+sFvH0fgWcNOec0joeiiIWjh
        rightrsasigkey=0sAQOA5kj4tIh0w8u8ECJ8SmPc/ITs3cyjRtm8k27B1JMq+E1TF6iYHvlHIxsiDPCt0Rx8Pv9HTaIyOGYjBBrVC9fAvsOosTnC1aMw+OEd3oznZ96o+iyv9MT66VnUX48hIqsQEGn9p4j9+9sYnzIyv1e/gN1NneZJUuy293+41OfZojnHd7hN1DkLVyZnV0JXc0Fcv+126hptNU4uRERja4fKNb7cW2pmmMMR6p28/75WpM9/YJuIsgQ9MlghHFABhuMvdTeO7p+nasoMlFKVooOWtSbR64S8aPe78TZa+ZnloMO/NcmQymnN6ek52lsChf5Uoq9/70YOsFDt5dnYxbFXX61KYhElJd5KP29FWAHzcApD

Both machines run:

[root@RB etc]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.14/K2.6.18-92.el5...
ipsec_setup:
ipsec_setup:

On RB, run:

[root@RB etc]# ipsec auto --up net-to-net
104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.6.14 ]
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "net-to-net" #1: received Vendor ID payload [CAN-IKEv2]
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x74fd141e <0x22314f32 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root@RB etc]#

On one of the machines, run:

[root@RB etc]# ipsec setup --status
IPsec running - pluto pid: 4186
pluto pid 4186
No tunnels up
[root@RB etc]#

Why? Why won't it come up? I hope the experts can give me some pointers!!!
Experts, please help!!!
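A check that answers the question the post leaves open, added here as an example and not code from the original post: it parses the pluto messages printed by `ipsec auto --up` above (embedded as a constructed sample) and reports whether both IKE phases completed, whether NAT was detected, and whether any negotiated algorithm is weak. The message layout and the failure keywords matched are assumptions drawn from the log lines shown, not an Openswan API.

```python
import re

# Constructed sample: the pluto messages printed by `ipsec auto --up net-to-net`
# in the post above, one message per line (vendor-ID lines omitted for space).
SAMPLE = """\
104 "net-to-net" #1: STATE_MAIN_I1: initiate
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x74fd141e <0x22314f32 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

MSG_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')  # rc-code "conn" #sa: text (assumed layout)
KV_RE = re.compile(r'(\w+)=([^\s{}]+)')                   # key=value pairs inside {...}
WEAK = {"des", "3des", "md5", "modp768", "modp1024"}      # algorithms worth a warning

def parse_pluto_output(text):
    """Summarise phase 1 (ISAKMP SA) and phase 2 (IPsec SA) per connection name."""
    conns = {}
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        _code, name, _sa, msg = m.groups()
        c = conns.setdefault(name, {"ike": None, "ipsec": None, "nat": None, "problems": []})
        if "ISAKMP SA established" in msg:
            c["ike"] = dict(KV_RE.findall(msg))
        elif "IPsec SA established" in msg:
            c["ipsec"] = dict(KV_RE.findall(msg))
        elif "NAT-Traversal: Result" in msg:
            c["nat"] = "no NAT detected" not in msg
        elif "retransmi" in msg or "failed" in msg or "no acceptable" in msg:
            c["problems"].append(msg)   # assumed failure phrases, not an exhaustive list
    return conns

def tunnel_status(conn):
    """Return (is_up, warnings): up only if both phases completed and nothing failed."""
    is_up = bool(conn["ike"]) and bool(conn["ipsec"]) and not conn["problems"]
    warnings = list(conn["problems"])
    if conn["ike"] and conn["ike"].get("auth") != "OAKLEY_RSA_SIG":
        warnings.append("phase 1 authenticated with %s, not RSA signatures" % conn["ike"].get("auth"))
    for params in (conn["ike"], conn["ipsec"]):
        for key, val in (params or {}).items():
            weak = WEAK & set(re.findall(r"[a-z0-9]+", val.lower()))
            if weak:
                warnings.append("%s=%s uses weak algorithm %s" % (key, val, ",".join(sorted(weak))))
    return is_up, warnings
```

By this reading the quoted log shows the tunnel established with RSA-signature authentication and no weak algorithms; on the NETKEY stack the kernel's own view of live SAs is `ip xfrm state` and `ip xfrm policy`, which is the check to prefer over the "No tunnels up" line.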