Ubuntu 10.4: troubleshooting notes from setting up an IPsec environment with RSA authentication using Openswan

Source: Internet
Author: User
Note: the shared folder is attached to the virtual machine with sudo mount -t vboxsf down /mnt/share. The virtual machine runs under Oracle VirtualBox, so the file system type is vboxsf; with the guest additions installed, "down" is the device name inside the virtual machine, i.e. the shared-folder name assigned in VirtualBox to a directory on the Windows host, and it is mounted at /mnt/share.

Problems reported by ipsec verify, and their fixes:

1. Checking that pluto is running [FAILED]
   whack: is Pluto running? connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
   If this occurs, restart the service with: sudo service ipsec restart

2. NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
   NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
   Create a file dis.sh in /home/xjp and add /home/xjp/dis.sh to /etc/rc.local so that it runs at every boot. dis.sh contains:

       #!/bin/bash
       # Disable send redirects
       echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
       echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
       echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
       echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
       echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
       # Disable accept redirects
       echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
       echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
       echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
       echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
       echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects

3. Modify the kernel parameters and firewall. Edit /etc/sysctl.conf (vi /etc/sysctl.conf) and change

       net.ipv4.ip_forward = 0
       net.ipv4.conf.default.rp_filter = 1

   to

       net.ipv4.ip_forward = 1
       net.ipv4.conf.default.rp_filter = 0

   then run sysctl -p to make the settings take effect.

4. NAT settings: add the following commands to /etc/rc.local on the LServer so that NAT is set up automatically at boot:

       iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 10.10.20.0/24 -j MASQUERADE
       iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/24 -d 10.10.10.0/24 -j MASQUERADE

Other operations can be found via Google search. Attached below is the online troubleshooting manual.

3.1 Basic approach to IPsec VPN troubleshooting

When an IPsec VPN problem occurs, the most direct symptom is that the remote internal network cannot be reached through the IPsec VPN. Depending on the situation, either the IPsec tunnel cannot be established, the tunnel is established but the remote internal network cannot be accessed, or the tunnel is intermittently disconnected. Reading the IPsec debug output locates the problem fastest, but that requires familiarity with the debug messages. This section describes general detection methods for the three cases.

1. The IPsec VPN tunnel cannot be established. Detection: use show cry ike proposal and sh cry ipsec proposal to check whether the IKE and IPsec policies are the same on both ends; use sh cry policy to check whether the protected data streams at both ends match.
2. The IPsec tunnel is established but the remote internal network cannot be accessed. Detection: use sh ip esp to check whether inbound and outbound data exist; check whether the access list denies the protected data streams.
3. The IPsec tunnel disconnects. Detection: check whether a physical line is intermittently disconnected and whether there is a network address conflict.

3.2 Common IPsec VPN faults

Fault 1: the IPsec VPN tunnel cannot be established. Possible causes, judgment methods and solutions:

1. The two VPN devices cannot communicate with each other.
   Ping the other end from one VPN device. If the ping fails, check the network connection first.
2. Both ends can be pinged, but IKE negotiation packets are not received.
   1) Check whether the VPN is configured with an ACL or whether there is a firewall in front of it; if IKE negotiation packets are blocked, open UDP ports 500 and 4500 on the ACL or firewall.
   2) Check whether the intranet port of the initiating VPN device is UP. In particular, the 3005C-104 uses the SW interface as the intranet port; if no LAN port is connected to a PC, the SW port cannot come UP, so an extended ping to the peer fails.
3. Both ends use certificate authentication but have no certificate or the certificate is invalid; or pre-shared key authentication is used but no key is configured.
   1) show cry ike sa shows no IKE tunnel information;
   2) debug cry ike normal reports: % IKE-ERR: can't initiate, no available authentication material (cert/psk);
   3) use sh crypto ca certificates to check whether the certificate is valid.
4. The IKE and IPsec policies on the two ends are inconsistent.
   1) In main mode the IKE state stops at STATE_MAIN_I1; in aggressive mode it stops at STATE_AGGR_I1. The policies may then differ between the two ends; use show cry ike proposal and show cry ipsec proposal to check whether the policies at both ends are the same.
   2) debug cry ike normal shows: ignoring notification payload, type NO_PROPOSAL_CHOSEN.
5. Both VPN devices are configured with an ID that is not an IP address (a domain name or other) as their identity, but IKE negotiation uses main mode.
   1) The ike key has an identity configured, but the tunnel configuration has set mode main;
   2) check whether the IKE state stops at STATE_MAIN_I1.
6. The peer VPN device has a wrong ID configured, or no ID.
   1) The ike key has an identity configured, but no ID is configured in the tunnel configuration;
   2) check whether the IKE state stops at STATE_AGGR_I1;
   3) log shows: % IKE-ERR: Aggressive Mode packet from container 0.0.2: 500 has invalid error.
7. One of the two VPN devices does not support NAT traversal.
   In main mode, if the IKE state stops at STATE_MAIN_I2, the VPN device may not support NAT traversal. Our VPN devices support it by default; devices from other manufacturers generally do not.
8. The pre-shared keys of the two VPN devices differ.
   1) In main mode, the IKE state stops at STATE_MAIN_I3, which indicates that the pre-shared keys on the two ends may differ.
   2) Use show run cry key to check whether the keys at both ends are the same.
9. The protected data streams at both ends do not match.
   1) The IKE state stops at STATE_QUICK_I1, which indicates that the VPN pre-shared keys on both ends may differ;
   2) show cry ipsec sa shows no IPsec tunnel;
   3) error in the log: % IKE-ERR: cannot respond to IPsec SA request for instance-65666: 30.0.0.0/0 = 255.0.0.2 (255.0.0.2 )... ike0.0.1 (255.0.0.1) === 192.168.0.0/16:0/0

Note: when the first phase of IKE uses aggressive mode, the SA, key exchange and authentication payloads are all transmitted in the same negotiation, so general IKE errors leave the IKE SA in STATE_AGGR_I1. The judgments above on phase-one problems are therefore mostly based on main mode.

Fault 2: the VPN tunnel is connected, but business traffic fails. Possible causes, judgment methods and solutions:

1. Business data goes through NAT instead of the VPN tunnel: the device is configured with NAT translation, and the access list does not exclude the VPN's business data from it.
   1) Check the access list to determine which data it matches;
   2) check the output data with show cry ipsec sa or show ip esp;
   3) modify the access list so that VPN data is not NAT-translated.
2. No route points to the peer VPN gateway, or the gateway is set incorrectly.
   1) Ping the server from the central VPN device to check whether it is reachable;
   2) if step 1 succeeds, check with show cry ipsec sa or show ip esp on the client VPN device: output data is present but input data does not increase, while the central VPN device has input data but no output;
   3) on the server side, set the route for the branch's CIDR block to point to the intranet port of the central IPsec VPN device.
3. The line PMTU causes large packets to be discarded.
   1) Some business software (such as some financial software or applications that download a large amount of data) shows a login interface, but the username and password get no response;
   2) the client can ping the server with the default ping packet size, but a large ping packet fails;
   3) set the MTU of the server NIC equal to the line PMTU.

Fault 3: the VPN is intermittently disconnected. Possible causes, judgment methods and solutions:

1. The public network connection is unstable.
   1) Run ping tests to detect physical line problems;
   2) connect a PC directly to the public network to test whether the connection drops;
   3) for dynamic dial-up, change idle-timeout to 0.
2. The IPsec SAs at both ends lose synchronization after a line failure.
   1) Check whether DPD is disabled on both VPN devices;
   2) use show cry ipsec sa to check whether the SPIs at both ends differ;
   3) manually clear the tunnel at both ends to re-establish it, or enable DPD to solve the synchronization problem.
3. Duplicate branch VPN configurations.
   1) When a tunnel drops: the connection is normal with only one branch, but when a second or a specific branch connects, only one IPsec tunnel can be established correctly or the connection is interrupted;
   2) on the central VPN device, when a branch cannot establish a VPN tunnel, a related IPsec data stream exists;
   3) change the CIDR block on that branch's VPN, or use aggressive mode and configure a different ID.

The above information is for reference only. Source: the column dainiao01.
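The ipsec verify fixes in steps 2 and 3 of the host setup above (disable ICMP redirects, enable forwarding, clear rp_filter) can be audited before restarting Openswan with the following script, added here as an example and not part of the original notes; it assumes the output of sysctl -a has been saved to a file, and takes the interface names eth0, eth1 and lo from the page's dis.sh.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the kernel settings that
# "ipsec verify" complains about on an Openswan NETKEY host, by reading a saved
# "sysctl -a" dump instead of /proc, so it runs unprivileged and on a capture.

required_settings() {
    # Values the page's dis.sh and sysctl.conf edits are meant to produce.
    # The interface list (eth0, eth1, lo) is assumed from the page's script.
    echo "net.ipv4.ip_forward=1"
    echo "net.ipv4.conf.default.rp_filter=0"
    for i in all default eth0 eth1 lo; do
        echo "net.ipv4.conf.$i.send_redirects=0"
        echo "net.ipv4.conf.$i.accept_redirects=0"
    done
}

# Report every required setting that is wrong or missing in the dump file;
# the exit status is the number of such settings (0 = host is ready).
audit_ipsec_sysctl() {
    file=$1; bad=0
    for pair in $(required_settings); do
        key=${pair%%=*}; want=${pair#*=}
        # sysctl -a prints "key = value"; tolerate missing spaces around "=".
        have=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1)
        if [ "$have" != "$want" ]; then
            echo "FAIL $key = ${have:-<missing>} (want $want)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ] && echo "OK: all NETKEY-related settings are in place"
    return "$bad"
}

# Constructed sample dump (not a real capture): forwarding is still off, eth0
# still sends redirects and the lo entries are absent, so the audit reports 4.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
EOF
```

Run it as audit_ipsec_sysctl "$SAMPLE" on the constructed dump, or as audit_ipsec_sysctl <(sysctl -a) on a live host before the next sudo service ipsec restart.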