openswan源码ubantu下编译、安装、基本环境搭建

openswan的编译过程

文章目录

      • openswan的编译过程
      • 1. 下载源码:
      • 2. 在虚拟机上解压后编译:
        • 2.1 查看INSTALL文件
        • 2.2 查看文件buildlin.sh文件
      • 3. 查看是否安装成功:
        • 3.1 查看版本信息:
        • 3.2 执行ipsec verify命令:
        • 3.3 启动IPSec服务:
        • 3.4 修改配置文件:
        • 3.4 修改配置文件:
        • 3.5 重新启动ipsec功能:
        • 3.6 添加自己的隧道环境配置

1. 下载源码:

对于openswan源码,我们是从官网上下载的。这里提供两个不同的网站:

  • 专门下载openswan源码的网站

    ​ openswan官网1源码下载

  • openswan官网页面

    ​ openswan官网2源码下载

2. 在虚拟机上解压后编译:

我解压后的源码目录为:root@ubantu:/usr/src/openswan-2.6.51.5#

2.1 查看INSTALL文件

root@ubantu:/usr/src/openswan-2.6.51.5# cat INSTALL 

Please read the documentation in doc/ & docs/

Building userland: 

	make programs install

Building KLIPS kernel module on 2.4 (assuming your kernel source is /usr/src/linux-2.4)

	make KERNELSRC=/usr/src/linux-2.4 module minstall

Building KLIPS kernel module on 2.6

	make KERNELSRC=/lib/modules/`uname -r`/build module minstall
root@ubantu:/usr/src/openswan-2.6.51.5#

从这个文件可以看出直接运行make programs install命令即可。直接输入该命令进行编译:

root@ubantu:/usr/src/openswan-2.6.51.5# make programs install
OBJDIR: OBJ.linux.x86_64
(cd /usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 && OBJDIRTOP=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 OBJDIR=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 make programs )
make[1]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
make[2]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib/libopenswan'
CC id.c
In file included from /usr/src/openswan-2.6.51.5/include/certs.h:24:0,
                 from /usr/src/openswan-2.6.51.5/lib/libopenswan/id.c:42:
/usr/src/openswan-2.6.51.5/include/secrets.h:20:10: fatal error: gmp.h: No such file or directory
 #include     /* GNU MP library */
          ^~~~~~~
compilation terminated.
/usr/src/openswan-2.6.51.5/lib/libopenswan/Makefile:175: recipe for target 'id.o' failed
make[3]: *** [id.o] Error 1
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib/libopenswan'
/usr/src/openswan-2.6.51.5/lib/Makefile:37: recipe for target 'programs' failed
make[2]: *** [programs] Error 1
make[2]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib'
Makefile:10: recipe for target 'programs' failed
make[1]: *** [programs] Error 1
make[1]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
Makefile:185: recipe for target 'programs' failed
make: *** [programs] Error 2
root@ubantu:/usr/src/openswan-2.6.51.5#

提示有错误:/usr/src/openswan-2.6.51.5/include/secrets.h:20:10: fatal error: gmp.h: No such file or directory

2.2 查看文件buildlin.sh文件

由于提示上述错误,且INSTALL文件中也没有相关说明,因此我看了下其他的文件,发现在buildlin.sh中有相关的依赖。从这个名字上就能看出这个是Linux下的自动编译脚本,因此我就尝试运行了下:

root@ubantu:/usr/src/openswan-2.6.51.5# ./buildlin.sh 
You need to install libgmp-dev.
    apt-get install libgmp-dev
or  yum install gmp-dev

You need to install bison.
    apt-get install bison
or  yum install bison
You need to install flex.
    apt-get install flex
or  yum install flex
root@ubantu:/usr/src/openswan-2.6.51.5# 

提示的结果是:缺少相应的库,而第一个和我们上述的错误是相关的。因此一次安装提示的几个库:

apt-get install libgmp-dev
apt-get install bison
apt-get install flex

安装成功后,重新执行make programs install(这实际上是两个命令make programsmake install,可以分开单独执行),结果成功编译安装:

root@ubantu:/usr/src/openswan-2.6.51.5# make programs install
OBJDIR: OBJ.linux.x86_64
(cd /usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 && OBJDIRTOP=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 OBJDIR=/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64 make programs )
make[1]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
make[2]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/lib/libopenswan'
CC id.c
CC initaddr.c
CC initsaid.c
CC initsubnet.c
CC iprange.c
CC keyblobtoid.c
CC kernel_alg.c
CC lex.c
CC mpzfuncs.c
CC optionsfrom.c
CC oswconf.c
... ...
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/tncfg'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/klipsdebug'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/klipsdebug'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/pf_key'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/pf_key'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.mast'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.mast'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_startnetkey'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_startnetkey'
make[3]: Entering directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.netkey'
make[3]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs/_updown.netkey'
make[2]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64/programs'
make[1]: Leaving directory '/usr/src/openswan-2.6.51.5/OBJ.linux.x86_64'
mkdir -p /usr/local/libexec/ipsec
if [ -n '' ]; then echo ' ' >/usr/local/lib/ipsec/vendor.txt; fi
root@ubantu:/usr/src/openswan-2.6.51.5#

3. 查看是否安装成功:

3.1 查看版本信息:

root@ubantu:/usr/src/openswan-2.6.51.5/docs# ipsec --version
Linux Openswan U2.6.51.5/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
root@ubantu:/usr/src/openswan-2.6.51.5/docs# 

可以看出我安装的是Linux Openswan U2.6.51.5/K版本

3.2 执行ipsec verify命令:


注意:下面可能只是我的虚拟环境配置导致的问题,不是没有给人会遇到(如果是纯净的环境可能会遇到)


执行ipsec verify命令后提示有错误:命令找不到

root@ubantu:/etc/ipsec.d/examples# ipsec verify
/usr/local/sbin/ipsec: 148: exec: /usr/local/libexec/ipsec/verify: not found
root@ubantu:/etc/ipsec.d/examples# 

然后我进入到此目录,查看verify命令是否存在:

root@ubantu:/usr/local/libexec/ipsec# ls *verify*
verify  verify.old
root@ubantu:/usr/local/libexec/ipsec# 

结果是存在此文件(命令),然后我查看了下是否有执行权限:

root@ubantu:/usr/local/libexec/ipsec# ll
total 24112
drwxr-xr-x 2 root root    4096 4月  30 09:03 ./
drwxr-xr-x 3 root root    4096 4月  30 08:10 ../
-rwxr-xr-x 1 root root 1473304 4月  30 09:03 addconn*
-rwxr-xr-x 1 root root 1473304 4月  30 09:02 addconn.old*
-rwxr-xr-x 1 root root    5122 4月  30 09:03 auto*
-rwxr-xr-x 1 root root    5122 4月  30 09:02 auto.old*
-rwxr-xr-x 1 root root   11297 4月  30 09:03 barf*
-rwxr-xr-x 1 root root   11297 4月  30 09:02 barf.old*
-rwxr-xr-x 1 root root  498600 4月  30 09:03 eroute*
-rwxr-xr-x 1 root root  498600 4月  30 09:02 eroute.old*
-rwxr-xr-x 1 root root  442432 4月  30 09:03 ikeping*
-rwxr-xr-x 1 root root  442432 4月  30 09:02 ikeping.old*
-rwxr-xr-x 1 root root    1028 4月  30 09:03 initnss*
-rwxr-xr-x 1 root root    1028 4月  30 09:02 initnss.old*
-rwxr-xr-x 1 root root  430320 4月  30 09:03 klipsdebug*
-rwxr-xr-x 1 root root  430320 4月  30 09:02 klipsdebug.old*
-rwxr-xr-x 1 root root    2783 4月  30 09:03 look*
-rwxr-xr-x 1 root root    2783 4月  30 09:02 look.old*
-rwxr-xr-x 1 root root    2480 4月  30 09:03 newhostkey*
-rwxr-xr-x 1 root root    2480 4月  30 09:02 newhostkey.old*
-rwxr-xr-x 1 root root  400136 4月  30 09:03 pf_key*
-rwxr-xr-x 1 root root  400136 4月  30 09:02 pf_key.old*
-rwxr-xr-x 1 root root 5405512 4月  30 09:03 pluto*
-rwxr-xr-x 1 root root 5405512 4月  30 09:02 pluto.old*
-rwxr-xr-x 1 root root   12349 4月  30 09:03 policy*
-rwxr-xr-x 1 root root   12349 4月  30 09:02 policy.old*
-rwxr-xr-x 1 root root   35784 4月  30 09:03 ranbits*
-rwxr-xr-x 1 root root   35784 4月  30 09:02 ranbits.old*
-rwxr-xr-x 1 root root  106800 4月  30 09:03 rsasigkey*
-rwxr-xr-x 1 root root  106800 4月  30 09:02 rsasigkey.old*
-rwxr-xr-x 1 root root     704 4月  30 09:03 secrets*
-rwxr-xr-x 1 root root     704 4月  30 09:02 secrets.old*
lrwxrwxrwx 1 root root      17 4月  30 09:03 setup -> /etc/init.d/ipsec*
-rwxr-xr-x 1 root root    1126 4月  30 09:03 showdefaults*
-rwxr-xr-x 1 root root    1126 4月  30 09:02 showdefaults.old*
-rwxr-xr-x 1 root root 1296672 4月  30 09:03 showhostkey*
-rwxr-xr-x 1 root root 1296672 4月  30 09:02 showhostkey.old*
-rwxr-xr-x 1 root root  670080 4月  30 09:03 spi*
-rwxr-xr-x 1 root root  464944 4月  30 09:03 spigrp*
-rwxr-xr-x 1 root root  464944 4月  30 09:02 spigrp.old*
-rwxr-xr-x 1 root root  670080 4月  30 09:02 spi.old*
-rwxr-xr-x 1 root root    1064 4月  30 09:03 status*
-rwxr-xr-x 1 root root    1064 4月  30 09:02 status.old*
-rwxr-xr-x 1 root root  426232 4月  30 09:03 tncfg*
-rwxr-xr-x 1 root root  426232 4月  30 09:02 tncfg.old*
-rwxr-xr-x 1 root root   16879 4月  30 09:03 verify*
-rwxr-xr-x 1 root root   16879 4月  30 09:02 verify.old*
-rwxr-xr-x 1 root root  579136 4月  30 09:03 whack*
-rwxr-xr-x 1 root root  579136 4月  30 09:02 whack.old*
root@ubantu:/usr/local/libexec/ipsec# 

第48行显示是有执行权限的,那么是怎么回事呢?

我又查看了下verify这个文件的类型:

root@ubantu:/usr/local/libexec/ipsec# file verify
verify: Python script, ASCII text executable
root@ubantu:/usr/local/libexec/ipsec# 

结果显示:verify是一个python脚本

然后我又看了先我的虚拟机是否有安装python工具:通过输入python命令或者直接输入刚才要执行的命令python verify都可以看到以下提示信息:

root@ubantu:/usr/local/libexec/ipsec# python

Command 'python' not found, but can be installed with:

apt install python3       
apt install python        
apt install python-minimal

You also have python3 installed, you can run 'python3' instead.

结果自然是没有安装python环境,于是乎我按提示安装最小的python环境apt install python-minimal

root@ubantu:/usr/local/libexec/ipsec# apt install python-minimal
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.18.0-15 linux-headers-4.18.0-15-generic linux-image-4.18.0-15-generic linux-modules-4.18.0-15-generic
  linux-modules-extra-4.18.0-15-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libpython-stdlib python python2.7 python2.7-minimal
Suggested packages:
  python-doc python-tk python2.7-doc binfmt-support
The following NEW packages will be installed:
  libpython-stdlib python python-minimal python2.7 python2.7-minimal
0 upgraded, 5 newly installed, 0 to remove and 265 not upgraded.
Need to get 1,717 kB of archives.
After this operation, 4,990 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://cn.archive.ubuntu.com/ubuntu bionic-updates/main amd64 python2.7-minimal amd64 2.7.17-1~18.04ubuntu1 [1,294 kB]
Get:2 http://cn.archive.ubuntu.com/ubuntu bionic/main amd64 python-minimal amd64 2.7.15~rc1-1 [28.1 kB]
Get:3 http://cn.archive.ubuntu.com/ubuntu bionic-updates/main amd64 python2.7 amd64 2.7.17-1~18.04ubuntu1 [248 kB]
Get:4 http://cn.archive.ubuntu.com/ubuntu bionic/main amd64 libpython-stdlib amd64 2.7.15~rc1-1 [7,620 B]                                       
Get:5 http://cn.archive.ubuntu.com/ubuntu bionic/main amd64 python amd64 2.7.15~rc1-1 [140 kB]                                                  
Fetched 1,717 kB in 6s (278 kB/s)                                                                                                               
Selecting previously unselected package python2.7-minimal.
(Reading database ... 208792 files and directories currently installed.)
Preparing to unpack .../python2.7-minimal_2.7.17-1~18.04ubuntu1_amd64.deb ...
Unpacking python2.7-minimal (2.7.17-1~18.04ubuntu1) ...
Selecting previously unselected package python-minimal.
Preparing to unpack .../python-minimal_2.7.15~rc1-1_amd64.deb ...
Unpacking python-minimal (2.7.15~rc1-1) ...
Selecting previously unselected package python2.7.
Preparing to unpack .../python2.7_2.7.17-1~18.04ubuntu1_amd64.deb ...
Unpacking python2.7 (2.7.17-1~18.04ubuntu1) ...
Selecting previously unselected package libpython-stdlib:amd64.
Preparing to unpack .../libpython-stdlib_2.7.15~rc1-1_amd64.deb ...
Unpacking libpython-stdlib:amd64 (2.7.15~rc1-1) ...
Setting up python2.7-minimal (2.7.17-1~18.04ubuntu1) ...
Linking and byte-compiling packages for runtime python2.7...
Setting up python-minimal (2.7.15~rc1-1) ...
Selecting previously unselected package python.
(Reading database ... 208849 files and directories currently installed.)
Preparing to unpack .../python_2.7.15~rc1-1_amd64.deb ...
Unpacking python (2.7.15~rc1-1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.2) ...
Setting up python2.7 (2.7.17-1~18.04ubuntu1) ...
Setting up libpython-stdlib:amd64 (2.7.15~rc1-1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1.1) ...
Setting up python (2.7.15~rc1-1) ...
root@ubantu:/usr/local/libexec/ipsec# 

成功安装上python后,重新执行ipsec verify,结果如下:

root@ubantu:/usr/local/libexec/ipsec# ipsec verify
/usr/local/libexec/ipsec/verify 
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                   	[OK]
Openswan U2.6.51.5/K5.3.0-46-generic (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects            	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                         	[OK]
Hardware random device check                      	[N/A]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE on tcp 500               	[NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto listening for IKE/NAT-T on tcp 4500        	[NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)     	[NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]

ipsec verify: encountered errors
root@ubantu:/usr/local/libexec/ipsec# 

算是解决了ipsec verify无法显示的问题。

3.3 启动IPSec服务:

通过命令/etc/init.d/ipsec start命令来启动IPSec服务(为啥我的服务打印了这么多信息我还不清楚,原来大的环境记得没这么多内容,但是应该不是出错的原因):

root@ubantu:/usr/local/libexec/ipsec# /etc/init.d/ipsec start
export IPSECconfreadstatus=''
export IPSECklipsdebug=''
export IPSECplutodebug=''
export IPSECplutostderrlogtime='no'
export IPSECplutorestartoncrash='yes'
export IPSECdumpdir='/var/run/pluto/'
export IPSECplutowait='no'
export IPSECoe='no'
export IPSECfragicmp='yes'
export IPSEChidetos='yes'
export IPSECuniqueids='yes'
export IPSECnocrsend='no'
export IPSECstrictcrlpolicy='no'
export IPSECforce_busy='no'
export IPSECvirtual_private='%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10'
export IPSECnat_traversal='yes'
export IPSECdisable_port_floating='no'
export IPSECforce_keepalive='no'
export IPSECprotostack='auto'
export IPSECnhelpers='-1'
export IPSECsecctx_attr_value='32001'
# obsolete option 'IPSECforwardcontrol' ignored
# obsolete option 'IPSECrp_filter' ignored
# obsolete option 'IPSECplutofork' ignored
<27>Apr 30 10:09:19 ipsec_setup: /usr/local/lib/ipsec/_realsetup start
<27>Apr 30 10:09:19 ipsec_setup: Starting Openswan IPsec 2.6.51.5...
<27>Apr 30 10:09:19 ipsec_setup: /usr/local/lib/ipsec/_startklips --info /var/run/pluto/ipsec.info --debug  --omtu  --fragicmp  --hidetos  --log daemon.error %defaultroute
<27>Apr 30 10:09:19 ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
<27>Apr 30 10:09:20 ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
<27>Apr 30 10:09:20 ipsec_setup: /usr/local/lib/ipsec/_startnetkey 
<27>Apr 30 10:09:20 ipsec_setup: MANUALSTART_confreadstatus=
<27>Apr 30 10:09:20 ipsec_setup: MANUALSTART_confreadnames=""
<27>Apr 30 10:09:20 ipsec_setup: /usr/local/lib/ipsec/_plutorun --debug  --uniqueids yes --force_busy  --nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive  --protostack auto --force_keepalive  --disable_port_floating no --virtual_private  --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog  --wait no --plutostderrlogtime no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
root@ubantu:/usr/local/libexec/ipsec# 

然后重新通过ipsec verify查看启动情况:

root@ubantu:/usr/local/libexec/ipsec# ipsec verify
/usr/local/libexec/ipsec/verify 
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                   	[OK]
Openswan U2.6.51.5/K5.3.0-46-generic (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
         ICMP default/accept_redirects            	[NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                         	[OK]
Hardware random device check                      	[N/A]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE on tcp 500               	[NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500        	[DISABLED]
 Pluto listening for IKE/NAT-T on tcp 4500        	[NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)     	[NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]

ipsec verify: encountered errors
root@ubantu:/usr/local/libexec/ipsec# 

该启动的基本成功启动。

3.4 修改配置文件:

3.4 修改配置文件:

由于使用ipsec verify命令查询模块信息时会提示Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!类似的信息,因此需要修改配置禁用ICMP的重定向功能。我根据网上的资料,整理了一个shell脚本。直接运行脚本即可:

#########################################################################
# File Name: openswan_redirects.sh
# Author: Toney Sun
# mail: [email protected]
# Created Time: 2020年05月01日 星期五 10时33分15秒
#########################################################################
#!/bin/bash

for each in /proc/sys/net/ipv4/conf/*
do
	echo ${
     each##*/}
    #echo 0 > $each/send_redirects
    #echo 0 > $each/accept_redirects
    echo "net.ipv4.conf.${each##*/}.send_redirects=0" >> /etc/sysctl.conf
    echo "net.ipv4.conf.${each##*/}.accept_redirects=0" >> /etc/sysctl.conf
done
sysctl -p

3.5 重新启动ipsec功能:

再次输入命令重启ipsec功能:/etc/init.d/ipsec restart

root@ubantu:/etc/ipsec.d# 
root@ubantu:/etc/ipsec.d# /etc/init.d/ipsec restart
<27>May  1 14:43:01 ipsec_setup: Stopping Openswan IPsec...
<27>May  1 14:43:02 ipsec_setup: Starting Openswan IPsec U2.6.51.5/K5.3.0-51-generic...
root@ubantu:/etc/ipsec.d# 

注意:我在3.3时,启动ipsec服务,打印了很多内容,这里确实是有问题的,可能是配置文件有错误导致的。我花费了一个上午的时间也没有找到是什么原因。后来更换了一个配置文件(自己写的ipsec隧道连接信息)就好了:(。我想说的是正常的启动只有上述两行打印信息。。。

3.6 添加自己的隧道环境配置

这里我添加上自己的配置信息,这是个最基本的隧道协商配置,可以协商成功:

  • /etc/ipsec.conf

    这个文件是openswan安装后的一个配置文件,可以在这个文件里添加隧道配置信息,但是我不推荐,因为我想尽可能的保留它的原有信息。只添加了最后一行,引入自己的配置文件(ipsec_.conf)

    # /etc/ipsec.conf - Openswan IPsec configuration file
    
    # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
    #
    # Manual:     ipsec.conf.5
    
    
    version	2.0	# conforms to second version of ipsec.conf specification
    
    # basic configuration
    config setup
    	# Do not set debug options to debug configuration issues!
    	# plutodebug / klipsdebug = "all", "none" or a combination from below:
    	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    	# eg:
    	# plutodebug="control parsing"
    	# Again: only enable plutodebug or klipsdebug when asked by a developer
    	#
    	# enable to get logs per-peer
    	# plutoopts="--perpeerlog"
    	#
    	# Enable core dumps (might require system changes, like ulimit -C)
    	# This is required for abrtd to work properly
    	# Note: incorrect SElinux policies might prevent pluto writing the core
    	dumpdir=/var/run/pluto/
    	#
    	# NAT-TRAVERSAL support, see README.NAT-Traversal
    	nat_traversal=yes
    	# exclude networks used on server side by adding %v4:!a.b.c.0/24
    	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
    	# using 25/8 as "private" address space on their 3G network.
    	# This range has not been announced via BGP (at least upto 2010-12-21)
    	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    	# OE is now off by default. Uncomment and change to on, to enable.
    	oe=off
    	# which IPsec stack to use. auto will try netkey, then klips then mast
    	#protostack=auto
    	protostack=netkey
    	# Use this to log to a file, or disable logging on embedded systems (like openwrt)
    	plutostderrlog=/var/log/pluto.log
    
    # Add connections here
    
    # sample VPN connection
    # for more examples, see /etc/ipsec.d/examples/
    #conn sample
    #		# Left security gateway, subnet behind it, nexthop toward right.
    #		left=10.0.0.1
    #		leftsubnet=172.16.0.0/24
    #		leftnexthop=10.22.33.44
    #		# Right security gateway, subnet behind it, nexthop toward left.
    #		right=10.12.12.1
    #		rightsubnet=192.168.0.0/24
    #		rightnexthop=10.101.102.103
    #		# To authorize this connection, but not actually start it, 
    #		# at startup, uncomment this.
    #		#auto=add
    include /etc/ipsec.d/ipsec_.conf
    
  • /etc/ipsec.d/ipsec_.conf

这个文件完全是自己的(当然是参考给的demo)隧道配置信息:

conn test

        auto=start
        pfs=no                  # PFS(Perfect Forward Secrecy)
        compress=no             # IP Compression
        type=tunnel     
        keyingtries=0
        disablearrivalcheck=no

        ## phase 1 ##
        ike=aes128-sha1;modp1024  # 第一阶段参数
        ikelifetime=86400s        # 第一阶段的生存时间
        keyexchange=ike
        ## phase 2 ##
        phase2alg=aes128-sha1     # 第二阶段参数
        salifetime=3600s          # 第二阶段参数
        phase2=esp

        left=192.168.1.3
        leftid=@left
        leftsubnet=10.28.1.0/24
        leftsourceip=192.168.1.3
        leftnexthop=%defaultroute

        right=192.168.1.13
        rightid=@right
        rightsubnet=10.28.2.0/24
        rightsourceip=192.168.1.13
        rightnexthop=%defaultroute
       
	# rsakey AQPGLAfkE
	leftrsasigkey=0sAQPGLAfkEfGISg4FfXZqRe47LMX5sGyG+0ec1b5FWDriEpy4tiOvjusVzx2eyP3PTM+J9uKW93GxRugxpqa82O/aegGpnUpWGHBnEBBIvjpiMawrv3RhtCYeXodMKKqI6jhdEYzU69AYHkbPI3jOtk8TVYhaoSEkDRoBkbUzasAXOCrxL6a61G8C8XwOaW0qz+yEaoYwh/Nhc0fz1li/vQWofwXuR7ZQ5FlfDUY+JCgqbIhpmUfA9mRtawqIupYxQO3j55lhX4yUT9mBcRl9dlUNZnNEXL3hvoIABm/O+xMTwM695JBF0lVM5MJ/zizy7TsbHFJlNEPuGMI/An4FseHK0pQwe4BUZ08A8izIiI9ZT4Lp
	# rsakey AQOzIeXfR
	rightrsasigkey=0sAQOzIeXfRPL5ODGw97Y6wwotc9LExdihgdfxprYLKukKSpe3oH9G6smILqqkU+8INImuHwpL7mDPqKxDWb/YiYxRgRciXAMkuhq8c/IjcVIbK9EXSmWyPkC1Rn5+cD+2FDUd85FtQWMlEObwLJDC0UxqN5ZoFr7sR0Kur9LqZFS1FlD72E/x3RckY1R/LiR27R83Zv2EXEi1lhYf/ZstKPsGuzlEAzSnyV6jRz9Urz/SFrnyL8vGapiq5p6q+PkBEqsw97Wp8taj8tzK+lH1oxMB4+ArUKhGNk/w+tKPgKrLI8AR2nh2892P6cN0dta83t67k8Mf0ZrOCpxWLcZUnjLkFBvs9fJca3ONXH2RA+jMjn1l

隧道两端可以使用同一个配置文件(已经区分开了左右的配置)。


隧道协商过程抓包如下:
openswan源码ubantu下编译、安装、基本环境搭建_第1张图片

使用命令行查看状态信息如下:

root@ubantu:/home# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface ens33/ens33 2409:8a00:18eb:2b00:69e6:ab5c:116a:da03 (AF_INET6)
000 interface ens33/ens33 2409:8a00:18eb:2b00:cdca:7d9:32ac:4d08 (AF_INET6)
000 interface lo/lo ::1 (AF_INET6)
000 interface lo/lo 127.0.0.1 (AF_INET)
000 interface lo/lo 127.0.0.1 (AF_INET)
000 interface ens33/ens33 192.168.1.3 (AF_INET)
000 interface ens33/ens33 192.168.1.3 (AF_INET)
000 using secrets file: /etc/ipsec.secrets
000 %myid = (none)
000 debug none
000  
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets: 
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 
000          private address space in internal use, it should be excluded!
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {
     curr_cnt, total_cnt, maxsz} :context={
     0,2,64} trans={
     0,2,3072} attrs={
     0,2,2048} 
000  
000 "test": 10.28.1.0/24===192.168.1.3[@left]---192.168.1.1...192.168.1.1---192.168.1.13[@right]===10.28.2.0/24; erouted; eroute owner: #4
000 "test":     myip=192.168.1.3; hisip=192.168.1.13;
000 "test":   keys: 1:8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022 2:none...
000 "test":        ....1:AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D 2:none 
000 "test":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
000 "test":   policy: RSASIG+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: ens33; kind=CK_PERMANENT
000 "test":   newest ISAKMP SA: #1; newest IPsec SA: #4; eroute owner: #4;
000 "test":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "test":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "test":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "test":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "test":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "test":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000  
000 #3: "test":500 IKEv1.0 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3207s; isakmp#2; idle; import:not set
000 #3: "test" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #2: "test":500 IKEv1.0 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 86007s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #4: "test":500 IKEv1.0 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2940s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "test" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #1: "test":500 IKEv1.0 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85579s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000  
root@ubantu:/home# 

从80行开始便是隧道协商信息。

日志信息如下:

root@ubantu:/var/log# cat pluto.log 
Plutorun started on Fri May 1 15:06:45 CST 2020
adjusting ipsec.d to /etc/ipsec.d
Labelled IPsec not enabled; value 32001 ignored.
Starting Pluto (Openswan Version 2.6.51.5; Vendor ID OSW~|tYiWYsW) pid:25601
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=25603 (fd:7)
Using Linux XFRM/NETKEY IPsec interface code on 5.3.0-51-generic
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
using /dev/urandom as source of random entropy
loaded key: 8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022
loaded key: AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D
use keyid: 1:8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022 / 2:<>
use keyid: 1:AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D / 2:<>
adding connection: "test"
listening for IKE messages
adding interface ens33/ens33 192.168.1.3:500 (AF_INET)
adding interface ens33/ens33 192.168.1.3:4500
adding interface lo/lo 127.0.0.1:500 (AF_INET)
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500 (AF_INET6)
adding interface ens33/ens33 2409:8a00:18eb:2b00:cdca:7d9:32ac:4d08:500 (AF_INET6)
adding interface ens33/ens33 2409:8a00:18eb:2b00:69e6:ab5c:116a:da03:500 (AF_INET6)
loading secrets from "/etc/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQPGLAfkE/8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022
| creating SPD to 192.168.1.3->spi=[email protected] proto=61
| creating SPD to 192.168.1.3->spi=[email protected] proto=61
"test" #1: initiating Main Mode
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
pending Quick Mode with 192.168.1.13 "test" took too long -- replacing phase 1
"test" #1: ERROR: asynchronous network error report on ens33 (sport=500) for message to 192.168.1.13 port 500, complainant 192.168.1.13: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
packet from 192.168.1.13:500: received Vendor ID payload [Openswan (this version) 2.6.51.5 ]
packet from 192.168.1.13:500: received Vendor ID payload [Dead Peer Detection]
packet from 192.168.1.13:500: received Vendor ID payload [RFC 3947] method set to=115 
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
packet from 192.168.1.13:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
"test" #2: responding to Main Mode
"test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"test" #2: STATE_MAIN_R1: sent MR1, expecting MI2
"test" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
"test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #2 INITIATOR keylen is 20
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #2 RESPONDER keylen is 0
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/ikev1_main.c:1206: encryptor 'aes' expects keylen 16/128, SA #2 INITIATOR keylen is 20
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/ikev1_main.c:1206: encryptor 'aes' expects keylen 16/128, SA #2 RESPONDER keylen is 0
"test" #2: Main mode peer ID is ID_FQDN: '@right'
"test" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"test" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG oursig= theirsig=AQOzIeXfR cipher=aes_128 prf=oakley_sha group=modp1024}
"test" #2: the peer proposed: 10.28.1.0/24:0/0 -> 10.28.2.0/24:0/0
"test" #3: responding to Quick Mode proposal {msgid:d7a7bc25}
"test" #3:     us: 10.28.1.0/24===192.168.1.3[@left]---192.168.1.1
"test" #3:   them: 192.168.1.1---192.168.1.13[@right]===10.28.2.0/24
| creating SPD to 192.168.1.13->spi=[email protected] proto=4
"test" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"test" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
| creating SPD to 192.168.1.3->spi=[email protected] proto=4
"test" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"test" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4476710a <0xaaa03819 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"test" #1: received Vendor ID payload [Openswan (this version) 2.6.51.5 ]
"test" #1: received Vendor ID payload [Dead Peer Detection]
"test" #1: received Vendor ID payload [RFC 3947] method set to=115 
"test" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
"test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #1 INITIATOR keylen is 20
| WARNING: /usr/src/openswan-2.6.51.5/programs/pluto/crypt_start_dh.c:160: encryptor 'aes' expects keylen 16/128, SA #1 RESPONDER keylen is 0
"test" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
"test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"test" #1: received Vendor ID payload [CAN-IKEv2]
"test" #1: Main mode peer ID is ID_FQDN: '@right'
"test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG oursig= theirsig=AQOzIeXfR cipher=aes_128 prf=oakley_sha group=modp1024}
"test" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:e65ec697 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
| creating SPD to 192.168.1.3->spi=[email protected] proto=4
"test" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"test" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5863f7d3 <0xf2d719f9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
root@ubantu:/var/log# 

至此,openswan才是真的编译、安装、环境搭建完毕。

你可能感兴趣的:(openswan源码分析,openswan编译安装,ipsec,verify,ipsec,openswan)