25.10. Testing the installation

Reboot both gateways to start FreeS/WAN. Check the /var/log/messages file for any signs of trouble. If all goes well, you should see something like this in /var/log/messages:

Feb  2 05:22:35 deep ipsec_setup: Starting FreeS/WAN IPSEC snap2000jan31b...
Feb  2 05:22:35 deep ipsec_setup: KLIPS debug `none'
Feb  2 05:22:35 deep ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Feb  2 05:22:36 deep ipsec_setup: Disabling core dumps:
Feb  2 05:22:36 deep ipsec_setup: Starting Pluto (debug `none'):
Feb  2 05:22:37 deep ipsec_setup: Loading Pluto database `deep-mail':
Feb  2 05:22:37 deep ipsec_setup: Enabling Pluto negotiation:
Feb  2 05:22:37 deep ipsec_setup: Routing for Pluto conns `deep-mail':
Feb  2 05:22:37 deep ipsec_setup: Initiating Pluto tunnel `deep-mail':
Feb  2 05:22:39 deep ipsec_setup: 102 "deep-mail" #1: STATE_MAIN_I1: initiate
Feb  2 05:22:39 deep ipsec_setup: 104 "deep-mail" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
Feb  2 05:22:39 deep ipsec_setup: 106 "deep-mail" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
Feb  2 05:22:39 deep ipsec_setup: 004 "deep-mail" #1: STATE_MAIN_I4: SA established
Feb  2 05:22:39 deep ipsec_setup: 110 "deep-mail" #2: STATE_QUICK_I1: initiate
Feb  2 05:22:39 deep ipsec_setup: 004 "deep-mail" #2: STATE_QUICK_I2: SA established
Feb  2 05:22:39 deep ipsec_setup: ...FreeS/WAN IPSEC started

Check the /var/log/secure file for any signs of trouble. If all goes well, you should see something like the following:

Feb 21 14:45:42 deep Pluto[432]: Starting Pluto (FreeS/WAN Version 1.3)
Feb 21 14:45:43 deep Pluto[432]: added connection description "deep-mail"
Feb 21 14:45:43 deep Pluto[432]: listening for IKE messages
Feb 21 14:45:43 deep Pluto[432]: adding interface ipsec0/eth0 192.168.1.1
Feb 21 14:45:43 deep Pluto[432]: loading secrets from "/etc/ipsec.secrets"
Feb 21 14:45:43 deep Pluto[432]: "deep-mail" #1: initiating Main Mode
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #1: ISAKMP SA established
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #2: initiating Quick Mode POLICY_RSASIG+POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_TUNNEL+POLICY_PFS
Feb 21 14:45:46 deep Pluto[432]: "deep-mail" #2: sent QI2, IPsec SA established
Feb 21 14:45:47 deep Pluto[432]: "deep-mail" #3: responding to Main Mode
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #3: sent MR3, ISAKMP SA established
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #4: responding to Quick Mode
Feb 21 14:45:50 deep Pluto[432]: "deep-mail" #4: IPsec SA established

On both gateways, the following entries should now exist in the /proc/net/ directory:
[root@deep] /# ls -l /proc/net/ipsec_*

-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_eroute
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_klipsdebug
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spi
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spigrp
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spinew
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_tncfg
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_version

The IPSEC interfaces should be attached on top of the specified physical interfaces. Confirm this with the following command:
[root@deep] /# cat /proc/net/ipsec_tncfg

ipsec0 -> eth0 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0
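
As an added check that is not part of the original guide, the following POSIX shell script applies the two tests described above (both the ISAKMP and the IPsec SA reported as established in /var/log/secure, and ipsec0 bound to a real physical interface in /proc/net/ipsec_tncfg) to constructed copies of the excerpts shown. The SECURE_LOG and TNCFG variables and the helper names are assumptions; on a real gateway you would feed it the actual files.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the FreeS/WAN startup
# evidence described in this section. Inputs are constructed from the log
# excerpts on this page so the script runs offline.

# Constructed excerpt of /var/log/secure (Pluto lines only).
SECURE_LOG='Feb 21 14:45:43 deep Pluto[432]: added connection description "deep-mail"
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #1: ISAKMP SA established
Feb 21 14:45:46 deep Pluto[432]: "deep-mail" #2: sent QI2, IPsec SA established'

# Constructed contents of /proc/net/ipsec_tncfg.
TNCFG='ipsec0 -> eth0 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0'

# check_sa CONN LOGTEXT: succeed only when BOTH the phase 1 (ISAKMP) and the
# phase 2 (IPsec) SA for connection CONN were reported established. A phase 1
# success alone means IKE worked but no tunnel keys were negotiated.
check_sa() {
    conn=$1; log=$2
    printf '%s\n' "$log" | grep -q "\"$conn\" #[0-9]*: ISAKMP SA established" || return 1
    printf '%s\n' "$log" | grep -q "\"$conn\" #[0-9]*: .*IPsec SA established" || return 1
    return 0
}

# check_attached IFACE TNCFGTEXT: succeed only when the virtual IPsec interface
# IFACE is bound to a physical interface (not NULL) with a non-zero MTU.
check_attached() {
    iface=$1; cfg=$2
    line=$(printf '%s\n' "$cfg" | grep "^$iface -> ")
    [ -n "$line" ] || return 1
    phys=$(printf '%s\n' "$line" | awk '{print $3}')
    mtu=$(printf '%s\n' "$line" | sed 's/.*mtu=\([0-9]*\).*/\1/')
    [ "$phys" != "NULL" ] && [ "$mtu" -gt 0 ]
}

# Stand-alone run: report the verdict for the constructed samples.
check_sa deep-mail "$SECURE_LOG" && echo "deep-mail: ISAKMP and IPsec SAs established" \
    || echo "deep-mail: an SA is missing, inspect /var/log/secure"
check_attached ipsec0 "$TNCFG" && echo "ipsec0 is attached to a physical interface" \
    || echo "ipsec0 is not attached, check /proc/net/ipsec_tncfg"
```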

Now run the following command to display a minimal amount of debugging information, and check whether the output looks like this:
[root@deep] /# ipsec look

deep.openna.com Fri Feb  4 17:25:17 EST 2000
============-============
192.168.1.1/32     -> 192.168.1.2/32     => tun0x106@192.168.1.2 esp0x4450894d@192.168.1.2 ah0x4450894c@192.168.1.2
------------=------------
ah0x3350f551@192.168.1.1 AH_HMAC_MD5: dir=in ooowin=32 seq=115 bit=0xffffffff alen=128 aklen=16 life(c,s,h)=bytes(16140,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
ah0x4450894c@192.168.1.2 AH_HMAC_MD5: dir=out ooowin=32 seq=2828 alen=128 aklen=16 life(c,s,h)=bytes(449488,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
esp0x3350f552@192.168.1.1 ESP_3DES: dir=in ooowin=32 seq=115 bit=0xffffffff eklen=24 life(c,s,h)=bytes(13380,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
esp0x4450894d@192.168.1.2 ESP_3DES: dir=out ooowin=32 seq=2828 eklen=24 life(c,s,h)=bytes(381616,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
tun0x105@192.168.1.1 IPIP: dir=in 192.168.1.2 -> 192.168.1.1 life(c,s,h)=add(51656,0,0)
tun0x106@192.168.1.2 IPIP: dir=out 192.168.1.1 -> 192.168.1.2 life(c,s,h)=bytes(327581,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.1.2     192.168.1.2     255.255.255.255 UGH       0 0          0 ipsec0

Try pinging 192.168.1.2 from the 192.168.1.1 client. If this works, you have set it up correctly. If it does not work, check your network to make sure that 208.164.186.1 can reach 208.164.186.2, that TCP-IP forwarding is enabled, and that no firewall rules block the packets or try to masquerade them before the rules that allow IPSec-related traffic. For this test to be meaningful, it is important to use a ping that goes from one subnet to the other.

  208.164.186.1 ---- 205.151.222.250 ---- 205.151.222.251 ---- 208.164.186.2
        |                                                            |
  192.168.1.0/24                                              192.168.1.0/24
        |                                                            |
  192.168.1.1                                                  192.168.1.2

A final note about testing the FreeS/WAN IPSEC installation: if you run into a problem you cannot solve, you can use the following command to produce a collection of debugging information (file contents, log excerpts, and so on). Anything related to the IPSEC encryption/authentication system should be sent to the Linux-IPSEC mailing list to get help. Use the following command to generate the collected debugging output:
[root@deep] /# ipsec barf > result
This command is primarily intended to facilitate remote debugging: it is a single command that packages up and labels all the information that might be relevant to diagnosing a problem in IPSEC.