==== .conf formatting problems ========================
Not much has to be added to this file, but the indentation matters.
/etc/ipsec.conf
config setup
	protostack=netkey
	interfaces="%defaultroute"
The two lines are parameters of the config setup section and must be indented under it (a TAB here; any leading whitespace is accepted, but keep it consistent). A line that starts in column 0 is read as a new section header, not as a parameter.
Put comments on their own line; do not append them to a parameter line.
/etc/ipsec.d/l2tp-ipsec.conf
conn L2TP-PSK-NAT
	rightsubnet=0.0.0.0/0
	dpddelay=10
	dpdtimeout=20
	dpdaction=clear
	forceencaps=yes
	also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=152.32.123.45
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
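As an added example (not from the original notes and not Libreswan code), the following POSIX sh/awk script checks a config fragment for exactly the two mistakes above, a parameter line that is not indented under its section and a comment appended to a parameter line, and rewrites the file so every parameter sits under its header with one TAB and each trailing comment moves to its own line. The sample fragment, the temporary file names and the function names are constructed here; Libreswan's own parser remains the authority on what it will load.

```shell
#!/bin/sh
# Lint and normalize a Libreswan-style ipsec.conf fragment for the two
# formatting mistakes described above. Added example for these notes;
# not part of Libreswan or of the original page.

# lint_ipsec_conf FILE
#   findings go to stderr as FILE:LINE: message, the total count to stdout.
lint_ipsec_conf() {
    awk '
        function report(msg) {
            printf "%s:%d: %s\n", FILENAME, FNR, msg > "/dev/stderr"
            n++
        }
        # blank lines and whole-line comments are fine anywhere
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        # section headers ("config setup", "conn NAME") start in column 0
        /^(config|conn)[ \t]+[^ \t]+[ \t]*$/ { section = $1 " " $2; next }
        # a key=value line, indented or not
        /^[ \t]*[A-Za-z_]+=/ {
            if ($0 !~ /^[ \t]/) {
                report("parameter in column 0 is read as a new section header, not as part of " section)
            } else if (section == "") {
                report("indented parameter before any section header")
            }
            # assumes values never contain "#" (true for every parameter on this page)
            if ($0 ~ /#/) { report("comment after parameter; move it to its own line") }
            next
        }
        { report("unrecognized line") }
        END { print n + 0 }
    ' "$1"
}

# fix_ipsec_conf FILE
#   prints FILE with every parameter indented by one TAB and any trailing
#   comment moved to its own line directly above the parameter
fix_ipsec_conf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ || /^(config|conn)[ \t]/ { print; next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # drop whatever indentation was there
            if (match(line, /[ \t]*#.*$/)) {         # split off a trailing comment
                comment = substr(line, RSTART)
                sub(/^[ \t]+/, "", comment)
                line = substr(line, 1, RSTART - 1)
                print "\t" comment
            }
            print "\t" line
        }
    ' "$1"
}

# Constructed sample with both mistakes (spaces for indentation, two
# parameters in column 0, two comments appended to parameter lines).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
config setup
protostack=netkey   # wrongly in column 0, and a comment on the same line
    interfaces="%defaultroute"
conn L2TP-PSK-noNAT
    authby=secret
    type=transport # comment appended to a parameter
left=152.32.123.45
EOF

echo "findings before fix: $(lint_ipsec_conf "$SAMPLE_DIR/bad.conf")"
fix_ipsec_conf "$SAMPLE_DIR/bad.conf" > "$SAMPLE_DIR/fixed.conf"
echo "findings after fix:  $(lint_ipsec_conf "$SAMPLE_DIR/fixed.conf")"
```

The linter only understands the `config`/`conn` headers and `key=value` parameters used on this page, and it treats any `#` on a parameter line as a comment, which is safe here because no value in these files contains one. Run it on the real files before `systemctl restart ipsec`, and let `ipsec verify` (whose "Pluto ipsec.conf syntax" line is the real parser's verdict) have the last word.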
==== IPsec fails to start ==================================
systemctl restart ipsec
fails. Start with
systemctl status ipsec
and if that shows little of use, run
journalctl -u ipsec
Concrete configuration errors appear there, for example below: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:24: syntax error, u
The path:line in that message (here /etc/ipsec.conf:24) is the first line the parser rejected; with this setup it is typically a parameter that is not indented under its section or a comment appended to a parameter line. The same parse can be run without restarting the service:
ipsec addconn --checkconfig
[root@10-7-162-198 ~]# journalctl -u ipsec
-- Logs begin at Fri 2021-10-01 02:29:23 HKT, end at Sun 2021-10-03 23:53:44 HKT. --
Oct 03 20:01:50 10-7-162-198 systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Oct 03 20:01:50 10-7-162-198 addconn[1995]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:24: syntax error, u
Oct 03 20:01:50 10-7-162-198 systemd[1]: ipsec.service: control process exited, code=exited status=3
Oct 03 20:01:50 10-7-162-198 ipsec[2003]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:24: syntax error, une
Oct 03 20:01:50 10-7-162-198 systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Oct 03 20:01:50 10-7-162-198 systemd[1]: Unit ipsec.service entered failed state.
Oct 03 20:01:50 10-7-162-198 systemd[1]: ipsec.service failed.
Oct 03 20:01:50 10-7-162-198 systemd[1]: ipsec.service holdoff time over, scheduling restart.
Oct 03 20:01:50 10-7-162-198 systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Oct 03 20:01:50 10-7-162-198 systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Oct 03 20:01:50 10-7-162-198 addconn[2012]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:24: syntax error, u
Oct 03 20:01:50 10-7-162-198 systemd[1]: ipsec.service: control process exited, code=exited status=3
Oct 03 20:01:50 10-7-162-198 ipsec[2020]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:24: syntax error, une
Oct 03 20:01:50 10-7-162-198 systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
==== ipsec verify reports errors ===================================
[root@10-7-162-198 ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 4.19.0-9.el7.ucloud.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
## rp_filter warning
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth2/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help
## confirm the current value
[root@10-7-162-198 ~]# cat /proc/sys/net/ipv4/conf/eth1/rp_filter
1
## fix (runtime only: these proc values reset on reboot, so persist them under /etc/sysctl.d as well)
[root@10-7-162-198 ~]# echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
[root@10-7-162-198 ~]# echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
[root@10-7-162-198 ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 4.19.0-9.el7.ucloud.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
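Two things the two `echo 0` commands above do not cover, shown here as an added example (not from the original notes and not Libreswan code): the kernel applies max(conf/all/rp_filter, conf/IFACE/rp_filter) to an interface, so a per-interface 0 is ineffective while `all` is still 1, and proc values do not survive a reboot, so the setting belongs in a sysctl.d fragment. The script computes the effective value for an interface, generates the fragment, and replays it against a constructed copy of the proc tree (so it runs without root); the tree contents, the fragment file name and the function names are assumptions made for this example. Disabling rp_filter removes the kernel's reverse-path anti-spoofing check on those interfaces, so if that check matters on the host, replace it with explicit firewall rules.

```shell
#!/bin/sh
# rp_filter: compute the value the kernel actually applies and produce a
# persistent fix for the "ipsec verify" warning above.
# Added example for these notes; not part of Libreswan or of the original page.

# effective_rp_filter PROCROOT IFACE
#   prints the value the kernel applies to IFACE, i.e. max(all, IFACE).
#   PROCROOT is normally /proc/sys/net/ipv4/conf; it is a parameter so
#   the function can be run against a constructed tree.
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    own=$(cat "$1/$2/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_fix_fragment IFACE...
#   prints a sysctl.d fragment disabling rp_filter for all, default
#   (interfaces created later) and each named interface. Install it as,
#   for example, /etc/sysctl.d/60-ipsec.conf (name chosen here) and apply
#   with "sysctl --system", then re-run "ipsec verify".
rp_filter_fix_fragment() {
    echo "# reverse-path filtering is not IPsec-aware (see: ipsec verify)"
    echo "net.ipv4.conf.all.rp_filter = 0"
    echo "net.ipv4.conf.default.rp_filter = 0"
    for ifc in "$@"; do
        echo "net.ipv4.conf.$ifc.rp_filter = 0"
    done
}

# apply_fragment PROCROOT   (fragment on stdin)
#   writes every net.ipv4.conf.IFACE.rp_filter = V line into PROCROOT,
#   which is what "sysctl --system" does against the real /proc tree.
apply_fragment() {
    while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.*.rp_filter*=*)
                ifc=${line#net.ipv4.conf.}
                ifc=${ifc%%.rp_filter*}
                val=$(echo "${line#*=}" | tr -d ' \t')
                echo "$val" > "$1/$ifc/rp_filter"
                ;;
        esac
    done
}

# build_sample_tree DIR
#   constructed tree: the state right after the two "echo 0" commands above,
#   but with conf/all still at 1, so eth1 and eth2 read 0 yet are still filtered.
build_sample_tree() {
    for ifc in all default eth1 eth2; do
        mkdir -p "$1/$ifc"
        echo 1 > "$1/$ifc/rp_filter"
    done
    echo 0 > "$1/eth1/rp_filter"
    echo 0 > "$1/eth2/rp_filter"
}

FAKE_PROC=$(mktemp -d)
build_sample_tree "$FAKE_PROC"
echo "eth1 before: reads $(cat "$FAKE_PROC/eth1/rp_filter"), kernel applies $(effective_rp_filter "$FAKE_PROC" eth1)"
rp_filter_fix_fragment eth1 eth2 | apply_fragment "$FAKE_PROC"
echo "eth1 after:  reads $(cat "$FAKE_PROC/eth1/rp_filter"), kernel applies $(effective_rp_filter "$FAKE_PROC" eth1)"
```

On a real host, point `effective_rp_filter` at /proc/sys/net/ipv4/conf and check `all` as well as the interfaces `ipsec verify` named; if `all` reads 1, the per-interface echo alone will not change what the kernel does even though `cat` on the interface file shows 0.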