I have a problem with IPsec when connecting. This is my diagram.
The VPN connection is abnormal and I have to restart IPsec ==> normal, then abnormal again
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
Escape character is '^]'.
^[$^]
telnet> q
Connection closed.
After 5 minutes I cannot telnet to 10.225.198.3 3900 (the VPN tunnel is still up).
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
VPN status
IPsec running - pluto pid: 11088
pluto pid 11088
1 tunnels up
some eroutes exist
Sometimes the status shows 2 or 3 or 4 or 5 or 0 tunnels up.
IPsec running - pluto pid: 11088
pluto pid 11088
3 tunnels up
some eroutes exist
=> What happened to my VPN connection, and why? What should I do?
This is my configuration.
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    #protostack=auto
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null

conn vpntanza
    authby=secret
    auto=start
    ike=aes128-sha1;modp1024
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des,aes
    compress=no
    pfs=yes
    type=tunnel
    #FROM TTV
    left=125.X.X.X.X
    leftsourceip=10.58.82.179
    # leftsourceip=125.X.X.X
    leftsubnet=10.58.82.0/24
    ## for direct routing ##
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    #TO
    right=169.255.X.X
    rightsubnet=10.225.196.0/22

#include /etc/ipsec.d/*.conf
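The post shows the symptom by hand: telnet through the tunnel works right after a restart, times out a few minutes later, and the "N tunnels up" count wanders between 0 and 5. The script below is an added example written for this page (it is not from the original poster or from Openswan) that turns those three manual checks into one timestamped log line per poll, so the moment the TCP probe starts timing out can be lined up against the tunnel count pluto reports and the ESP SAs the NETKEY stack actually holds in `ip xfrm state`. The peer host and port are the ones from the post; the log path, the 3-second probe timeout, the use of `nc` for the probe and the `VPN_WATCH=1` switch are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not the poster's or Openswan's code): poll the
# Openswan status summary, the kernel's ESP SAs and a TCP port behind the
# tunnel, and log them together so a "tunnel still up, traffic dead"
# interval is visible with timestamps.

PEER_HOST=10.225.198.3        # host behind rightsubnet=10.225.196.0/22 (from the post)
PEER_PORT=3900                # port the post telnets to
LOG=/var/log/vpn-watch.log    # assumption: writable by the user running this

# tunnels_up: read `ipsec setup status` output on stdin and print the N of
# "N tunnels up" (0 if no such line). Tolerates the "000 " prefix that
# whack-style output puts in front of each line.
tunnels_up() {
    awk '/tunnels up/ { for (i = 2; i <= NF; i++) if ($i == "tunnels") n = $(i-1) }
         END { print n + 0 }'
}

# esp_sas: read `ip xfrm state` output on stdin and print how many ESP SAs
# the NETKEY stack holds (each direction of each tunnel is one SA, so a
# healthy single tunnel shows 2).
esp_sas() {
    awk '/proto esp/ { n++ } END { print n + 0 }'
}

# classify PREV CUR: "down" when no tunnel is up, "flapping" when the count
# changed since the previous poll, otherwise "up".
classify() {
    p=$1; c=$2
    if [ "$c" -eq 0 ]; then
        echo down
    elif [ -n "$p" ] && [ "$p" -ne "$c" ]; then
        echo flapping
    else
        echo up
    fi
}

# probe HOST PORT: exit 0 if a TCP connect succeeds within 3 s, 1 otherwise.
# Assumption: netcat (nc) is installed. A connect that times out, as in the
# post, is what a tunnel that is "up" but no longer passing traffic looks like.
probe() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# watch INTERVAL: poll forever, appending one line per poll to $LOG.
watch() {
    prev=""
    while :; do
        cur=$(ipsec setup status 2>/dev/null | tunnels_up)
        sas=$(ip xfrm state 2>/dev/null | esp_sas)
        if probe "$PEER_HOST" "$PEER_PORT"; then reach=ok; else reach=TIMEOUT; fi
        printf '%s tunnels=%s state=%s esp_sas=%s tcp_%s=%s\n' \
            "$(date '+%F %T')" "$cur" "$(classify "$prev" "$cur")" \
            "$sas" "$PEER_PORT" "$reach" | tee -a "$LOG"
        prev=$cur
        sleep "$1"
    done
}

# Only start polling when explicitly asked, e.g.: VPN_WATCH=1 sh vpn-watch.sh
if [ "${VPN_WATCH:-0}" = 1 ]; then
    watch 30
fi
```

Run it as root on the gateway for longer than the 5-minute window from the post and read the log: a line where `tcp_3900=TIMEOUT` while `tunnels=1` and `esp_sas=2` means the SA is installed but traffic is not getting through, whereas `esp_sas=0` with `tunnels` still non-zero means pluto and the kernel disagree about the tunnel, and a run of `state=flapping` lines pins down how often the tunnel count is changing.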