C# - Lua formatting
619 2023-04-03 01:29:15
This is my configuration:
conn my-conn
    type=tunnel
    authby=secret
    auth=esp
    ikelifetime=86400s
    keylife=3600s
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    pfs=no
    forceencaps=yes
    # Left security gateway, subnet behind it, nexthop toward right.
    left=10.0.0.4
    leftsubnet=10.0.0.4/32
    leftnexthop=%defaultroute
    # Right security gateway, subnet behind it, nexthop toward left.
    right=1.2.3.4
    rightsubnet=1.2.3.5/32
    rightnexthop=%defaultroute
    # To authorize this connection, but not actually start it,
    # at startup, uncomment this.
    auto=start
Here is the log output:
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: initiating Main Mode
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: enabling possible NAT-traversal with method RFC 3947
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [Cisco-Unity]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [Dead Peer Detection]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [883f3a4fb4782a3ae88bf05cdfe38ae0]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [XAUTH]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 28 18:02:20 myserver pluto[15753]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ISAKMP SA established
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
The configuration I was given for connecting to the Cisco router is:
Key Management: IKE
Diffie-Hellman Group: Group 2
Encryption Algorithm: 3DES (rec)
Hash Algorithm: SHA-1 (rec.)
Authentication Method: Preshared
Pre-Shared Secret Key: TBC
Life Time: 86400s (24h)
Encryption Phase 2 (IPSec):
Encapsulation: ESP
Encryption Algorithm used: 3DES (rec)
Hash Algorithm: SHA-1 (rec.)
Perfect Forward Secrecy: Group 2
Aggressive Mode: NO
Life Time: 3600s (1h)

If I remember correctly, Amazon EC2 uses some NAT to make your instance reachable from the Internet.
While NAT-friendly applications work seamlessly (think http or ssh), some protocols were designed at a time when end-to-end communication was the rule, and NAT breaks those protocols.
FTP or SIP (rtp, actually) use dynamically chosen ports, but helpers were designed for them, e.g. STUN for VoIP.
In the IPsec case, phase 1 succeeds. That is the NAT detection. So your server says "i am NATed" in the log.
But phase 2 (the NAT traversal decision) fails. You may have to enable what Cisco calls "IPSec NAT transparency" on both sides. The ipsec payload then no longer sits at layer 3 (IP) but at layer 4, inside UDP.
This is somewhat similar to what openvpn does, but using ssl instead of IPSec.
Have a look at Cisco's site regarding NAT traversal. Being Cisco-centric, it will help you set up the tunnel.
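As an added example (not part of the question or the answer above), the following Python script shows how a defender would read the pluto log posted in the question mechanically: it extracts the per-connection state (Phase 1 established, NAT detected, Phase 2 proposal rejected with NO_PROPOSAL_CHOSEN) and, going one step beyond the answer, compares the Phase 2 parameters in the posted ipsec.conf with the Cisco-side parameters posted in the question, because NO_PROPOSAL_CHOSEN in Quick Mode is the responder rejecting the IPsec SA proposal. The log lines, the conn block and the Cisco parameter dictionary are constructed copies of what the question shows; the function names and the mapping of "Group 2" to modp1024 are this example's own assumptions.

```python
import re

# Constructed sample input: the pluto (Openswan) log lines from the question, one per line.
PLUTO_LOG = """\
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: initiating Main Mode
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: enabling possible NAT-traversal with method RFC 3947
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 28 18:02:20 myserver pluto[15753]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ISAKMP SA established
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
"""

# Constructed copy of the conn block from the question.
IPSEC_CONF = """\
conn my-conn
    type=tunnel
    authby=secret
    auth=esp
    ikelifetime=86400s
    keylife=3600s
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    pfs=no
    forceencaps=yes
    left=10.0.0.4
    leftsubnet=10.0.0.4/32
    right=1.2.3.4
    rightsubnet=1.2.3.5/32
    auto=start
"""

# Cisco-side Phase 2 parameters as posted in the question (assumption: "Group 2" is DH group 2, i.e. modp1024).
CISCO_PHASE2 = {"encr": "3des", "hash": "sha1", "pfs_group": "modp1024", "lifetime_s": 3600}

# Matches pluto lines that carry a connection name and SA number; the "| ..." debug line does not.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def analyse_pluto_log(text):
    """Summarise each connection: Phase 1 state, NAT detection, Phase 2 state, notifications seen."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        s = result.setdefault(m.group("conn"), {"phase1": "pending", "nat_detected": False,
                                                 "phase2": "pending", "notifications": []})
        if msg.endswith("i am NATed"):
            s["nat_detected"] = True            # NAT detection happens during Phase 1
        elif msg.startswith("ISAKMP SA established"):
            s["phase1"] = "established"
        elif msg.startswith("initiating Quick Mode"):
            s["phase2"] = "initiated"
        elif "IPsec SA established" in msg:
            s["phase2"] = "established"
        elif msg.startswith("ignoring informational payload, type "):
            notify = msg.rsplit(" ", 1)[1]
            s["notifications"].append(notify)
            # The responder answered our Quick Mode proposal with a rejection.
            if notify == "NO_PROPOSAL_CHOSEN" and s["phase2"] == "initiated":
                s["phase2"] = "rejected"
    return result


def parse_ipsec_conf(conn_text):
    """Turn the key=value lines of one ipsec.conf conn block into a dict (comments stripped)."""
    settings = {}
    for raw in conn_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def compare_phase2(conf, cisco):
    """Return a list of Phase 2 (IPsec SA) parameter mismatches between the conn block and the Cisco side."""
    mismatches = []
    parts = conf.get("esp", "").split("-")
    local_encr = parts[0] if parts else ""
    local_hash = parts[1] if len(parts) > 1 else ""
    if local_encr != cisco["encr"]:
        mismatches.append(f"esp encryption: local={local_encr}, cisco={cisco['encr']}")
    if local_hash != cisco["hash"]:
        mismatches.append(f"esp integrity: local={local_hash}, cisco={cisco['hash']}")
    local_pfs = conf.get("pfs", "yes").lower()      # Openswan defaults to pfs=yes when unset
    if (local_pfs == "yes") != (cisco["pfs_group"] is not None):
        mismatches.append(f"pfs: local pfs={local_pfs}, cisco PFS={'on' if cisco['pfs_group'] else 'off'}")
    if conf.get("keylife", "").rstrip("s") != str(cisco["lifetime_s"]):
        mismatches.append(f"lifetime: local keylife={conf.get('keylife')}, cisco={cisco['lifetime_s']}s")
    return mismatches


def diagnose(conn_state, mismatches):
    """Combine log state and proposal comparison into human-readable findings."""
    if conn_state["phase1"] != "established" or conn_state["phase2"] != "rejected":
        return []
    notes = ["Phase 1 (ISAKMP SA) succeeded; the peer rejected the Phase 2 (IPsec SA) proposal."]
    if conn_state["nat_detected"]:
        notes.append("NAT detected in Phase 1: NAT-T (UDP encapsulation) must be enabled on both peers.")
    notes.extend("Phase 2 parameter mismatch: " + m for m in mismatches)
    return notes


if __name__ == "__main__":
    state = analyse_pluto_log(PLUTO_LOG)["my-conn"]
    for note in diagnose(state, compare_phase2(parse_ipsec_conf(IPSEC_CONF), CISCO_PHASE2)):
        print(note)
```

On the posted input the script reports that Phase 1 completed with NAT detected and that Phase 2 was rejected, and the proposal comparison flags the one parameter on which the two sides disagree (pfs=no locally versus Perfect Forward Secrecy Group 2 on the Cisco side); the 3DES/SHA-1 algorithms and the 3600 s lifetime match.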