devbox
小蓝xlanll
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

嵌入式linux 搭建L2TP+IPSEC客户端_setsockopt recvref[30]: protocol not available

作者:小蓝xlanll | 2024-03-04 22:36:43

setsockopt recvref[30]: protocol not available

搭建L2TP+IPSEC客户端需要对应的源码 xl2tpd-1.3.10和openswan,还需要一些依赖的库,gmp,libpcap

一、安装openswan

安装依赖库gmp-6.1.2

1、下载:https://gmplib.org/#DOWNLOAD

2、配置

./configure --host=arm-hisiv100nptl-linux --with-pcap=linux --prefix=/work/my/code/vpn/L2TP/gmp/install CC=arm-hisiv100nptl-linux-gcc

3、编译

make

4、安装

make install

5、下载 openswan

https://download.openswan.org/openswan/old/openswan-2.6/

5、修改makefile.inc

把依赖文件gmp.h 拷贝到目录/openswan-2.6.50/include,libgmp.a 拷贝到 openswan-2.6.50/lib。

修改 Makefile.inc 

  1. #LIBGMP?=-lgmp
  2. LIBGMP =-L /openswan-2.6.50/lib -lgmp

6、编译

make CC=arm-hisiv100nptl-linux-gcc programs

7、可能存在的错误

  1. lex.yy.c
  2. /work/my/code/vpn/L2TP/openswan-2.6.50/lib/libipsecconf/parser.l: In function 'parser_y_include':
  3. /work/my/code/vpn/L2TP/openswan-2.6.50/lib/libipsecconf/parser.l:200: error: 'GLOB_BRACE' undeclared (first use in this function)
  4. /work/my/code/vpn/L2TP/openswan-2.6.50/lib/libipsecconf/parser.l:200: error: (Each undeclared identifier is reported only once
  5. /work/my/code/vpn/L2TP/openswan-2.6.50/lib/libipsecconf/parser.l:200: error: for each function it appears in.)
  6. /work/my/code/vpn/L2TP/openswan-2.6.50/lib/libipsecconf/parser.l:207: error: 'GLOB_NOMAGIC' undeclared (first use in this function)
  7. /work/my/code/vpn/L2TP/openswan-2.6.50/lib/libipsecconf/../Makefile.library:107: recipe for target 'lex.yy.o' failed

解决:找到交叉编译目录中的glob.h文件,我的路径如下

/opt/hisi-linux-nptl/arm-hisiv100-linux/target/usr/include/glob.h
  1. #if ( !defined __USE_POSIX2 || defined __USE_BSD || defined __USE_GNU ) //&& defined __UCLIBC_HAS_GNU_GLOB__
  2. # define GLOB_MAGCHAR	 (1 << 8)/* Set in gl_flags if any metachars seen.  */
  3. #if 1 /* uClibc gnu glob does not support these */
  4. # define GLOB_ALTDIRFUNC (1 << 9)/* Use gl_opendir et al functions.  */
  5. # define GLOB_BRACE	 (1 << 10)/* Expand "{a,b}" to "a" "b".  */
  6. # define GLOB_NOMAGIC	 (1 << 11)/* If no magic chars, retu rn the pattern.  */
  7. # define GLOB_TILDE	 (1 << 12)/* Expand ~user and ~ to home directories. */
  8. # define GLOB_ONLYDIR	 (1 << 13)/* Match only directories.  */
  9. # define GLOB_TILDE_CHECK (1 << 14)/* Like GLOB_TILDE but return an error
  10. 				      if the user name is not available.  */
  11. # define __GLOB_FLAGS	(GLOB_ERR|GLOB_MARK|GLOB_NOSORT|GLOB_DOOFFS| \
  12. 			 GLOB_NOESCAPE|GLOB_NOCHECK|GLOB_APPEND|     \
  13. 			 GLOB_PERIOD|GLOB_ALTDIRFUNC|GLOB_BRACE|     \
  14. 			 GLOB_NOMAGIC|GLOB_TILDE|GLOB_ONLYDIR|GLOB_TILDE_CHECK)
  15. #else
  16. # define __GLOB_FLAGS	(GLOB_ERR|GLOB_MARK|GLOB_NOSORT|GLOB_DOOFFS| \
  17. 			 GLOB_NOESCAPE|GLOB_NOCHECK|GLOB_APPEND|     \
  18. 			 GLOB_PERIOD)
  19. #endif
  20. #else
  21. # define __GLOB_FLAGS	(GLOB_ERR|GLOB_MARK|GLOB_NOSORT|GLOB_DOOFFS| \
  22. 			 GLOB_NOESCAPE|GLOB_NOCHECK|GLOB_APPEND|     \
  23.

注释掉://&& defined __UCLIBC_HAS_GNU_GLOB__


8、安装

修改Makefile.inc

  1. #INC_USRLOCAL=/usr/local
  2. INC_USRLOCAL=/work/my/code/vpn/L2TP/openswan_client/install

这里修改成自己安装的目录。

make install
9、拷贝文件

a、拷贝虚拟机中的脚本/etc/init.d/ipsec到设备目录/etc/init.d/中,做如下修改。

  1. IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/local/libexec/ipsec}"
  2. IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/local/lib/ipsec}"
  3. IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/local/sbin}"
  4. IPSEC_CONFS="${IPSEC_CONFS-/etc}"

修改为:

  1. IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
  2. IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
  3. IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
  4. IPSEC_CONFS="${IPSEC_CONFS-/etc}"

b、拷贝安装生成的几个目录到设备上,如lib 、libexec、sbin/ipsec

  1. root@ubuntu16:/work/my/code/vpn/L2TP/openswan_client/install# ls
  2. lib  libexec  man  sbin  share

根据启动脚本/etc/init.d/ipsec,我们做如下具体的拷贝

目录lib、libexec拷贝到设备/usr目录中

脚本sbin/ipsec拷贝到设备/usr/sbin/中,拷贝完也要做如下修改

  1. IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
  2. IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
  3. IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
  4. IPSEC_CONFS="${IPSEC_CONFS-/etc}"

10、添加配置文件

a、/etc/ipsec.conf

内容如下:

  1. config setup
  2.     nat_traversal=yes
  3.     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  4.     oe=off
  5.     protostack=netkey
  6.  
  7. conn L2TP-PSK-NAT
  8.     rightsubnet=vhost:%priv
  9.     also=L2TP-PSK-noNAT
  10.  
  11. conn L2TP-PSK-noNAT
  12.     authby=secret
  13.     pfs=no
  14.     auto=add
  15.     keyingtries=3
  16.     rekey=no
  17.     ikelifetime=8h
  18.     keylife=1h
  19.     type=transport
  20.     left=192.168.9.166
  21.     leftprotoport=17/1701
  22.     right=192.168.9.161
  23.     rightprotoport=17/1701

type 有三种模式 transport、 tunnel、beet,这里选择是transport。left是本地地址,leftprotoport是端口号使用1701端口。right是要连接服务器对应的地址,rightProtoport对应的端口号。

b、/etc/ipsec.secrets

添加内容如下:

192.168.9.166 192.168.9.161: PSK "l2tp_123456789"

192.168.9.166是本地地址,也可以用%any代替,192.168.9.161是对应服务器的地址,PSK是预共享秘钥。这个要跟服务器设置要相同。

二、安装xl2tpd

安装依赖库libpcap-1.8.1

1、下载:http://www.linuxfromscratch.org/blfs/view/svn/basicnet/libpcap.html

2、配置

./configure --host=arm-hisiv100nptl-linux --with-pcap=linux --prefix=/work/my/code/vpn/L2TP/libpcap/install CC=arm-hisiv100nptl-linux-gcc

3、编译

make

4、安装

make install

5、下载xl2tpd-1.3.10

https://www.xelerance.com/archives/147

6、修改Makefile

a、添加变量

LIBSRC ?=

b、添加变量$(LIBSRC)

$(CC) $(LDFLAGS) -o pfc -L $(LIBSRC) pfc.o -lpcap $(LDLIBS)

7、编译

make CC=arm-hisiv100nptl-linux-gcc KERNELSRC=/work/my/code/vpn/L2TP/libpcap/install LIBSRC=/work/my/code/vpn/L2TP/libpcap/install/lib
这个不需要安装,我们只需要执行文件xl2tpd,把它拷贝到设备目录/usr/sbin/

8、配置文件

a、添加/etc/xl2tpd/xl2tpd.conf,内容如下

  1. [global]
  2. listen-addr = 192.168.9.166
  3.  
  4. auth file=/etc/ppp/chap-secrets
  5.  
  6. [lac l2tp]
  7. lns = 192.168.9.161
  8. redial = yes
  9. redial timeout = 15
  10. require chap = yes
  11. refuse pap = yes
  12. require authentication = yes
  13. name = 2018
  14. ppp debug = yes
  15. pppoptfile = /etc/ppp/peers/options.l2tpd.client
  16. length bit = yes

lns 是服务器的地址,name是登录名

b、添加/etc/ppp/chap-secrets,内容如下。

  1. # Secrets for authentication using CHAP
  2. # client        server  secret                  IP addresses
  3. 2018    *       123     *

2018客户端登录名,123登录密码,其他的用*替代。

c、添加/etc/ppp/peers/options.l2tpd.client,内容如下

  1. asyncmap 0
  2. noauth
  3. crtscts
  4. lock
  5. hide-password
  6. modem
  7. netmask 255.255.255.0
  8. proxyarp
  9. lcp-echo-interval 30
  10. lcp-echo-failure 4
  11. ipcp-accept-local
  12. ipcp-accept-remote

三、ppp

PPP是一个拨号软件,用来提供用户登录的用户名和密码验证用的。PPTP搭建的VPN也会用到PPP。所以,实际上,PPTP和L2TP是可以共存在一台服务器上的,而且它们还可以共享用户登录账号信息,因为它们都用PPP作为用户登录连接。

所以没有安装可以参考前面pptp客户端配置的文章

https://blog.csdn.net/u011425939/article/details/80498534

四、内核配置

一般情况内核没有默认把ipsec的模式编译进内核的,所以需要把内核中的的对应ipsec选项打开,不然会出现如下问题。

  1. # ipsec auto --up L2TP-PSK-noNAT
  2. 002 "L2TP-PSK-noNAT" #1: initiating Main Mode
  3. 105 "L2TP-PSK-noNAT" #1: STATE_MAIN_I1: initiate
  4. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [Openswan (this version) 2.6.50 ]
  5. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [Dead Peer Detection]
  6. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [RFC 3947] method set to=115 
  7. 002 "L2TP-PSK-noNAT" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
  8. 002 "L2TP-PSK-noNAT" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
  9. 107 "L2TP-PSK-noNAT" #1: STATE_MAIN_I2: sent MI2, expecting MR2
  10. 003 "L2TP-PSK-noNAT" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
  11. 002 "L2TP-PSK-noNAT" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
  12. 109 "L2TP-PSK-noNAT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
  13. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [CAN-IKEv2]
  14. 002 "L2TP-PSK-noNAT" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.9.161'
  15. 002 "L2TP-PSK-noNAT" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
  16. 004 "L2TP-PSK-noNAT" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY oursig= theirsig= cipher=aes_128 prf=oakley_sha group=modp2048}
  17. 002 "L2TP-PSK-noNAT" #2: initiating Quick Mode PSK+ENCRYPT+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:82227a67 proposal=defaults pfsgroup=no-pfs}
  18. 118 "L2TP-PSK-noNAT" #2: STATE_QUICK_I1: initiate
  19. 003 "L2TP-PSK-noNAT" #2: ERROR: netlink response for Add SA esp.a37edb84@192.168.9.161 included errno 93: Protocol not supported
  20. 003 "L2TP-PSK-noNAT" #2: state #2: failed to setup outgoing SA
  21. 032 "L2TP-PSK-noNAT" #2: STATE_QUICK_I1: internal error

这里有个错误93, 说没有SA 和ESP 协议支持,所以需要把它在内核中打开。步骤如下。

a、Networking support


b、 Networking options 


c、找到这个两个选项。


这里选择的是transport 模式 ESP 转换,因为我们在配置文件/etc/ipsec.conf中type就是transport,这个也可以把ipsec的选项都选择。然后去尝试每种模式。但这里只需这个两个选项就可以 了。

d、编译

make

e、下载内核

这里也可以不用下载内核,直接把那两个选项编译成模块的方式,然后用insmod命令方式加载到内核中。

五、连接服务器

这个服务器我使用的是前面文章在Ubuntu中搭建的l2tp+ipsec服务器,所以有很多配置都是跟从这个服务器来配置的。链接

https://blog.csdn.net/u011425939/article/details/80525380

a、首先启动ipsec

ipsec setup start

还有其他的命令使用help查看

  1. # ipsec setup --help 
  2. Usage: ipsec setup {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}
  1. # ipsec setup restart 
  2. ipsec_setup: Stopping Openswan IPsec...
  3. ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
  4. ipsec_setup: Starting Openswan IPsec U2.6.50/K3.0.8...
  5. ipsec_setup: ipsec_setup: WARNING: cannot flush state/policy database -- `%defaultroute'. Install a newer version of iproute/iproute2 or install the ipsec-tools package to obtain the setkey command.

b、启动xl2tpd

xl2tpd -D

以调试的方式启动

  1. # xl2tpd -D
  2. xl2tpd[27109]: setsockopt recvref[30]: Protocol not available
  3. xl2tpd[27109]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
  4. xl2tpd[27109]: xl2tpd version xl2tpd-1.3.10 started on (none) PID:27109
  5. xl2tpd[27109]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
  6. xl2tpd[27109]: Forked by Scott Balmos and David Stipp, (C) 2001
  7. xl2tpd[27109]: Inherited by Jeff McAdams, (C) 2002
  8. xl2tpd[27109]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
  9. xl2tpd[27109]: Listening on IP address 192.168.9.166, port 1701
c、ipsec auto --up L2TP-PSK-noNAT 
  1. # ipsec auto --up L2TP-PSK-noNAT
  2. 002 "L2TP-PSK-noNAT" #1: initiating Main Mode
  3. 105 "L2TP-PSK-noNAT" #1: STATE_MAIN_I1: initiate
  4. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [Openswan (this version) 2.6.50 ]
  5. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [Dead Peer Detection]
  6. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [RFC 3947] method set to=115 
  7. 002 "L2TP-PSK-noNAT" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
  8. 002 "L2TP-PSK-noNAT" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
  9. 107 "L2TP-PSK-noNAT" #1: STATE_MAIN_I2: sent MI2, expecting MR2
  10. 003 "L2TP-PSK-noNAT" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
  11. 002 "L2TP-PSK-noNAT" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
  12. 109 "L2TP-PSK-noNAT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
  13. 003 "L2TP-PSK-noNAT" #1: received Vendor ID payload [CAN-IKEv2]
  14. 002 "L2TP-PSK-noNAT" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.9.161'
  15. 002 "L2TP-PSK-noNAT" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
  16. 004 "L2TP-PSK-noNAT" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY oursig= theirsig= cipher=aes_128 prf=oakley_sha group=modp2048}
  17. 002 "L2TP-PSK-noNAT" #2: initiating Quick Mode PSK+ENCRYPT+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:210b70d9 proposal=defaults pfsgroup=no-pfs}
  18. 118 "L2TP-PSK-noNAT" #2: STATE_QUICK_I1: initiate
  19. 002 "L2TP-PSK-noNAT" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
  20. 004 "L2TP-PSK-noNAT" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xaa65c77e <0xd326843a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

d、echo 'c l2tp' > /var/run/xl2tpd/l2tp-control

这个l2tp 是/etc/xl2tpd/xl2tpd.conf 中的[lac l2tp]

e、如果连接成功会出现一个虚拟的pppx网卡,如下

  1. # ifconfig
  2. eth0      Link encap:Ethernet  HWaddr C2:4F:B4:B3:97:D7  
  3.           inet addr:192.168.9.166  Bcast:192.168.9.255  Mask:255.255.255.0
  4.           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  5.           RX packets:8371743 errors:0 dropped:3307 overruns:0 frame:0
  6.           TX packets:4276852 errors:0 dropped:0 overruns:0 carrier:0
  7.           collisions:0 txqueuelen:1000 
  8.           RX bytes:2476538003 (2.3 GiB)  TX bytes:248606867 (237.0 MiB)
  9.           Interrupt:119 
  10.  
  11. lo        Link encap:Local Loopback  
  12.           inet addr:127.0.0.1  Mask:255.0.0.0
  13.           UP LOOPBACK RUNNING  MTU:16436  Metric:1
  14.           RX packets:4800 errors:0 dropped:0 overruns:0 frame:0
  15.           TX packets:4800 errors:0 dropped:0 overruns:0 carrier:0
  16.           collisions:0 txqueuelen:0 
  17.           RX bytes:10056240 (9.5 MiB)  TX bytes:10056240 (9.5 MiB)
  18.  
  19. ppp0      Link encap:Point-to-Point Protocol  
  20.           inet addr:192.168.223.100  P-t-P:192.168.223.10  Mask:255.255.255.255
  21.           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1410  Metric:1
  22.           RX packets:3 errors:0 dropped:0 overruns:0 frame:0
  23.           TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
  24.           collisions:0 txqueuelen:3 
  25.           RX bytes:42 (42.0 B)  TX bytes:69 (69.0 B)
到此客户端搭建完成。

参考文章:http://blog.sina.com.cn/s/blog_9704e09601013quu.html




声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小蓝xlanll/article/detail/188889
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号