Closed oocco closed 7 years ago
@oocco Your logs look fine. Check for listening ports with "netstat -anput". If that's all the logs you have for pluto, then your VPN connection traffic was not reaching the server at all. Check your router and port forwarding (Ref: [1]).
[1] https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/
Thank you for your answer. I checked carefully and found that the iptables rules were the problem. The original rules:
root@OrangePI:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:l2f policy match dir in pol none
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- bogon/24 bogon/24
ACCEPT all -- anywhere bogon/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- bogon/24 anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Solved by allowing 500, 1701 and 4500 in INPUT and then saving the rules:
iptables -I INPUT -p tcp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p tcp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p tcp --dport 1701 -j ACCEPT
iptables -I INPUT -p udp --dport 1701 -j ACCEPT
Thank you very much
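An added example (not part of the original post or of the project's scripts): a simplified first-match model of the INPUT chain, comparing verdicts before and after the six inserted rules. The rule specs are constructed from the `iptables -L` listing above, and `build_chain`, `verdict` and `audit` are hypothetical helper names; only `-p`, `--dport`, the policy match and `ctstate` are modelled.

```python
import shlex

# Constructed: the post's original INPUT chain (policy ACCEPT) written as rule
# specs; "l2f" in the `iptables -L` listing is port 1701.
ORIGINAL = """\
-A INPUT -p udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""
# The six commands from the post, in the same order, minus the "iptables" word.
FIX = "\n".join(f"-I INPUT -p {proto} --dport {port} -j ACCEPT"
                for port in (500, 4500, 1701) for proto in ("tcp", "udp"))

def build_chain(*rule_sets):
    """Apply -A (append) and -I (insert at the top) in order; return the chain."""
    chain = []
    for line in "\n".join(rule_sets).splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        # After "-A INPUT" / "-I INPUT" every option here takes one argument.
        rule = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1, 2)}
        if tok[0] == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, proto, dport, ipsec, ctstate="NEW", policy="ACCEPT"):
    """First-match verdict for one inbound packet (simplified model)."""
    for r in chain:
        if "-p" in r and r["-p"] != proto:
            continue
        if "--dport" in r and int(r["--dport"]) != dport:
            continue
        # "--pol none" matches packets that did NOT arrive through IPsec.
        if "--pol" in r and (r["--pol"] == "ipsec") != ipsec:
            continue
        if "--ctstate" in r and ctstate not in r["--ctstate"].split(","):
            continue
        return r["-j"]
    return policy

def audit(chain):
    """Verdicts for IKE, NAT-T, and L2TP with and without IPsec protection."""
    cases = {"ike udp/500": ("udp", 500, False), "nat-t udp/4500": ("udp", 4500, False),
             "l2tp udp/1701 via IPsec": ("udp", 1701, True),
             "l2tp udp/1701 cleartext": ("udp", 1701, False)}
    return {name: verdict(chain, *args) for name, args in cases.items()}
```

In this model `audit(build_chain(ORIGINAL))` drops only L2TP that did not arrive through IPsec, while `audit(build_chain(ORIGINAL, FIX))` accepts it, because the inserted udp/1701 ACCEPT sits ahead of the `policy match dir in pol none` DROP. Adding `-m policy --dir in --pol ipsec` to the udp/1701 ACCEPT rule would keep that restriction.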
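Hello~ The computer reports that the network connection between the computer and the VPN server could not be established because the remote server is not responding (the registry entry has already been added); the phone cannot connect either, and there is no information to look at.
Environment: home network; the OrangePi is attached to the router and set as the DMZ host; SSH, SS and FRP all work fine. I don't really understand how l2tp works. I have been trying all kinds of settings for more than a week without success. I would appreciate any guidance, many thanks.
ipsec verify (all [ok])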
root@OrangePI:~# service xl2tpd status
● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
Loaded: loaded (/etc/init.d/xl2tpd)
Active: active (running) since Thu 2017-09-28 18:55:41 CST; 10min ago
Process: 9456 ExecStop=/etc/init.d/xl2tpd stop (code=exited, status=0/SUCCESS)
Process: 9460 ExecStart=/etc/init.d/xl2tpd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/xl2tpd.service
└─9463 /usr/sbin/xl2tpd
Sep 28 18:55:41 OrangePI xl2tpd[9463]: xl2tpd version xl2tpd-1.3.6 started on OrangePI PID:9463
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Inherited by Jeff McAdams, (C) 2002
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Listening on IP address 0.0.0.0, port 1701
Sep 28 18:55:41 OrangePI systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Sep 28 18:55:41 OrangePI xl2tpd[9460]: Starting xl2tpd: xl2tpd.
root@OrangePI:~# grep pluto /var/log/auth.log
......
Sep 28 18:54:39 OrangePI pluto[8667]: loading secrets from "/etc/ipsec.secrets"
Sep 28 18:55:38 OrangePI pluto[8667]: shutting down
Sep 28 18:55:38 OrangePI pluto[8667]: forgetting secrets
Sep 28 18:55:38 OrangePI pluto[8667]: "xauth-psk": deleting non-instance connection
Sep 28 18:55:38 OrangePI pluto[8667]: "l2tp-psk": deleting non-instance connection
Sep 28 18:55:38 OrangePI pluto[8667]: shutting down interface lo/lo ::1:500
Sep 28 18:55:38 OrangePI pluto[8667]: shutting down interface lo/lo 127.0.0.1:4500
Sep 28 18:55:38 OrangePI pluto[8667]: shutting down interface lo/lo 127.0.0.1:500
Sep 28 18:55:38 OrangePI pluto[8667]: shutting down interface eth0/eth0 192.168.99.4:4500
Sep 28 18:55:38 OrangePI pluto[8667]: shutting down interface eth0/eth0 192.168.99.4:500
Sep 28 18:55:38 OrangePI pluto[8667]: leak: kernel integ, item size: 16
Sep 28 18:55:38 OrangePI pluto[8667]: leak detective found 1 leaks, total size 16
Sep 28 18:55:39 OrangePI pluto[9162]: NSS DB directory: sql:/etc/ipsec.d
Sep 28 18:55:39 OrangePI pluto[9162]: Initializing NSS
Sep 28 18:55:39 OrangePI pluto[9162]: Opening NSS database "sql:/etc/ipsec.d" read-only
Sep 28 18:55:39 OrangePI pluto[9162]: NSS initialized
Sep 28 18:55:39 OrangePI pluto[9162]: NSS crypto library initialized
Sep 28 18:55:39 OrangePI pluto[9162]: FIPS HMAC integrity support [disabled]
Sep 28 18:55:39 OrangePI pluto[9162]: libcap-ng support [enabled]
Sep 28 18:55:39 OrangePI pluto[9162]: Linux audit support [disabled]
Sep 28 18:55:39 OrangePI pluto[9162]: Starting Pluto (Libreswan Version 3.21 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS SYSTEMD_WATCHDOG LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:9162
Sep 28 18:55:39 OrangePI pluto[9162]: core dump dir: /var/run/pluto
Sep 28 18:55:39 OrangePI pluto[9162]: secrets file: /etc/ipsec.secrets
Sep 28 18:55:39 OrangePI pluto[9162]: leak-detective enabled
Sep 28 18:55:39 OrangePI pluto[9162]: NSS crypto [enabled]
Sep 28 18:55:39 OrangePI pluto[9162]: XAUTH PAM support [enabled]
Sep 28 18:55:39 OrangePI pluto[9162]: NAT-Traversal support [enabled]
Sep 28 18:55:39 OrangePI pluto[9162]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Sep 28 18:55:39 OrangePI pluto[9162]: Encryption algorithms:
Sep 28 18:55:39 OrangePI pluto[9162]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Sep 28 18:55:39 OrangePI pluto[9162]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
Sep 28 18:55:39 OrangePI pluto[9162]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Sep 28 18:55:39 OrangePI pluto[9162]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_GCM_16 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_GCM_12 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_GCM_8 IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)
Sep 28 18:55:39 OrangePI pluto[9162]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)
Sep 28 18:55:39 OrangePI pluto[9162]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)
Sep 28 18:55:39 OrangePI pluto[9162]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
Sep 28 18:55:39 OrangePI pluto[9162]: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)
Sep 28 18:55:39 OrangePI pluto[9162]: NULL IKEv1: ESP IKEv2: ESP []
Sep 28 18:55:39 OrangePI pluto[9162]: Hash algorithms:
Sep 28 18:55:39 OrangePI pluto[9162]: MD5 IKEv1: IKE IKEv2:
Sep 28 18:55:39 OrangePI pluto[9162]: SHA1 IKEv1: IKE IKEv2: FIPS (sha)
Sep 28 18:55:39 OrangePI pluto[9162]: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)
Sep 28 18:55:39 OrangePI pluto[9162]: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)
Sep 28 18:55:39 OrangePI pluto[9162]: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)
Sep 28 18:55:39 OrangePI pluto[9162]: PRF algorithms:
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)
Sep 28 18:55:39 OrangePI pluto[9162]: Integrity algorithms:
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
Sep 28 18:55:39 OrangePI pluto[9162]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_XCBC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_xcbc)
Sep 28 18:55:39 OrangePI pluto[9162]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)
Sep 28 18:55:39 OrangePI pluto[9162]: DH algorithms:
Sep 28 18:55:39 OrangePI pluto[9162]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)
Sep 28 18:55:39 OrangePI pluto[9162]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)
Sep 28 18:55:39 OrangePI pluto[9162]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)
Sep 28 18:55:39 OrangePI pluto[9162]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)
Sep 28 18:55:39 OrangePI pluto[9162]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)
Sep 28 18:55:39 OrangePI pluto[9162]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)
Sep 28 18:55:39 OrangePI pluto[9162]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)
Sep 28 18:55:39 OrangePI pluto[9162]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)
Sep 28 18:55:39 OrangePI pluto[9162]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)
Sep 28 18:55:39 OrangePI pluto[9162]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)
Sep 28 18:55:39 OrangePI pluto[9162]: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Sep 28 18:55:39 OrangePI pluto[9162]: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Sep 28 18:55:39 OrangePI pluto[9162]: no crypto helpers will be started; all cryptographic operations will be done inline
Sep 28 18:55:39 OrangePI pluto[9162]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.65
Sep 28 18:55:39 OrangePI pluto[9162]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Sep 28 18:55:39 OrangePI pluto[9162]: watchdog: sending probes every 100 secs
Sep 28 18:55:39 OrangePI pluto[9162]: seccomp security not supported
Sep 28 18:55:40 OrangePI pluto[9162]: added connection description "l2tp-psk"
Sep 28 18:55:40 OrangePI pluto[9162]: added connection description "xauth-psk"
Sep 28 18:55:40 OrangePI pluto[9162]: listening for IKE messages
Sep 28 18:55:40 OrangePI pluto[9162]: adding interface eth0/eth0 192.168.99.4:500
Sep 28 18:55:40 OrangePI pluto[9162]: adding interface eth0/eth0 192.168.99.4:4500
Sep 28 18:55:40 OrangePI pluto[9162]: adding interface lo/lo 127.0.0.1:500
Sep 28 18:55:40 OrangePI pluto[9162]: adding interface lo/lo 127.0.0.1:4500
Sep 28 18:55:40 OrangePI pluto[9162]: adding interface lo/lo ::1:500
Sep 28 18:55:40 OrangePI pluto[9162]: | setup callback for interface lo:500 fd 19
Sep 28 18:55:40 OrangePI pluto[9162]: | setup callback for interface lo:4500 fd 18
Sep 28 18:55:40 OrangePI pluto[9162]: | setup callback for interface lo:500 fd 17
Sep 28 18:55:40 OrangePI pluto[9162]: | setup callback for interface eth0:4500 fd 16
Sep 28 18:55:40 OrangePI pluto[9162]: | setup callback for interface eth0:500 fd 15
Sep 28 18:55:40 OrangePI pluto[9162]: loading secrets from "/etc/ipsec.secrets"
Sep 28 18:56:05 OrangePI pluto[9162]: forgetting secrets
Sep 28 18:56:05 OrangePI pluto[9162]: loading secrets from "/etc/ipsec.secrets"
Sep 28 19:05:39 OrangePI pluto[9162]: forgetting secrets
Sep 28 19:05:39 OrangePI pluto[9162]: loading secrets from "/etc/ipsec.secrets"
root@OrangePI:~# grep xl2tpd /var/log/syslog
......
Sep 28 18:46:47 OrangePI xl2tpd[2738]: Starting xl2tpd: xl2tpd.
Sep 28 18:54:38 OrangePI xl2tpd[2742]: death_handler: Fatal signal 15 received
Sep 28 18:54:38 OrangePI xl2tpd[8961]: Stopping xl2tpd: xl2tpd.
Sep 28 18:54:38 OrangePI xl2tpd[8968]: setsockopt recvref[30]: Protocol not available
Sep 28 18:54:38 OrangePI xl2tpd[8968]: This binary does not support kernel L2TP.
Sep 28 18:54:38 OrangePI xl2tpd[8966]: Starting xl2tpd: xl2tpd.
Sep 28 18:54:38 OrangePI xl2tpd[8969]: xl2tpd version xl2tpd-1.3.6 started on OrangePI PID:8969
Sep 28 18:54:38 OrangePI xl2tpd[8969]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 28 18:54:38 OrangePI xl2tpd[8969]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 28 18:54:38 OrangePI xl2tpd[8969]: Inherited by Jeff McAdams, (C) 2002
Sep 28 18:54:38 OrangePI xl2tpd[8969]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 28 18:54:38 OrangePI xl2tpd[8969]: Listening on IP address 0.0.0.0, port 1701
Sep 28 18:55:41 OrangePI xl2tpd[8969]: death_handler: Fatal signal 15 received
Sep 28 18:55:41 OrangePI xl2tpd[9456]: Stopping xl2tpd: xl2tpd.
Sep 28 18:55:41 OrangePI xl2tpd[9462]: setsockopt recvref[30]: Protocol not available
Sep 28 18:55:41 OrangePI xl2tpd[9462]: This binary does not support kernel L2TP.
Sep 28 18:55:41 OrangePI xl2tpd[9463]: xl2tpd version xl2tpd-1.3.6 started on OrangePI PID:9463
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Inherited by Jeff McAdams, (C) 2002
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 28 18:55:41 OrangePI xl2tpd[9463]: Listening on IP address 0.0.0.0, port 1701
Sep 28 18:55:41 OrangePI xl2tpd[9460]: Starting xl2tpd: xl2tpd.
I found that port 1701 is not being listened on; I don't know whether this is the right way to check?
root@OrangePI:~# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:8388 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp6 0 0 [::]:7500 [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:afs3-fileserver [::]:* LISTEN
udp 0 0 localhost:ipsec-nat-t *:*
udp 0 0 bogon:ipsec-nat-t *:*
udp 0 0 localhost:isakmp *:*
udp 0 0 bogon:isakmp *:*
udp 0 0 *:bootpc *:*
udp 0 0 bogon:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp 0 0 *:33409 *:*
udp 0 0 *:l2f *:*
udp 0 0 *:8388 *:*
udp6 0 0 localhost:isakmp [::]:*
udp6 0 0 [::]:20576 [::]:*
udp6 0 0 fe80::f402:5eff:fe3:ntp [::]:*
udp6 0 0 localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
udp6 0 0 [::]:29900 [::]:*
udp6 0 0 [::]:afs3-fileserver [::]:*
raw6 0 0 [::]:ipv6-icmp [::]:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6914 /var/run/NetworkManager/private
unix 2 [ ACC ] STREAM LISTENING 6920 /var/run/NetworkManager/private-dhcp
unix 2 [ ACC ] STREAM LISTENING 10507 /run/user/0/systemd/private
unix 2 [ ACC ] STREAM LISTENING 7708 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 14149 /var/run/fail2ban/fail2ban.sock
unix 2 [ ACC ] STREAM LISTENING 4694 /run/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 4719 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 4723 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 18560 /var/run/pluto/pluto.ctl
unix 2 [ ACC ] STREAM LISTENING 9146 /var/run/supervisor.sock.2173
I'm forwarding to the internal network with frp and can't connect. Could you help me see what the problem is?
Hello, I'm forwarding to the internal network through frp and can't connect. Could you help me take a look at what the problem is?