Yang's questions

尽管我们将近一半的内存用于 FS 缓存，但我们一直遇到 OOM 杀手。我们一直在每分钟记录一次内存统计信息（如 top 所报告的），但似乎有足够的可用性。

...

Mem:  15339640k total, 15268304k used,    71336k free,     3152k buffers
Swap:        0k total,        0k used,        0k free,  6608384k cached

Mem:  15339640k total, 14855280k used,   484360k free,    13748k buffers
Swap:        0k total,        0k used,        0k free,  6481852k cached

[OOM killer: postgres killed]

Mem:  15339640k total,  8212200k used,  7127440k free,    32776k buffers
Swap:        0k total,        0k used,        0k free,  2394444k cached

...

来自 syslog 的 OOM 详细信息：

...
Jun 10 05:45:25 db kernel: [11209156.840462] wal-e invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0, oom_score_adj=0
Jun 10 05:45:25 db kernel: [11209156.840469] wal-e cpuset=/ mems_allowed=0
Jun 10 05:45:25 db kernel: [11209156.840474] Pid: 7963, comm: wal-e Not tainted 3.2.0-43-virtual #68-Ubuntu
Jun 10 05:45:25 db kernel: [11209156.840477] Call Trace:
Jun 10 05:45:25 db kernel: [11209156.840498]  [<ffffffff81119711>] dump_header+0x91/0xe0
Jun 10 05:45:25 db kernel: [11209156.840502]  [<ffffffff81119a95>] oom_kill_process+0x85/0xb0
Jun 10 05:45:25 db kernel: [11209156.840506]  [<ffffffff81119e3a>] out_of_memory+0xfa/0x220
Jun 10 05:45:25 db kernel: [11209156.840511]  [<ffffffff8111f823>] __alloc_pages_nodemask+0x8c3/0x8e0
Jun 10 05:45:25 db kernel: [11209156.840520]  [<ffffffff81216e00>] ? noalloc_get_block_write+0x30/0x30
Jun 10 05:45:25 db kernel: [11209156.840528]  [<ffffffff811566c6>] alloc_pages_current+0xb6/0x120
Jun 10 05:45:25 db kernel: [11209156.840534]  [<ffffffff81116637>] __page_cache_alloc+0xb7/0xd0
Jun 10 05:45:25 db kernel: [11209156.840539]  [<ffffffff81118602>] filemap_fault+0x212/0x3c0
Jun 10 05:45:25 db kernel: [11209156.840553]  [<ffffffff81138c32>] __do_fault+0x72/0x550
Jun 10 05:45:25 db kernel: [11209156.840557]  [<ffffffff8113c2ea>] handle_pte_fault+0xfa/0x200
Jun 10 05:45:25 db kernel: [11209156.840562]  [<ffffffff8100638e>] ? xen_pmd_val+0xe/0x10
Jun 10 05:45:25 db kernel: [11209156.840567]  [<ffffffff81005309>] ? __raw_callee_save_xen_pmd_val+0x11/0x1e
Jun 10 05:45:25 db kernel: [11209156.840571]  [<ffffffff8113d559>] handle_mm_fault+0x269/0x370
Jun 10 05:45:25 db kernel: [11209156.840576]  [<ffffffff8100a56d>] ? xen_force_evtchn_callback+0xd/0x10
Jun 10 05:45:25 db kernel: [11209156.840581]  [<ffffffff8100ad42>] ? check_events+0x12/0x20
Jun 10 05:45:25 db kernel: [11209156.840589]  [<ffffffff8165b3cb>] do_page_fault+0x14b/0x520
Jun 10 05:45:25 db kernel: [11209156.840594]  [<ffffffff81160d64>] ? kmem_cache_free+0x104/0x110
Jun 10 05:45:25 db kernel: [11209156.840600]  [<ffffffff811ba2c8>] ? ep_remove+0xa8/0xc0
Jun 10 05:45:25 db kernel: [11209156.840604]  [<ffffffff811bb133>] ? sys_epoll_ctl+0xb3/0x3d0
Jun 10 05:45:25 db kernel: [11209156.840614]  [<ffffffff81658035>] page_fault+0x25/0x30
Jun 10 05:45:25 db kernel: [11209156.840617] Mem-Info:
Jun 10 05:45:25 db kernel: [11209156.840618] Node 0 DMA per-cpu:
Jun 10 05:45:25 db kernel: [11209156.840622] CPU    0: hi:    0, btch:   1 usd:   0
Jun 10 05:45:25 db kernel: [11209156.840624] CPU    1: hi:    0, btch:   1 usd:   0
Jun 10 05:45:25 db kernel: [11209156.840627] CPU    2: hi:    0, btch:   1 usd:   0
Jun 10 05:45:25 db kernel: [11209156.840629] CPU    3: hi:    0, btch:   1 usd:   0
Jun 10 05:45:25 db kernel: [11209156.840631] Node 0 DMA32 per-cpu:
Jun 10 05:45:25 db kernel: [11209156.840634] CPU    0: hi:  186, btch:  31 usd:  30
Jun 10 05:45:25 db kernel: [11209156.840637] CPU    1: hi:  186, btch:  31 usd:  47
Jun 10 05:45:25 db kernel: [11209156.840639] CPU    2: hi:  186, btch:  31 usd:  15
Jun 10 05:45:25 db kernel: [11209156.840641] CPU    3: hi:  186, btch:  31 usd:   2
Jun 10 05:45:25 db kernel: [11209156.840643] Node 0 Normal per-cpu:
Jun 10 05:45:25 db kernel: [11209156.840646] CPU    0: hi:  186, btch:  31 usd:   0
Jun 10 05:45:25 db kernel: [11209156.840648] CPU    1: hi:  186, btch:  31 usd:  14
Jun 10 05:45:25 db kernel: [11209156.840650] CPU    2: hi:  186, btch:  31 usd:   0
Jun 10 05:45:25 db kernel: [11209156.840653] CPU    3: hi:  186, btch:  31 usd:   1
Jun 10 05:45:25 db kernel: [11209156.840658] active_anon:3616567 inactive_anon:4798 isolated_anon:0
Jun 10 05:45:25 db kernel: [11209156.840660]  active_file:98 inactive_file:168 isolated_file:20
Jun 10 05:45:25 db kernel: [11209156.840661]  unevictable:1597 dirty:73 writeback:0 unstable:0
Jun 10 05:45:25 db kernel: [11209156.840662]  free:16921 slab_reclaimable:17631 slab_unreclaimable:7534
Jun 10 05:45:25 db kernel: [11209156.840663]  mapped:1614529 shmem:1613928 pagetables:124012 bounce:0
Jun 10 05:45:25 db kernel: [11209156.840666] Node 0 DMA free:7888kB min:4kB low:4kB high:4kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:7632kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
Jun 10 05:45:25 db kernel: [11209156.840681] lowmem_reserve[]: 0 4016 15112 15112
Jun 10 05:45:25 db kernel: [11209156.840686] Node 0 DMA32 free:48368kB min:4176kB low:5220kB high:6264kB active_anon:3776804kB inactive_anon:28kB active_file:0kB inactive_file:20kB unevictable:932kB isolated(anon):0kB isolated(file):0kB present:4112640kB mlocked:932kB dirty:0kB writeback:0kB mapped:1458536kB shmem:1458632kB slab_reclaimable:17604kB slab_unreclaimable:8088kB kernel_stack:1872kB pagetables:190616kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:437 all_unreclaimable? yes
Jun 10 05:45:25 db kernel: [11209156.840698] lowmem_reserve[]: 0 0 11095 11095
Jun 10 05:45:25 db kernel: [11209156.840703] Node 0 Normal free:11428kB min:11548kB low:14432kB high:17320kB active_anon:10689464kB inactive_anon:19164kB active_file:528kB inactive_file:652kB unevictable:5456kB isolated(anon):0kB isolated(file):80kB present:11362176kB mlocked:5456kB dirty:292kB writeback:0kB mapped:4999580kB shmem:4997080kB slab_reclaimable:52920kB slab_unreclaimable:22048kB kernel_stack:2584kB pagetables:305432kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:1974 all_unreclaimable? yes
Jun 10 05:45:25 db kernel: [11209156.840715] lowmem_reserve[]: 0 0 0 0
Jun 10 05:45:25 db kernel: [11209156.840720] Node 0 DMA: 2*4kB 3*8kB 1*16kB 3*32kB 3*64kB 3*128kB 2*256kB 1*512kB 2*1024kB 2*2048kB 0*4096kB = 7888kB
Jun 10 05:45:25 db kernel: [11209156.840752] Node 0 DMA32: 5813*4kB 2636*8kB 114*16kB 15*32kB 5*64kB 1*128kB 1*256kB 0*512kB 1*1024kB 0*2048kB 0*4096kB = 48372kB
Jun 10 05:45:25 db kernel: [11209156.840776] Node 0 Normal: 1888*4kB 10*8kB 46*16kB 4*32kB 3*64kB 2*128kB 1*256kB 1*512kB 0*1024kB 1*2048kB 0*4096kB = 11760kB
Jun 10 05:45:25 db kernel: [11209156.840788] 1615243 total pagecache pages
Jun 10 05:45:25 db kernel: [11209156.840790] 0 pages in swap cache
Jun 10 05:45:25 db kernel: [11209156.840801] Swap cache stats: add 0, delete 0, find 0/0
Jun 10 05:45:25 db kernel: [11209156.840803] Free swap  = 0kB
Jun 10 05:45:25 db kernel: [11209156.840805] Total swap = 0kB
Jun 10 05:45:25 db kernel: [11209156.909794] 3934192 pages RAM
Jun 10 05:45:25 db kernel: [11209156.909804] 99282 pages reserved
Jun 10 05:45:25 db kernel: [11209156.909809] 18899146 pages shared
Jun 10 05:45:25 db kernel: [11209156.909811] 2198511 pages non-shared
Jun 10 05:45:25 db kernel: [11209156.909817] [ pid ]   uid  tgid total_vm      rss cpu oom_adj oom_score_adj name
Jun 10 05:45:25 db kernel: [11209156.909835] [  332]     0   332     4308      109   1       0             0 upstart-udev-br
Jun 10 05:45:25 db kernel: [11209156.909845] [  346]     0   346     5384      271   2     -17         -1000 udevd
Jun 10 05:45:25 db kernel: [11209156.909851] [  408]     0   408     5364      174   2     -17         -1000 udevd
...
Jun 10 05:45:25 db kernel: [11209156.910703] [ 7963]   111  7963    17456     2966   0       0             0 wal-e
Jun 10 05:45:25 db kernel: [11209156.910707] [ 7968]   111  7968  1639372     2351   3       0             0 postgres
Jun 10 05:45:25 db kernel: [11209156.910711] [ 7969]   111  7969  1639371     1934   2       0             0 postgres
Jun 10 05:45:25 db kernel: [11209156.910716] Out of memory: Kill process 12443 (postgres) score 418 or sacrifice child
Jun 10 05:45:25 db kernel: [11209156.910733] Killed process 12443 (postgres) total-vm:6555152kB, anon-rss:4600kB, file-rss:6396572kB
Jun 10 05:45:30 db kernel: [11209159.293083] postgres invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0, oom_score_adj=0
Jun 10 05:45:31 db kernel: [11209159.293091] postgres cpuset=/ mems_allowed=0
Jun 10 05:45:31 db kernel: [11209159.293095] Pid: 6508, comm: postgres Not tainted 3.2.0-43-virtual #68-Ubuntu
Jun 10 05:45:31 db kernel: [11209159.293098] Call Trace:
Jun 10 05:45:31 db kernel: [11209159.293111]  [<ffffffff81119711>] dump_header+0x91/0xe0
Jun 10 05:45:31 db kernel: [11209159.293115]  [<ffffffff81119a95>] oom_kill_process+0x85/0xb0
Jun 10 05:45:31 db kernel: [11209159.293119]  [<ffffffff81119e3a>] out_of_memory+0xfa/0x220
...

我们可以尝试将这些分辨率提高到大约每秒一次，但是这里有任何 OOM 的原因吗？（我们已经看过http://bl0rg.krunch.be/oom-frag.html但我们正在使用更大的绝对内存量，其中大部分被内核的 FS 缓存占用。）

postgresql.conf还包括我们以下的相关部分：

shared_buffers = 6GB
effective_cache_size = 8GB

我没有从文档中找到有关修复工作原理和要求的详细信息。

对于磨砂膏的自动修复，我需要镜像吗？RAIDZ？任何一个？两者都不是（校验和本身是否包含奇偶校验）？

我按照各种 教程/文档在 Ubuntu 12.04 服务器（在 EC2 上）上配置了 openswan 和 xl2tpd，这些教程/文档似乎在很大程度上说了同样的事情，但最近是这个。

但是，我尝试从 Windows 连接（我使用共享密钥和用户名/密码配置）失败。日志表明 IPsec 隧道已建立，但没有任何反应。

这是数据包转储和日志活动（系统日志中没有任何内容，因此没有 iptables 日志消息）：

$ sudo tcpdump -n host 64.236.139.254 and not port 22
21:00:49.843198 IP 64.236.139.254.26712 > 10.252.60.213.500: isakmp: phase 1 I ident
21:00:49.844815 IP 10.252.60.213.500 > 64.236.139.254.26712: isakmp: phase 1 R ident
21:00:49.928882 IP 64.236.139.254.26712 > 10.252.60.213.500: isakmp: phase 1 I ident
21:00:49.930819 IP 10.252.60.213.500 > 64.236.139.254.26712: isakmp: phase 1 R ident
21:00:49.972728 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 1 I ident[E]
21:00:49.973924 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 1 R ident[E]
21:00:50.000353 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.001429 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:50.030932 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.037256 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.055200 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:50.415676 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.415731 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:00:50.416605 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:00:53.055631 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:53.060694 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:53.088162 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:53.088180 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:00:53.088437 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:00:57.069750 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:57.070741 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:57.101194 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:57.101390 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:00:57.101817 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:05.087873 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:05.089292 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:01:05.117423 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:05.117815 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:05.118026 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:09.122471 IP 10.252.60.213.4500 > 64.236.139.254.26724: isakmp-nat-keep-alive
21:01:09.122664 IP 10.252.60.213.4500 > 64.236.139.254.26724: isakmp-nat-keep-alive
21:01:09.301582 IP 64.236.139.254.26724 > 10.252.60.213.4500: isakmp-nat-keep-alive
21:01:15.180248 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:15.181699 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:01:15.288574 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:15.288612 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:15.289452 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:25.229928 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:25.230090 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:25.233650 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:25.251769 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]

$ tail -fn0 /var/log/syslog
Feb  6 21:00:30 ip-10-252-60-213 kernel: [11977313.441315] device eth0 entered promiscuous mode

$ tail -fn0 /var/log/auth.log
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: received Vendor ID payload [RFC 3947] method set to=109
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [FRAGMENTATION]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [IKE CGA version 1]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: responding to Main Mode from unknown peer 64.236.139.254
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: STATE_MAIN_R1: sent MR1, expecting MI2
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: STATE_MAIN_R2: sent MR2, expecting MI3
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: Main mode peer ID is ID_IPV4_ADDR: '10.0.2.15'
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: deleting connection "L2TP-PSK-NAT" instance with peer 64.236.139.254 {isakmp=#0/ipsec=#0}
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: new NAT mapping for #50, was 64.236.139.254:26712, now 64.236.139.254:26724
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/0
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: responding to Quick Mode proposal {msgid:01000000}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xed4ff6b8 <0x9232de04 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: responding to Quick Mode proposal {msgid:02000000}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: keeping refhim=4294901761 during rekey
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xb245cb36 <0x76292945 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0xed4ff6b8) payload: deleting IPSEC State #51
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: responding to Quick Mode proposal {msgid:03000000}
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: keeping refhim=4294901761 during rekey
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xb6953c9c <0x3331cb4f xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0xb245cb36) payload: deleting IPSEC State #52
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: responding to Quick Mode proposal {msgid:04000000}
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: keeping refhim=4294901761 during rekey
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x2ca92f36 <0x86256756 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0xb6953c9c) payload: deleting IPSEC State #53
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: responding to Quick Mode proposal {msgid:05000000}
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: keeping refhim=4294901761 during rekey
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x8df1a782 <0x61eed691 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0x2ca92f36) payload: deleting IPSEC State #54
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: responding to Quick Mode proposal {msgid:06000000}
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: keeping refhim=4294901761 during rekey
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x021d5dde <0xc9c31f90 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0x8df1a782) payload: deleting IPSEC State #55
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0x021d5dde) payload: deleting IPSEC State #56
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA payload: deleting ISAKMP State #50
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254: deleting connection "L2TP-PSK-NAT" instance with peer 64.236.139.254 {isakmp=#0/ipsec=#0}
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26724: received and ignored informational message

在那之后似乎什么也没有发生，Windows 放弃了。

这是我在客户端看到的数据包——我看到完全相同的数据包，所以没有过滤掉任何东西：

$ sudo tcpdump -i wlan3 -n host $ip and not port 22
12:59:16.170388 IP 10.66.230.208.53383 > 54.245.182.129.500: isakmp: phase 1 I ident
12:59:16.197972 IP 54.245.182.129.500 > 10.66.230.208.53383: isakmp: phase 1 R ident
12:59:16.255396 IP 10.66.230.208.53383 > 54.245.182.129.500: isakmp: phase 1 I ident
12:59:16.282917 IP 54.245.182.129.500 > 10.66.230.208.53383: isakmp: phase 1 R ident
12:59:16.299043 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 1 I ident[E]
12:59:16.326840 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 1 R ident[E]
12:59:16.328144 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.357804 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:16.358888 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.362385 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.741818 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:16.743117 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.743396 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:16.769431 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:19.383010 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:19.414362 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:19.415559 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
...
12:59:31.441952 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:31.443878 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:31.444124 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:31.476359 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:35.499825 IP 54.245.182.129.4500 > 10.66.230.208.53200: isakmp-nat-keep-alive
12:59:35.500068 IP 54.245.182.129.4500 > 10.66.230.208.53200: isakmp-nat-keep-alive
12:59:35.629175 IP 10.66.230.208.53200 > 54.245.182.129.4500: isakmp-nat-keep-alive
12:59:41.429705 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:41.534606 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E].537423 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:41.537675 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:41.642367 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:51.482628 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:51.482836 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:51.587334 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:51.604347 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]

这是事态：

+ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-37-virtual (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

+ ifconfig
eth0      Link encap:Ethernet  HWaddr 22:00:0a:fc:3c:d5
          inet addr:10.252.60.213  Bcast:10.252.60.255  Mask:255.255.255.192
          inet6 addr: fe80::2000:aff:fefc:3cd5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4803 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:376849 (376.8 KB)  TX bytes:628809 (628.8 KB)
          Interrupt:25

eth0:0    Link encap:Ethernet  HWaddr 22:00:0a:fc:3c:d5
          inet addr:172.22.1.1  Bcast:172.22.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:25

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

+ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             LOG level warning prefix "blah blah: "

+ sudo egrep -v '^[[:space:]]*(#|$)' /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:172.16.0.0/12
        oe=off
        protostack=auto
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=10.252.60.213
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes

+ sudo cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

+ sudo cat /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/{accept,send}_redirects
1
0
0
0
0
0
0
0

==> /proc/sys/net/ipv4/conf/lo/send_redirects <==
0

+ grep -v '^;' /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes

[lns default]
ip range = 172.22.1.2-172.22.1.99
local ip = 172.22.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

+ sudo cat /etc/ipsec.secrets
include /var/lib/openswan/ipsec.secrets.inc
10.252.60.213 %any: PSK "MYSHAREDSECRET"

+ sudo cat /etc/ppp/chap-secrets 
# client        server  secret                  IP addresses
yang l2tpd MYPASSWORD *

我正在尝试使用 Android 示例 ToyVpnServer 在 EC2 (Ubuntu 12.04) 上设置一个简单的 VPN 服务器。它的指令：

// There are several ways to play with this program. Here we just give an
// example for the simplest scenario. Let us say that a Linux box has a
// public IPv4 address on eth0. Please try the following steps and adjust
// the parameters when necessary.
//
// # Enable IP forwarding
// echo 1 > /proc/sys/net/ipv4/ip_forward
//
// # Pick a range of private addresses and perform NAT over eth0.
// iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
//
// # Create a TUN interface.
// ip tuntap add dev tun0 mode tun
//
// # Set the addresses and bring up the interface.
// ifconfig tun0 10.0.0.1 dstaddr 10.0.0.2 up
//
// # Create a server on port 8000 with shared secret "test".
// ./ToyVpnServer tun0 8000 test -m 1400 -a 10.0.0.2 32 -d 8.8.8.8 -r 0.0.0.0 0
//
// This program only handles a session at a time. To allow multiple sessions,
// multiple servers can be created on the same port, but each of them requires
// its own TUN interface. A short shell script will be sufficient. Since this
// program is designed for demonstration purpose, it performs neither strong
// authentication nor encryption. DO NOT USE IT IN PRODUCTION!

我按照上面的操作，但将 10.* 替换为 192.168.*，因为 EC2 的网络已经占用了 10.*：

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ ip tuntap add dev tun0 mode tun
$ ifconfig tun0 192.168.0.1 dstaddr 192.168.0.2 up
$ iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
$ ./ToyVpnServer tun0 8000 test -m 1400 -a 192.168.0.2 32 -d 8.8.8.8 -r 0.0.0.0 0

然后我从 Android 模拟器建立连接，这很有效。然后，当我尝试从 Android 浏览器发出 Web 请求时，服务器会收到数据包，但不会转发它们：

$ sudo tcpdump -i tun0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
07:41:46.342823 IP 192.168.0.2.21668 > 8.8.8.8.53: 59997+ A? www.google.com. (32)
07:41:51.347913 IP 192.168.0.2.35397 > 8.8.8.8.53: 49390+ A? www.google.com. (32)
07:41:56.353276 IP 192.168.0.2.35397 > 8.8.8.8.53: 49390+ A? www.google.com. (32)
^C

$ sudo tcpdump -i eth0 not host 64.236.139.254 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C

其他情况：

$ ip route
default via 10.252.49.129 dev eth0  metric 100
10.252.49.128/26 dev eth0  proto kernel  scope link  src 10.252.49.153
192.168.0.2 dev tun0  proto kernel  scope link  src 192.168.0.1

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 22:00:0a:fc:31:99 brd ff:ff:ff:ff:ff:ff
    inet 10.252.49.153/26 brd 10.252.49.191 scope global eth0
    inet6 fe80::2000:aff:fefc:3199/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 500
    link/none 
    inet 192.168.0.1 peer 192.168.0.2/32 scope global tun0

$ cat /proc/sys/net/ipv4/ip_forward 
1

任何帮助将不胜感激。谢谢。

很长一段时间以来，我一直在我的 x86 Ubuntu 上使用 NIS/am-utils 安装 NFS 共享，但是今天我的系统进入了一种状态，它无法再访问自动安装的目录，而是经常挂断试图访问它们，返回“输入/输出错误”或“权限被拒绝”（几乎随机），以及“陈旧的文件句柄”。但是，我可以手动挂载该共享。重新启动 am-utils 并不能帮助我的系统摆脱困境。有没有其他方法可以让我的系统不卡住？

我无法重新启动我的 Ubuntu 9.04 x86_64 机器。我只看到以下内容，然后什么也没有发生。我已经输入了好几次了。

$ sudo reboot
[sudo] password for yang:
$
Broadcast message from yang@harvard.csail.mit.edu
        (/dev/pts/7) at 4:31 ...

The system is going down for reboot NOW!

可能相关的信息：在 NFS/NIS 服务器（同一主机）数小时无法访问后，我的 amd 管理的 NFS 挂载出现故障。我可以很好地创建新的 NFS 挂载，但现有的挂载没有响应（或者更准确地说，几乎没有响应）。例如，目录上的 ls 挂起几分钟，然后失败，只有一些子目录实际上被列出（尽管是红色的），而其他的则导致“没有这样的文件或目录”错误消息。

这是因为我的 NFS 挂载出了问题，我试图重新启动（我尝试卸载这些但无济于事）。我已经等了三天了重新启动。

我正在运行带有定期更新的 Ubuntu 9.04。我没有对计算机的物理访问权限，因此我能够重新启动它而不是简单地关闭是很重要的。顺便说一句，如果有人知道如何在不重新启动的情况下处理挂起的 NFS 挂载，那也很高兴知道。

提前感谢您的帮助。