I am trying to connect from my Linux Mint 16 machine to a CloudStack server over IPsec/L2TP. Bringing up the connection works (pings go through the tunnel). However, after 30 seconds the IPsec tunnel unexpectedly drops. What could cause this consistent behaviour, and how can it be fixed?
The tunnel is set up with OpenSwan (U2.6.38 / K (no kernel code presently loaded)) using Werner Jaeger's L2TP IPsec VPN Manager 1.0.9. The client is behind a NAT router; the server is on a public IP (CloudStack 4.2).
When running ipsec verify it complains about IPsec support in the kernel. Not sure whether that is the problem, since the connection does get established:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
SAref kernel support [N/A]
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Tunnel configuration:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
# plutodebug="parsing emitting control private"
plutodebug=none
strictcrlpolicy=no
nat_traversal=yes
interfaces=%defaultroute
oe=off
# which IPsec stack to use. netkey,klips,mast,auto or none
protostack=netkey
conn %default
keyingtries=3
pfs=no
rekey=yes
type=transport
left=%defaultroute
leftprotoport=17/1701
rightprotoport=17/1701
conn Tunnel1
authby=secret
right=37.48.75.97
rightid=""
auto=add
Log of the VPN connection being set up:
aug. 23 17:12:54.708 ipsec_setup: Starting Openswan IPsec U2.6.38/K3.11.0-12-generic...
aug. 23 17:12:55.155 ipsec_setup: multiple ip addresses, using 192.168.178.32 on eth0
aug. 23 17:12:55.165 ipsec__plutorun: Starting Pluto subsystem...
aug. 23 17:12:55.174 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
aug. 23 17:12:55.177 recvref[30]: Protocol not available
aug. 23 17:12:55.177 xl2tpd[14339]: This binary does not support kernel L2TP.
aug. 23 17:12:55.178 Starting xl2tpd: xl2tpd.
aug. 23 17:12:55.178 xl2tpd[14345]: xl2tpd version xl2tpd-1.3.1 started on desktopmint PID:14345
aug. 23 17:12:55.178 xl2tpd[14345]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
aug. 23 17:12:55.179 xl2tpd[14345]: Forked by Scott Balmos and David Stipp, (C) 2001
aug. 23 17:12:55.179 xl2tpd[14345]: Inherited by Jeff McAdams, (C) 2002
aug. 23 17:12:55.179 xl2tpd[14345]: Forked again by Xelerance (www.xelerance.com) (C) 2006
aug. 23 17:12:55.180 xl2tpd[14345]: Listening on IP address 0.0.0.0, port 1701
aug. 23 17:12:55.214 ipsec__plutorun: 002 added connection description "Tunnel1"
aug. 23 17:13:15.532 104 "Tunnel1" #1: STATE_MAIN_I1: initiate
aug. 23 17:13:15.532 003 "Tunnel1" #1: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
aug. 23 17:13:15.532 003 "Tunnel1" #1: received Vendor ID payload [Dead Peer Detection]
aug. 23 17:13:15.533 003 "Tunnel1" #1: received Vendor ID payload [RFC 3947] method set to=115
aug. 23 17:13:15.533 106 "Tunnel1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
aug. 23 17:13:15.534 003 "Tunnel1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
aug. 23 17:13:15.534 108 "Tunnel1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
aug. 23 17:13:15.534 010 "Tunnel1" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
aug. 23 17:13:15.545 003 "Tunnel1" #1: received Vendor ID payload [CAN-IKEv2]
aug. 23 17:13:15.547 004 "Tunnel1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
aug. 23 17:13:15.547 117 "Tunnel1" #2: STATE_QUICK_I1: initiate
aug. 23 17:13:15.547 010 "Tunnel1" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
aug. 23 17:13:15.548 004 "Tunnel1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0ecef28b <0x3e1fbe3b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
aug. 23 17:13:16.549 xl2tpd[14345]: Connecting to host <VPN gateway>, port 1701
aug. 23 17:13:18.576 xl2tpd[14345]: Connection established to <VPN gateway>, 1701. Local: 21163, Remote: 12074 (ref=0/0).
aug. 23 17:13:18.576 xl2tpd[14345]: Calling on tunnel 21163
aug. 23 17:13:18.577 xl2tpd[14345]: check_control: Received out of order control packet on tunnel 12074 (got 0, expected 1)
aug. 23 17:13:18.577 xl2tpd[14345]: handle_packet: bad control packet!
aug. 23 17:13:18.577 xl2tpd[14345]: check_control: Received out of order control packet on tunnel 12074 (got 0, expected 1)
aug. 23 17:13:18.577 xl2tpd[14345]: handle_packet: bad control packet!
aug. 23 17:13:18.599 xl2tpd[14345]: Call established with <VPN gateway>, Local: 39035, Remote: 57266, Serial: 1 (ref=0/0)
aug. 23 17:13:18.605 xl2tpd[14345]: start_pppd: I'm running:
aug. 23 17:13:18.605 xl2tpd[14345]: "/usr/sbin/pppd"
aug. 23 17:13:18.606 xl2tpd[14345]: "passive"
aug. 23 17:13:18.606 xl2tpd[14345]: "nodetach"
aug. 23 17:13:18.606 xl2tpd[14345]: ":"
aug. 23 17:13:18.606 xl2tpd[14345]: "file"
aug. 23 17:13:18.606 xl2tpd[14345]: "/etc/ppp/Tunnel1.options.xl2tpd"
aug. 23 17:13:18.606 xl2tpd[14345]: "ipparam"
aug. 23 17:13:18.607 xl2tpd[14345]: "<VPN gateway>"
aug. 23 17:13:18.607 xl2tpd[14345]: "/dev/pts/4"
aug. 23 17:13:18.607 pppd[14438]: Plugin passprompt.so loaded.
aug. 23 17:13:18.607 pppd[14438]: pppd 2.4.5 started by root, uid 0
aug. 23 17:13:18.608 pppd[14438]: Using interface ppp0
aug. 23 17:13:18.608 pppd[14438]: Connect: ppp0 <--> /dev/pts/4
aug. 23 17:13:21.650 pppd[14438]: CHAP authentication succeeded: Access granted
aug. 23 17:13:21.651 pppd[14438]: CHAP authentication succeeded
aug. 23 17:13:21.692 pppd[14438]: local IP address 10.1.2.2
aug. 23 17:13:21.693 pppd[14438]: remote IP address 10.1.2.1
aug. 23 17:13:21.693 pppd[14438]: primary DNS address 10.1.2.1
aug. 23 17:13:21.694 pppd[14438]: secondary DNS address 10.1.2.1
aug. 23 17:13:46.528 Stopping xl2tpd: xl2tpd.
aug. 23 17:13:46.528 xl2tpd[14345]: death_handler: Fatal signal 15 received
aug. 23 17:13:46.529 pppd[14438]: Modem hangup
aug. 23 17:13:46.529 pppd[14438]: Connect time 0.5 minutes.
aug. 23 17:13:46.529 pppd[14438]: Sent 1866 bytes, received 1241 bytes.
aug. 23 17:13:46.529 pppd[14438]: Connection terminated.
aug. 23 17:13:46.562 ipsec_setup: Stopping Openswan IPsec...
aug. 23 17:13:46.576 pppd[14438]: Exit.
The system log gives a bit more detail at the moment the tunnel stops:
Aug 23 17:13:22 desktopmint kernel: [ 6870.640048] device ppp0 entered promiscuous mode
Aug 23 17:13:22 desktopmint kernel: [ 6870.648955] device ppp0 left promiscuous mode
Aug 23 17:13:26 desktopmint kernel: [ 6875.148476] device ppp0 entered promiscuous mode
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Opening client connection
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command service xl2tpd stop
Aug 23 17:13:46 desktopmint xl2tpd[14345]: death_handler: Fatal signal 15 received
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Command service xl2tpd stop finished with exit code 0
Aug 23 17:13:46 desktopmint pppd[14438]: Modem hangup
Aug 23 17:13:46 desktopmint pppd[14438]: Connect time 0.5 minutes.
Aug 23 17:13:46 desktopmint pppd[14438]: Sent 1866 bytes, received 1241 bytes.
Aug 23 17:13:46 desktopmint pppd[14438]: Connection terminated.
Aug 23 17:13:46 desktopmint avahi-daemon[1193]: Withdrawing workstation service for ppp0.
Aug 23 17:13:46 desktopmint kernel: [ 6894.747292] device ppp0 left promiscuous mode
Aug 23 17:13:46 desktopmint NetworkManager[1306]: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command ipsec setup stop
Aug 23 17:13:46 desktopmint ipsec_setup: Stopping Openswan IPsec...
Aug 23 17:13:46 desktopmint pppd[14438]: Exit.
Aug 23 17:13:48 desktopmint kernel: [ 6896.490565] NET: Unregistered protocol family 15
Aug 23 17:13:48 desktopmint ipsec_setup: ...Openswan IPsec stopped
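The two logs above read as one timeline. This is an added example, not part of the original question or of the L2TP IPsec VPN Manager project: it parses both formats that appear in the post (the VPN manager's log, "aug. 23 17:13:46.528 source: message", and syslog, "Aug 23 17:13:46 desktopmint source: message"), merges the lines by timestamp, and reports which component issued the first stop action after pppd assigned an address, how long PPP had been up at that moment, whether DPD was negotiated in the IPsec SA, and which signal xl2tpd received. The sample lines are a subset copied from the logs above; the logs carry no year, so the year is fixed at 1900 purely for delta arithmetic.

```python
"""Timeline analysis of the two L2TP/IPsec logs posted above (added example)."""
import re
import signal
from datetime import datetime

MONTHS = {m: i + 1 for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"])}

# syslog format: "Aug 23 17:13:46 desktopmint <source>: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.+)$")
# VPN manager format: "aug. 23 17:13:46.528 <source>: <message>" (no host, fractional seconds)
APP_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\.? +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d(?:\.\d+)?) (?P<rest>.+)$")

# Event classification; the first matching pattern wins.
PATTERNS = [
    ("ipsec_sa_established", re.compile(r"IPsec SA established")),
    ("ike_retransmission", re.compile(r"\bretransmission\b")),
    ("ppp_ip_assigned", re.compile(r"\blocal IP address\b")),
    ("control_command", re.compile(r"Executing command ")),
    ("signal_received", re.compile(r"Fatal signal (?P<signo>\d+) received")),
    ("xl2tpd_stopping", re.compile(r"^Stopping xl2tpd")),
    ("ipsec_stopping", re.compile(r"Stopping Openswan IPsec")),
    ("ppp_terminated", re.compile(r"Connection terminated")),
]
TEARDOWN_KINDS = {"control_command", "signal_received", "xl2tpd_stopping",
                  "ipsec_stopping", "ppp_terminated"}

# Subset of the lines from the post: VPN manager log first, then syslog, so the
# merge has to rely on the timestamps rather than on input order.
SAMPLE_LINES = """\
aug. 23 17:13:15.534 010 "Tunnel1" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
aug. 23 17:13:15.547 010 "Tunnel1" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
aug. 23 17:13:15.548 004 "Tunnel1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0ecef28b <0x3e1fbe3b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
aug. 23 17:13:21.692 pppd[14438]: local IP address 10.1.2.2
aug. 23 17:13:46.528 Stopping xl2tpd: xl2tpd.
aug. 23 17:13:46.528 xl2tpd[14345]: death_handler: Fatal signal 15 received
aug. 23 17:13:46.562 ipsec_setup: Stopping Openswan IPsec...
Aug 23 17:13:22 desktopmint kernel: [ 6870.640048] device ppp0 entered promiscuous mode
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command service xl2tpd stop
Aug 23 17:13:46 desktopmint xl2tpd[14345]: death_handler: Fatal signal 15 received
Aug 23 17:13:46 desktopmint pppd[14438]: Connection terminated.
Aug 23 17:13:46 desktopmint L2tpIPsecVpnControlDaemon: Executing command ipsec setup stop
""".splitlines()


def _timestamp(mon, day, time_str):
    """Build a datetime (year fixed at 1900, the logs carry none) from the log fields."""
    hours, minutes, seconds = time_str.split(":")
    sec = float(seconds)
    whole = int(sec)
    micro = min(int(round((sec - whole) * 1e6)), 999999)
    return datetime(1900, MONTHS[mon.lower()], int(day), int(hours), int(minutes), whole, micro)


def parse_line(line):
    """Return an event dict for a line in either format, or None if it is neither."""
    m = SYSLOG_RE.match(line) or APP_RE.match(line)
    if not m or m.group("mon").lower() not in MONTHS:
        return None
    g = m.groupdict()
    src, sep, msg = g["rest"].partition(": ")
    if not sep:                       # no "source: " prefix at all
        src, msg = "", g["rest"]
    src = re.sub(r"\[\d+\]$", "", src)  # strip a trailing "[pid]"
    kind, fields = "other", {}
    for name, rx in PATTERNS:
        hit = rx.search(g["rest"])
        if hit:
            kind, fields = name, hit.groupdict()
            break
    return {"ts": _timestamp(g["mon"], g["day"], g["time"]), "host": g.get("host"),
            "src": src, "msg": msg, "kind": kind, **fields}


def analyze(lines):
    """Merge both logs by timestamp and summarise how the session came down."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable: equal timestamps keep input order
    sa = next((e for e in events if e["kind"] == "ipsec_sa_established"), None)
    ppp_up = next((e for e in events if e["kind"] == "ppp_ip_assigned"), None)
    first_down = next((e for e in events if e["kind"] in TEARDOWN_KINDS
                       and (ppp_up is None or e["ts"] >= ppp_up["ts"])), None)
    sig = next((e for e in events if e["kind"] == "signal_received"), None)
    return {
        "dpd_negotiated": bool(sa) and "DPD=none" not in sa["msg"],
        "ike_retransmissions": sum(1 for e in events if e["kind"] == "ike_retransmission"),
        "ppp_uptime_seconds": (first_down["ts"] - ppp_up["ts"]).total_seconds()
        if first_down and ppp_up else None,
        "teardown_initiator": first_down["src"] if first_down else None,
        "teardown_action": first_down["msg"] if first_down else None,
        "signal": signal.Signals(int(sig["signo"])).name if sig else None,
    }


if __name__ == "__main__":
    for e in sorted((x for x in map(parse_line, SAMPLE_LINES) if x), key=lambda x: x["ts"]):
        print(e["ts"].strftime("%H:%M:%S.%f"), e["kind"], e["src"], e["msg"])
    print(analyze(SAMPLE_LINES))
```

On the posted lines the first stop action after pppd assigned 10.1.2.2 is L2tpIPsecVpnControlDaemon running "service xl2tpd stop", roughly 24 seconds later, followed by "ipsec setup stop"; signal 15 is SIGTERM, i.e. an orderly service stop rather than a crash of xl2tpd, and the IPsec SA line shows DPD=none, so no dead-peer check was negotiated on the IKE side. Feeding the tool the full logs, rather than this subset, gives the same ordering, and the same parser can be pointed at the control daemon's own messages to see what prompted the stop command.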