I have a problem with my openswan configuration. After connecting to the server, the following rows appear in the client's routing table:
Destination   Netmask   Gateway       Interface       Metric
0.0.0.0       0.0.0.0   192.168.1.1   192.168.1.102   4245
0.0.0.0       0.0.0.0   On-link       172.22.1.10     21
Server:
- public IP: 100.100.100.100
- DHCP pool: 172.22.1.10-172.22.1.20
Client (behind a router):
- router WAN IP: 200.200.200.200
- router LAN IP: 192.168.1.1
- client IP: 192.168.1.102
"ipsec verify" says OK everywhere except this one: Opportunistic Encryption Support [DISABLED] (but I can't believe that is the problem ...)
Logging runs in debug mode. Here is my auth.log. These lines are produced while the connection is being set up.
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received Delete SA(0xa37e281a) payload: deleting IPSEC State #2
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received and ignored informational message
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200 #1: received Delete SA payload: deleting ISAKMP State #1
May 23 21:19:12 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[2] 200.200.200.200: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
May 23 21:19:12 <server hostname> pluto[10384]: packet from 200.200.200.200:41505: received and ignored informational message
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: received Vendor ID payload [RFC 3947] method set to=109
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [FRAGMENTATION]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [Vid-Initial-Contact]
May 23 21:19:26 <server hostname> pluto[10384]: packet from 200.200.200.200:38824: ignoring Vendor ID payload [IKE CGA version 1]
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: responding to Main Mode from unknown peer 200.200.200.200
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.102'
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: deleting connection "L2TP-PSK-NAT" instance with peer 200.200.200.200 {isakmp=#0/ipsec=#0}
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: new NAT mapping for #3, was 200.200.200.200:38824, now 200.200.200.200:41505
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: the peer proposed: 100.100.100.100/32:17/1701 -> 192.168.1.102/32:17/0
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Virtual IP 192.168.1.102/32 overlaps with connection vpn-teszt"" (kind=CK_PERMANENT) '200.200.200.200'
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Kernel method 'netkey' does not support overlapping IP ranges
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: responding to Quick Mode proposal {msgid:01000000}
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: us: 100.100.100.100<100.100.100.100>[+S=C]:17/1701
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: them: 200.200.200.200[192.168.1.102,+S=C]:17/1701===192.168.1.102/32
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8b1543f8 <0x0ea8c020 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.102 NATD=200.200.200.200:41505 DPD=none}
ipsec.conf:
version 2.0
config setup
    forwardcontrol=no
    nat_traversal=yes
    oe=off
    protostack=netkey
    syslog=auth.debug
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=109.61.102.18
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

conn vpn-teszt
    authby=secret
    auto=add
    left=<server hostname>
    leftid=@<server hostname>
    leftnexthop=%defaultroute
    leftrsasigkey=0sAQOLR9JpZSVxZYqkEKOXHMiry8UvCqVYZw/HgYEWKrwippm+jXFNcm7TOxctnAopy7F0vAIm4YX2I9BsoQvfy330Mz7WrzfGgwuE66fVVwQ22mAQ+dyOP4AbVFcaSTCYJ0labJY5onL3JmLLmFTReca6n2L76SdBV3FNhJVd4Z+7NlzvKe0i+v5luemFewMyzuB2XgwATnH7Anf04LKiow0u21j3bcp4QfLi9VF1gdQbiCP1DrwrZp8K2MYmVrYv9xbW34oifEeFjFGqc1gCmoBWVAyTXBFDRnmDgUttbYSfy6UApQ7U/1czQcq/YSYrpvv8E9yURKtnQ5oV+h49
    right=200.200.200.200
    rightid=200.200.200.200
    rightnexthop=172.22.1.1
    rightsubnet=192.168.1.0/24
    type=transport
ipsec.secrets:
: PSK "password"
I also installed xl2tpd. xl2tpd.conf:
[lns default] ; Our fallthrough LNS definition
; exclusive = no ; * Only permit one tunnel per host
ip range = 172.22.1.10-172.22.1.20 ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
; ip range = 192.168.0.5 ; * But this one is okay
; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's
; no lac = untrusted.marko.net ; * This guy can't connect
; hidden bit = no ; * Use hidden AVP's?
local ip = 172.22.1.1 ; * Our local IP to use
length bit = yes ; * Use length bit in payload?
; require chap = yes ; * Require CHAP auth. by peer
refuse pap = yes ; * Refuse PAP authentication
refuse chap = yes ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
require authentication = yes ; * Require peer to authenticate
; unix authentication = no ; * Use /etc/passwd for auth.
name = <server hostname> ; * Report this as our hostname
ppp debug = yes ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file
options.l2tpd.lns:
crtscts
idle 1800
mtu 1500
mru 1500
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
ms-dns 8.8.4.4
ms-dns 8.8.8.8
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/ppp.log
After connecting, the client gets an IP address (172.22.1.10) from the server, but pinging the server fails, since the client's routing table has been overwritten.
Can you help me figure out what the problem is?
PS: Sorry for my English! :)
Regards, jjani
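The pluto log above packs the whole negotiation into a few lines: the Main Mode result (PSK, AES-256, modp2048), the NAT-T detection, the Quick Mode result (transport-mode ESP, AES_128-HMAC_SHA1, NAT-OA, no DPD), and two warnings about the road-warrior virtual IP overlapping the permanent vpn-teszt conn that netkey cannot install. The Python script below is an added example, not the poster's code and not part of openswan: it parses such lines and lists what was negotiated and what pluto complained about. The sample lines are copied from the post (the "<server hostname>" placeholder is the poster's own); the wording of the findings is this example's reading of the warnings.

```python
import re

# Constructed sample: pluto lines copied from the post above, one per event the
# parser cares about. "<server hostname>" is the poster's own placeholder.
SAMPLE_LOG = """\
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 23 21:19:26 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[4] 200.200.200.200 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Virtual IP 192.168.1.102/32 overlaps with connection vpn-teszt"" (kind=CK_PERMANENT) '200.200.200.200'
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[5] 200.200.200.200 #3: Kernel method 'netkey' does not support overlapping IP ranges
May 23 21:19:27 <server hostname> pluto[10384]: "L2TP-PSK-NAT"[6] 200.200.200.200 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8b1543f8 <0x0ea8c020 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.102 NATD=200.200.200.200:41505 DPD=none}
"""

# syslog prefix, then pluto's optional  "conn"[instance] peer #state:  context, then the message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>.+?) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+)(?: #(?P<state>\d+))?: )?'
    r'(?P<msg>.*)$'
)


def parse_braces(msg):
    """Parse the {key=value ...} trailer pluto puts on 'SA established' lines.
    'ESP=>out <in' is not key=value, so the two SPIs are picked out separately."""
    m = re.search(r"\{([^}]*)\}", msg)
    if not m:
        return {}
    inner = m.group(1)
    fields = dict(re.findall(r"(\w+)=([^\s<>]\S*)", inner))
    spi = re.search(r"ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)", inner)
    if spi:
        fields["spi_out"], fields["spi_in"] = spi.group(1), spi.group(2)
    return fields


def summarize(log_text):
    """One pass over the log: what was negotiated and what pluto complained about."""
    s = {"isakmp": {}, "ipsec": {}, "rejected_groups": [], "peer_nated": False,
         "overlaps": [], "kernel_errors": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        grp = re.match(r"OAKLEY_GROUP (\d+) not supported", msg)
        ovl = re.match(r'Virtual IP (\S+) overlaps with connection (\S+?)"*\s', msg)
        mode = re.search(r"IPsec SA established (\w+) mode", msg)
        if grp:                                   # DH group the peer offered but pluto lacks
            s["rejected_groups"].append(int(grp.group(1)))
        elif ovl:                                 # road-warrior VIP collides with a fixed conn
            s["overlaps"].append((ovl.group(1), ovl.group(2)))
        elif "peer is NATed" in msg:              # RFC 3947 NAT-D result
            s["peer_nated"] = True
        elif "ISAKMP SA established" in msg:      # Phase 1 parameters
            s["isakmp"] = parse_braces(msg)
        elif mode:                                # Phase 2 parameters plus mode
            s["ipsec"] = dict(parse_braces(msg), mode=mode.group(1))
        elif "does not support overlapping" in msg or msg.startswith("ERROR: netlink"):
            s["kernel_errors"].append(msg)        # XFRM policy could not be installed
    return s


def findings(s):
    """Reviewer-style notes derived from the summary; an empty list means nothing to flag."""
    notes = []
    for vip, conn in s["overlaps"]:
        notes.append(f"road-warrior virtual IP {vip} overlaps permanent conn '{conn}'")
    for err in s["kernel_errors"]:
        notes.append(f"kernel refused the policy: {err}")
    if s["rejected_groups"]:
        notes.append("peer offered DH groups %s, which this pluto rejects; ISAKMP fell back to %s"
                     % (s["rejected_groups"], s["isakmp"].get("group", "?")))
    if s["ipsec"].get("DPD") == "none":
        notes.append("no Dead Peer Detection; a dropped client leaves a stale SA until its lifetime expires")
    return notes


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("ISAKMP:", summary["isakmp"])
    print("IPsec :", summary["ipsec"])
    for note in findings(summary):
        print("-", note)
```

Run it against a real auth.log by replacing SAMPLE_LOG with the file contents; the regexes only depend on the syslog prefix and pluto's own "conn"[instance] peer #state: framing, so the unrelated Vendor ID and state-transition lines are skipped. The two overlap findings are the ones worth acting on here: netkey will not install a policy for 192.168.1.102/32 from the %priv road-warrior conn while vpn-teszt already claims 192.168.1.0/24 for the same peer.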