LINUX.ORG.RU
ФорумAdmin

debian xl2tp IPsec NAT

 , ,


0

1

Здравсвтуйте! Пытаюсь настроить l2tp подключение через IPsec (xl2tpd+openswan) на Debian 7, но никак не хочет работать. До этого криво работал OpeVPN, после чего я настроил pptpd и он успешно работал. Но т.к. сервер стоит в локалке и основная его функция это предоставление различных сервисов локальным пользователям - критическим встал вопрос безопасности pptp соединения из вне. Также на сервере стоит squid использующий 2 eth порта для фильтрации и кеширования всего трафика, bin9 и apache2 (с локальными сервисами и доменами). На интернет канале стоит роутер с NAT.
Клиенты будут подключаться с различных OS - Android, iOS, Windows 7/8.
Настройка велась по статье: https://wiki.debian.org/ru/xl2tpd/Server
На роутере открыты порты: 1701, 500, 4500 (ping на внешний ип заблокирован)
Настройки на сервере:
/etc/ipsec.conf

config setup
        nat_traversal=yes
        virtual_private=%v4:10.10.0.0/24,%v4:10.10.50.0/24
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
# значение должно содержать список всех приватных сетей, которые
# допускаются в качестве подсетей для удалённых VPN-клиентов.
# Другими словами, это диапазон IP-адресов, который находиться
# за маршрутизатором и NAT, которым является наш VPN-сервер, через который подключаются VPN-клиенты.
        oe=off
        protostack=netkey
        plutostderrlog=/var/log/ipsec.log
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
# Apple iOS doesn't send delete notify so we need dead peer detection
# to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
# Устанавливаем значения параметров ikelifetime и keylife
# в соответсвующие значения по-умолчанию для Windows
        ikelifetime=8h
        keylife=1h
        type=transport
# Replace IP address with your local IP (private, behind NAT IP is okay as well)
        left=10.10.0.111
# Для новых VPN-клиентов под операционными системами Windows 2000/XP,
# то есть для поддержки VPN-клиентов под устаревшими операционными системами
# используйте leftprotoport=17/%any
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
#force all to be nat'ed. because of iOS
        forceencaps=yes
/etc/x2ltpd/xl2tpd.conf
[global]
ipsec saref = no
listen-addr = 10.10.0.111
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets

[lns default]
ip range = 10.10.50.2-10.10.50.254
local ip = 10.10.50.1
;require chap = yes
refuse chap = yes
refuse pap = yes
;assign ip = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.x2ltpd
;refuse-mschap-v2
;refuse-mschap
require-mschap-v2
ms-dns 10.10.0.112
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
/var/log/ipsec.log
"L2TP-PSK-NAT"[2] *.*.241.161 #5:   them: *.*.241.161[192.168.1.9,+S=C]:17/1701
"L2TP-PSK-NAT"[2] *.*.241.161 #5: keeping refhim=4294901761 during rekey
"L2TP-PSK-NAT"[2] *.*.241.161 #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"L2TP-PSK-NAT"[2] *.*.241.161 #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"L2TP-PSK-NAT"[2] *.*.241.161 #5: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
"L2TP-PSK-NAT"[2] *.*.241.161 #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"L2TP-PSK-NAT"[2] *.*.241.161 #5: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xb59c768e <0x8d6df54f xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.9 NATD=*.*.241.161:19590 DPD=none}
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received Delete SA(0x8e89e290) payload: deleting IPSEC State #4
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received and ignored informational message
"L2TP-PSK-NAT"[2] *.*.241.161 #1: the peer proposed: *.*.84.196/32:17/0 -> 192.168.1.9/32:17/1701
"L2TP-PSK-NAT"[2] *.*.241.161 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
"L2TP-PSK-NAT"[2] *.*.241.161 #6: responding to Quick Mode proposal {msgid:05000000}
"L2TP-PSK-NAT"[2] *.*.241.161 #6:     us: 10.10.0.111/32===10.10.0.111<10.10.0.111>[+S=C]:17/%any
"L2TP-PSK-NAT"[2] *.*.241.161 #6:   them: *.*.241.161[192.168.1.9,+S=C]:17/1701
"L2TP-PSK-NAT"[2] *.*.241.161 #6: keeping refhim=4294901761 during rekey
"L2TP-PSK-NAT"[2] *.*.241.161 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"L2TP-PSK-NAT"[2] *.*.241.161 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"L2TP-PSK-NAT"[2] *.*.241.161 #6: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
"L2TP-PSK-NAT"[2] *.*.241.161 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"L2TP-PSK-NAT"[2] *.*.241.161 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x4e59d20c <0x15dab5e0 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.9 NATD=*.*.241.161:19590 DPD=none}
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received Delete SA(0xb59c768e) payload: deleting IPSEC State #5
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received and ignored informational message
"L2TP-PSK-NAT"[2] *.*.241.161 #1: the peer proposed: *.*.84.196/32:17/0 -> 192.168.1.9/32:17/1701
"L2TP-PSK-NAT"[2] *.*.241.161 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
"L2TP-PSK-NAT"[2] *.*.241.161 #7: responding to Quick Mode proposal {msgid:06000000}
"L2TP-PSK-NAT"[2] *.*.241.161 #7:     us: 10.10.0.111/32===10.10.0.111<10.10.0.111>[+S=C]:17/%any
"L2TP-PSK-NAT"[2] *.*.241.161 #7:   them: *.*.241.161[192.168.1.9,+S=C]:17/1701
"L2TP-PSK-NAT"[2] *.*.241.161 #7: keeping refhim=4294901761 during rekey
"L2TP-PSK-NAT"[2] *.*.241.161 #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"L2TP-PSK-NAT"[2] *.*.241.161 #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"L2TP-PSK-NAT"[2] *.*.241.161 #7: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
"L2TP-PSK-NAT"[2] *.*.241.161 #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"L2TP-PSK-NAT"[2] *.*.241.161 #7: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x507c8444 <0x1a7aa257 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.9 NATD=*.*.241.161:19590 DPD=none}
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received Delete SA(0x4e59d20c) payload: deleting IPSEC State #6
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received and ignored informational message
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received Delete SA(0x507c8444) payload: deleting IPSEC State #7
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received and ignored informational message
"L2TP-PSK-NAT"[2] *.*.241.161 #1: received Delete SA payload: deleting ISAKMP State #1
"L2TP-PSK-NAT"[2] *.*.241.161: deleting connection "L2TP-PSK-NAT" instance with peer *.*.241.161 {isakmp=#0/ipsec=#0}
packet from *.*.241.161:19590: received and ignored informational message

Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.