Centos 7. Пытаюсь настроить IPSec с помощью libreswan. Без L2TP. Цель - чтобы устройства соединялись и ходили «в интернет» через этот сервер. Аутентификация через PSK (Preshared Key) и по логину-паролю. Клиент - стандартный интерфейс в OS X (как я понимаю, racoon под капотом). Не соединяет.
/etc/ipsec.conf:
config setup
protostack=netkey
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
conn vpn
auto=add
authby=secret
left=%defaultroute
leftsubnet=0.0.0.0/0
leftxauthserver=yes
leftmodecfgserver=yes
xauthby=file
right=%any
rightaddresspool=10.152.81.1-10.152.81.254
rightxauthclient=yes
rightmodecfgclient=yes
modecfgpull=yes
/etc/ipsec.secrets
vbezhenar.com %any : PSK "mypskpassword"
/etc/ipsec.d/passwd
user:czlEF.pnzqLgM:vpn
В фаервол добавил правила для 500, 4500 udp портов и для 50, 51 протоколов.
Последние строчки в логе сервера:
Oct 11 17:15:03 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #1: modecfg_inR0(STF_OK)
Oct 11 17:15:03 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #1: transition from state STATE_MODE_CFG_R0
to state STATE_MODE_CFG_R1
Oct 11 17:15:03 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, ex
pecting Ack
Oct 11 17:15:03 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #1: the peer proposed: 0.0.0.0/0:0/0 -> 10.
152.81.1/32:0/0
Oct 11 17:15:03 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #2: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Oct 11 17:15:06 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #2: discarding duplicate packet; already STATE_QUICK_R0
-- повторяется это сообщение около 10 раз
Oct 11 17:15:32 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #2: discarding duplicate packet; already STATE_QUICK_R0
Oct 11 17:15:33 vbezhenar.com pluto[10899]: "vpn"[2] 37.150.95.208 #1: received Delete SA payload: deleting ISAKMP State #1
Oct 11 17:15:33 vbezhenar.com pluto[10899]: packet from 37.150.95.208:4500: received and ignored empty informational notification payload
и клиент говорит, что не удалось подключиться к серверу.
В логах у клиента последние строчки:
Oct 12 03:15:19 neptune racoon[33289] <Notice>: IPSec Network Configuration requested.
Oct 12 03:15:19 neptune racoon[33289] <Notice>: IPSec Network Configuration established.
Oct 12 03:15:19 neptune racoon[33289] <Notice>: >>>>> phase change status = Phase 1 established
Oct 12 03:15:19 neptune racoon[33289] <Notice>: IKE Packet: receive success. (MODE-Config).
Oct 12 03:15:20 neptune racoon[33289] <Notice>: IPSec Phase 2 started (Initiated by me).
Oct 12 03:15:20 neptune racoon[33289] <Notice>: >>>>> phase change status = Phase 2 started
Oct 12 03:15:20 neptune racoon[33289] <Notice>: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Oct 12 03:15:23 Neptune.local racoon[33289] <Notice>: IKE Packet: transmit success. (Phase 2 Retransmit).
--- last message repeated 8 times ---
Oct 12 03:15:50 Neptune.local racoon[33289] <Notice>: IPSec disconnecting from server 81.4.110.134
Oct 12 03:15:50 Neptune.local racoon[33289] <Notice>: IKE Packet: transmit success. (Information message).
Oct 12 03:15:50 Neptune.local racoon[33289] <Notice>: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Oct 12 03:15:50 Neptune.local racoon[33289] <Notice>: IPSec disconnecting from server 81.4.110.134
Oct 12 03:15:50 Neptune.local racoon[33289] <Warning>: glob found no matches for path "/var/run/racoon/*.conf"
Oct 12 03:15:50 neptune racoon[33289] <Notice>: Connecting.
Oct 12 03:15:50 neptune racoon[33289] <Error>: Unknown Informational exchange received.
Oct 12 03:15:51 neptune racoon[33289] <Error>: Internal error - attempt to re-send Phase 2 with no Phase 1 bound.
