LINUX.ORG.RU
Forum: Admin

ipsec screw-up

Hi all! I have openwrt, and on it I set up ipsec/l2tp with openswan; on startup an error appears,

Aug 27 16:10:04 gw daemon.err ipsec_setup: Using NETKEY(XFRM) stack
Aug 27 16:10:04 gw kern.warn kernel: [13632.990000] ipcomp6: Unknown symbol ipcomp_input (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13632.990000] ipcomp6: Unknown symbol ipcomp_destroy (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.000000] ipcomp6: Unknown symbol xfrm6_tunnel_alloc_spi (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.010000] ipcomp6: Unknown symbol ipcomp_output (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.010000] ipcomp6: Unknown symbol xfrm6_tunnel_spi_lookup (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.020000] ipcomp6: Unknown symbol ipcomp_init_state (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.030000] ipcomp: Unknown symbol ipcomp_input (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.040000] ipcomp: Unknown symbol ipcomp_destroy (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.040000] ipcomp: Unknown symbol ipcomp_output (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.050000] ipcomp: Unknown symbol ipcomp_init_state (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.060000] xfrm6_tunnel: Unknown symbol xfrm6_tunnel_register (err 0)
Aug 27 16:10:04 gw kern.warn kernel: [13633.070000] xfrm6_tunnel: Unknown symbol xfrm6_tunnel_deregister (err 0)
Aug 27 16:10:04 gw kern.info kernel: [13633.210000] Initializing XFRM netlink socket
Aug 27 16:10:04 gw authpriv.err ipsec__plutorun: Starting Pluto subsystem...
Aug 27 16:10:04 gw daemon.err ipsec_setup: ...Openswan IPsec started
Aug 27 16:10:04 gw user.warn syslog: adjusting ipsec.d to /etc/ipsec.d
Aug 27 16:10:04 gw daemon.err ipsec_setup: Starting Openswan IPsec U2.6.38-gb812c102/K3.3.8...
Aug 27 16:10:05 gw daemon.err ipsec__plutorun: 002 added connection description "L2TP-PSK"
but ipsec starts anyway; once it is up I try to connect from Android and errors come out. Please help me with the setup, I've run out of ideas where to dig. Config below: xl2tpd.conf
[global]
port = 1701
access control = no
ipsec saref = yes

[lns default]
exclusive = yes
ip range = 10.20.20.202-10.20.20.210
local ip = 10.20.20.2
length bit = yes
ppp debug = yes
require authentication = yes
name = gw.xx.xx
pppoptfile = /etc/ppp/options.xl2tpd
unix authentication = no
require chap = yes
require pap = yes

Config below: ipsec.conf

version 2.0

config setup
   nat_traversal=yes
   virtual_private=%v4:10.20.20.0/24
   oe=off
   protostack=netkey

conn L2TP-PSK
   authby=secret
   pfs=no
   compress=no
   rekey=no
   keyingtries=3
   type=transport
   left=%defaultroute
   leftprotoport=17/1701
   right=%any
   rightsubnet=vhost:%no,%priv
   rightprotoport=17/%any
   auto=add
   forceencaps=yes

tcpdump

15:54:30.138075 IP 194.186.x.x.500 > 80.251.x.x.500: isakmp: phase 1 I ident
15:54:30.139321 IP 80.251.x.x.500 > 194.186.x.x.500: isakmp: phase 1 R ident
15:54:30.192242 IP 194.186.x.x.500 > 80.251.x.x.500: isakmp: phase 1 I ident
15:54:30.210766 IP 80.251.x.x.500 > 194.186.x.x.500: isakmp: phase 1 R ident
15:54:30.262160 IP 194.186.x.x.4500 > 80.251.x.x.4500: NONESP-encap: isakmp: phase 1 I ident[E]
15:54:30.263397 IP 80.251.x.x.4500 > 194.186.x.x.4500: NONESP-encap: isakmp: phase 1 R ident[E]
15:54:30.291531 IP 194.186.x.x.4500 > 80.251.x.x.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:54:30.792798 IP 62.67.209.111.443 > 80.251.x.x.36115: UDP, length 42
15:54:31.314989 IP 194.186.x.x.4500 > 80.251.x.x.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
15:54:31.320069 IP 80.251.x.x.4500 > 194.186.x.x.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
15:54:31.341903 IP 194.186.x.x.4500 > 80.251.x.x.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
15:54:31.957513 IP 80.251.x.x.36115 > 62.67.209.111.443: UDP, length 42
15:54:32.141801 IP 194.186.x.x.4500 > 80.251.x.x.4500: UDP-encap: ESP(spi=0xb660786f,seq=0x1), length 116
15:54:34.142939 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x1), length 164
15:54:34.144132 IP 194.186.x.x.4500 > 80.251.x.x.4500: UDP-encap: ESP(spi=0xb660786f,seq=0x2), length 116
15:54:34.145034 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x2), length 68
15:54:34.163638 IP 194.186.x.x.4500 > 80.251.x.x.4500: UDP-encap: ESP(spi=0xb660786f,seq=0x3), length 68
15:54:34.164557 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x3), length 68
15:54:34.184621 IP 194.186.x.x.4500 > 80.251.x.x.4500: UDP-encap: ESP(spi=0xb660786f,seq=0x4), length 84
15:54:34.185402 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x4), length 84
15:54:34.185583 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x5), length 68
15:54:34.200142 IP 194.186.x.x.4500 > 80.251.x.x.4500: UDP-encap: ESP(spi=0xb660786f,seq=0x5), length 100
15:54:34.202883 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x6), length 68
15:54:34.219140 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x7), length 84
15:54:34.233966 IP 194.186.x.x.4500 > 80.251.x.x.4500: UDP-encap: ESP(spi=0xb660786f,seq=0x6), length 84
15:54:34.234831 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x8), length 68
15:54:34.235092 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x9), length 132
15:54:35.236149 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0xa), length 132
15:54:36.237179 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0xb), length 132
Logs from the router below
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: control_finish: Peer requested tunnel 39053 twice, ignoring second one.
Aug 27 15:54:34 gw daemon.notice xl2tpd[2209]: Connection established to 194.186.x.x, 47573.  Local: 37445, Remote: 39053 (ref=0/0).  LNS session is 'default'
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: start_pppd: I'm running: 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "/usr/sbin/pppd" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "passive" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "nodetach" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "10.20.20.2:10.20.20.202" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "auth" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "require-pap" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "require-chap" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "name" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "gw.droider.org" 
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: "debug" 
Aug 27 15:54:34 gw daemon.info pppd[7433]: Plugin pppol2tp.so loaded.
Aug 27 15:54:34 gw daemon.info pppd[7433]: pppd options in effect:
Aug 27 15:54:34 gw daemon.info pppd[7433]: debug debug		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: nodetach		# (from command line)
Aug 27 15:54:34 gw daemon.info pppd[7433]: idle 1800		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: logfile /var/log/xl2tpd.log		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: maxfail 0		# (from /etc/ppp/options)
Aug 27 15:54:34 gw daemon.info pppd[7433]: connect-delay 5000		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: dump		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: plugin pppol2tp.so		# (from command line)
Aug 27 15:54:34 gw daemon.info pppd[7433]: require-mschap-v2		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: refuse-pap		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: refuse-eap		# (from /etc/ppp/options.xl2tpd)
Aug 27 15:54:34 gw daemon.info pppd[7433]: name gw.droider.org		# (from command line)
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: child_handler : pppd terminated for call 55734 by signal 11
Aug 27 15:54:34 gw daemon.info xl2tpd[2209]: call_close: Call 41619 to 194.186.x.x disconnected
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: result_code_avp: avp is incorrect size.  8 < 10
Aug 27 15:54:34 gw daemon.warn xl2tpd[2209]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: Terminating pppd: sending TERM signal to pid 7433
Aug 27 15:54:34 gw daemon.info xl2tpd[2209]: Connection 39053 closed to 194.186.x.x, port 47573 (Result Code: expected at least 10, got 8)
Aug 27 15:54:39 gw daemon.debug xl2tpd[2209]: Unable to deliver closing message for tunnel 37445. Destroying anyway.

Where could the error be?
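The sequence visible in the post above (IKE phase 1 and phase 2 complete, ESP flowing in both directions, then xl2tpd tearing the tunnel down) can be checked mechanically rather than by eye. The following Python is an added example, not the original poster's code or anything from openswan or xl2tpd; the capture and syslog lines embedded in it are constructed copies modelled on the output quoted above, and it assumes the router is the 80.251.x.x responder.

```python
"""Added triage helper: decide from a tcpdump capture and xl2tpd syslog lines
whether an L2TP/IPsec connection failed at the IKE, ESP or L2TP/PPP layer.
Sample lines are constructed, modelled on the output quoted in the thread."""
import re

# Constructed excerpt of the capture: the Android client is the IKE initiator (I),
# the router (assumed to be 80.251.x.x) is the responder (R).
CAPTURE = """\
15:54:30.138075 IP 194.186.x.x.500 > 80.251.x.x.500: isakmp: phase 1 I ident
15:54:30.139321 IP 80.251.x.x.500 > 194.186.x.x.500: isakmp: phase 1 R ident
15:54:30.262160 IP 194.186.x.x.4500 > 80.251.x.x.4500: NONESP-encap: isakmp: phase 1 I ident[E]
15:54:30.263397 IP 80.251.x.x.4500 > 194.186.x.x.4500: NONESP-encap: isakmp: phase 1 R ident[E]
15:54:31.314989 IP 194.186.x.x.4500 > 80.251.x.x.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
15:54:31.320069 IP 80.251.x.x.4500 > 194.186.x.x.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
15:54:32.141801 IP 194.186.x.x.4500 > 80.251.x.x.4500: UDP-encap: ESP(spi=0xb660786f,seq=0x1), length 116
15:54:34.142939 IP 80.251.x.x.4500 > 194.186.x.x.4500: UDP-encap: ESP(spi=0x0036df9d,seq=0x1), length 164
"""

# Constructed excerpt of the router syslog.
SYSLOG = """\
Aug 27 15:54:34 gw daemon.notice xl2tpd[2209]: Connection established to 194.186.x.x, 47573.  Local: 37445, Remote: 39053 (ref=0/0).  LNS session is 'default'
Aug 27 15:54:34 gw daemon.debug xl2tpd[2209]: child_handler : pppd terminated for call 55734 by signal 11
Aug 27 15:54:34 gw daemon.info xl2tpd[2209]: Connection 39053 closed to 194.186.x.x, port 47573 (Result Code: expected at least 10, got 8)
"""

PKT = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): (.*)$")
L2TP_ERR = re.compile(r"xl2tpd\[\d+\]: (.*(?:by signal \d+|Result Code: .*))$")


def triage(capture: str, syslog: str, server_ip: str) -> dict:
    """Walk the capture in order and record how far the IPsec side got,
    then collect the xl2tpd lines that explain an L2TP/PPP-layer failure."""
    state = {"ike_phase1": False, "ike_phase2": False,
             "esp_in": 0, "esp_out": 0, "l2tp_errors": []}
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, _sport, _dst, _dport, info = m.groups()
        from_server = src == server_ip
        # A responder (R) packet leaving the server means that phase completed here.
        if from_server and "phase 1 R ident" in info:
            state["ike_phase1"] = True
        elif from_server and "phase 2/others R oakley-quick" in info:
            state["ike_phase2"] = True
        elif "ESP(spi=" in info:
            state["esp_out" if from_server else "esp_in"] += 1
    for line in syslog.splitlines():
        m = L2TP_ERR.search(line)
        if m:
            state["l2tp_errors"].append(m.group(1))

    if not state["ike_phase1"]:
        verdict = "IKE phase 1 never completed: check PSK, NAT-T and UDP 500/4500"
    elif not state["ike_phase2"]:
        verdict = "IKE phase 2 failed: check leftprotoport/rightprotoport and transport mode"
    elif not (state["esp_in"] and state["esp_out"]):
        verdict = "SA established but ESP flows only one way: check firewall for UDP 4500"
    elif state["l2tp_errors"]:
        verdict = "IPsec is up (ESP both ways); failure is in the L2TP/PPP layer"
    else:
        verdict = "no failure visible in these lines"
    state["verdict"] = verdict
    return state


if __name__ == "__main__":
    for k, v in triage(CAPTURE, SYSLOG, "80.251.x.x").items():
        print(f"{k}: {v}")
```

Run against the constructed lines it reports both IKE phases complete, one ESP packet each way, and two xl2tpd error lines, so the verdict points at the L2TP/PPP layer rather than at the IPsec configuration.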


Reply to: comment by Disova
lock
auth
debug
dump
logfd 2
logfile /var/log/xl2tpd.log
noccp
novj
novjccomp
nopcomp
noaccomp
require-mschap
require-mschap-v2
ms-dns 10.20.20.2
lcp-echo-interval 120
lcp-echo-failure 10
idle 1800
connect-delay 5000
nodefaultroute
noipdefault

proxyarp
mtu 1400
mru 1400

refuse-eap
refuse-pap
nobsdcomp
nodeflate
taku () topic author

The errors at startup are due to IPsec for IPv6 being absent from the kernel; if you don't need IPv6, you can ignore them.
The errors in the log are l2tp negotiation errors: either android or xl2tpd disregards the standard somewhere, and so they have problems with some AVPs. You could try an older / newer xl2tpd, or go with accel-ppp.

whoami ()
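To make the AVP point concrete: below is an added example (not from the thread, and not xl2tpd's or Android's code) that decodes an L2TPv2 control message per RFC 2661 and applies either a lenient or a strict minimum length to the Result Code AVP. RFC 2661 section 4.4.2 makes the Error Code and Error Message fields of that AVP optional, so the shortest legal Result Code AVP is 6 header bytes plus a 2-byte Result Code, 8 bytes in total; a receiver that insists on the Error Code being present needs 10 and rejects the shorter form, which is the "8 < 10" mismatch in the log above. The StopCCN packet the code builds is constructed: the tunnel IDs are taken from the log, the result code value and the sample Error Message are assumptions.

```python
"""Added example: decode an L2TPv2 control message (RFC 2661) and show why an
8-byte Result Code AVP trips a check that expects at least 10 bytes.
The packets built here are constructed samples."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Attribute types and message type value from RFC 2661 sections 3.2 / 4.4
ATTR_MESSAGE_TYPE = 0
ATTR_RESULT_CODE = 1
ATTR_ASSIGNED_TUNNEL_ID = 9
MSG_STOPCCN = 4


@dataclass
class AVP:
    mandatory: bool   # M bit: receiver must tear down if it does not understand the AVP
    hidden: bool      # H bit: value is encrypted with the tunnel secret (not decoded here)
    vendor_id: int
    attr_type: int
    value: bytes


def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    # Flags/length word: M bit 0x8000, H bit 0x4000, 10-bit length incl. the 6-byte header
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr_type) + value


def build_control_message(tunnel_id: int, session_id: int, ns: int, nr: int, avps) -> bytes:
    body = b"".join(avps)
    # T, L and S bits set, version 2 -> 0xC802; Length includes the 12-byte header
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def parse_control_message(pkt: bytes) -> Tuple[dict, list]:
    if len(pkt) < 12:
        raise ValueError("truncated L2TP control header")
    (flags,) = struct.unpack_from("!H", pkt, 0)
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    if not flags & 0x8000:
        raise ValueError("T bit clear: data message, not control")
    if not (flags & 0x4000 and flags & 0x0800) or flags & 0x0200:
        raise ValueError("control messages need L and S set and O clear")
    length, tunnel_id, session_id, ns, nr = struct.unpack_from("!HHHHH", pkt, 2)
    if length < 12 or length > len(pkt):
        raise ValueError(f"bad Length {length} for {len(pkt)}-byte packet")
    avps, body = [], pkt[12:length]
    while body:
        if len(body) < 6:
            raise ValueError("truncated AVP header")
        fl, vendor, attr = struct.unpack_from("!HHH", body, 0)
        alen = fl & 0x03FF
        if alen < 6 or alen > len(body):
            raise ValueError(f"AVP length {alen} does not fit in {len(body)} remaining bytes")
        avps.append(AVP(bool(fl & 0x8000), bool(fl & 0x4000), vendor, attr, body[6:alen]))
        body = body[alen:]
    return {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr}, avps


def parse_result_code(avp: AVP, strict: bool = False) -> Tuple[int, Optional[int], str]:
    """strict=True reproduces a check that requires the Error Code field (10 bytes);
    strict=False accepts the RFC minimum of 8 bytes (Result Code only)."""
    total, minimum = 6 + len(avp.value), (10 if strict else 8)
    if total < minimum:
        raise ValueError(f"Result Code AVP is incorrect size. {total} < {minimum}")
    (result,) = struct.unpack_from("!H", avp.value, 0)
    error = struct.unpack_from("!H", avp.value, 2)[0] if len(avp.value) >= 4 else None
    return result, error, avp.value[4:].decode("utf-8", "replace")


def decode_stopccn(pkt: bytes, strict: bool = False) -> dict:
    hdr, avps = parse_control_message(pkt)
    by_type = {a.attr_type: a for a in avps if a.vendor_id == 0 and not a.hidden}
    (msg_type,) = struct.unpack("!H", by_type[ATTR_MESSAGE_TYPE].value)
    if msg_type != MSG_STOPCCN:
        raise ValueError(f"expected StopCCN (4), got message type {msg_type}")
    result, error, message = parse_result_code(by_type[ATTR_RESULT_CODE], strict)
    return {**hdr, "msg_type": msg_type, "result": result, "error": error, "message": message}


def short_form_stopccn() -> bytes:
    """Constructed StopCCN whose Result Code AVP carries only the 2-byte Result Code.
    The header's Tunnel ID is the receiver's (37445 in the thread's log); the
    sender's own ID (39053) travels in the Assigned Tunnel ID AVP."""
    return build_control_message(37445, 0, 1, 2, [
        build_avp(ATTR_MESSAGE_TYPE, struct.pack("!H", MSG_STOPCCN)),
        build_avp(ATTR_RESULT_CODE, struct.pack("!H", 1)),   # 8-byte AVP, no Error Code
        build_avp(ATTR_ASSIGNED_TUNNEL_ID, struct.pack("!H", 39053)),
    ])


if __name__ == "__main__":
    pkt = short_form_stopccn()
    print("lenient:", decode_stopccn(pkt))
    try:
        decode_stopccn(pkt, strict=True)
    except ValueError as e:
        print("strict:", e)
```

The lenient decoder returns result code 1 with no error code, while the strict one fails with the same "8 < 10" shape as the xl2tpd message; a full-form AVP with Error Code and Error Message passes both. Note also that the decoder skips hidden (H bit) AVPs because their value is only recoverable with the tunnel secret.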