LINUX.ORG.RU

strongswan + xl2tpd + dnsmasq = xl2tpd[-] : Maximum retries exceeded for tunnel -. Closing.


Hello everyone.

Here is what I have:

  Linux - 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 GNU/Linux
  
  xl2tpd version:  xl2tpd-1.3.12
  
  Linux strongSwan U5.7.2/K4.19.0-5-amd64
  
  Dnsmasq version 2.80

/etc/ipsec.conf

		config setup
		   charondebug="enc 0, net 0, ike 0, cfg 0, knl 0, lib 0, job 0, dmn 0"

		conn vpnserver
		   authby=secret
		   auto=add
		   type=transport
		   left={ip-2}
		   leftprotoport=17/1701
		   right=%any
		   rightprotoport=17/%any
		   rekey=no

/etc/dnsmasq.conf

dhcp-range=10.1.2.3,static
dhcp-option=option:router
dhcp-option=121,10.1.2.1/32,10.1.2.2,{ip-1}/32,10.1.2.2
dhcp-option=249,10.1.2.1/32,10.1.2.2,{ip-1}/32,10.1.2.2
dhcp-option=vendor:MSFT,2,1i

/etc/xl2tpd/xl2tpd.conf

		[global]
			ipsec saref = yes

		[lns default]
			ip range = 10.1.2.3-10.1.2.25
			local ip = 10.1.2.2
			require chap = yes
			refuse pap = yes
			require authentication = yes
			pppoptfile = /etc/ppp/options.xl2tpd

/etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
debug
auth
name vpnserver
proxyarp
mtu 1372

/etc/iptables/rules.v4

		*filter

		-A INPUT -i lo -j ACCEPT
		-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
		-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

		-A INPUT -p udp --dport 4500 -j ACCEPT
		-A INPUT -p udp --dport 500 -j ACCEPT

		-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
		-A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable

		-A INPUT -i ppp+ -s 10.1.2.0/24 -j ACCEPT
		-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

		-A INPUT -j DROP


		-A FORWARD -s 8.8.8.8 -j ACCEPT
		-A FORWARD -d 8.8.8.8 -j ACCEPT

		-A FORWARD -j REJECT

		-A OUTPUT -j ACCEPT

		-A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
		-A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable

		COMMIT

		*nat
		-A POSTROUTING -o ens3 -s 10.1.2.0/24 --jump MASQUERADE
		#-I POSTROUTING 1 -j LOG

		COMMIT

/etc/network/interfaces

auto ens3
iface ens3 inet static
        address {ip-1}
        netmask 255.255.255.255
        gateway 10.0.0.1
        pointopoint 10.0.0.1
        up ip addr add {ip-2}/32 dev ens3
        down ip addr del {ip-2}/32 dev ens3

auto dummy0
iface dummy0 inet static
        address 10.1.2.1
        netmask 255.255.255.0
        pre-up ip link add dummy0 type dummy

/etc/modules

dummy

/etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.ip_forward = 1

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:57:d7:ec brd ff:ff:ff:ff:ff:ff
    inet {ip-1} peer 10.0.0.1/32 brd {ip-1} scope global ens3
       valid_lft forever preferred_lft forever
    inet {ip-2}/32 scope global ens3
       valid_lft forever preferred_lft forever
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether f6:ed:c9:9f:fc:ef brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.1/24 brd 10.1.2.255 scope global dummy0
       valid_lft forever preferred_lft forever

As a result of all this I get

Aug  7 03:46:43 - charon: 00[DMN] signal of type SIGINT received. Shutting down
Aug  7 03:46:43 - ipsec[585]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  7 03:46:43 - ipsec[585]: 00[CFG]   loaded IKE secret for {ip-2}
Aug  7 03:46:43 - ipsec[585]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug  7 03:46:43 - ipsec[585]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug  7 03:46:43 - ipsec[585]: 00[JOB] spawning 16 worker threads
Aug  7 03:46:43 - ipsec[585]: 05[CFG] received stroke: add connection 'vpnserver'
Aug  7 03:46:43 - ipsec[585]: 05[CFG] added configuration 'vpnserver'
Aug  7 03:46:43 - ipsec[585]: 00[DMN] signal of type SIGINT received. Shutting down
Aug  7 03:46:43 - ipsec[585]: charon stopped after 200 ms
Aug  7 03:46:43 - ipsec[585]: ipsec starter stopped
Aug  7 03:46:43 - systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Aug  7 03:46:43 - systemd[1]: strongswan.service: Succeeded.
Aug  7 03:46:43 - systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug  7 03:46:43 - systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug  7 03:46:43 - ipsec[684]: Starting strongSwan 5.7.2 IPsec [starter]...
Aug  7 03:46:43 - systemd[1]: Stopping LSB: layer 2 tunelling protocol daemon...
Aug  7 03:46:43 - xl2tpd[613]: death_handler: Fatal signal 15 received
Aug  7 03:46:43 - xl2tpd[694]: Stopping xl2tpd: xl2tpd.
Aug  7 03:46:43 - systemd[1]: xl2tpd.service: Succeeded.
Aug  7 03:46:43 - systemd[1]: Stopped LSB: layer 2 tunelling protocol daemon.
Aug  7 03:46:43 - systemd[1]: Starting LSB: layer 2 tunelling protocol daemon...
Aug  7 03:46:43 - charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug  7 03:46:43 - xl2tpd[711]: Enabling IPsec SAref processing for L2TP transport mode SAs
Aug  7 03:46:43 - xl2tpd[711]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Aug  7 03:46:43 - xl2tpd[711]: setsockopt recvref[30]: Protocol not available
Aug  7 03:46:43 - xl2tpd[711]: Not looking for kernel support.
Aug  7 03:46:43 - xl2tpd[703]: Starting xl2tpd: xl2tpd.
Aug  7 03:46:43 - systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Aug  7 03:46:43 - xl2tpd[712]: xl2tpd version xl2tpd-1.3.12 started on -.info PID:712
Aug  7 03:46:43 - xl2tpd[712]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug  7 03:46:43 - xl2tpd[712]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug  7 03:46:43 - xl2tpd[712]: Inherited by Jeff McAdams, (C) 2002
Aug  7 03:46:43 - xl2tpd[712]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Aug  7 03:46:43 - xl2tpd[712]: Listening on IP address 0.0.0.0, port 1701
Aug  7 03:46:43 - charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  7 03:46:43 - charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  7 03:46:43 - charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  7 03:46:43 - charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  7 03:46:43 - charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  7 03:46:43 - charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  7 03:46:43 - charon: 00[CFG]   loaded IKE secret for {ip-2}
Aug  7 03:46:43 - charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug  7 03:46:43 - charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug  7 03:46:43 - charon: 00[JOB] spawning 16 worker threads
Aug  7 03:46:43 - systemd[1]: Stopping dnsmasq - A lightweight DHCP and caching DNS server...
Aug  7 03:46:43 - ipsec[684]: charon (710) started after 40 ms
Aug  7 03:46:43 - charon: 05[CFG] received stroke: add connection 'vpnserver'
Aug  7 03:46:43 - charon: 05[CFG] added configuration 'vpnserver'
Aug  7 03:46:43 - dnsmasq[649]: exiting on receipt of SIGTERM
Aug  7 03:46:43 - systemd[1]: dnsmasq.service: Succeeded.
Aug  7 03:46:43 - systemd[1]: Stopped dnsmasq - A lightweight DHCP and caching DNS server.
Aug  7 03:46:43 - systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Aug  7 03:46:43 - dnsmasq[740]: dnsmasq: syntax check OK.
Aug  7 03:46:43 - dnsmasq[748]: started, version 2.80 cachesize 150
Aug  7 03:46:43 - dnsmasq[748]: DNS service limited to local subnets
Aug  7 03:46:43 - dnsmasq[748]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Aug  7 03:46:43 - dnsmasq-dhcp[748]: DHCP, static leases only on 10.1.2.3, lease time 1h
Aug  7 03:46:43 - dnsmasq[748]: reading /etc/resolv.conf
Aug  7 03:46:43 - dnsmasq[748]: using nameserver 8.8.8.8#53
Aug  7 03:46:43 - dnsmasq[748]: using nameserver 8.8.4.4#53
Aug  7 03:46:43 - dnsmasq[748]: read /etc/hosts - 5 addresses
Aug  7 03:46:43 - systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Aug  7 03:46:55 - charon: 07[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (408 bytes)
Aug  7 03:46:55 - charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Aug  7 03:46:55 - charon: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Aug  7 03:46:55 - charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Aug  7 03:46:55 - charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  7 03:46:55 - charon: 07[IKE] received FRAGMENTATION vendor ID
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Aug  7 03:46:55 - charon: 07[IKE] {ip-client} is initiating a Main Mode IKE_SA
Aug  7 03:46:55 - charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
Aug  7 03:46:55 - charon: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug  7 03:46:55 - charon: 07[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (160 bytes)
Aug  7 03:46:55 - charon: 08[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (228 bytes)
Aug  7 03:46:55 - charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug  7 03:46:55 - charon: 08[IKE] remote host is behind NAT
Aug  7 03:46:55 - charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug  7 03:46:55 - charon: 08[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (212 bytes)
Aug  7 03:46:55 - charon: 09[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:46:55 - charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug  7 03:46:55 - charon: 09[CFG] looking for pre-shared key peer configs matching {ip-2}...{ip-client}[192.168.98.25]
Aug  7 03:46:55 - charon: 09[CFG] selected peer config "vpnserver"
Aug  7 03:46:55 - charon: 09[IKE] IKE_SA vpnserver[1] established between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug  7 03:46:55 - charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug  7 03:46:55 - charon: 09[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (76 bytes)
Aug  7 03:46:55 - charon: 11[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (444 bytes)
Aug  7 03:46:55 - charon: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:46:55 - charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug  7 03:46:55 - charon: 11[IKE] received 3600s lifetime, configured 0s
Aug  7 03:46:55 - charon: 11[IKE] received 250000000 lifebytes, configured 0
Aug  7 03:46:55 - charon: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:46:55 - charon: 11[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (204 bytes)
Aug  7 03:46:55 - charon: 12[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (60 bytes)
Aug  7 03:46:55 - charon: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Aug  7 03:46:55 - charon: 12[IKE] CHILD_SA vpnserver{1} established with SPIs c14bb892_i 06c946b0_o and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:46:56 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:46:58 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:02 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:10 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:20 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:26 - xl2tpd[712]: Maximum retries exceeded for tunnel 35573.  Closing.
Aug  7 03:47:26 - xl2tpd[712]: Connection 13 closed to {ip-client}, port 1701 (Timeout)
Aug  7 03:47:30 - charon: 15[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:47:30 - charon: 15[ENC] parsed INFORMATIONAL_V1 request 3378750910 [ HASH D ]
Aug  7 03:47:30 - charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 06c946b0
Aug  7 03:47:30 - charon: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c14bb892_i (648 bytes) 06c946b0_o (0 bytes) and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:47:30 - charon: 16[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (92 bytes)
Aug  7 03:47:30 - ipsec[684]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  7 03:47:30 - ipsec[684]: 00[CFG]   loaded IKE secret for {ip-2}
Aug  7 03:47:30 - ipsec[684]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug  7 03:47:30 - ipsec[684]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug  7 03:47:30 - ipsec[684]: 00[JOB] spawning 16 worker threads
Aug  7 03:47:30 - ipsec[684]: 05[CFG] received stroke: add connection 'vpnserver'
Aug  7 03:47:30 - ipsec[684]: 05[CFG] added configuration 'vpnserver'
Aug  7 03:47:30 - ipsec[684]: 07[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (408 bytes)
Aug  7 03:47:30 - ipsec[684]: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received FRAGMENTATION vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Aug  7 03:47:30 - ipsec[684]: 07[IKE] {ip-client} is initiating a Main Mode IKE_SA
Aug  7 03:47:30 - ipsec[684]: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
Aug  7 03:47:30 - ipsec[684]: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug  7 03:47:30 - ipsec[684]: 07[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (160 bytes)
Aug  7 03:47:30 - ipsec[684]: 08[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (228 bytes)
Aug  7 03:47:30 - ipsec[684]: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug  7 03:47:30 - charon: 16[ENC] parsed INFORMATIONAL_V1 request 1455205357 [ HASH D ]
Aug  7 03:47:30 - ipsec[684]: 08[IKE] remote host is behind NAT
Aug  7 03:47:30 - ipsec[684]: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug  7 03:47:30 - ipsec[684]: 08[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (212 bytes)
Aug  7 03:47:30 - ipsec[684]: 09[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:47:30 - ipsec[684]: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug  7 03:47:30 - ipsec[684]: 09[CFG] looking for pre-shared key peer configs matching {ip-2}...{ip-client}[192.168.98.25]
Aug  7 03:47:30 - ipsec[684]: 09[CFG] selected peer config "vpnserver"
Aug  7 03:47:30 - ipsec[684]: 09[IKE] IKE_SA vpnserver[1] established between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug  7 03:47:30 - ipsec[684]: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug  7 03:47:30 - ipsec[684]: 09[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (76 bytes)
Aug  7 03:47:30 - ipsec[684]: 11[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (444 bytes)
Aug  7 03:47:30 - ipsec[684]: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:47:30 - ipsec[684]: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug  7 03:47:30 - ipsec[684]: 11[IKE] received 3600s lifetime, configured 0s
Aug  7 03:47:30 - ipsec[684]: 11[IKE] received 250000000 lifebytes, configured 0
Aug  7 03:47:30 - ipsec[684]: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:47:30 - ipsec[684]: 11[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (204 bytes)
Aug  7 03:47:30 - ipsec[684]: 12[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (60 bytes)
Aug  7 03:47:30 - ipsec[684]: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Aug  7 03:47:30 - ipsec[684]: 12[IKE] CHILD_SA vpnserver{1} established with SPIs c14bb892_i 06c946b0_o and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:47:30 - ipsec[684]: 15[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:47:30 - ipsec[684]: 15[ENC] parsed INFORMATIONAL_V1 request 3378750910 [ HASH D ]
Aug  7 03:47:30 - ipsec[684]: 15[IKE] received DELETE for ESP CHILD_SA with SPI 06c946b0
Aug  7 03:47:30 - ipsec[684]: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c14bb892_i (648 bytes) 06c946b0_o (0 bytes) and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:47:30 - ipsec[684]: 16[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (92 bytes)
Aug  7 03:47:30 - ipsec[684]: 16[ENC] parsed INFORMATIONAL_V1 request 1455205357 [ HASH D ]
Aug  7 03:47:30 - ipsec[684]: 16[IKE] received DELETE for IKE_SA vpnserver[1]
Aug  7 03:47:30 - charon: 16[IKE] received DELETE for IKE_SA vpnserver[1]
Aug  7 03:47:30 - charon: 16[IKE] deleting IKE_SA vpnserver[1] between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug  7 03:47:57 - xl2tpd[712]: Unable to deliver closing message for tunnel 35573. Destroying anyway.
Aug  7 03:48:20 - systemd[1]: Started Session 3 of user root.

I tried connecting through two different providers, and the result is identical, so it is unlikely that the provider is blocking something.

With this config everything worked on Debian 9. The result became like this after applying the configs shown above on Debian 10. Or maybe I have mixed something up... :)

Help plz :)



Last edited by noisebringer (3 edits in total)

Judging by the logs, the IPsec SAs are being created, but the difficulties arise at the stage of creating the L2TP tunnel. Enable debug output for the L2TP tunnel.

ZANSWER

I second the poster above. Look at the xl2tpd logs; in Debian 9 the output went to /var/log/debug by default, I don't know about Debian 10.

anc ★★★★★

Aug  7 03:46:56 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:46:58 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:02 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:10 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:20 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:26 - xl2tpd[712]: Maximum retries exceeded for tunnel 35573.  Closing.

In general, judging by this part of the logs, the LNS receives SCCRQ messages from the LAC and obviously sends an SCCRP message in reply, but for some reason the LAC does not answer with an SCCCN message and instead sends another SCCRQ, as evidenced by the log message saying that the LAC requested opening the tunnel twice.

The last message indicates that the maximum number of attempts the LNS makes to deliver the SCCRP message to the LAC has been exhausted.

Without more detailed logs it is hard to say what is actually going on there. Besides, I could not find a decoding of all the messages xl2tpd writes to the log.

ZANSWER
Last edited by ZANSWER (2 edits in total)
Reply to: comment by ZANSWER
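To make the SCCRQ/SCCRP/SCCCN exchange described above concrete, here is an added example (not code from xl2tpd, strongSwan or anyone in this thread) that decodes L2TPv2 control messages per RFC 2661 and models the LNS-side bookkeeping behind the "Peer requested tunnel N twice" line: a second SCCRQ from the same peer carrying the same Assigned Tunnel ID while the first is still waiting for SCCCN is a retransmission, which means the LAC never received the SCCRP. The packet bytes, the peer label and the tunnel id 13 are constructed for the example; the LNS state machine is a simplification of what xl2tpd does, not its code.

```python
"""Decoder for L2TPv2 (RFC 2661) control messages, plus a model of the
LNS-side check behind xl2tpd's "Peer requested tunnel N twice" line.

Added example for this thread; not code from xl2tpd or strongSwan.
All packet bytes below are constructed by hand.
"""
import struct

MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
AVP_MESSAGE_TYPE = 0          # IETF (vendor 0) attribute types used here
AVP_PROTOCOL_VERSION = 2
AVP_HOST_NAME = 7
AVP_ASSIGNED_TUNNEL_ID = 9
CTRL_FLAGS = 0xC802           # T=1, L=1, S=1, Ver=2: set on every control message


def build_avp(attr: int, value: bytes) -> bytes:
    """Mandatory (M=1), unhidden, vendor-0 AVP; length includes the 6-byte AVP header."""
    return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, attr) + value


def build_control_message(msg_type: int, tunnel_id: int, ns: int, nr: int,
                          extra_avps: list) -> bytes:
    """12-byte control header (no Offset field) followed by the AVPs."""
    body = build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type)) + b"".join(extra_avps)
    return struct.pack("!HHHHHH", CTRL_FLAGS, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_control_message(data: bytes) -> dict:
    """Return header fields and the AVPs that identify the message and the LAC's tunnel."""
    flags = struct.unpack("!H", data[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    if flags & 0xC800 != 0xC800:          # T, L and S bits are mandatory on control messages
        raise ValueError("control messages must set the T, L and S bits")
    length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHH", data[2:12])
    if length != len(data):
        raise ValueError(f"length field {length} != datagram size {len(data)}")
    avps, off = {}, 12
    while off < length:
        avp_hdr = struct.unpack("!H", data[off:off + 2])[0]
        avp_len = avp_hdr & 0x03FF
        if avp_len < 6 or off + avp_len > length:
            raise ValueError("malformed AVP length")
        if avp_hdr & 0x4000:               # H bit: value hidden with the tunnel secret
            raise ValueError("hidden AVPs are not handled here")
        vendor, attr = struct.unpack("!HH", data[off + 2:off + 6])
        if vendor == 0:
            avps[attr] = data[off + 6:off + avp_len]
        off += avp_len
    if AVP_MESSAGE_TYPE not in avps:
        raise ValueError("Message Type AVP missing")
    msg_type = struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0]
    assigned = avps.get(AVP_ASSIGNED_TUNNEL_ID)
    return {
        "type": MESSAGE_TYPES.get(msg_type, f"type{msg_type}"),
        "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
        "assigned_tunnel_id": struct.unpack("!H", assigned)[0] if assigned else None,
        "host_name": avps.get(AVP_HOST_NAME, b"").decode("ascii", "replace"),
    }


def lns_observe(state: dict, peer: str, msg: dict) -> str:
    """One LNS-side step: what a control message from `peer` means given the earlier ones."""
    t = state.get(peer)
    if msg["type"] == "SCCRQ":
        if t and not t["established"] and t["lac_tid"] == msg["assigned_tunnel_id"]:
            t["retries"] += 1            # LAC never saw our SCCRP and is retransmitting
            return f"Peer requested tunnel {t['lac_tid']} twice, ignoring second one."
        state[peer] = {"lac_tid": msg["assigned_tunnel_id"], "established": False, "retries": 0}
        return f"SCCRQ from {peer}: LAC tunnel {msg['assigned_tunnel_id']}, sending SCCRP"
    if msg["type"] == "SCCCN" and t:
        t["established"] = True
        return f"SCCCN from {peer}: tunnel {t['lac_tid']} established"
    return f"{msg['type']} from {peer}: no tunnel state change"


def sample_sccrq(lac_tid: int = 13) -> bytes:
    """Constructed SCCRQ as a LAC sends it: header tunnel id 0, its own id in an AVP."""
    return build_control_message(1, 0, 0, 0, [
        build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        build_avp(AVP_HOST_NAME, b"lac"),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", lac_tid)),
    ])


def replay_thread_symptom(retries: int = 3) -> list:
    """The thread's pattern: SCCRQ retransmitted because the SCCRP never arrives."""
    state, log = {}, []
    for _ in range(retries):
        log.append(lns_observe(state, "lac-behind-nat", parse_control_message(sample_sccrq())))
    return log


if __name__ == "__main__":
    for line in replay_thread_symptom():
        print(line)
```

Run against a packet capture of UDP/1701 taken on the server, the same decoder tells you whether the SCCRP is leaving at all and from which source address, which is the question the retransmission pattern leaves open.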

Thanks for the help :)

The problem was that in /etc/xl2tpd/xl2tpd.conf the global section was missing the listen-addr option.

I added it.

After that everything worked.

Thanks everyone!

The thread can be closed.

noisebringer (topic starter)
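Why a missing listen-addr produces exactly this log pattern is worth spelling out, since the same mistake recurs on any multi-homed L2TP/IPsec host. This is the editor's reading of the thread, not something the poster stated: the server carries two addresses on ens3 ({ip-1} primary, {ip-2} added as a secondary), xl2tpd listens on 0.0.0.0:1701, and the IPsec transport policy plus the OUTPUT rules only cover UDP/1701 from {ip-2}. A socket bound to 0.0.0.0 replies from whatever source address the route lookup picks, so the SCCRP can leave from {ip-1}, where it is either rejected by the iptables rule or sent outside the tunnel, and the LAC keeps retransmitting SCCRQ. The added script below (not part of xl2tpd or strongSwan) parses copies of the two config files and the host address list and reports that mismatch; it uses constructed documentation addresses 198.51.100.1/198.51.100.2 in place of {ip-1}/{ip-2}.

```python
"""Cross-check xl2tpd.conf against ipsec.conf and the host's addresses.

Added example for this thread, not part of xl2tpd or strongSwan. The
constructed inputs mirror the configs posted above, with the placeholder
addresses replaced by documentation-range stand-ins.
"""

XL2TPD_CONF_AS_POSTED = """
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.3-10.1.2.25
local ip = 10.1.2.2
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
"""

# The fix reported in the thread: bind xl2tpd to the IPsec-covered address
XL2TPD_CONF_FIXED = XL2TPD_CONF_AS_POSTED.replace(
    "[global]\n", "[global]\nlisten-addr = 198.51.100.2\n")

IPSEC_CONF = """
config setup
   charondebug="enc 0, net 0, ike 0, cfg 0, knl 0, lib 0, job 0, dmn 0"

conn vpnserver
   authby=secret
   auto=add
   type=transport
   left=198.51.100.2
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any
   rekey=no
"""

# Addresses as `ip a` showed them: primary first, the secondary /32 second (constructed)
HOST_ADDRS = {"ens3": ["198.51.100.1", "198.51.100.2"], "dummy0": ["10.1.2.1"]}


def parse_ini_like(text: str) -> dict:
    """xl2tpd.conf: [section] headers and 'key = value' lines; ';' and '#' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_ipsec_conf(text: str) -> dict:
    """ipsec.conf: 'config setup' / 'conn NAME' blocks with indented key=value lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#")[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # an unindented line opens a new block
            current = line.strip()
            blocks.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.strip().partition("=")
            blocks[current][key.strip()] = value.strip()
    return blocks


def check_listen_addr(xl2tpd: dict, ipsec: dict, host_addrs: dict) -> list:
    """Findings when xl2tpd may answer from an address the IPsec policy does not cover."""
    findings = []
    listen = xl2tpd.get("global", {}).get("listen-addr")
    iface_of = {a: i for i, addrs in host_addrs.items() for a in addrs}
    for name, conn in ipsec.items():
        if not name.startswith("conn ") or conn.get("type") != "transport":
            continue
        left = conn.get("left")
        if left is None or left.startswith("%"):
            continue                         # %any / %defaultroute: nothing static to compare
        if left not in iface_of:
            findings.append(f"{name}: left={left} is not configured on any interface")
            continue
        siblings = host_addrs[iface_of[left]]
        if listen is None and len(siblings) > 1:
            findings.append(
                f"{name}: xl2tpd has no listen-addr but {iface_of[left]} carries "
                f"{len(siblings)} addresses; L2TP replies may leave from {siblings[0]} "
                f"instead of {left}, outside the IPsec policy for UDP/1701")
        elif listen is not None and listen != left:
            findings.append(f"{name}: listen-addr {listen} does not match left={left}")
    return findings


def audit(xl2tpd_text: str, ipsec_text: str, host_addrs: dict) -> list:
    return check_listen_addr(parse_ini_like(xl2tpd_text), parse_ipsec_conf(ipsec_text), host_addrs)


if __name__ == "__main__":
    for label, conf in (("as posted", XL2TPD_CONF_AS_POSTED), ("with listen-addr", XL2TPD_CONF_FIXED)):
        print(label, "->", audit(conf, IPSEC_CONF, HOST_ADDRS) or ["ok"])
```

On a real host the address list would come from `ip -4 addr show`; the check is deliberately conservative and only flags interfaces that carry more than one address, because that is the only case in which binding to 0.0.0.0 can pick a different source than the one the IPsec policy names.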