L2TP over IPsec using certificates

I am trying to set up an L2TP over IPsec VPN using certificates; with PSK everything worked for me.

I made the certificates as in this article: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-20-04-ru

My ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn L2TPServer
    type=transport
    keyingtries=1
    left=5.63.159.153
    leftprotoport=udp/1701

#   authby=secret
    leftcert=server-cert.pem
    leftsendcert=always
    leftid=*.*.*.*
    keyexchange=ikev1
    rightrsasigkey=%cert

    right=%any
    rightprotoport=udp/%any
    auto=add

ipsec.secrets:

: RSA "server-key.pem"

Logs with the error:

Apr 23 17:08:21 5-63-159-153 charon: 07[NET] received packet: from 188.170.86.198[12966] to *.*.*.*[500] (408 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Apr 23 17:08:21 5-63-159-153 charon: 07[ENC] received unknown vendor ID: 01:52:8b:00:00:00:01
Apr 23 17:08:21 5-63-159-153 charon: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 07[IKE] received FRAGMENTATION vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 07[ENC] received unknown vendor ID: fb:1d:e3:c:b7:e5:be:08:55:f1:20
Apr 23 17:08:21 5-63-159-153 charon: 07[ENC] received unknown vendor ID: 26:24:4d:38:e3:d0:cf:b8:19
Apr 23 17:08:21 5-63-159-153 charon: 07[ENC] received unknown vendor ID: e3:a5:96:6a:722:82:31:e5:ce:86:52
Apr 23 17:08:21 5-63-159-153 charon: 07[IKE] 188.170.86.198 is initiating a Main Mode IKE_SA
Apr 23 17:08:21 5-63-159-153 charon: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Apr 23 17:08:21 5-63-159-153 charon: 07[NET] sending packet: from *.*.*.*[500] to 188.170.86.198[12966] (160 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 08[NET] received packet: from 188.170.86.198[12966] to *.*.*.*[500] (228 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 23 17:08:21 5-63-159-153 charon: 08[IKE] remote host is behind NAT
Apr 23 17:08:21 5-63-159-153 charon: 08[IKE] sending cert request for "CN=VPN root CA"
Apr 23 17:08:21 5-63-159-153 charon: 08[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 23 17:08:21 5-63-159-153 charon: 08[NET] sending packet: from *.*.*.*[500] to 188.170.86.198[12966] (241 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 09[NET] received packet: from 188.170.86.198[12966] to *.*.*.*[500] (408 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Apr 23 17:08:21 5-63-159-153 charon: 09[ENC] received unknown vendor ID: 01:52:8b:bb:96:129:ab:9a:1c:5b
Apr 23 17:08:21 5-63-159-153 charon: 09[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 09[IKE] received FRAGMENTATION vendor ID
Apr 23 17:08:21 5-63-159-153 charon: 09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:be:08:55:f1:20
Apr 23 17:08:21 5-63-159-153 charon: 09[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:63:d0:cf:b8:19
Apr 23 17:08:21 5-63-159-153 charon: 09[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7e5:ce:86:52
Apr 23 17:08:21 5-63-159-153 charon: 09[IKE] 188.170.86.198 is initiating a Main Mode IKE_SA
Apr 23 17:08:21 5-63-159-153 charon: 09[ENC] generating ID_PROT response 0 [ SA V V V V ]
Apr 23 17:08:21 5-63-159-153 charon: 09[NET] sending packet: from *.*.*.*[500] to 188.170.86.198[12966] (160 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 10[NET] received packet: from 188.170.86.198[20725] to *.*.*.*[4500] (92 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 10[ENC] parsed INFORMATIONAL_V1 request 2213899583 [ HASH N((28)) ]
Apr 23 17:08:21 5-63-159-153 charon: 10[IKE] received (28) error notify
Apr 23 17:08:21 5-63-159-153 charon: 11[NET] received packet: from 188.170.86.198[12966] to *.*.*.*[500] (228 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 23 17:08:21 5-63-159-153 charon: 11[IKE] remote host is behind NAT
Apr 23 17:08:21 5-63-159-153 charon: 11[IKE] sending cert request for "CN=VPN root CA"
Apr 23 17:08:21 5-63-159-153 charon: 11[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 23 17:08:21 5-63-159-153 charon: 11[NET] sending packet: from *.*.*.* [500] to 188.170.86.198[12966] (241 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 12[NET] received packet: from 188.170.86.198[20725] to *.*.*.*[4500] (92 bytes)
Apr 23 17:08:21 5-63-159-153 charon: 12[ENC] parsed INFORMATIONAL_V1 request 1129329395 [ HASH N((28)) ]
Apr 23 17:08:21 5-63-159-153 charon: 12[IKE] received (28) error notify

I just don't understand where my mistake is; it's just some error notify.

I also don't understand which type of sign-in data to choose on Windows in the VPN connection settings, username and password or certificate. I choose username and password, since my login goes through the secrets in xl2tpd.
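As an added example (not code from the post, from strongSwan, or from the linked tutorial), here is a small Python parser for charon log lines of the shape quoted above. It pulls out the IKEv1 error notify code and maps it to its name in the RFC 2408 notify table, and records whether NAT-T flagged the peer as behind NAT and which CA the server sent a CERTREQ for, which is the context an operator needs before reading a bare "(28) error notify". The sample log embedded in the block is constructed, with RFC 5737 documentation addresses in place of the real ones; the code 28 that appears in the post's log is CERTIFICATE-UNAVAILABLE in RFC 2408 section 3.14.1. The `diagnose` wording is this example's own suggestion of what to check, not a statement from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same shape as the charon log quoted in the post,
# with documentation-range addresses (RFC 5737) instead of the real ones.
SAMPLE_LOG = """\
Apr 23 17:08:21 vpn charon: 07[NET] received packet: from 203.0.113.5[12966] to 192.0.2.10[500] (408 bytes)
Apr 23 17:08:21 vpn charon: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Apr 23 17:08:21 vpn charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Apr 23 17:08:21 vpn charon: 07[IKE] 203.0.113.5 is initiating a Main Mode IKE_SA
Apr 23 17:08:21 vpn charon: 08[IKE] remote host is behind NAT
Apr 23 17:08:21 vpn charon: 08[IKE] sending cert request for "CN=VPN root CA"
Apr 23 17:08:21 vpn charon: 08[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 23 17:08:21 vpn charon: 10[ENC] parsed INFORMATIONAL_V1 request 2213899583 [ HASH N((28)) ]
Apr 23 17:08:21 vpn charon: 10[IKE] received (28) error notify
Apr 23 17:08:22 vpn charon: 12[IKE] received (28) error notify
not a charon line at all
"""

# ISAKMP/IKEv1 error notify types, RFC 2408 section 3.14.1.
IKEV1_NOTIFY_ERRORS = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
}

# "charon: 07[IKE] message" -> thread id, subsystem tag, message text
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$")
NOTIFY_RE = re.compile(r"received \((?P<code>\d+)\) error notify")
INITIATE_RE = re.compile(r"(?P<peer>\S+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA")
CERTREQ_RE = re.compile(r'sending cert request for "(?P<dn>[^"]+)"')


def notify_name(code: int) -> str:
    """Map an IKEv1 error notify code to its RFC 2408 name."""
    return IKEV1_NOTIFY_ERRORS.get(code, f"UNKNOWN({code})")


def parse_line(line: str):
    """Split one charon syslog line into thread id, subsystem tag and message.
    Returns None for lines that are not charon output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"thread": int(m["thread"]), "subsys": m["subsys"], "msg": m["msg"]}


@dataclass
class HandshakeSummary:
    initiations: list = field(default_factory=list)     # (peer address, IKEv1 mode)
    behind_nat: bool = False                            # NAT-T detected the peer behind NAT
    cert_requests: list = field(default_factory=list)   # CA DNs we sent a CERTREQ for
    error_notifies: list = field(default_factory=list)  # (code, RFC 2408 name)


def summarize(log_text: str) -> HandshakeSummary:
    """Walk the log once and collect the facts that matter for a failed Main Mode exchange."""
    s = HandshakeSummary()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := INITIATE_RE.search(msg):
            s.initiations.append((m["peer"], m["mode"]))
        elif msg == "remote host is behind NAT":
            s.behind_nat = True
        elif m := CERTREQ_RE.search(msg):
            s.cert_requests.append(m["dn"])
        elif m := NOTIFY_RE.search(msg):
            code = int(m["code"])
            s.error_notifies.append((code, notify_name(code)))
    return s


def diagnose(s: HandshakeSummary) -> list:
    """Turn the summary into plain-language findings for the operator."""
    findings = []
    for peer, mode in s.initiations:
        nat = " from behind NAT" if s.behind_nat else ""
        findings.append(f"{peer} started an IKEv1 {mode} Mode exchange{nat}")
    for code, name in s.error_notifies:
        if code == 28 and s.cert_requests:
            # Our own reading of the sequence: a CERTREQ went out, the peer answered with 28.
            findings.append(f"peer answered our CERTREQ for {s.cert_requests[0]!r} with {name} ({code}): "
                            "check that the client holds a certificate issued by that CA")
        else:
            findings.append(f"peer sent error notify {name} ({code})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print(finding)
```

Run it against a real `journalctl -u strongswan` capture by reading the file into `summarize()`; lines that are not charon output are skipped, so the whole syslog can be fed in unfiltered.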