Good afternoon. I cannot set up an IPsec server so that both Windows Server 2003 and modern OSes (Windows 10, macOS) can connect to it. I can get it working either for Windows Server 2003 or for the modern OSes, but not both. Could you please tell me how to work around this?
The server is Debian 10. It sits on the Internet, and everyone needs to connect to it and then reach the Windows Server 2003 machine over RDP.
/etc# cat /etc/ipsec.conf
version 2.0
config setup
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
uniqueids=no
conn shared
left=%defaultroute
leftid=195.189.226.225
right=%any
encapsulation=yes
authby=secret
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=300
dpdaction=clear
ikev2=never
## ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048;modp1024
ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
## phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
phase2alg=3des-sha1,aes-sha1,aes-sha2,3des-sha2,aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
ikelifetime=24h
salifetime=24h
sha2-truncbug=no
conn l2tp-psk
auto=add
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
also=shared
conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=192.168.43.101-192.168.43.199
modecfgdns="8.8.8.8 8.8.4.4"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
cisco-unity=yes
also=shared
include /etc/ipsec.d/*.conf
/etc/ppp# cat options.xl2tpd
+mschap-v2
ipcp-accept-local
ipcp-accept-remote
noccp
auth
mtu 1280
mru 1280
proxyarp
lcp-echo-failure 4
lcp-echo-interval 30
connect-delay 5000
ms-dns 8.8.8.8
ms-dns 8.8.4.4
grep -vE "#|^$" pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
proxyarp
nodefaultroute
lock
nobsdcomp
novj
nologfd
ms-dns 8.8.8.8
nobsdcomp
noipx
mtu 1490
mru 1490
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 195.189.227.248 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 195.189.227.248 0.0.0.0 UG 0 0 0 eth0
10.8.8.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.42.10 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
195.189.226.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
iptables -L -n -v
Chain INPUT (policy ACCEPT 10501 packets, 5715K bytes)
pkts bytes target prot opt in out source destination
1273 88901 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
4530 611K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol none
319 12843 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1536 118K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
20 2899 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
1 140 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol ipsec
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.8.0.0/24 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- eth0 ppp+ 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- ppp+ eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp+ ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.43.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * eth0 192.168.43.0/24 0.0.0.0/0
0 0 ACCEPT all -- * ppp+ 192.168.43.0/24 0.0.0.0/0
4505 369K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3108 packets, 1229K bytes)
pkts bytes target prot opt in out source destination
When Windows 10 connects, the log looks like this:
tail -f /var/log/auth.log
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: responding to Main Mode from unknown peer 46.98.146.113:9407
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: sent Main Mode R1
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: sent Main Mode R2
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: Peer ID is ID_IPV4_ADDR: '192.168.11.8'
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: switched to "l2tp-psk"[8] 46.98.146.113
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113: deleting connection instance with peer 46.98.146.113 {isakmp=#0/ipsec=#0}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov 5 21:02:14 unassigned-hostname pluto[1859]: | checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:0
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: responding to Quick Mode proposal {msgid:00000001}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: us: 195.189.226.225/32:UDP/1701===195.189.226.225 them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x509c8732 <0xeb51c015 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: IPsec SA established transport mode {ESPinUDP=>0x509c8732 <0xeb51c015 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov 5 21:02:14 unassigned-hostname pluto[1859]: | checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:1701
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: responding to Quick Mode proposal {msgid:00000002}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: us: 195.189.226.225/32:UDP/1701===195.189.226.225 them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x85f5dea4 <0x4aef7b38 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: IPsec SA established transport mode {ESPinUDP=>0x85f5dea4 <0x4aef7b38 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: received Delete SA(0x509c8732) payload: deleting IPsec State #15
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: deleting state (STATE_QUICK_R2) aged 0.099591s and sending notification
Nov 5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: ESP traffic information: in=0B out=0B
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov 5 21:02:17 unassigned-hostname pluto[1859]: | checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:1701
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: responding to Quick Mode proposal {msgid:00000003}
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: us: 195.189.226.225/32:UDP/1701===195.189.226.225 them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x3e824638 <0xb467e989 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: IPsec SA established transport mode {ESPinUDP=>0x3e824638 <0xb467e989 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: received Delete SA(0x85f5dea4) payload: deleting IPsec State #16
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: deleting state (STATE_QUICK_R2) aged 2.990805s and sending notification
Nov 5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: ESP traffic information: in=0B out=0B
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov 5 21:02:21 unassigned-hostname pluto[1859]: | checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:1701
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18: responding to Quick Mode proposal {msgid:00000004}
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18: us: 195.189.226.225/32:UDP/1701===195.189.226.225 them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x1ea3460a <0x23146ec5 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18: IPsec SA established transport mode {ESPinUDP=>0x1ea3460a <0x23146ec5 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: received Delete SA(0x3e824638) payload: deleting IPsec State #17
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: deleting state (STATE_QUICK_R2) aged 4.024323s and sending notification
Nov 5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: ESP traffic information: in=0B out=0B
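As an added diagnostic aid (this is not code from the post), the Python script below parses Libreswan pluto lines of the shape quoted above and reports three things: the IKE transforms the responder refused, the parameters each IKE SA settled on, and child SAs that were established but torn down within seconds without carrying a single ESP byte. The sample log and its addresses are constructed placeholders; applied to the quoted log it would show DH19/DH20 refused (the ike= line offers only modp1024/modp2048 groups), the IKE SA settling on AES_CBC_256/HMAC_SHA1/MODP2048, and every transport-mode child SA deleted with in=0B out=0B, i.e. the IPsec layer negotiates but nothing ever flows inside it.

```python
import re

# Constructed sample in the shape of the pluto lines quoted in the post; hostname and addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[7] 203.0.113.9 #14: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[7] 203.0.113.9 #14: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #14: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #15: IPsec SA established transport mode {ESPinUDP=>0x509c8732 <0xeb51c015 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.0.2.8 NATD=203.0.113.9:50350 DPD=unsupported}
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #15: deleting state (STATE_QUICK_R2) aged 0.099591s and sending notification
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #15: ESP traffic information: in=0B out=0B
Nov  5 21:02:17 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #16: IPsec SA established transport mode {ESPinUDP=>0x85f5dea4 <0x4aef7b38 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.0.2.8 NATD=203.0.113.9:50350 DPD=unsupported}
Nov  5 21:02:17 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #16: deleting state (STATE_QUICK_R2) aged 2.990805s and sending notification
Nov  5 21:02:17 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #16: ESP traffic information: in=0B out=0B
Nov  5 21:05:00 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #19: IPsec SA established transport mode {ESPinUDP=>0x11111111 <0x22222222 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.0.2.8 NATD=203.0.113.9:50350 DPD=unsupported}
Nov  5 21:30:00 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #19: deleting state (STATE_QUICK_R2) aged 1500.2s and sending notification
Nov  5 21:30:00 vpn pluto[1859]: "l2tp-psk"[8] 203.0.113.9 #19: ESP traffic information: in=12KB out=340KB
"""

# Common pluto prefix (connection, peer, state number), then one pattern per message type of interest.
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
REFUSED_RE = re.compile(r'Oakley Transform \[(?P<xf>[^\]]+)\] refused')
IKE_RE = re.compile(r'IKE SA established \{(?P<params>[^}]*)\}')
AGED_RE = re.compile(r'deleting state \(\w+\) aged (?P<age>[\d.]+)s')
TRAFFIC_RE = re.compile(r'ESP traffic information: in=(?P<i>\d+)(?P<iu>[KMG]?)B out=(?P<o>\d+)(?P<ou>[KMG]?)B')
MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def analyze(log_text):
    """Collect refused IKE transforms, IKE SA parameters and per-child-SA mode, lifetime and traffic."""
    report = {"refused": [], "ike": {}, "ipsec": {}}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # debug ("| ...") and connection-instance lines carry no state number
        sa, msg = m["sa"], m["msg"]
        if r := REFUSED_RE.search(msg):
            report["refused"].append(r["xf"])
        elif r := IKE_RE.search(msg):
            report["ike"][sa] = dict(kv.split("=", 1) for kv in r["params"].split())
        elif "IPsec SA established" in msg:
            report["ipsec"].setdefault(sa, {})["mode"] = "transport" if "transport mode" in msg else "tunnel"
        elif r := AGED_RE.search(msg):
            report["ipsec"].setdefault(sa, {})["age"] = float(r["age"])
        elif r := TRAFFIC_RE.search(msg):
            report["ipsec"].setdefault(sa, {})["bytes"] = int(r["i"]) * MULT[r["iu"]] + int(r["o"]) * MULT[r["ou"]]
    return report

def idle_short_lived_sas(report, max_age=10.0):
    """Child SAs that carried no ESP bytes and were torn down within max_age seconds: the IPsec
    layer negotiated, but nothing (here: L2TP on UDP 1701) ever rode inside it."""
    return sorted(sa for sa, d in report["ipsec"].items()
                  if d.get("bytes") == 0 and d.get("age", float("inf")) < max_age)
```

Feed it the real auth.log excerpt instead of SAMPLE_LOG (for example via `analyze(open("/var/log/auth.log").read())`) and compare the refused transforms against the ike= line before loosening it.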