LINUX.ORG.RU
Forum: Admin

IPsec and Windows Server 2003


Hello. I can't configure an IPsec server so that both Windows Server 2003 and modern OSes (Windows 10, macOS) can connect. I can get either Windows Server 2003 or the modern OSes working, but not both. Please advise how to get around this.

The server is Debian 10. It is on the internet, and everyone needs to connect to it and then go over RDP to Windows Server 2003.

/etc# cat /etc/ipsec.conf
version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=195.189.226.225
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=300
  dpdaction=clear
  ikev2=never
##  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048;modp1024
  ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
##  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  phase2alg=3des-sha1,aes-sha1,aes-sha2,3des-sha2,aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  sha2-truncbug=no

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.101-192.168.43.199
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  cisco-unity=yes
  also=shared

include /etc/ipsec.d/*.conf
/etc/ppp# cat options.xl2tpd
+mschap-v2
ipcp-accept-local
ipcp-accept-remote
noccp
auth
mtu 1280
mru 1280
proxyarp
lcp-echo-failure 4
lcp-echo-interval 30
connect-delay 5000
ms-dns 8.8.8.8
ms-dns 8.8.4.4
grep -vE "#|^$" pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
proxyarp
nodefaultroute
lock
nobsdcomp
novj
nologfd
ms-dns 8.8.8.8
nobsdcomp
noipx
mtu 1490
mru 1490
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         195.189.227.248 0.0.0.0         UG    0      0        0 eth0
0.0.0.0         195.189.227.248 0.0.0.0         UG    0      0        0 eth0
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.42.10   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
195.189.226.0   0.0.0.0         255.255.254.0   U     0      0        0 eth0
iptables -L -n -v
Chain INPUT (policy ACCEPT 10501 packets, 5715K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1273 88901 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 4530  611K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
  319 12843 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 1536  118K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   20  2899 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    1   140 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.8.0.0/24          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  eth0   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    192.168.43.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp+    192.168.43.0/24      0.0.0.0/0
 4505  369K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3108 packets, 1229K bytes)
 pkts bytes target     prot opt in     out     source               destination

When Windows 10 connects, the log looks like this:

tail -f /var/log/auth.log
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: responding to Main Mode from unknown peer 46.98.146.113:9407
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: sent Main Mode R1
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: sent Main Mode R2
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: Peer ID is ID_IPV4_ADDR: '192.168.11.8'
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113 #14: switched to "l2tp-psk"[8] 46.98.146.113
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[7] 46.98.146.113: deleting connection instance with peer 46.98.146.113 {isakmp=#0/ipsec=#0}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov  5 21:02:14 unassigned-hostname pluto[1859]: |   checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:0
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: responding to Quick Mode proposal {msgid:00000001}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15:     us: 195.189.226.225/32:UDP/1701===195.189.226.225  them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x509c8732 <0xeb51c015 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: IPsec SA established transport mode {ESPinUDP=>0x509c8732 <0xeb51c015 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov  5 21:02:14 unassigned-hostname pluto[1859]: |   checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:1701
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: responding to Quick Mode proposal {msgid:00000002}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16:     us: 195.189.226.225/32:UDP/1701===195.189.226.225  them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x85f5dea4 <0x4aef7b38 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: IPsec SA established transport mode {ESPinUDP=>0x85f5dea4 <0x4aef7b38 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: received Delete SA(0x509c8732) payload: deleting IPsec State #15
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: deleting state (STATE_QUICK_R2) aged 0.099591s and sending notification
Nov  5 21:02:14 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #15: ESP traffic information: in=0B out=0B
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov  5 21:02:17 unassigned-hostname pluto[1859]: |   checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:1701
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: responding to Quick Mode proposal {msgid:00000003}
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17:     us: 195.189.226.225/32:UDP/1701===195.189.226.225  them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x3e824638 <0xb467e989 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: IPsec SA established transport mode {ESPinUDP=>0x3e824638 <0xb467e989 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: received Delete SA(0x85f5dea4) payload: deleting IPsec State #16
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: deleting state (STATE_QUICK_R2) aged 2.990805s and sending notification
Nov  5 21:02:17 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #16: ESP traffic information: in=0B out=0B
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: the peer proposed: 195.189.226.225/32:1701 -UDP-> 192.168.11.8/32:1701
Nov  5 21:02:21 unassigned-hostname pluto[1859]: |   checking hostpair 195.189.226.225/32:1701 -> 46.98.146.113/32:1701
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18: responding to Quick Mode proposal {msgid:00000004}
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18:     us: 195.189.226.225/32:UDP/1701===195.189.226.225  them: 46.98.146.113[192.168.11.8]===46.98.146.113/32:UDP/1701
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x1ea3460a <0x23146ec5 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #18: IPsec SA established transport mode {ESPinUDP=>0x1ea3460a <0x23146ec5 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=46.98.146.113:50350 DPD=unsupported}
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #14: received Delete SA(0x3e824638) payload: deleting IPsec State #17
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: deleting state (STATE_QUICK_R2) aged 4.024323s and sending notification
Nov  5 21:02:21 unassigned-hostname pluto[1859]: "l2tp-psk"[8] 46.98.146.113 #17: ESP traffic information: in=0B out=0B
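An added diagnostic, not part of the original post: a small Python parser for pluto lines in the format shown above. It lists the IKE proposals the server refused, the IKE SA parameters that were agreed, warns when the agreed IKE SA fell back to the 3DES/MODP1024 parameters that are kept only for Windows Server 2003, and picks out IPsec SAs the peer deleted again within seconds without any ESP bytes in either direction, which is the pattern in the log above (states #15, #16, #17 each come up and are then deleted with in=0B out=0B). The sample log inside the script is constructed to mimic the post's format using RFC 5737 addresses and made-up SPIs; the byte-suffix parsing (B/KB/MB/GB) for non-zero counters and the ten-second churn window are assumptions.

```python
"""Summarise Libreswan (pluto) IKEv1 log lines from auth.log.

Added example, not code from the original post: reports refused IKE proposals,
the agreed IKE SA, and IPsec SAs torn down again with no ESP traffic (the
establish -> Delete SA -> in=0B out=0B churn seen in the post's log).
"""
import re
from datetime import datetime

# Constructed sample modelled on the post's lines: RFC 5737 addresses, made-up
# SPIs and state numbers. SAs #15 and #16 churn, #17 carries traffic.
SAMPLE_LOG = """\
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[7] 198.51.100.7 #14: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[7] 198.51.100.7 #14: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #14: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #15: IPsec SA established transport mode {ESPinUDP=>0x509c8732 <0xeb51c015 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=198.51.100.7:50350 DPD=unsupported}
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #16: IPsec SA established transport mode {ESPinUDP=>0x85f5dea4 <0x4aef7b38 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=198.51.100.7:50350 DPD=unsupported}
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #14: received Delete SA(0x509c8732) payload: deleting IPsec State #15
Nov  5 21:02:14 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #15: ESP traffic information: in=0B out=0B
Nov  5 21:02:17 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #17: IPsec SA established transport mode {ESPinUDP=>0x3e824638 <0xb467e989 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.11.8 NATD=198.51.100.7:50350 DPD=unsupported}
Nov  5 21:02:17 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #14: received Delete SA(0x85f5dea4) payload: deleting IPsec State #16
Nov  5 21:02:17 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #16: ESP traffic information: in=0B out=0B
Nov  5 21:02:40 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #14: received Delete SA(0x3e824638) payload: deleting IPsec State #17
Nov  5 21:02:40 vpn pluto[1859]: "l2tp-psk"[8] 198.51.100.7 #17: ESP traffic information: in=12KB out=38KB
"""

# syslog stamp, host, pluto[pid], then the optional '"conn"[n] peer #state:' prefix
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"[^"]+"\[\d+\] \S+ #(?P<state>\d+): )?(?P<msg>.*)$')
REFUSED_RE = re.compile(r'Oakley Transform \[(?P<prop>[^\]]+)\] refused')
IKE_RE = re.compile(r'IKE SA established \{(?P<params>[^}]*)\}')
IPSEC_RE = re.compile(r'IPsec SA established (?P<mode>transport|tunnel) mode')
DELETE_RE = re.compile(r'deleting IPsec State #(?P<victim>\d+)')
TRAFFIC_RE = re.compile(r'ESP traffic information: in=(?P<inb>\S+) out=(?P<outb>\S+)')
# Assumption: pluto prints non-zero ESP counters with a B/KB/MB/GB suffix.
UNITS = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}
SA_FIELDS = ('mode', 'established', 'deleted', 'in', 'out')


def parse_bytes(text):
    m = re.fullmatch(r'(\d+)([KMG]?B)', text)
    if not m:
        raise ValueError(f'unrecognised byte counter: {text!r}')
    return int(m.group(1)) * UNITS[m.group(2)]


def summarize(log_text):
    """Return {'refused': [...], 'ike': {...} or None, 'sas': {state: {...}}}."""
    refused, ike, sas = [], None, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')  # year-less syslog stamp
        state, msg = m['state'], m['msg']
        if r := REFUSED_RE.search(msg):
            refused.append(r['prop'])
        elif r := IKE_RE.search(msg):
            ike = dict(kv.split('=', 1) for kv in r['params'].split())
        elif (r := IPSEC_RE.search(msg)) and state:
            sas.setdefault(state, dict.fromkeys(SA_FIELDS)).update(mode=r['mode'], established=ts)
        elif r := DELETE_RE.search(msg):  # logged on the parent ISAKMP SA, names the child
            sas.setdefault(r['victim'], dict.fromkeys(SA_FIELDS))['deleted'] = ts
        elif (r := TRAFFIC_RE.search(msg)) and state:
            sas.setdefault(state, dict.fromkeys(SA_FIELDS)).update(
                {'in': parse_bytes(r['inb']), 'out': parse_bytes(r['outb'])})
    return {'refused': refused, 'ike': ike, 'sas': sas}


def churned_sas(summary, max_age_seconds=10):
    """State numbers of IPsec SAs deleted within max_age_seconds of coming up
    that carried no ESP bytes either way: the L2TP layer above them never spoke."""
    hits = []
    for num, sa in summary['sas'].items():
        if sa['established'] and sa['deleted'] and sa['in'] == 0 and sa['out'] == 0:
            if (sa['deleted'] - sa['established']).total_seconds() <= max_age_seconds:
                hits.append(num)
    return sorted(hits, key=int)


def legacy_ike(ike):
    """Warnings when the agreed IKE SA used the parameters kept only for
    Windows Server 2003 (3DES, 1024-bit MODP group)."""
    warnings = []
    if ike and ike.get('cipher', '').startswith('3DES'):
        warnings.append('IKE cipher is 3DES')
    if ike and ike.get('group') == 'MODP1024':
        warnings.append('IKE DH group is MODP1024')
    return warnings


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print('refused proposals:', s['refused'])
    print('agreed IKE SA:', s['ike'], legacy_ike(s['ike']))
    print('IPsec SAs torn down with zero ESP traffic:', churned_sas(s))
```

Run it against `grep pluto /var/log/auth.log` instead of the embedded sample to see which states churn and whether a given client (the 2003 box versus Windows 10) is the one landing on the 3DES/MODP1024 proposals.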
