LINUX.ORG.RU

Setting up l2tp + strongswan VPN on Ubuntu

Hi all! I have ubuntu-16.04.4 and I'm setting up a VPN network, but I can't connect to it from any device. Here are the configs:

/etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = <external IP>
port = 1701
ipsec saref = yes
auth file = /etc/l2tpd/l2tp-secrets
access control = no
[lns default]
ip range = 10.21.12.2-10.21.12.14
local ip = 10.21.12.1
lac = <external IP>
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = vpnserv

/etc/ppp/options.xl2tpd

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name VPN
proxyarp
logfd 2
logfile /var/log/xl2tpd.log
lcp-echo-interval 30
lcp-echo-failure 4
debug

/etc/ipsec.conf

conn L2TP-PSK
    authby=secret
    rekey=no
    type=tunnel
#   type=transport
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    ikelifetime=8h
    keylife=1h
    left=<external IP>
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=10.21.12.0/24
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn ikev1-xauth-rsa
        keyexchange=ikev1
        auto=add
        rightauth=pubkey
        rightauth2=xauth-radius

conn ikev1-xauth-hybrid
        keyexchange=ikev1
        auto=add
        rightauth=xauth-radius

conn ikev2-eap
        keyexchange=ikev2
        auto=add
        rightauth=eap-radius
        eap_identity=%any

/etc/ipsec.secrets

: PSK sharedkey
iphonelogin : XAUTH "password"

/etc/xl2tp/l2tp-secrets

'user' * 'password' '10.21.12.5'


When I try to connect from Windows, the following appears in the log:

root@vpnserv:/etc/ppp# tail -f /var/log/syslog
Apr  8 17:10:08 vpnserv xl2tpd[2470]: setsockopt recvref[30]: Protocol not available
Apr  8 17:10:08 vpnserv xl2tpd[2462]: Starting xl2tpd: xl2tpd.
Apr  8 17:10:08 vpnserv xl2tpd[2470]: Not looking for kernel support.
Apr  8 17:10:08 vpnserv systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Apr  8 17:10:08 vpnserv xl2tpd[2471]: xl2tpd version xl2tpd-1.3.6 started on vpnserv PID:2471
Apr  8 17:10:08 vpnserv xl2tpd[2471]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Apr  8 17:10:08 vpnserv xl2tpd[2471]: Forked by Scott Balmos and David Stipp, (C) 2001
Apr  8 17:10:08 vpnserv xl2tpd[2471]: Inherited by Jeff McAdams, (C) 2002
Apr  8 17:10:08 vpnserv xl2tpd[2471]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Apr  8 17:10:08 vpnserv xl2tpd[2471]: Listening on IP address ip_servera, port 1701
Apr  8 17:10:30 vpnserv charon: 12[NET] received packet: from ip_kompa[500] to ip_servera[500] (880 bytes)
Apr  8 17:10:30 vpnserv charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Apr  8 17:10:30 vpnserv charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Apr  8 17:10:30 vpnserv charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
Apr  8 17:10:30 vpnserv charon: 12[IKE] received Vid-Initial-Contact vendor ID
Apr  8 17:10:30 vpnserv charon: 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Apr  8 17:10:30 vpnserv charon: 12[IKE] ip_kompa is initiating an IKE_SA
Apr  8 17:10:30 vpnserv charon: 12[IKE] remote host is behind NAT
Apr  8 17:10:30 vpnserv charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr  8 17:10:30 vpnserv charon: 12[NET] sending packet: from ip_servera[500] to ip_kompa[500] (312 bytes)
Apr  8 17:10:30 vpnserv charon: 13[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (1356 bytes)
Apr  8 17:10:30 vpnserv charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Apr  8 17:10:30 vpnserv charon: 13[IKE] received 45 cert requests for an unknown ca
Apr  8 17:10:30 vpnserv charon: 13[CFG] looking for peer configs matching ip_servera[%any]...ip_kompa[192.168.1.100]
Apr  8 17:10:30 vpnserv charon: 13[CFG] selected peer config 'L2TP-PSK'
Apr  8 17:10:30 vpnserv charon: 13[IKE] peer requested EAP, config inacceptable
Apr  8 17:10:30 vpnserv charon: 13[CFG] switching to peer config 'ikev2-eap'
Apr  8 17:10:30 vpnserv charon: 13[IKE] EAP-Identity request configured, but not supported
Apr  8 17:10:30 vpnserv charon: 13[IKE] loading EAP_RADIUS method failed
Apr  8 17:10:30 vpnserv charon: 13[IKE] peer supports MOBIKE
Apr  8 17:10:30 vpnserv charon: 13[CFG] no IDr configured, fall back on IP address
Apr  8 17:10:30 vpnserv charon: 13[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Apr  8 17:10:30 vpnserv charon: 13[NET] sending packet: from ip_servera[4500] to ip_kompa[4500] (92 bytes)
Apr  8 17:10:37 vpnserv charon: 05[NET] received packet: from ip_kompa[500] to ip_servera[500] (408 bytes)
Apr  8 17:10:37 vpnserv charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Apr  8 17:10:37 vpnserv charon: 05[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Apr  8 17:10:37 vpnserv charon: 05[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Apr  8 17:10:37 vpnserv charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Apr  8 17:10:37 vpnserv charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  8 17:10:37 vpnserv charon: 05[IKE] received FRAGMENTATION vendor ID
Apr  8 17:10:37 vpnserv charon: 05[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Apr  8 17:10:37 vpnserv charon: 05[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Apr  8 17:10:37 vpnserv charon: 05[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Apr  8 17:10:37 vpnserv charon: 05[IKE] ip_kompa is initiating a Main Mode IKE_SA
Apr  8 17:10:37 vpnserv charon: 05[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr  8 17:10:37 vpnserv charon: 05[NET] sending packet: from ip_servera[500] to ip_kompa[500] (136 bytes)
Apr  8 17:10:37 vpnserv charon: 06[NET] received packet: from ip_kompa[500] to ip_servera[500] (228 bytes)
Apr  8 17:10:37 vpnserv charon: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr  8 17:10:37 vpnserv charon: 06[IKE] remote host is behind NAT
Apr  8 17:10:37 vpnserv charon: 06[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr  8 17:10:37 vpnserv charon: 06[NET] sending packet: from ip_servera[500] to ip_kompa[500] (212 bytes)
Apr  8 17:10:37 vpnserv charon: 08[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (76 bytes)
Apr  8 17:10:37 vpnserv charon: 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Apr  8 17:10:37 vpnserv charon: 08[CFG] looking for pre-shared key peer configs matching ip_servera...ip_kompa[192.168.1.100]
Apr  8 17:10:37 vpnserv charon: 08[CFG] selected peer config "L2TP-PSK"
Apr  8 17:10:37 vpnserv charon: 08[IKE] IKE_SA L2TP-PSK[2] established between ip_servera[ip_servera]...ip_kompa[192.168.1.100]
Apr  8 17:10:37 vpnserv charon: 08[IKE] DPD not supported by peer, disabled
Apr  8 17:10:37 vpnserv charon: 08[ENC] generating ID_PROT response 0 [ ID HASH ]
Apr  8 17:10:37 vpnserv charon: 08[NET] sending packet: from ip_servera[4500] to ip_kompa[4500] (76 bytes)
Apr  8 17:10:37 vpnserv charon: 10[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (444 bytes)
Apr  8 17:10:37 vpnserv charon: 10[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Apr  8 17:10:37 vpnserv charon: 10[IKE] no matching CHILD_SA config found
Apr  8 17:10:37 vpnserv charon: 10[ENC] generating INFORMATIONAL_V1 request 703177340 [ HASH N(INVAL_ID) ]
Apr  8 17:10:37 vpnserv charon: 10[NET] sending packet: from ip_servera[4500] to ip_kompa[4500] (76 bytes)
Apr  8 17:10:38 vpnserv charon: 11[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (444 bytes)
Apr  8 17:10:38 vpnserv charon: 11[IKE] received retransmit of request with ID 1, but no response to retransmit
Apr  8 17:10:39 vpnserv charon: 02[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (444 bytes)
Apr  8 17:10:39 vpnserv charon: 02[IKE] received retransmit of request with ID 1, but no response to retransmit
Apr  8 17:10:42 vpnserv charon: 09[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (444 bytes)
Apr  8 17:10:42 vpnserv charon: 09[IKE] received retransmit of request with ID 1, but no response to retransmit
Apr  8 17:10:49 vpnserv charon: 12[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (444 bytes)
Apr  8 17:10:49 vpnserv charon: 12[IKE] received retransmit of request with ID 1, but no response to retransmit
Apr  8 17:11:04 vpnserv charon: 14[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (444 bytes)
Apr  8 17:11:04 vpnserv charon: 14[IKE] received retransmit of request with ID 1, but no response to retransmit
Apr  8 17:11:19 vpnserv charon: 05[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (444 bytes)
Apr  8 17:11:19 vpnserv charon: 05[IKE] received retransmit of request with ID 1, but no response to retransmit
Apr  8 17:11:34 vpnserv charon: 06[NET] received packet: from ip_kompa[4500] to ip_servera[4500] (92 bytes)
Apr  8 17:11:34 vpnserv charon: 06[ENC] parsed INFORMATIONAL_V1 request 2786573942 [ HASH D ]
Apr  8 17:11:34 vpnserv charon: 06[IKE] received DELETE for IKE_SA L2TP-PSK[2]
Apr  8 17:11:34 vpnserv charon: 06[IKE] deleting IKE_SA L2TP-PSK[2] between ip_servera[ip_servera]...ip_kompa[192.168.1.100]
Apr  8 17:11:34 vpnserv charon: 08[NET] received packet: from ip_kompa[500] to ip_servera[500] (408 bytes)
Apr  8 17:11:34 vpnserv charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Apr  8 17:11:34 vpnserv charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Apr  8 17:11:34 vpnserv charon: 08[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Apr  8 17:11:34 vpnserv charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Apr  8 17:11:34 vpnserv charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  8 17:11:34 vpnserv charon: 08[IKE] received FRAGMENTATION vendor ID
Apr  8 17:11:34 vpnserv charon: 08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Apr  8 17:11:34 vpnserv charon: 08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Apr  8 17:11:34 vpnserv charon: 08[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Apr  8 17:11:34 vpnserv charon: 08[IKE] ip_kompa is initiating a Main Mode IKE_SA
Apr  8 17:11:34 vpnserv charon: 08[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr  8 17:11:34 vpnserv charon: 08[NET] sending packet: from ip_servera[500] to ip_kompa[500] (136 bytes)
Apr  8 17:12:04 vpnserv charon: 07[JOB] deleting half open IKE_SA after timeout

Please tell me what I'm doing wrong. I've been struggling with this for two days now.
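The line that actually ends the L2TP attempt in the log above is "no matching CHILD_SA config found", answered with N(INVAL_ID) at Quick Mode: the IKE_SA was established with the PSK, then the client proposed a transport-mode SA for UDP/1701 and the only conn that could match it is type=tunnel with a subnet. The IKEv2 exchange at the top of the log is a separate attempt that fails on EAP (loading EAP_RADIUS method failed) and is unrelated to L2TP. Below is an added configuration example, not the thread's own and not something strongswan or xl2tpd ship, with the settings that make the posted exchange complete. 203.0.113.10, the PSK and the user/password are placeholders; uniqueids=no and the /etc/ppp/chap-secrets file are assumptions about a typical multi-client L2TP/IPsec setup rather than anything posted above. The RADIUS conns from the original are left out: the log shows they have no backend, and L2TP does not use them.

```ini
; --- /etc/xl2tpd/xl2tpd.conf ([global] section only; [lns default] as posted) ---
[global]
listen-addr = 203.0.113.10      ; placeholder for the server's external IP
port = 1701
; "setsockopt recvref[30]: Protocol not available" in the log is this option
; failing: SAref needs a kernel patch that comes with Openswan/Libreswan,
; not with strongswan. Turn it off.
ipsec saref = no
access control = no
; "auth file" is for L2TP tunnel authentication, not for PPP users;
; user/password pairs for MS-CHAPv2 belong in /etc/ppp/chap-secrets (below).

# --- /etc/ipsec.conf ---
config setup
    # assumption: several clients behind one NAT share a public IP; without
    # uniqueids=no the second client's IKE_SA replaces the first one's
    uniqueids=no

conn L2TP-PSK
    # Windows, macOS and iOS L2TP clients use IKEv1 main mode with a PSK.
    # Pinning ikev1 also keeps this conn from being picked for the client's
    # IKEv2/EAP attempt seen at the top of the posted log.
    keyexchange=ikev1
    authby=secret
    # L2TP/IPsec protects the UDP/1701 flow host-to-host, so the IPsec SA is
    # transport mode. type=tunnel + rightsubnetwithin is what produced
    # "no matching CHILD_SA config found" / N(INVAL_ID) at Quick Mode.
    type=transport
    left=203.0.113.10           # placeholder for the server's external IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any      # clients behind NAT arrive from any source port
    # Proposals as posted (spelled sha1); without a trailing "!" strongswan
    # also offers its defaults. modp1024 is weak by today's standards and is
    # kept only because old L2TP clients do not offer anything stronger.
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    ikelifetime=8h
    keylife=1h
    rekey=no
    # optional: "DPD not supported by peer, disabled" in the log is purely
    # informational; the IKE_SA had already been established on the line before
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add

# --- /etc/ipsec.secrets ---
# any client (%any) authenticates with this PSK; quote it so that spaces and
# special characters survive. Generate it, do not type it.
: PSK "replace-with-a-long-random-secret"

# --- /etc/ppp/chap-secrets (assumed location; pppd reads MS-CHAPv2 users here) ---
# client   server   secret          IP address
# "server" must match the "name VPN" line in /etc/ppp/options.xl2tpd
"vpnuser"  VPN      "replace-me"    10.21.12.5
```

After `ipsec restart` (config setup changes need a restart, not just `ipsec reload`) and `ipsec rereadsecrets`, `ipsec statusall` should list L2TP-PSK as an IKEv1 conn, and once a client has connected it should show the child SA as INSTALLED, TRANSPORT; only then does xl2tpd see anything on UDP/1701 and hand the session to pppd, whose output lands in /var/log/xl2tpd.log per the posted options.xl2tpd.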

Apr 8 17:10:08 vpnserv xl2tpd[2470]: Not looking for kernel support.

lsmod | grep l2tp_ppp

As an option, you could try building l2tp from source.

Dob
June 19, 2018

DPD

DPD not supported by peer, disabled
DPD is not supported by the peer, so it has been disabled.

anonymous
In reply to: DPD by anonymous

Re: DPD

Could you please tell me how to fix this? I connect from macOS and everything works, but Windows 10 gives DPD not supported by peer, disabled

ineron