
Настройка Softether на удаленном сервере.

Добрый день. Проблема с Softether, точнее не столько с ним, сколько с подключением к нему клиентов. Настраивал по описанию. Пробовал ставить на сервер в облаке Google и в облаке Amazon, на разные дистрибутивы. Во всех случаях проблема идентичная: клиент подключается, но не получает IP-адрес. Конфигурация на примере Amazon:

ifconfig
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 172.31.43.171  netmask 255.255.240.0  broadcast 172.31.47.255
        inet6 fe80::4f5:9fff:fea6:b916  prefixlen 64  scopeid 0x20<link>
        ether 06:f5:9f:a6:b9:16  txqueuelen 1000  (Ethernet)
        RX packets 9587  bytes 1833640 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27678  bytes 4123030 (3.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 64  bytes 5920 (5.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64  bytes 5920 (5.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap_softether: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::2ac:4fff:fee5:9bc8  prefixlen 64  scopeid 0x20<link>
        ether 00:ac:4f:e5:9b:c8  txqueuelen 1000  (Ethernet)
        RX packets 1981  bytes 162880 (159.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49  bytes 4038 (3.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  10.8.0.0/24          0.0.0.0/0            udp dpt:53
ACCEPT     icmp --  10.8.0.0/24          0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
syn_flood  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          10.8.0.0/24

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       icmp -- !127.39.95.47        !127.202.17.202       icmptype 3 code 3 connmark match ! 0x49ddb20f
DROP       tcp  -- !127.164.71.136      !127.179.167.180      tcp spts:61001:65535 flags:0x04/0x04 connmark match ! 0x3da56740
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 500/sec burst 2000

В логах dnsmasq ничего нет, т.е. такое ощущение, что он даже не пытается раздавать адреса. (Примечание: в выводе ifconfig выше у tap_softether есть только link-local IPv6-адрес и нет ни одного IPv4-адреса — в частности, нет 10.8.0.1, который dhcp-option 3 объявляет шлюзом; без адреса из 10.8.0.0/24 на этом интерфейсе dnsmasq не сможет обслуживать dhcp-range на нём. Это первое, что стоит проверить; заодно добавьте `log-dhcp`, чтобы DHCP-запросы были видны в логе.) Файл конфигурации при этом такой:

# dnsmasq: DHCP (and DNS forwarded to 8.8.8.8) for SoftEther clients on the tap interface.
# Answer only on the tap interface. The iptables rules above still accept 53/tcp,
# 53/udp and 67/udp from any source, so this line appears to be the only thing
# keeping this host from acting as an open resolver/DHCP server on eth0.
interface=tap_softether
# Lease 10.8.0.2-10.8.0.200 for 12h to clients on tap_softether.
# NOTE(review): dnsmasq needs an IPv4 address in 10.8.0.0/24 on tap_softether to
# serve this range; the ifconfig output above shows the tap with only a link-local
# IPv6 address (no "inet" line) -- likely why no DHCP activity is logged. Confirm.
dhcp-range=tap_softether,10.8.0.2,10.8.0.200,12h
# DHCP option 3 (router): clients are told 10.8.0.1 is their gateway, so that
# address must actually be configured on tap_softether.
dhcp-option=tap_softether,3,10.8.0.1
# Upstream resolver for forwarded DNS queries.
server=8.8.8.8

Подскажите, в какую сторону копать? (Замечание по iptables выше: первое правило в INPUT и в OUTPUT — `ACCEPT all 0.0.0.0/0 0.0.0.0/0` — совпадает с любым пакетом раньше всех остальных, так что политика DROP, цепочка syn_flood и правила для 10.8.0.0/24 фактически не работают, а FORWARD пропускает всё со `state NEW`; 53/tcp, 53/udp и 67/udp при этом открыты с любого адреса, и только `interface=tap_softether` в dnsmasq удерживает его от роли открытого резолвера. Для текущей проблемы это значит, что файрвол раздачу адресов не блокирует, но после починки DHCP набор правил стоит переписать.)

ЗЫ. Пробовал оформить пост в соответствиями с описанием разметки LORCODE, почему то не срабатывает тег cut. Прошу прощения за невнятную простыню, я честно пытался.


не удается настроить IPSec на Debian/OpenSWAN

С администрированием linux-систем сталкивался мало, поэтому разбираюсь со скрипом. Google спрашивал, но ответа не добился. К сути. Схема подключения на клиенте следующая: HomePC<-->Router(NAT)<-->Inet<-->VPN_Server

Хочу настроить на Debian L2TP/IPsec (OpenSWAN + xl2tpd). Действовал так:

0)

root@dtcoalex:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:81:45:c5
          inet addr:91.245.35.34  Bcast:91.245.35.63  Mask:255.255.255.224
          inet6 addr: fe80::250:56ff:fe81:45c5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8235 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7659 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:745378 (727.9 KiB)  TX bytes:2222999 (2.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

1) apt-get install openswan xl2tpd

2)

 root@dtcoalex:~# nano /etc/ipsec.conf

# /etc/ipsec.conf -- Openswan: L2TP/IPsec responder (transport mode, PSK) for road warriors.
version    2.0    # conforms to second version of ipsec.conf specification
config setup
    # Use the native kernel IPsec stack (NETKEY) rather than KLIPS.
    protostack=netkey
    # NOTE(review): two directives appear on one line here; Openswan expects one
    # key=value per line, so this is probably a paste artifact -- confirm the real
    # file has nat_traversal= and virtual_private= on separate lines.
    # virtual_private lists the RFC1918 ranges a NAT-ed client may claim, minus the
    # 10.0.7.0/26 block that xl2tpd hands out ("ip range"/"local ip" below).
    nat_traversal=yes  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.7.0/26
    # Listen for IKE on the interface carrying the default route (eth0, 91.245.35.34 above).
    interfaces=%defaultroute
#    plutodebug="all"
    # Pluto's stderr goes here; this is the log quoted further down.
    plutostderrlog=/var/log/pluto.log
    # Opportunistic encryption off: only explicitly configured peers.
    oe=off
# Road-warrior connection: any peer, PSK authentication, protects UDP/1701 (L2TP).
conn L2TP-PSK-NAT
    # Pre-shared key from /etc/ipsec.secrets -- one secret shared by every client,
    # so its strength and secrecy gate Phase 1 for all of them.
    authby=secret
    # Transport mode: only the L2TP UDP flow is protected, no tunnel subnets.
    type=transport
    # No Phase 2 PFS and no rekeying initiated by us -- commonly set for
    # interoperability with the Windows client; pfs=no in particular gives up
    # forward secrecy for Phase 2, so confirm it is really needed.
    pfs=no
    rekey=no
    # Give up after 3 keying attempts.
    keyingtries=3
    # Our address is whatever carries the default route.
    left=%defaultroute
    # Only UDP/1701 on our side is covered by the SA.
    leftprotoport=17/1701
    # Accept any remote peer; its inner address may be a private one from
    # virtual_private (NAT-T case) or none at all.
    right=%any
    rightsubnet=vhost:%no,%priv
    # The client's UDP source port is not fixed (it changes behind NAT).
    rightprotoport=17/%any
    # Load the connection and wait for the peer to initiate.
    auto=add
3)
 nano /etc/ipsec.secrets
# IKE pre-shared key: local ID 91.245.35.34 (external IP), any remote peer.
# NOTE(review): if "mysecret" is the real value, replace it -- a guessable PSK shared
# by all clients is the single secret gating Phase 1; use a long random one
# (e.g. `openssl rand -base64 32`) and keep this file readable by root only.
91.245.35.34 %any: PSK "mysecret" #external IP
4)
 nano  /etc/xl2tpd/xl2tpd.conf

; /etc/xl2tpd/xl2tpd.conf -- L2TP server (LNS) running inside the IPsec transport SA.
; NOTE(review): "ipsec verify" above reports SAref kernel support as [N/A]; this
; option relies on that support -- confirm whether it should be "no" on this kernel.
ipsec saref = yes
; Verbose troubleshooting output; turn these off once the tunnel works.
debug tunnel = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
;force userspace =yes

[lns default]
; Addresses handed to PPP peers (inside the 10.0.7.0/26 excluded from virtual_private).
ip range = 10.0.7.40-10.0.7.50
; Our end of the PPP link.
local ip = 10.0.7.2
assign ip = yes
; Insist on CHAP (see require-mschap-v2 in the pppd options) and never fall back
; to PAP, which would carry the password in clear text.
require chap = yes
refuse pap = yes
require authentication = yes
; LNS name. NOTE(review): chap-secrets below uses "l2tpd" in its server column;
; if xl2tpd passes this name to pppd, the two must agree (or use "*") -- confirm.
name = l2tpVPN
ppp debug = yes
; Additional pppd options are read from this file.
pppoptfile = /etc/ppp/options.xl2tpd
; Include the length field in L2TP headers.
length bit = yes
5) nano /etc/xl2tpd/l2tp-secrets
# NOTE(review): this disables L2TP tunnel-level authentication entirely (any host,
# any secret); the only gates left are pppd's CHAP and IPsec. That is acceptable only
# if plain UDP/1701 from the Internet is filtered so that L2TP is reachable through
# the IPsec SA alone -- nothing in this post shows such a firewall rule; confirm.
*       *       *   # let all , because we use auth with ppp

6)

 nano /etc/ppp/options.xl2tpd 
# /etc/ppp/options.xl2tpd -- pppd options for sessions spawned by xl2tpd.
# Accept the peer's proposals for the local and remote IPCP addresses.
ipcp-accept-local
ipcp-accept-remote
# Only MS-CHAPv2 is accepted for peer authentication; "auth" makes it mandatory.
# NOTE(review): MS-CHAPv2 on its own is known weak (offline-crackable); it is
# tolerable here only because the exchange runs inside the IPsec SA.
require-mschap-v2
auth
# Do not negotiate CCP (compression control).
noccp
# Drop the link after 1800 s without traffic.
idle 1800
# Reduced MTU/MRU to leave room for the L2TP/UDP/IPsec overhead.
mtu 1200
mru 1200
# Never let a peer install a default route on this server.
nodefaultroute
debug
lock
# Publish the peer's address in this host's ARP table so the LAN can reach it.
proxyarp
# Wait up to 5000 ms for a valid PPP packet from the peer.
connect-delay 5000
# NOTE(review): with "debug" on, this log may include CHAP challenge/response
# material -- keep it root-readable and drop "debug" once the setup works.
logfile /var/log/xl2tpd.log
7)
nano  /etc/ppp/chap-secrets
# client   server   secret   IP addresses -- pppd CHAP credentials, stored in clear text.
# NOTE(review): "user"/"pass" look like placeholders; use a strong secret and keep this
# file mode 0600. The server column ("l2tpd") must match the name pppd authenticates
# as (xl2tpd.conf above sets "name = l2tpVPN") or be "*"; a mismatch makes CHAP fail.
user   l2tpd   pass    *
8) /etc/init.d/ipsec restart && /etc/init.d/xl2tpd restart

9)

ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

        [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Однако при попытке соединиться с клиента на Windows 7 получаю ошибку. (Замечание по выводу ipsec verify выше: два пункта [FAILED] стоит закрыть сразу, как он и просит — `for f in /proc/sys/net/ipv4/conf/*/{send_redirects,accept_redirects}; do echo 0 > "$f"; done`, а для постоянства добавить в /etc/sysctl.conf `net.ipv4.conf.all.send_redirects = 0`, `net.ipv4.conf.default.send_redirects = 0` и то же для accept_redirects; иначе, по словам самого verify, NETKEY будет слать и принимать ложные ICMP-редиректы.) В логе /var/log/pluto.log:

packet from 87.117.185.107:641: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
packet from 87.117.185.107:641: received Vendor ID payload [RFC 3947] method set to=109
packet from 87.117.185.107:641: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 87.117.185.107:641: ignoring Vendor ID payload [FRAGMENTATION]
packet from 87.117.185.107:641: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from 87.117.185.107:641: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from 87.117.185.107:641: ignoring Vendor ID payload [IKE CGA version 1]
"L2TP-PSK-NAT"[2] 87.117.185.107 #9: responding to Main Mode from unknown peer 87.117.185.107
"L2TP-PSK-NAT"[2] 87.117.185.107 #9: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"L2TP-PSK-NAT"[2] 87.117.185.107 #9: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"L2TP-PSK-NAT"[2] 87.117.185.107 #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #9: STATE_MAIN_R1: sent MR1, expecting MI2
packet from 87.117.185.107:641: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
packet from 87.117.185.107:641: received Vendor ID payload [RFC 3947] method set to=109
packet from 87.117.185.107:641: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 87.117.185.107:641: ignoring Vendor ID payload [FRAGMENTATION]
packet from 87.117.185.107:641: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from 87.117.185.107:641: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from 87.117.185.107:641: ignoring Vendor ID payload [IKE CGA version 1]
"L2TP-PSK-NAT"[2] 87.117.185.107 #10: responding to Main Mode from unknown peer 87.117.185.107
"L2TP-PSK-NAT"[2] 87.117.185.107 #10: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"L2TP-PSK-NAT"[2] 87.117.185.107 #10: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"L2TP-PSK-NAT"[2] 87.117.185.107 #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #10: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-NAT"[2] 87.117.185.107 #3: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #4: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #5: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #6: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #7: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #8: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #9: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107 #10: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 87.117.185.107: deleting connection "L2TP-PSK-NAT" instance with peer 87.117.185.107 {isakmp=#0/ipsec=#0}
Где искать решение проблемы? Правильно ли я понимаю, что у меня получается какой-то Double NAT, и могут ли проблемы быть связаны с этим? (По логу: сервер отвечает на Main Mode — «sent MR1, expecting MI2», — но ответ MI2 от клиента так и не приходит, отсюда «max number of retransmissions (2) reached STATE_MAIN_R1»: либо ответ сервера не доходит до клиента, либо клиент его отбрасывает. Сам сервер, судя по ifconfig, сидит на публичном адресе 91.245.35.34 без NAT; NAT есть только на стороне клиента (исходный порт 641 вместо 500, скорее всего, результат трансляции), и NAT-T это штатно поддерживает — «Double NAT» здесь не просматривается. Строки про OAKLEY_GROUP 19/20 информационные: Windows 7 предлагает ECP-группы, которых нет в Openswan 2.6.37, после чего согласование продолжается. Имеет смысл снять дамп на eth0 (`tcpdump -ni eth0 udp port 500 or udp port 4500`) и убедиться, что ответы сервера уходят и не режутся фильтром с той или другой стороны.)
