Hello everyone.
I have:
Linux - 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 GNU/Linux
xl2tpd version: xl2tpd-1.3.12
Linux strongSwan U5.7.2/K4.19.0-5-amd64
Dnsmasq version 2.80
/etc/ipsec.conf
config setup
    charondebug="enc 0, net 0, ike 0, cfg 0, knl 0, lib 0, job 0, dmn 0"
conn vpnserver
    authby=secret
    auto=add
    type=transport
    left={ip-2}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rekey=no
/etc/dnsmasq.conf
dhcp-range=10.1.2.3,static
dhcp-option=option:router
dhcp-option=121,10.1.2.1/32,10.1.2.2,{ip-1}/32,10.1.2.2
dhcp-option=249,10.1.2.1/32,10.1.2.2,{ip-1}/32,10.1.2.2
dhcp-option=vendor:MSFT,2,1i
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.3-10.1.2.25
local ip = 10.1.2.2
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
/etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
debug
auth
name vpnserver
proxyarp
mtu 1372
/etc/iptables/rules.v4
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
-A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp+ -s 10.1.2.0/24 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 8.8.8.8 -j ACCEPT
-A FORWARD -d 8.8.8.8 -j ACCEPT
-A FORWARD -j REJECT
-A OUTPUT -j ACCEPT
-A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
-A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
-A POSTROUTING -o ens3 -s 10.1.2.0/24 --jump MASQUERADE
#-I POSTROUTING 1 -j LOG
COMMIT
/etc/network/interfaces
auto ens3
iface ens3 inet static
address {ip-1}
netmask 255.255.255.255
gateway 10.0.0.1
pointopoint 10.0.0.1
up ip addr add {ip-2}/32 dev ens3
down ip addr del {ip-2}/32 dev ens3
auto dummy0
iface dummy0 inet static
address 10.1.2.1
netmask 255.255.255.0
pre-up ip link add dummy0 type dummy
/etc/modules
dummy
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.ip_forward = 1
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:57:d7:ec brd ff:ff:ff:ff:ff:ff
inet {ip-1} peer 10.0.0.1/32 brd {ip-1} scope global ens3
valid_lft forever preferred_lft forever
inet {ip-2}/32 scope global ens3
valid_lft forever preferred_lft forever
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether f6:ed:c9:9f:fc:ef brd ff:ff:ff:ff:ff:ff
inet 10.1.2.1/24 brd 10.1.2.255 scope global dummy0
valid_lft forever preferred_lft forever
As a result of all this, we get:
Aug 7 03:46:43 - charon: 00[DMN] signal of type SIGINT received. Shutting down
Aug 7 03:46:43 - ipsec[585]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug 7 03:46:43 - ipsec[585]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 7 03:46:43 - ipsec[585]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 7 03:46:43 - ipsec[585]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 7 03:46:43 - ipsec[585]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 7 03:46:43 - ipsec[585]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 7 03:46:43 - ipsec[585]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 7 03:46:43 - ipsec[585]: 00[CFG] loaded IKE secret for {ip-2}
Aug 7 03:46:43 - ipsec[585]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug 7 03:46:43 - ipsec[585]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 7 03:46:43 - ipsec[585]: 00[JOB] spawning 16 worker threads
Aug 7 03:46:43 - ipsec[585]: 05[CFG] received stroke: add connection 'vpnserver'
Aug 7 03:46:43 - ipsec[585]: 05[CFG] added configuration 'vpnserver'
Aug 7 03:46:43 - ipsec[585]: 00[DMN] signal of type SIGINT received. Shutting down
Aug 7 03:46:43 - ipsec[585]: charon stopped after 200 ms
Aug 7 03:46:43 - ipsec[585]: ipsec starter stopped
Aug 7 03:46:43 - systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Aug 7 03:46:43 - systemd[1]: strongswan.service: Succeeded.
Aug 7 03:46:43 - systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug 7 03:46:43 - systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug 7 03:46:43 - ipsec[684]: Starting strongSwan 5.7.2 IPsec [starter]...
Aug 7 03:46:43 - systemd[1]: Stopping LSB: layer 2 tunelling protocol daemon...
Aug 7 03:46:43 - xl2tpd[613]: death_handler: Fatal signal 15 received
Aug 7 03:46:43 - xl2tpd[694]: Stopping xl2tpd: xl2tpd.
Aug 7 03:46:43 - systemd[1]: xl2tpd.service: Succeeded.
Aug 7 03:46:43 - systemd[1]: Stopped LSB: layer 2 tunelling protocol daemon.
Aug 7 03:46:43 - systemd[1]: Starting LSB: layer 2 tunelling protocol daemon...
Aug 7 03:46:43 - charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug 7 03:46:43 - xl2tpd[711]: Enabling IPsec SAref processing for L2TP transport mode SAs
Aug 7 03:46:43 - xl2tpd[711]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Aug 7 03:46:43 - xl2tpd[711]: setsockopt recvref[30]: Protocol not available
Aug 7 03:46:43 - xl2tpd[711]: Not looking for kernel support.
Aug 7 03:46:43 - xl2tpd[703]: Starting xl2tpd: xl2tpd.
Aug 7 03:46:43 - systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Aug 7 03:46:43 - xl2tpd[712]: xl2tpd version xl2tpd-1.3.12 started on -.info PID:712
Aug 7 03:46:43 - xl2tpd[712]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 7 03:46:43 - xl2tpd[712]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 7 03:46:43 - xl2tpd[712]: Inherited by Jeff McAdams, (C) 2002
Aug 7 03:46:43 - xl2tpd[712]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Aug 7 03:46:43 - xl2tpd[712]: Listening on IP address 0.0.0.0, port 1701
Aug 7 03:46:43 - charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 7 03:46:43 - charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 7 03:46:43 - charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 7 03:46:43 - charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 7 03:46:43 - charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 7 03:46:43 - charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 7 03:46:43 - charon: 00[CFG] loaded IKE secret for {ip-2}
Aug 7 03:46:43 - charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug 7 03:46:43 - charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 7 03:46:43 - charon: 00[JOB] spawning 16 worker threads
Aug 7 03:46:43 - systemd[1]: Stopping dnsmasq - A lightweight DHCP and caching DNS server...
Aug 7 03:46:43 - ipsec[684]: charon (710) started after 40 ms
Aug 7 03:46:43 - charon: 05[CFG] received stroke: add connection 'vpnserver'
Aug 7 03:46:43 - charon: 05[CFG] added configuration 'vpnserver'
Aug 7 03:46:43 - dnsmasq[649]: exiting on receipt of SIGTERM
Aug 7 03:46:43 - systemd[1]: dnsmasq.service: Succeeded.
Aug 7 03:46:43 - systemd[1]: Stopped dnsmasq - A lightweight DHCP and caching DNS server.
Aug 7 03:46:43 - systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Aug 7 03:46:43 - dnsmasq[740]: dnsmasq: syntax check OK.
Aug 7 03:46:43 - dnsmasq[748]: started, version 2.80 cachesize 150
Aug 7 03:46:43 - dnsmasq[748]: DNS service limited to local subnets
Aug 7 03:46:43 - dnsmasq[748]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Aug 7 03:46:43 - dnsmasq-dhcp[748]: DHCP, static leases only on 10.1.2.3, lease time 1h
Aug 7 03:46:43 - dnsmasq[748]: reading /etc/resolv.conf
Aug 7 03:46:43 - dnsmasq[748]: using nameserver 8.8.8.8#53
Aug 7 03:46:43 - dnsmasq[748]: using nameserver 8.8.4.4#53
Aug 7 03:46:43 - dnsmasq[748]: read /etc/hosts - 5 addresses
Aug 7 03:46:43 - systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Aug 7 03:46:55 - charon: 07[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (408 bytes)
Aug 7 03:46:55 - charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug 7 03:46:55 - charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Aug 7 03:46:55 - charon: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Aug 7 03:46:55 - charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Aug 7 03:46:55 - charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 7 03:46:55 - charon: 07[IKE] received FRAGMENTATION vendor ID
Aug 7 03:46:55 - charon: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Aug 7 03:46:55 - charon: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Aug 7 03:46:55 - charon: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Aug 7 03:46:55 - charon: 07[IKE] {ip-client} is initiating a Main Mode IKE_SA
Aug 7 03:46:55 - charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
Aug 7 03:46:55 - charon: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 7 03:46:55 - charon: 07[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (160 bytes)
Aug 7 03:46:55 - charon: 08[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (228 bytes)
Aug 7 03:46:55 - charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 7 03:46:55 - charon: 08[IKE] remote host is behind NAT
Aug 7 03:46:55 - charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 7 03:46:55 - charon: 08[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (212 bytes)
Aug 7 03:46:55 - charon: 09[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug 7 03:46:55 - charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug 7 03:46:55 - charon: 09[CFG] looking for pre-shared key peer configs matching {ip-2}...{ip-client}[192.168.98.25]
Aug 7 03:46:55 - charon: 09[CFG] selected peer config "vpnserver"
Aug 7 03:46:55 - charon: 09[IKE] IKE_SA vpnserver[1] established between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug 7 03:46:55 - charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug 7 03:46:55 - charon: 09[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (76 bytes)
Aug 7 03:46:55 - charon: 11[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (444 bytes)
Aug 7 03:46:55 - charon: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 7 03:46:55 - charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 7 03:46:55 - charon: 11[IKE] received 3600s lifetime, configured 0s
Aug 7 03:46:55 - charon: 11[IKE] received 250000000 lifebytes, configured 0
Aug 7 03:46:55 - charon: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 7 03:46:55 - charon: 11[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (204 bytes)
Aug 7 03:46:55 - charon: 12[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (60 bytes)
Aug 7 03:46:55 - charon: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Aug 7 03:46:55 - charon: 12[IKE] CHILD_SA vpnserver{1} established with SPIs c14bb892_i 06c946b0_o and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug 7 03:46:56 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 7 03:46:58 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 7 03:47:02 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 7 03:47:10 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 7 03:47:20 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 7 03:47:26 - xl2tpd[712]: Maximum retries exceeded for tunnel 35573. Closing.
Aug 7 03:47:26 - xl2tpd[712]: Connection 13 closed to {ip-client}, port 1701 (Timeout)
Aug 7 03:47:30 - charon: 15[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug 7 03:47:30 - charon: 15[ENC] parsed INFORMATIONAL_V1 request 3378750910 [ HASH D ]
Aug 7 03:47:30 - charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 06c946b0
Aug 7 03:47:30 - charon: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c14bb892_i (648 bytes) 06c946b0_o (0 bytes) and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug 7 03:47:30 - charon: 16[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (92 bytes)
Aug 7 03:47:30 - ipsec[684]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug 7 03:47:30 - ipsec[684]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 7 03:47:30 - ipsec[684]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 7 03:47:30 - ipsec[684]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 7 03:47:30 - ipsec[684]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 7 03:47:30 - ipsec[684]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 7 03:47:30 - ipsec[684]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 7 03:47:30 - ipsec[684]: 00[CFG] loaded IKE secret for {ip-2}
Aug 7 03:47:30 - ipsec[684]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug 7 03:47:30 - ipsec[684]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 7 03:47:30 - ipsec[684]: 00[JOB] spawning 16 worker threads
Aug 7 03:47:30 - ipsec[684]: 05[CFG] received stroke: add connection 'vpnserver'
Aug 7 03:47:30 - ipsec[684]: 05[CFG] added configuration 'vpnserver'
Aug 7 03:47:30 - ipsec[684]: 07[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (408 bytes)
Aug 7 03:47:30 - ipsec[684]: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug 7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Aug 7 03:47:30 - ipsec[684]: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Aug 7 03:47:30 - ipsec[684]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Aug 7 03:47:30 - ipsec[684]: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 7 03:47:30 - ipsec[684]: 07[IKE] received FRAGMENTATION vendor ID
Aug 7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Aug 7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Aug 7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Aug 7 03:47:30 - ipsec[684]: 07[IKE] {ip-client} is initiating a Main Mode IKE_SA
Aug 7 03:47:30 - ipsec[684]: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
Aug 7 03:47:30 - ipsec[684]: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 7 03:47:30 - ipsec[684]: 07[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (160 bytes)
Aug 7 03:47:30 - ipsec[684]: 08[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (228 bytes)
Aug 7 03:47:30 - ipsec[684]: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 7 03:47:30 - charon: 16[ENC] parsed INFORMATIONAL_V1 request 1455205357 [ HASH D ]
Aug 7 03:47:30 - ipsec[684]: 08[IKE] remote host is behind NAT
Aug 7 03:47:30 - ipsec[684]: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 7 03:47:30 - ipsec[684]: 08[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (212 bytes)
Aug 7 03:47:30 - ipsec[684]: 09[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug 7 03:47:30 - ipsec[684]: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug 7 03:47:30 - ipsec[684]: 09[CFG] looking for pre-shared key peer configs matching {ip-2}...{ip-client}[192.168.98.25]
Aug 7 03:47:30 - ipsec[684]: 09[CFG] selected peer config "vpnserver"
Aug 7 03:47:30 - ipsec[684]: 09[IKE] IKE_SA vpnserver[1] established between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug 7 03:47:30 - ipsec[684]: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug 7 03:47:30 - ipsec[684]: 09[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (76 bytes)
Aug 7 03:47:30 - ipsec[684]: 11[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (444 bytes)
Aug 7 03:47:30 - ipsec[684]: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 7 03:47:30 - ipsec[684]: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 7 03:47:30 - ipsec[684]: 11[IKE] received 3600s lifetime, configured 0s
Aug 7 03:47:30 - ipsec[684]: 11[IKE] received 250000000 lifebytes, configured 0
Aug 7 03:47:30 - ipsec[684]: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 7 03:47:30 - ipsec[684]: 11[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (204 bytes)
Aug 7 03:47:30 - ipsec[684]: 12[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (60 bytes)
Aug 7 03:47:30 - ipsec[684]: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Aug 7 03:47:30 - ipsec[684]: 12[IKE] CHILD_SA vpnserver{1} established with SPIs c14bb892_i 06c946b0_o and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug 7 03:47:30 - ipsec[684]: 15[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug 7 03:47:30 - ipsec[684]: 15[ENC] parsed INFORMATIONAL_V1 request 3378750910 [ HASH D ]
Aug 7 03:47:30 - ipsec[684]: 15[IKE] received DELETE for ESP CHILD_SA with SPI 06c946b0
Aug 7 03:47:30 - ipsec[684]: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c14bb892_i (648 bytes) 06c946b0_o (0 bytes) and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug 7 03:47:30 - ipsec[684]: 16[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (92 bytes)
Aug 7 03:47:30 - ipsec[684]: 16[ENC] parsed INFORMATIONAL_V1 request 1455205357 [ HASH D ]
Aug 7 03:47:30 - ipsec[684]: 16[IKE] received DELETE for IKE_SA vpnserver[1]
Aug 7 03:47:30 - charon: 16[IKE] received DELETE for IKE_SA vpnserver[1]
Aug 7 03:47:30 - charon: 16[IKE] deleting IKE_SA vpnserver[1] between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug 7 03:47:57 - xl2tpd[712]: Unable to deliver closing message for tunnel 35573. Destroying anyway.
Aug 7 03:48:20 - systemd[1]: Started Session 3 of user root.
I tried connecting through two different providers - the result is identical => it is unlikely that the provider is blocking something.
With this config everything worked on Debian 9. The result became like this when the listed configs were applied on Debian 10. Or maybe something got mixed up... :)
Help please :)
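
Added example, not part of the original post: a small Python triage of the log above that pulls the per-direction ESP byte counters from charon's `closing CHILD_SA` lines and counts the xl2tpd control-channel retries. The function name `triage` and the regular expressions are choices made for this example; the embedded excerpt repeats lines from the log above.

```python
import re
from collections import Counter

# Excerpt of the syslog lines shown above ({ip-2}/{ip-client} are the post's own placeholders).
SAMPLE_LOG = """\
Aug 7 03:46:55 - charon: 12[IKE] CHILD_SA vpnserver{1} established with SPIs c14bb892_i 06c946b0_o and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug 7 03:46:56 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 7 03:46:58 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 7 03:47:26 - xl2tpd[712]: Maximum retries exceeded for tunnel 35573. Closing.
Aug 7 03:47:30 - charon: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c14bb892_i (648 bytes) 06c946b0_o (0 bytes) and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
"""

# Only lines tagged "charon:" are matched: the "ipsec[684]:" lines in the log
# replay the same charon output and would double-count every SA.
CLOSE_RE = re.compile(
    r"charon: \d+\[IKE\] closing CHILD_SA (?P<name>\S+) with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\)")
REPEAT_RE = re.compile(
    r"xl2tpd\[\d+\]: control_finish: Peer requested tunnel (\d+) twice")
TIMEOUT_RE = re.compile(
    r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel (\d+)")


def triage(log_text):
    """Summarise ESP byte counters and L2TP control retries from a syslog excerpt."""
    one_way, repeats, timeouts = [], Counter(), []
    for line in log_text.splitlines():
        m = CLOSE_RE.search(line)
        if m:
            b_in, b_out = int(m["bytes_in"]), int(m["bytes_out"])
            # Bytes in exactly one direction: packets were processed on one SA
            # of the pair while nothing at all went through the other.
            if (b_in == 0) != (b_out == 0):
                one_way.append({"child_sa": m["name"],
                                "spi_in": m["spi_in"], "bytes_in": b_in,
                                "spi_out": m["spi_out"], "bytes_out": b_out})
            continue
        m = REPEAT_RE.search(line)
        if m:
            repeats[m.group(1)] += 1   # client retransmitted its tunnel request
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            timeouts.append(m.group(1))
    return {"one_way_sas": one_way,
            "repeated_requests": dict(repeats),
            "timed_out_tunnels": timeouts}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the excerpt it reports `vpnserver{1}` with 648 bytes inbound and 0 bytes outbound, next to the repeated requests for tunnel 13 and the timeout of tunnel 35573.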