I'm trying to set up L2TP + IPsec on a VPS (DigitalOcean) running Debian. I'm following the wiki article at https://wiki.debian.org/ru/xl2tpd/Server
Here are the configs:

/etc/ipsec.conf
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
# The value must list all private networks that are accepted
# as subnets for remote VPN clients.
# In other words, this is the range of IP addresses that sits
# behind the router and NAT (our VPN server) through which the VPN clients connect.
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
# Apple iOS doesn't send delete notify so we need dead peer detection
# to detect vanishing clients
dpddelay=30
dpdtimeout=120
dpdaction=clear
# Set ikelifetime and keylife to the corresponding
# Windows default values
ikelifetime=8h
keylife=1h
type=transport
# Replace IP address with your local IP (private, behind NAT IP is okay as well)
left=IP_ВПСа
# For VPN clients on Windows 2000/XP,
# i.e. to support VPN clients on legacy operating systems,
# use leftprotoport=17/%any
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
# Force NAT-T encapsulation for all peers, because of iOS
forceencaps=yes

/etc/ipsec.secrets
IP_ВПСа %any: PSK "длиныйпароль"

/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

/etc/ppp/chap-secrets
логин1 l2tpd пароль1 *
логин2 l2tpd пароль2 *

+ a script (added to rc.local)
# NAT the VPN clients' traffic out through the VPS
iptables --table nat --append POSTROUTING --jump MASQUERADE
# enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ICMP redirects on every interface
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

ipsec verify outputs:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-4-amd64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

In the logs:
Oct 18 10:05:16 VPN kernel: [ 1.100238] psmouse: Unknown symbol dmi_check_system_2 (err 0)
Oct 18 10:05:16 VPN kernel: [ 1.100662] psmouse: Unknown symbol dmi_first_match_2 (err 0)
Oct 18 10:05:16 VPN kernel: [ 1.124378] Error: Driver 'pcspkr' is already registered, aborting...
Oct 18 10:05:16 VPN kernel: [ 1.137230] processor: Unknown symbol dmi_check_system_2 (err 0)
Oct 18 10:05:16 VPN kernel: [ 1.165217] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
Oct 18 10:05:16 VPN kernel: [ 1.312071] Refined TSC clocksource calibration: 2399.938 MHz.
Oct 18 10:05:16 VPN kernel: [ 1.374170] EXT4-fs (vda1): re-mounted. Opts: (null)
Oct 18 10:05:16 VPN kernel: [ 1.400829] EXT4-fs (vda1): re-mounted. Opts: errors=remount-ro
Oct 18 10:05:16 VPN anacron[1875]: Anacron 2.3 started on 2014-10-18
Oct 18 10:05:16 VPN acpid: starting up with netlink and the input layer
Oct 18 10:05:16 VPN acpid: 1 rule loaded
Oct 18 10:05:16 VPN acpid: waiting for events: event logging is off
Oct 18 10:05:16 VPN anacron[1875]: Normal exit (0 jobs run)
Oct 18 10:05:16 VPN /usr/sbin/cron[1956]: (CRON) INFO (pidfile fd = 3)
Oct 18 10:05:16 VPN /usr/sbin/cron[1957]: (CRON) STARTUP (fork ok)
Oct 18 10:05:16 VPN /usr/sbin/cron[1957]: (CRON) INFO (Running @reboot jobs)
Oct 18 10:05:16 VPN xl2tpd[2043]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Oct 18 10:05:16 VPN xl2tpd[2043]: setsockopt recvref[30]: Protocol not available
Oct 18 10:05:16 VPN xl2tpd[2043]: This binary does not support kernel L2TP.
Oct 18 10:05:16 VPN xl2tpd[2045]: xl2tpd version xl2tpd-1.3.1 started on VPN PID:2045
Oct 18 10:05:16 VPN xl2tpd[2045]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Oct 18 10:05:16 VPN xl2tpd[2045]: Forked by Scott Balmos and David Stipp, (C) 2001
Oct 18 10:05:16 VPN xl2tpd[2045]: Inherited by Jeff McAdams, (C) 2002
Oct 18 10:05:16 VPN xl2tpd[2045]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Oct 18 10:05:16 VPN xl2tpd[2045]: Listening on IP address 0.0.0.0, port 1701
Oct 18 10:05:16 VPN kernel: [ 2.769857] ip_tables: (C) 2000-2006 Netfilter Core Team
Oct 18 10:05:16 VPN kernel: [ 2.773101] nf_conntrack version 0.5.0 (3976 buckets, 15904 max)
Oct 18 10:05:16 VPN ipsec_setup: Stopping Openswan IPsec...
Oct 18 10:05:16 VPN ipsec_setup: stop ordered, but IPsec appears to be already stopped!
Oct 18 10:05:16 VPN ipsec_setup: doing cleanup anyway...
Oct 18 10:05:16 VPN ipsec_setup: ...Openswan IPsec stopped
Oct 18 10:05:16 VPN kernel: [ 2.812934] NET: Registered protocol family 15
Oct 18 10:05:16 VPN ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-4-amd64...
Oct 18 10:05:16 VPN ipsec_setup: Using NETKEY(XFRM) stack
Oct 18 10:05:16 VPN kernel: [ 2.847237] Initializing XFRM netlink socket
Oct 18 10:05:16 VPN ipsec_setup: ...Openswan IPsec started
Oct 18 10:05:16 VPN ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct 18 10:05:16 VPN pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 18 10:05:17 VPN kernel: [ 2.932580] alg: No test for cipher_null (cipher_null-generic)
Oct 18 10:05:17 VPN kernel: [ 2.932857] alg: No test for ecb(cipher_null) (ecb-cipher_null)
Oct 18 10:05:17 VPN kernel: [ 2.933099] alg: No test for digest_null (digest_null-generic)
Oct 18 10:05:17 VPN kernel: [ 2.933334] alg: No test for compress_null (compress_null-generic)
Oct 18 10:05:17 VPN kernel: [ 2.939305] sha1_ssse3: Using AVX optimized SHA-1 implementation
Oct 18 10:05:17 VPN ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Oct 18 10:05:17 VPN ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Oct 18 10:05:25 VPN ntpdate[1593]: step time server 131.211.8.244 offset 0.390206 sec
Oct 18 10:05:26 VPN kernel: [ 12.440064] eth0: no IPv6 routers present
Oct 18 10:05:40 VPN ntpdate[2610]: adjust time server 82.94.235.106 offset 0.000009 sec
Oct 18 10:06:59 VPN dbus[1981]: [system] Activating service name='org.freedesktop.ConsoleKit' (using servicehelper)
Oct 18 10:06:59 VPN dbus[1981]: [system] Successfully activated service 'org.freedesktop.ConsoleKit'

This line worries me: Oct 18 10:05:16 VPN xl2tpd[2043]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
None of the clients can connect; here are the logs:
Oct 18 10:09:06 VPN xl2tpd[2045]: "/dev/pts/1"
Oct 18 10:09:06 VPN xl2tpd[2045]: Call established with 83.149.9.94, Local: 9867, Remote: 42309, Serial: -1956188090
Oct 18 10:09:06 VPN pppd[2768]: pppd 2.4.5 started by root, uid 0
Oct 18 10:09:06 VPN kernel: [ 232.244837] PPP generic driver version 2.4.2
Oct 18 10:09:06 VPN pppd[2768]: using channel 1
Oct 18 10:09:06 VPN pppd[2768]: Using interface ppp0
Oct 18 10:09:06 VPN pppd[2768]: Connect: ppp0 <--> /dev/pts/1
Oct 18 10:09:06 VPN pppd[2768]: sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MD5> <magic 0x16c088b6> <pcomp> <accomp>]
Oct 18 10:09:06 VPN pppd[2768]: rcvd [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x678aa1c0> <pcomp> <accomp>]
Oct 18 10:09:06 VPN pppd[2768]: sent [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x678aa1c0> <pcomp> <accomp>]
Oct 18 10:09:06 VPN pppd[2768]: rcvd [LCP ConfAck id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MD5> <magic 0x16c088b6> <pcomp> <accomp>]
Oct 18 10:09:06 VPN pppd[2768]: sent [LCP EchoReq id=0x0 magic=0x16c088b6]
Oct 18 10:09:06 VPN pppd[2768]: sent [CHAP Challenge id=0xcf <f72943dea7dce4dc7ec129957a258a90e96a5c>, name = "l2tpd"]
Oct 18 10:09:06 VPN pppd[2768]: rcvd [LCP EchoRep id=0x0 magic=0x678aa1c0]
Oct 18 10:09:07 VPN pppd[2768]: rcvd [CHAP Response id=0xcf <d1b439e092a28482c44371f807f305af>, name = "nexus"]
Oct 18 10:09:07 VPN pppd[2768]: sent [CHAP Success id=0xcf "Access granted"]
Oct 18 10:09:07 VPN pppd[2768]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 18 10:09:07 VPN pppd[2768]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.152.2.1>]
Oct 18 10:09:07 VPN kernel: [ 232.540382] PPP BSD Compression module registered
Oct 18 10:09:07 VPN kernel: [ 232.541895] PPP Deflate Compression module registered
Oct 18 10:09:07 VPN pppd[2768]: rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 18 10:09:07 VPN pppd[2768]: sent [CCP ConfAck id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 18 10:09:07 VPN pppd[2768]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Oct 18 10:09:07 VPN pppd[2768]: sent [IPCP ConfNak id=0x1 <addr 10.152.2.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Oct 18 10:09:07 VPN pppd[2768]: rcvd [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr 10.152.2.1>]
Oct 18 10:09:07 VPN pppd[2768]: rcvd [CCP ConfAck id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 18 10:09:07 VPN pppd[2768]: Deflate (15) compression enabled
Oct 18 10:09:07 VPN pppd[2768]: rcvd [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 10.152.2.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Oct 18 10:09:07 VPN pppd[2768]: sent [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 10.152.2.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Oct 18 10:09:07 VPN pppd[2768]: Cannot determine ethernet address for proxy ARP
Oct 18 10:09:07 VPN pppd[2768]: local IP address 10.152.2.1
Oct 18 10:09:07 VPN pppd[2768]: remote IP address 10.152.2.2
Oct 18 10:09:07 VPN pppd[2768]: Script /etc/ppp/ip-up started (pid 2779)
Oct 18 10:09:07 VPN pppd[2768]: Script /etc/ppp/ip-up finished (pid 2779), status = 0x0
Oct 18 10:09:07 VPN pppd[2768]: rcvd [LCP TermReq id=0x2 "User request"]
Oct 18 10:09:07 VPN pppd[2768]: LCP terminated by peer (User request)
Oct 18 10:09:07 VPN pppd[2768]: Connect time 0.0 minutes.
Oct 18 10:09:07 VPN pppd[2768]: Sent 0 bytes, received 0 bytes.
Oct 18 10:09:07 VPN pppd[2768]: Script /etc/ppp/ip-down started (pid 2786)
Oct 18 10:09:07 VPN pppd[2768]: sent [LCP TermAck id=0x2]
Oct 18 10:09:07 VPN pppd[2768]: Script /etc/ppp/ip-down finished (pid 2786), status = 0x0
Oct 18 10:09:07 VPN xl2tpd[2045]: result_code_avp: avp is incorrect size. 8 < 10
Oct 18 10:09:07 VPN xl2tpd[2045]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Oct 18 10:09:07 VPN xl2tpd[2045]: Terminating pppd: sending TERM signal to pid 2768
Oct 18 10:09:07 VPN xl2tpd[2045]: Connection 51089 closed to 83.149.9.94, port 40900 (Result Code: expected at least 10, got 8)
Oct 18 10:09:07 VPN pppd[2768]: Terminating on signal 15
Oct 18 10:09:07 VPN pppd[2768]: Modem hangup
Oct 18 10:09:07 VPN pppd[2768]: Connection terminated.
Oct 18 10:09:07 VPN pppd[2768]: Exit.
Oct 18 11:14:13 VPN pluto[2455]: packet from 83.149.9.94:36982: received Vendor ID payload [RFC 3947] method set to=109
Oct 18 11:14:13 VPN pluto[2455]: packet from 83.149.9.94:36982: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Oct 18 11:14:13 VPN pluto[2455]: packet from 83.149.9.94:36982: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Oct 18 11:14:13 VPN pluto[2455]: packet from 83.149.9.94:36982: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 18 11:14:13 VPN pluto[2455]: packet from 83.149.9.94:36982: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Oct 18 11:14:13 VPN pluto[2455]: packet from 83.149.9.94:36982: received Vendor ID payload [Dead Peer Detection]
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: responding to Main Mode from unknown peer 83.149.9.94
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: Main mode peer ID is ID_IPV4_ADDR: '10.187.247.244'
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[1] 83.149.9.94 #2: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: new NAT mapping for #2, was 83.149.9.94:36982, now 83.149.9.94:47433
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: Dead Peer Detection (RFC 3706): enabled
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: received and ignored informational message
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: the peer proposed: IP_ВПСа/32:17/1701 -> 10.187.247.244/32:17/0
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: responding to Quick Mode proposal {msgid:fa11d881}
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: us: IP_ВПСа<IP_ВПСа>[+S=C]:17/1701
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: them: 83.149.9.94[10.187.247.244,+S=C]:17/0===10.187.247.244/32
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: Dead Peer Detection (RFC 3706): enabled
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0b557582 <0x59ab2b41 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=83.149.9.94:47433 DPD=enabled}

Can you tell me what the problem might be? Thanks.
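An added example, not part of the original post and not taken from the Debian wiki: a small Python triage script that walks syslog lines in the format shown above (pluto, xl2tpd, pppd), records which stage of an L2TP/IPsec session each daemon reached (IKE phase 1 and 2, L2TP call, PPP LCP, CHAP, IPCP), collects teardown and warning messages in the order they appear, and extracts the negotiated IKE and ESP parameters. The sample lines embedded in the script are constructed from the log excerpt above; the stage names and the diagnosis wording are the script's own, not anything the daemons emit.

```python
"""Triage an L2TP/IPsec session from syslog lines written by pluto, xl2tpd and pppd."""
import re
import sys

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
Oct 18 10:09:06 VPN xl2tpd[2045]: Call established with 83.149.9.94, Local: 9867, Remote: 42309, Serial: -1956188090
Oct 18 10:09:06 VPN pppd[2768]: sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MD5> <magic 0x16c088b6> <pcomp> <accomp>]
Oct 18 10:09:06 VPN pppd[2768]: rcvd [LCP ConfAck id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MD5> <magic 0x16c088b6> <pcomp> <accomp>]
Oct 18 10:09:07 VPN pppd[2768]: sent [CHAP Success id=0xcf "Access granted"]
Oct 18 10:09:07 VPN pppd[2768]: sent [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 10.152.2.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Oct 18 10:09:07 VPN pppd[2768]: Cannot determine ethernet address for proxy ARP
Oct 18 10:09:07 VPN pppd[2768]: rcvd [LCP TermReq id=0x2 "User request"]
Oct 18 10:09:07 VPN pppd[2768]: Connect time 0.0 minutes.
Oct 18 10:09:07 VPN xl2tpd[2045]: result_code_avp: avp is incorrect size. 8 < 10
Oct 18 10:09:07 VPN xl2tpd[2045]: Connection 51089 closed to 83.149.9.94, port 40900 (Result Code: expected at least 10, got 8)
Oct 18 11:14:13 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Oct 18 11:14:14 VPN pluto[2455]: "L2TP-PSK-NAT"[2] 83.149.9.94 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0b557582 <0x59ab2b41 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=83.149.9.94:47433 DPD=enabled}
"""

# Classic syslog line: "Oct 18 10:09:07 VPN pppd[2768]: message" (the pid part is optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Stages a healthy session passes through: (stage name, daemon, message pattern).
MILESTONES = [
    ("ike_phase1", "pluto",  r"ISAKMP SA established"),
    ("ike_phase2", "pluto",  r"IPsec SA established"),
    ("l2tp_call",  "xl2tpd", r"Call established with"),
    ("ppp_lcp",    "pppd",   r"rcvd \[LCP ConfAck"),
    ("ppp_auth",   "pppd",   r"sent \[CHAP Success"),
    ("ppp_ipcp",   "pppd",   r"sent \[IPCP ConfAck"),
]

# Messages that mean the session is being torn down or is degraded.
FAILURES = [
    ("peer_terminated",  "pppd",   r"rcvd \[LCP TermReq"),
    ("l2tp_avp_error",   "xl2tpd", r"avp is incorrect size|Bad exit status"),
    ("l2tp_closed",      "xl2tpd", r"Connection \d+ closed to"),
    ("proxyarp_warning", "pppd",   r"Cannot determine ethernet address for proxy ARP"),
]

KV_RE = re.compile(r"(\w+)=(\w+)")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def diagnose(report):
    """Turn the collected stages and failures into a short plain-language verdict."""
    reached, failures = report["reached"], report["failures"]
    notes = []
    if "ppp_ipcp" in reached and "peer_terminated" in failures:
        notes.append("PPP completed LCP, CHAP and IPCP; the peer then sent LCP TermReq, "
                     "so IPsec and PPP authentication are not the failing stage")
    elif "ppp_lcp" in reached and "ppp_auth" not in reached:
        notes.append("PPP reached LCP but never got CHAP Success: check chap-secrets and the client credentials")
    elif "ike_phase2" in reached and "l2tp_call" not in reached:
        notes.append("IPsec SA is up but no L2TP call was established: check that xl2tpd is listening on UDP/1701")
    elif "ike_phase2" not in reached:
        notes.append("no IPsec SA was established: check the PSK, the left= address and NAT-T")
    if "l2tp_avp_error" in failures:
        notes.append("xl2tpd rejected a control message whose Result Code AVP was shorter than it expects")
    if report["ike"].get("group") == "modp1024":
        notes.append("IKE negotiated a 1024-bit DH group (modp1024); prefer modp2048 or larger where clients support it")
    return "; ".join(notes)


def analyze(text):
    """Scan log text and return reached stages, failures, peer and negotiated crypto parameters."""
    report = {"reached": [], "failures": [], "ike": {}, "esp": None, "peer": None}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        prog, msg = rec["prog"], rec["msg"]
        for name, daemon, pat in MILESTONES:
            if prog == daemon and re.search(pat, msg) and name not in report["reached"]:
                report["reached"].append(name)
        for name, daemon, pat in FAILURES:
            if prog == daemon and re.search(pat, msg):
                report["failures"].append(name)
                break
        if prog == "pluto" and "ISAKMP SA established" in msg:
            brace = re.search(r"\{([^}]*)\}", msg)
            if brace:
                report["ike"] = dict(KV_RE.findall(brace.group(1)))
        if prog == "pluto" and "IPsec SA established" in msg:
            esp = re.search(r"xfrm=([\w-]+)", msg)
            if esp:
                report["esp"] = esp.group(1)
        if prog == "xl2tpd":
            peer = re.search(r"Call established with (\d+(?:\.\d+){3})", msg)
            if peer:
                report["peer"] = peer.group(1)
    report["diagnosis"] = diagnose(report)
    return report


if __name__ == "__main__":
    # Read a real log from stdin (e.g. `grep -E 'pluto|xl2tpd|pppd' /var/log/syslog | python3 triage.py`),
    # or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, value in analyze(data).items():
        print(f"{key}: {value}")
```

On the excerpt above the script reports that the L2TP call, LCP, CHAP and IPCP all completed before the peer sent LCP TermReq, records the xl2tpd Result Code AVP error and the proxy ARP warning that follow, and notes that the IKE SA used the modp1024 group. It only groups what the daemons already log; it does not identify the cause of the teardown on the client side.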