IPsec + L2TP, strongSwan does not push routes
Hello. I have a configured and working IPsec+L2TP setup on xl2tpd and strongSwan. When I add the leftsubnet option to ipsec.conf, Windows clients stop connecting at all (error 789), and on Ubuntu the route still never arrives.
IP_CLIENT_LOCAL - the client's IP before the switch
IP_CLIENT - the switch's IP
ipsec.conf:
version 2 # conforms to second version of ipsec.conf specification
config setup
conn L2TP-PSK
authby=secret
auto=add
type=transport
left=IP_VPNSERVER
leftsubnet=10.11.0.0/18
right=%any
rightprotoport=17/%any

[global]
ipsec saref = yes
saref refinfo = 30
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
[lns default]
ip range = 10.10.4.2-10.10.7.254
local ip = 10.10.4.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

May 13 14:58:45 charon-custom: 12[NET] received packet: from IP_CLIENT[500] to IP_VPNSERVER[500] (384 bytes)
May 13 14:58:45 charon-custom: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
May 13 14:58:45 charon-custom: 12[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
May 13 14:58:45 charon-custom: 12[IKE] received NAT-T (RFC 3947) vendor ID
May 13 14:58:45 charon-custom: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 13 14:58:45 charon-custom: 12[IKE] received FRAGMENTATION vendor ID
May 13 14:58:45 charon-custom: 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
May 13 14:58:45 charon-custom: 12[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
May 13 14:58:45 charon-custom: 12[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
May 13 14:58:45 charon-custom: 12[IKE] IP_CLIENT is initiating a Main Mode IKE_SA
May 13 14:58:45 charon-custom: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
May 13 14:58:45 charon-custom: 12[NET] sending packet: from IP_VPNSERVER[500] to IP_CLIENT[500] (136 bytes)
May 13 14:58:45 charon-custom: 11[NET] received packet: from IP_CLIENT[500] to IP_VPNSERVER[500] (228 bytes)
May 13 14:58:45 charon-custom: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 13 14:58:45 charon-custom: 11[IKE] remote host is behind NAT
May 13 14:58:45 charon-custom: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 13 14:58:45 charon-custom: 11[NET] sending packet: from IP_VPNSERVER[500] to IP_CLIENT[500] (212 bytes)
May 13 14:58:45 charon-custom: 13[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (76 bytes)
May 13 14:58:45 charon-custom: 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
May 13 14:58:45 charon-custom: 13[CFG] looking for pre-shared key peer configs matching IP_VPNSERVER...IP_CLIENT[IP_CLIENT_LOCAL]
May 13 14:58:45 charon-custom: 13[CFG] selected peer config "L2TP-PSK"
May 13 14:58:45 charon-custom: 13[IKE] IKE_SA L2TP-PSK[12] established between IP_VPNSERVER[IP_VPNSERVER]...IP_CLIENT[IP_CLIENT_LOCAL]
May 13 14:58:45 charon-custom: 13[IKE] scheduling reauthentication in 9772s
May 13 14:58:45 charon-custom: 13[IKE] maximum IKE_SA lifetime 10312s
May 13 14:58:45 charon-custom: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
May 13 14:58:45 charon-custom: 13[NET] sending packet: from IP_VPNSERVER[4500] to IP_CLIENT[4500] (76 bytes)
May 13 14:58:45 charon-custom: 16[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (332 bytes)
May 13 14:58:45 charon-custom: 16[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 13 14:58:45 charon-custom: 16[IKE] no matching CHILD_SA config found
May 13 14:58:45 charon-custom: 16[ENC] generating INFORMATIONAL_V1 request 1133790156 [ HASH N(INVAL_ID) ]
May 13 14:58:45 charon-custom: 16[NET] sending packet: from IP_VPNSERVER[4500] to IP_CLIENT[4500] (76 bytes)
May 13 14:58:46 charon-custom: 06[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (332 bytes)
May 13 14:58:46 charon-custom: 06[IKE] received retransmit of request with ID 1, but no response to retransmit
May 13 14:58:48 charon-custom: 15[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (332 bytes)
May 13 14:58:48 charon-custom: 15[IKE] received retransmit of request with ID 1, but no response to retransmit
May 13 14:58:52 charon-custom: 08[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (332 bytes)
May 13 14:58:52 charon-custom: 08[IKE] received retransmit of request with ID 1, but no response to retransmit
May 13 14:59:00 charon-custom: 09[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (332 bytes)
May 13 14:59:00 charon-custom: 09[IKE] received retransmit of request with ID 1, but no response to retransmit
May 13 14:59:16 charon-custom: 11[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (332 bytes)
May 13 14:59:16 charon-custom: 11[IKE] received retransmit of request with ID 1, but no response to retransmit
May 13 14:59:33 charon-custom: 13[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (332 bytes)
May 13 14:59:33 charon-custom: 13[IKE] received retransmit of request with ID 1, but no response to retransmit
May 13 14:59:49 charon-custom: 06[NET] received packet: from IP_CLIENT[4500] to IP_VPNSERVER[4500] (92 bytes)
May 13 14:59:49 charon-custom: 05[NET] received packet: from IP_CLIENT[500] to IP_VPNSERVER[500] (384 bytes)
May 13 14:59:49 charon-custom: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
May 13 14:59:49 charon-custom: 05[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
May 13 14:59:49 charon-custom: 05[IKE] received NAT-T (RFC 3947) vendor ID
May 13 14:59:49 charon-custom: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 13 14:59:49 charon-custom: 05[IKE] received FRAGMENTATION vendor ID
May 13 14:59:49 charon-custom: 05[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
May 13 14:59:49 charon-custom: 05[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
May 13 14:59:49 charon-custom: 05[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
May 13 14:59:49 charon-custom: 06[ENC] parsed INFORMATIONAL_V1 request 673427866 [ HASH D ]
May 13 14:59:49 charon-custom: 05[IKE] IP_CLIENT is initiating a Main Mode IKE_SA
May 13 14:59:49 charon-custom: 06[IKE] received DELETE for IKE_SA L2TP-PSK[12]
May 13 14:59:49 charon-custom: 06[IKE] deleting IKE_SA L2TP-PSK[12] between IP_VPNSERVER[IP_VPNSERVER]...IP_CLIENT[IP_CLIENT_LOCAL]
May 13 14:59:49 charon-custom: 05[ENC] generating ID_PROT response 0 [ SA V V V ]
May 13 14:59:49 charon-custom: 05[NET] sending packet: from IP_VPNSERVER[500] to IP_CLIENT[500] (136 bytes)
May 13 15:00:19 charon-custom: 10[JOB] deleting half open IKE_SA after timeout
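An added example (not part of the post above) that checks the conn section for the transport-mode/leftsubnet mismatch and walks the quoted charon lines to show that phase 1 succeeds while quick mode is rejected with INVAL_ID; the samples are constructed from the excerpts in the post, and the parser assumes the one-option-per-line layout shown there.

```python
# Constructed sample: the conn section and the key charon lines quoted in the post.
SAMPLE_CONF = """\
conn L2TP-PSK
type=transport
left=IP_VPNSERVER
leftsubnet=10.11.0.0/18
right=%any
rightprotoport=17/%any
"""
SAMPLE_LOG = """\
13[IKE] IKE_SA L2TP-PSK[12] established between IP_VPNSERVER[IP_VPNSERVER]...IP_CLIENT[IP_CLIENT_LOCAL]
16[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
16[IKE] no matching CHILD_SA config found
16[ENC] generating INFORMATIONAL_V1 request 1133790156 [ HASH N(INVAL_ID) ]
"""

def parse_conns(conf):
    """Return {conn_name: {key: value}} for every conn section of an ipsec.conf."""
    conns, cur = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def transport_selector_problems(conns):
    """A transport SA protects traffic between the two endpoints only, so the local
    selector must be the server address itself (or leftsubnet omitted); a wider
    prefix is not what the L2TP client proposes in quick mode."""
    bad = []
    for name, o in conns.items():
        sub = o.get("leftsubnet")
        if o.get("type") == "transport" and sub and sub not in (o.get("left"), f"{o.get('left')}/32"):
            bad.append(f"{name}: transport mode with leftsubnet={sub}; use the server address or drop it")
    return bad

def ike_progress(log):
    """Summarize how far the IKEv1 exchange got from the charon log lines."""
    s = {"phase1_established": False, "quick_mode_rejected": False}
    for line in log.splitlines():
        if "IKE_SA" in line and " established " in line:
            s["phase1_established"] = True       # Main Mode completed, PSK accepted
        elif "no matching CHILD_SA config found" in line or "N(INVAL_ID)" in line:
            s["quick_mode_rejected"] = True      # phase 2 selectors did not match any conn
    return s
```

In L2TP/IPsec the IPsec SA only protects UDP 1701 between the two hosts; routes to networks behind the server are not carried by IPsec and have to be set on the PPP side or on the client.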