
Setting up an IPSec server

Forum — Admin

As it happens, I was given the task of setting up an L2TP over IPSec VPN server on Linux (Fedora).
I started by reading a few articles (there aren't that many) and began with the IPSec setup.
I chose openswan as the IPSec server.
At first I tried connecting to it from Windows, but for an unknown reason there was no connection (only later did I discover that the Windows client is bad). So now I'm connecting to it (testing) from the Mac client (Mac OS X v10.5.5).
At first the connection didn't get established at all, but after several days of testing I ended up with the following error, and for a week now I haven't been able to beat it:

pluto[5077]: packet from 89.113.48.112:26133: received Vendor ID payload [RFC 3947] method set to=109
pluto[5077]: packet from 89.113.48.112:26133: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
pluto[5077]: packet from 89.113.48.112:26133: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[5077]: packet from 89.113.48.112:26133: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[5077]: packet from 89.113.48.112:26133: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[5077]: packet from 89.113.48.112:26133: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[5077]: packet from 89.113.48.112:26133: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[5077]: packet from 89.113.48.112:26133: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
pluto[5077]: packet from 89.113.48.112:26133: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
pluto[5077]: packet from 89.113.48.112:26133: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
pluto[5077]: packet from 89.113.48.112:26133: received Vendor ID payload [Dead Peer Detection]
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: responding to Main Mode from unknown peer 89.113.48.112
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
pluto[5077]: "roadwarrior-net"[1] 89.113.48.112 #1: switched from "roadwarrior-net" to "roadwarrior-net"
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: deleting connection "roadwarrior-net" instance with peer 89.113.48.112 {isakmp=#0/ipsec=#0}
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: new NAT mapping for #1, was 89.113.48.112:26133, now 89.113.48.112:26173
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: received and ignored informational message
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: the peer proposed: *.*.*.*/32:0/0 -> 192.168.1.2/32:0/0
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: cannot respond to IPsec SA request because no connection is known for *.*.*.*/32===10.254.185.206<10.254.185.206>[S=C]:17/1701...89.113.48.112[192.168.1.2,S=C]:17/49241===192.168.1.2/32
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: sending encrypted notification INVALID_ID_INFORMATION to 89.113.48.112:26173
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: the peer proposed: *.*.*.*/32:0/0 -> 192.168.1.2/32:0/0
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: cannot respond to IPsec SA request because no connection is known for *.*.*.*/32===10.254.185.206<10.254.185.206>[S=C]:17/1701...89.113.48.112[192.168.1.2,S=C]:17/49241===192.168.1.2/32
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: sending encrypted notification INVALID_ID_INFORMATION to 89.113.48.112:26173
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: the peer proposed: *.*.*.*/32:0/0 -> 192.168.1.2/32:0/0
pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: cannot respond to IPsec SA request because no connection is known for *.*.*.*/32===10.254.185.206<10.254.185.206>[S=C]:17/1701...89.113.48.112[192.168.1.2,S=C]:17/49241===192.168.1.2/32

*.*.*.* is my server's external IP, which I connect to from home.

This error text pops up with ANY (!!!) configuration, whatever I use. Right now this one is in place:
ipsec.conf

version 2.0

config setup
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=secret

conn roadwarrior-net
leftsubnet=10.254.185.0/24
also=roadwarrior

conn roadwarrior-all
leftsubnet=0.0.0.0/0
also=roadwarrior

conn roadwarrior
left=10.254.185.206
right=%any
rightsubnet=vhost:%no,%priv
auto=add
pfs=yes

conn roadwarrior-l2tp
type=transport
left=10.254.185.206
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
pfs=no
auto=add

conn roadwarrior-l2tp-oldwin
left=10.254.185.206
leftprotoport=17/0
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%no,%priv
pfs=no
auto=add

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear-or-private
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore

ipsec.secrets

10.254.185.206 %any : PSK "12345"

10.254.185.206 is my server's internal IP.

What I've tried:
There are no problems with ports. Everything is allowed.
I disabled nat-traversal; everything is the same, just without the NAT line in the logs.
I tried different configs, using subnets and all the other stuff that forums advise setting up to solve the problem.

aimatme
()
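The pluto line quoted in the post already names the mismatch: the peer proposes UDP 1701 on the server side but UDP 49241 on the client side, while every conn in the posted ipsec.conf either has no protoport at all or pins the client to 17/1701 (the openswan documentation for Mac OS X L2TP clients, which do not use source port 1701 behind NAT, is `rightprotoport=17/%any`). The script below is an added example, not code from the post or from openswan: it parses the "no connection is known for" message into the proposed hosts and proto/port selectors, parses the conn sections of an ipsec.conf (expanding `also=`), and reports, per conn, which selector check stops it from matching. The conf text and log line are constructed from the post (the masked `*.*.*.*` address is kept as written); the `%default` conn and the subnet/vhost checks are left out to keep the logic to the protoport rule that is failing here.

```python
"""Diagnose an openswan 'no connection is known for ...' failure (added example)."""
import re

# Constructed sample: the pluto log line from the post, with the masked server address kept.
PLUTO_LINE = (
    'pluto[5077]: "roadwarrior-net"[2] 89.113.48.112 #1: cannot respond to '
    'IPsec SA request because no connection is known for '
    '*.*.*.*/32===10.254.185.206<10.254.185.206>[S=C]:17/1701...'
    '89.113.48.112[192.168.1.2,S=C]:17/49241===192.168.1.2/32'
)

# Constructed sample: the relevant conn sections from the posted ipsec.conf.
IPSEC_CONF = """\
conn roadwarrior
left=10.254.185.206
right=%any
rightsubnet=vhost:%no,%priv
auto=add

conn roadwarrior-net
leftsubnet=10.254.185.0/24
also=roadwarrior

conn roadwarrior-l2tp
type=transport
left=10.254.185.206
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
auto=add
"""


def parse_proposal(line):
    """Pull hosts and proto/port selectors out of pluto's 'no connection is known for' text."""
    spec = re.search(r'no connection is known for (\S+)', line).group(1)
    left, right = spec.split('...', 1)
    # left: <subnet>===<host><host>[flags]:<proto>/<port>
    lm = re.match(r'\S+?===(\S+?)<[^>]*>(?:\[[^\]]*\])?:(\d+)/(\d+)$', left)
    # right: <host>[id,flags]:<proto>/<port>===<subnet>
    rm = re.match(r'(\S+?)(?:\[[^\]]*\])?:(\d+)/(\d+)===\S+$', right)
    return {
        'left': lm.group(1), 'lproto': int(lm.group(2)), 'lport': int(lm.group(3)),
        'right': rm.group(1), 'rproto': int(rm.group(2)), 'rport': int(rm.group(3)),
    }


def parse_conf(text):
    """Parse 'conn NAME' sections into dicts, expanding also= (including conn overrides the included one)."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('conn '):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and '=' in line:
            key, val = line.split('=', 1)
            conns[cur][key.strip()] = val.strip()

    def expand(name, seen=()):
        conn = dict(conns[name])
        also = conn.pop('also', None)
        if also in conns and also not in seen:
            base = expand(also, seen + (name,))
            base.update(conn)
            return base
        return conn

    return {name: expand(name) for name in conns}


def protoport_matches(spec, proto, port):
    """spec is '17/1701', '17/%any', '17/0' or None; None means 0/0, i.e. only a 0/0 proposal."""
    if spec is None:
        return proto == 0 and port == 0
    sproto, sport = spec.split('/', 1)
    if int(sproto) != proto:
        return False
    return sport in ('%any', '0') or int(sport) == port


def diagnose(conf_text, log_line):
    """Return {conn name: [reasons it cannot match]}; an empty list means the conn would match."""
    p = parse_proposal(log_line)
    report = {}
    for name, c in parse_conf(conf_text).items():
        problems = []
        if 'left' in c and c['left'] != p['left']:
            problems.append('left=%s is not the proposed local host %s' % (c['left'], p['left']))
        for side, proto, port in (('left', p['lproto'], p['lport']), ('right', p['rproto'], p['rport'])):
            spec = c.get(side + 'protoport')
            if not protoport_matches(spec, proto, port):
                problems.append('%sprotoport=%s does not cover %d/%d' % (side, spec or '(unset)', proto, port))
        report[name] = problems
    return report


if __name__ == '__main__':
    for name, problems in diagnose(IPSEC_CONF, PLUTO_LINE).items():
        print(name, '->', '; '.join(problems) or 'would match')
```

Run as-is, every conn is rejected, and roadwarrior-l2tp is rejected only for `rightprotoport=17/1701 does not cover 17/49241`; rerunning with that line changed to `rightprotoport=17/%any` reports the conn as matching, which is the check worth making before touching anything else in the file.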
