ipsec (openswan) + l2tp (xl2tpd) + win client = problem
Good day. Please help me solve a problem, because I no longer know where to dig; I have googled and re-googled, read the man pages and so on, and in most cases the configs are the same everywhere. I need a hint or a pointer in the right direction. What I have: CentOS 6.3, iptables + masquerade, ipsec (package openswan-2.6.32-18.el6_3.i686, shipped with the OS) and l2tp (package xl2tpd-1.3.1-4.el6.i686, installed from the repos via yum), ppp (ppp-2.4.5-5.el6.i686, shipped with the OS at install time). yum finds no updates. The task is to make all of this work with a Windows client. I know about NAT-T, and I know about the Windows registry key. The interesting part is that, judging by the logs, the ipsec channel is created without problems (that, as I understand it, is where the whole difficulty with NAT lies), and after that there is silence; l2tp doesn't even seem to try to set up its channel. Over the LAN everything works. Ports 500, 4500 and -p 50 are open. I don't see anything from l2tp in the logs, which is why I say "silence". In Linux I'm basically a noob; about 3 weeks ago I installed this OS on my home server and set it up, and I really like the system :)
Configs and logs are attached.
Network diagram:
LAN (10.0.7.0/26) ---- [10.0.7.1 CentOS nat ppp0 (gateway)] ------ internet ---- [nat] ---- win l2tp client (any IP)
cat /var/log/secure
Sep 3 17:54:01 server pluto[31126]: packet from 178.127.118.208:64464: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Sep 3 17:54:01 server pluto[31126]: packet from 178.127.118.208:64464: received Vendor ID payload [RFC 3947] method set to=109
Sep 3 17:54:01 server pluto[31126]: packet from 178.127.118.208:64464: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Sep 3 17:54:01 server pluto[31126]: packet from 178.127.118.208:64464: ignoring Vendor ID payload [FRAGMENTATION]
Sep 3 17:54:01 server pluto[31126]: packet from 178.127.118.208:64464: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Sep 3 17:54:01 server pluto[31126]: packet from 178.127.118.208:64464: ignoring Vendor ID payload [Vid-Initial-Contact]
Sep 3 17:54:01 server pluto[31126]: packet from 178.127.118.208:64464: ignoring Vendor ID payload [IKE CGA version 1]
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: responding to Main Mode from unknown peer 178.127.118.208
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.7'
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: deleting connection "L2TP-PSK-NAT" instance with peer 178.127.118.208 {isakmp=#0/ipsec=#0}
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: new NAT mapping for #12, was 178.127.118.208:64464, now 178.127.118.208:62687
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: the peer proposed: 178.127.57.89/32:17/1701 -> 192.168.0.7/32:17/0
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: peer proposal was reject in a virtual connection policy because:
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: peer proposal was reject in a virtual connection policy because:
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: responding to Quick Mode proposal {msgid:01000000}
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: us: 178.127.57.89[+S=C]:17/1701
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: them: 178.127.118.208[192.168.0.7,+S=C]:17/1701===192.168.0.7/32
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x96537d66 <0x5a8cfa2f xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.7 NATD=178.127.118.208:62687 DPD=none}
Sep 3 17:54:09 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: received Delete SA(0x96537d66) payload: deleting IPSEC State #13
Sep 3 17:54:09 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Sep 3 17:54:09 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: received and ignored informational message
Sep 3 17:54:09 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: received Delete SA payload: deleting ISAKMP State #12
Sep 3 17:54:09 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208: deleting connection "L2TP-PSK-NAT" instance with peer 178.127.118.208 {isakmp=#0/ipsec=#0}
Sep 3 17:54:09 server pluto[31126]: packet from 178.127.118.208:62687: received and ignored informational message
cat /var/log/xl2tpd.log
using channel 2
Using interface ppp1
Connect: ppp1 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MD5> <magic 0xa73090bc> <pcomp> <accomp>]
rcvd [LCP ConfNak id=0x1 <auth chap MS-v2>]
sent [LCP ConfReq id=0x2 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0xa73090bc> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0xa73090bc> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x53a923ea> <pcomp> <accomp> <callback CBCP>]
sent [LCP ConfRej id=0x1 <callback CBCP>]
rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x53a923ea> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x53a923ea> <pcomp> <accomp>]
sent [CHAP Challenge id=0x8f <4c9a7e6904d4f2cf2e487ee51e5e9521>, name = "OpenswanVPN"]
rcvd [LCP Ident id=0x3 magic=0x53a923ea "MSRASV5.20"]
rcvd [LCP Ident id=0x4 magic=0x53a923ea "MSRAS-0-BENDER"]
rcvd [LCP Ident id=0x5 magic=0x53a923ea "\001\37777777651\37777777727\37777777700\377777776435JC\37777777654\37777777607\37777777762=v\37777777737&="]
rcvd [CHAP Response id=0x8f <3eb30aa3c11c83e5816e2a00b9fc41e70000000000000000a2f36a8b01a7e8f30b804c94a8456d7cf24188c4483285be00>, name = "user"]
sent [CHAP Success id=0x8f "S=41512281923BEC6C11E35D732D9720A038F846E6 M=Access granted"]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.0.7.9>]
rcvd [CCP ConfReq id=0x6 <mppe +H -M -S -L -D -C>]
Unsupported protocol 'Compression Control Protocol' (0x80fd) received
sent [LCP ProtRej id=0x3 80 fd 01 06 00 0a 12 06 01 00 00 00]
rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
sent [IPCP ConfRej id=0x7 <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 10.0.7.9>]
rcvd [IPCP ConfReq id=0x8 <addr 0.0.0.0>]
sent [IPCP ConfNak id=0x8 <addr 10.0.7.40>]
rcvd [IPCP ConfAck id=0x2 <addr 10.0.7.9>]
rcvd [IPCP ConfReq id=0x9 <addr 10.0.7.40>]
sent [IPCP ConfAck id=0x9 <addr 10.0.7.40>]
found interface eth1 for proxy arp
local IP address 10.0.7.9
remote IP address 10.0.7.40
Script /etc/ppp/ip-up started (pid 20404)
Script /etc/ppp/ip-up finished (pid 20404), status = 0x0
rcvd [LCP TermReq id=0xa "S\37777777651#\37777777752\000<\37777777715t\000\000\000\000"]
LCP terminated by peer (SM-)#M-j^@<M-Mt^@^@^@^@)
Connect time 1.9 minutes.
Sent 0 bytes, received 29620 bytes.
Script /etc/ppp/ip-down started (pid 20416)
sent [LCP TermAck id=0xa]
using channel 3
Using interface ppp1
Connect: ppp1 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MD5> <magic 0xe0248135> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x42144065> <pcomp> <accomp> <callback CBCP>]
sent [LCP ConfRej id=0x0 <callback CBCP>]
rcvd [LCP ConfNak id=0x1 <auth chap MS-v2>]
sent [LCP ConfReq id=0x2 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0xe0248135> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x42144065> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x42144065> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0xe0248135> <pcomp> <accomp>]
sent [CHAP Challenge id=0x97 <715d61f11dfab46bd1e3abf458384962>, name = "OpenswanVPN"]
rcvd [LCP Ident id=0x2 magic=0x42144065 "MSRASV5.20"]
rcvd [LCP Ident id=0x3 magic=0x42144065 "MSRAS-0-BENDER"]
rcvd [LCP Ident id=0x4 magic=0x42144065 "E\37777777675\37777777634)\37777777725&\37777777764N\37777777646\37777777663\37777777666j\37777777606JtM"]
rcvd [CHAP Response id=0x97 <4623b7ac0df9acf7a7b89fd4643938820000000000000000c1d14fa3858edbe84c9487f04eb64644e70479286b9fb40900>, name = "user"]
sent [CHAP Success id=0x97 "S=208A98485ECC66496BD0668A3CA870DD6541637B M=Access granted"]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.0.7.2>]
rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D -C>]
Unsupported protocol 'Compression Control Protocol' (0x80fd) received
sent [LCP ProtRej id=0x3 80 fd 01 05 00 0a 12 06 01 00 00 00]
rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
sent [IPCP ConfRej id=0x6 <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 10.0.7.2>]
rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0>]
sent [IPCP ConfNak id=0x7 <addr 10.0.7.40>]
rcvd [IPCP ConfAck id=0x2 <addr 10.0.7.2>]
rcvd [IPCP ConfReq id=0x8 <addr 10.0.7.40>]
sent [IPCP ConfAck id=0x8 <addr 10.0.7.40>]
found interface eth1 for proxy arp
local IP address 10.0.7.2
remote IP address 10.0.7.40
Script /etc/ppp/ip-up started (pid 20461)
Script /etc/ppp/ip-up finished (pid 20461), status = 0x0
rcvd [LCP TermReq id=0x9 "B\024@e\000<\37777777715t\000\000\000\000"]
LCP terminated by peer (B^T@e^@<M-Mt^@^@^@^@)
Connect time 16.7 minutes.
Sent 0 bytes, received 45566 bytes.
Script /etc/ppp/ip-down started (pid 20579)
sent [LCP TermAck id=0x9]
Modem hangup
Connection terminated.
cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.7.0/26
    protostack=netkey
    interfaces=%defaultroute
    oe=off
conn L2TP-PSK-NAT
    authby=secret
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    auto=add
cat /etc/ipsec.d/ip
10.0.7.1 %any: PSK "myipsecpass"
cat /etc/xl2tpd/xl2tpd.conf
ipsec saref = yes
debug tunnel = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
;force userspace =yes
[lns default]
ip range = 10.0.7.40-10.0.7.50
local ip = 10.0.7.2
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
cat /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
auth
noccp
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.log
"user" l2tpVPN "mypass" *
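As an added example (my own code, not part of the original post and not from the Openswan or xl2tpd projects): a Python script that reads the two logs above and pulls out what a reader would check first: whether IKE phase 1 and phase 2 completed and with which parameters, what virtual_private list the running pluto actually applied when it rejected the peer's proposal, how PPP authentication, CCP and DNS were negotiated, and whether the PPP link carried traffic in both directions. The embedded log excerpts are constructed copies of lines quoted in this post; the finding tags and the suggested checks are mine.

```python
"""Triage helper for the pluto (Openswan) and pppd/xl2tpd logs of an L2TP/IPsec server.
Added example, not code from the original post: the two excerpts below are constructed
from lines quoted in the post, and the finding texts and tags are my own."""
import re

# Constructed excerpt of /var/log/secure (pluto), trimmed to the lines that matter.
PLUTO_LOG = """\
Sep 3 17:54:01 server pluto[31126]: "L2TP-PSK-NAT"[12] 178.127.118.208 #12: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: the peer proposed: 178.127.57.89/32:17/1701 -> 192.168.0.7/32:17/0
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #12: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Sep 3 17:54:02 server pluto[31126]: "L2TP-PSK-NAT"[13] 178.127.118.208 #13: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x96537d66 <0x5a8cfa2f xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.7 NATD=178.127.118.208:62687 DPD=none}
"""

# Constructed excerpt of /var/log/xl2tpd.log (pppd debug output), first session.
PPP_LOG = """\
sent [LCP ConfReq id=0x2 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0xa73090bc> <pcomp> <accomp>]
rcvd [CCP ConfReq id=0x6 <mppe +H -M -S -L -D -C>]
Unsupported protocol 'Compression Control Protocol' (0x80fd) received
sent [IPCP ConfRej id=0x7 <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
local IP address 10.0.7.9
remote IP address 10.0.7.40
Sent 0 bytes, received 29620 bytes.
"""


def _kv(blob: str) -> dict:
    """Turn pluto's '{a=1 b=2 <junk>}' summaries into a dict; tokens without '=' are dropped."""
    return dict(tok.split("=", 1) for tok in blob.split() if "=" in tok)


def parse_pluto(text: str) -> dict:
    """Extract the IKE phase 1 / phase 2 outcome and the NAT-T facts from pluto syslog lines."""
    info = {"isakmp": None, "ipsec": None, "peer_natted": False,
            "virtual_private_rejects": 0, "virtual_private": None, "proposed": None}
    for line in text.splitlines():
        if m := re.search(r"ISAKMP SA established \{(.*)\}", line):
            info["isakmp"] = _kv(m.group(1))
        elif m := re.search(r"IPsec SA established (\w+) mode \{(.*)\}", line):
            info["ipsec"] = {"mode": m.group(1), **_kv(m.group(2))}
        elif "peer is NATed" in line:
            info["peer_natted"] = True
        elif m := re.search(r"did not match our list \(virtual_private=(.*)\)", line):
            info["virtual_private_rejects"] += 1
            info["virtual_private"] = m.group(1)  # the list the running daemon actually applied
        elif m := re.search(r"the peer proposed: (\S+) -> (\S+)", line):
            info["proposed"] = (m.group(1), m.group(2))
    return info


def parse_ppp(text: str) -> dict:
    """Extract negotiated auth, CCP/DNS outcome, addresses and traffic counters from pppd output."""
    info = {"auth": None, "ccp_rejected": False, "dns_offered": True,
            "local_ip": None, "remote_ip": None, "sent": None, "received": None}
    for line in text.splitlines():
        if line.startswith("sent [LCP ConfReq"):
            if m := re.search(r"<auth chap ([^>]+)>", line):
                info["auth"] = m.group(1)  # last auth protocol the server offered
        elif "Unsupported protocol 'Compression Control Protocol'" in line:
            info["ccp_rejected"] = True  # pppd ran with noccp and refused MPPE
        elif line.startswith("sent [IPCP ConfRej") and "ms-dns" in line:
            info["dns_offered"] = False  # client asked for DNS/WINS, server had none to give
        elif m := re.match(r"local IP address (\S+)", line):
            info["local_ip"] = m.group(1)
        elif m := re.match(r"remote IP address (\S+)", line):
            info["remote_ip"] = m.group(1)
        elif m := re.match(r"Sent (\d+) bytes, received (\d+) bytes", line):
            info["sent"], info["received"] = int(m.group(1)), int(m.group(2))
    return info


def diagnose(ipsec: dict, ppp: dict) -> list:
    """Return tagged findings; the tag before the first ':' is stable so it can be grepped."""
    out = []
    if not ipsec["isakmp"]:
        out.append("IKE1_FAILED: no 'ISAKMP SA established' line, phase 1 never completed")
    if not ipsec["ipsec"]:
        out.append("IKE2_FAILED: no IPsec SA was installed for UDP/1701")
    if ipsec["virtual_private_rejects"] and ipsec["virtual_private"] == "":
        out.append("VIRTUAL_PRIVATE_EMPTY: pluto rejected %s against an empty virtual_private list; "
                   "compare with 'ipsec auto --status' (the virtual_private= line must be indented "
                   "under 'config setup') and restart ipsec after changing it"
                   % (ipsec["proposed"][1] if ipsec["proposed"] else "the peer's private address"))
    if ppp["sent"] == 0 and (ppp["received"] or 0) > 0:
        out.append("ONE_WAY_PPP: pppd received %d bytes but sent none; check the return path with "
                   "'ip xfrm policy', 'ip xfrm state' and 'tcpdump -ni any udp port 1701'"
                   % ppp["received"])
    if not ppp["dns_offered"]:
        out.append("NO_DNS: client requested DNS/WINS and was refused; add 'ms-dns <ip>' to the pppd options")
    return out


if __name__ == "__main__":
    for finding in diagnose(parse_pluto(PLUTO_LOG), parse_ppp(PPP_LOG)):
        print(finding)
```

Run it as-is to see the findings for the posted excerpts, or feed parse_pluto() and parse_ppp() the real files. An empty `(virtual_private=)` in the log while ipsec.conf carries a list only tells you that the running daemon and the file disagree; the script points at the check, it does not prove the cause, and the one-way byte counters likewise flag something to look at rather than a definite fault.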