I am trying to set up L2TP + IPsec on a VPS (DigitalOcean).
/etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    # the value must list every private network that is allowed to appear
    # as the subnet of a remote VPN client. In other words, it is the range
    # of IP addresses sitting behind the router and NAT (which our VPN server
    # is) through which the VPN clients connect; our own L2TP pool
    # 10.152.2.0/24 is excluded with "!"
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    # PSK authentication: any peer that knows the key (right=%any) may negotiate
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to the corresponding Windows defaults
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)
    left=VPS_IP
    # For VPN clients on Windows 2000/XP, i.e. to support clients on
    # legacy operating systems, use leftprotoport=17/%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    #force all to be nat'ed. because of iOS
    forceencaps=yes
/etc/ipsec.secrets
VPS_IP %any: PSK "longpassword"
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
/etc/ppp/chap-secrets
login1 l2tpd password1 *
login2 l2tpd password2 *
+ a script (added to rc.local)
# NAT everything that leaves the box; note there is no -s 10.152.2.0/24
# or -o eth0 restriction, so every forwarded source is masqueraded
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ICMP redirects on every interface (ipsec verify checks these)
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
# restart IPsec after the sysctl changes (this is the stop/start seen in the logs below)
/etc/init.d/ipsec restart
ipsec verify outputs:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-36-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Logs:
Oct 18 13:14:36 VPN kernel: [ 3.850673] cirrus 0000:00:02.0: registered panic notifier
Oct 18 13:14:36 VPN kernel: [ 3.880161] [drm] Initialized cirrus 1.0.0 20110418 for 0000:00:02.0 on minor 0
Oct 18 13:14:36 VPN kernel: [ 5.241825] init: failsafe main process (657) killed by TERM signal
Oct 18 13:14:36 VPN rsyslogd-2039: Could no open output pipe '/dev/xconsole': No such file or directory [try http://www.rsyslog.com/e/2039 ]
Oct 18 13:14:36 VPN kernel: [ 5.551077] type=1400 audit(1413652476.715:8): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/sbin/dhclient" pid=789 comm="apparmor_parser"
Oct 18 13:14:36 VPN kernel: [ 5.551086] type=1400 audit(1413652476.715:9): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=789 comm="apparmor_parser"
Oct 18 13:14:36 VPN kernel: [ 5.551090] type=1400 audit(1413652476.715:10): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=789 comm="apparmor_parser"
Oct 18 13:14:36 VPN acpid: starting up with netlink and the input layer
Oct 18 13:14:36 VPN acpid: 1 rule loaded
Oct 18 13:14:36 VPN acpid: waiting for events: event logging is off
Oct 18 13:14:36 VPN cron[820]: (CRON) INFO (pidfile fd = 3)
Oct 18 13:14:36 VPN cron[859]: (CRON) STARTUP (fork ok)
Oct 18 13:14:36 VPN cron[859]: (CRON) INFO (Running @reboot jobs)
Oct 18 13:14:37 VPN kernel: [ 5.880179] NET: Registered protocol family 15
Oct 18 13:14:37 VPN /usr/sbin/irqbalance: Balancing is ineffective on systems with a single cache domain. Shutting down
Oct 18 13:14:37 VPN ipsec_setup: Starting Openswan IPsec U2.6.38/K3.13.0-36-generic...
Oct 18 13:14:37 VPN ipsec_setup: Using NETKEY(XFRM) stack
Oct 18 13:14:37 VPN kernel: [ 6.184053] Initializing XFRM netlink socket
Oct 18 13:14:37 VPN ipsec_setup: ...Openswan IPsec started
Oct 18 13:14:37 VPN xl2tpd[1016]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Oct 18 13:14:37 VPN xl2tpd[1016]: setsockopt recvref[30]: Protocol not available
Oct 18 13:14:37 VPN xl2tpd[1016]: This binary does not support kernel L2TP.
Oct 18 13:14:37 VPN xl2tpd[1017]: xl2tpd version xl2tpd-1.3.6 started on VPN PID:1017
Oct 18 13:14:37 VPN xl2tpd[1017]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Oct 18 13:14:37 VPN xl2tpd[1017]: Forked by Scott Balmos and David Stipp, (C) 2001
Oct 18 13:14:37 VPN xl2tpd[1017]: Inherited by Jeff McAdams, (C) 2002
Oct 18 13:14:37 VPN xl2tpd[1017]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Oct 18 13:14:37 VPN xl2tpd[1017]: Listening on IP address 0.0.0.0, port 1701
Oct 18 13:14:37 VPN pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 18 13:14:37 VPN ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct 18 13:14:37 VPN kernel: [ 6.548230] ip_tables: (C) 2000-2006 Netfilter Core Team
Oct 18 13:14:37 VPN kernel: [ 6.558386] nf_conntrack version 0.5.0 (7925 buckets, 31700 max)
Oct 18 13:14:37 VPN ipsec_setup: Stopping Openswan IPsec...
Oct 18 13:14:37 VPN ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Oct 18 13:14:37 VPN ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Oct 18 13:14:37 VPN ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct 18 13:14:38 VPN kernel: [ 7.789282] NET: Unregistered protocol family 15
Oct 18 13:14:38 VPN ipsec_setup: ...Openswan IPsec stopped
Oct 18 13:14:39 VPN kernel: [ 7.828808] NET: Registered protocol family 15
Oct 18 13:14:39 VPN ipsec_setup: Starting Openswan IPsec U2.6.38/K3.13.0-36-generic...
Oct 18 13:14:39 VPN ipsec_setup: Using NETKEY(XFRM) stack
Oct 18 13:14:39 VPN kernel: [ 7.969326] Initializing XFRM netlink socket
Oct 18 13:14:39 VPN ipsec_setup: ...Openswan IPsec started
Oct 18 13:14:39 VPN ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct 18 13:14:39 VPN pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 18 13:14:39 VPN kernel: [ 8.128779] init: plymouth-upstart-bridge main process ended, respawning
Oct 18 13:14:39 VPN ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Oct 18 13:14:39 VPN ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Oct 18 13:14:41 VPN ntpdate[454]: step time server 91.189.89.199 offset 0.143457 sec
Oct 18 13:14:47 VPN ntpdate[1456]: adjust time server 91.189.89.199 offset 0.000012 sec
Oct 18 13:14:39 VPN pluto[1395]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Oct 18 13:14:39 VPN pluto[1395]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Oct 18 13:14:39 VPN pluto[1395]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Oct 18 13:14:39 VPN pluto[1395]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Oct 18 13:14:39 VPN pluto[1395]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Oct 18 13:14:39 VPN pluto[1395]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Oct 18 13:14:39 VPN pluto[1395]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Oct 18 13:14:39 VPN pluto[1395]: added connection description "L2TP-PSK-NAT"
Oct 18 13:14:39 VPN pluto[1395]: added connection description "L2TP-PSK-noNAT"
Oct 18 13:14:39 VPN pluto[1395]: listening for IKE messages
Oct 18 13:14:39 VPN pluto[1395]: adding interface eth0/eth0 VPS_IP:500
Oct 18 13:14:39 VPN pluto[1395]: adding interface eth0/eth0 VPS_IP:4500
Oct 18 13:14:39 VPN pluto[1395]: adding interface lo/lo 127.0.0.1:500
Oct 18 13:14:39 VPN pluto[1395]: adding interface lo/lo 127.0.0.1:4500
Oct 18 13:14:39 VPN pluto[1395]: adding interface lo/lo ::1:500
Oct 18 13:14:39 VPN pluto[1395]: loading secrets from "/etc/ipsec.secrets"
Oct 18 13:14:39 VPN pluto[1395]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Oct 18 13:14:51 VPN sshd[1461]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Oct 18 13:14:59 VPN sshd[1461]: Accepted password for root from 95.183.77.49 port 6815 ssh2
Oct 18 13:14:59 VPN sshd[1461]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 18 13:15:10 VPN pluto[1395]: packet from 83.149.9.94:54672: received Vendor ID payload [RFC 3947] method set to=115
Oct 18 13:15:10 VPN pluto[1395]: packet from 83.149.9.94:54672: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Oct 18 13:15:10 VPN pluto[1395]: packet from 83.149.9.94:54672: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Oct 18 13:15:10 VPN pluto[1395]: packet from 83.149.9.94:54672: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 18 13:15:10 VPN pluto[1395]: packet from 83.149.9.94:54672: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Oct 18 13:15:10 VPN pluto[1395]: packet from 83.149.9.94:54672: received Vendor ID payload [Dead Peer Detection]
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: responding to Main Mode from unknown peer 83.149.9.94
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: Main mode peer ID is ID_IPV4_ADDR: '10.187.247.244'
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: deleting connection "L2TP-PSK-NAT" instance with peer 83.149.9.94 {isakmp=#0/ipsec=#0}
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: new NAT mapping for #1, was 83.149.9.94:54672, now 83.149.9.94:64708
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: Dead Peer Detection (RFC 3706): enabled
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: received and ignored informational message
Oct 18 13:15:11 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: the peer proposed: VPS_IP/32:17/1701 -> 10.187.247.244/32:17/0
Oct 18 13:15:11 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: responding to Quick Mode proposal {msgid:a2889b90}
Oct 18 13:15:11 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: us: VPS_IP<VPS_IP>:17/1701
Oct 18 13:15:11 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: them: 83.149.9.94[10.187.247.244]:17/0===10.187.247.244/32
Oct 18 13:15:11 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 18 13:15:11 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 18 13:15:12 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: Dead Peer Detection (RFC 3706): enabled
Oct 18 13:15:12 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 18 13:15:12 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0bac6d0c <0x2eaf07f5 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=83.149.9.94:64708 DPD=enabled}
None of the clients can connect.
Can you tell me what the problem might be? Thanks.
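The log quoted above ends at pluto's "IPsec SA established transport mode" line and never shows xl2tpd reporting a control connection for the peer, which is the distinction a reader has to make by hand. The script below is an added example, not code from the original post or from Openswan/xl2tpd: it parses pluto's per-peer state lines and reports the furthest stage each IKE peer reached, the IKE and ESP parameters actually negotiated, how many times ipsec_setup started during the boot, and which negotiated values deserve a second look (the 1024-bit modp group and SHA-1 PRF that the log shows, and a PSK offered to right=%any). The sample log is constructed from lines quoted in the post, with the server address kept as the VPS_IP placeholder; the xl2tpd "Connection established to" text used to detect a successful L2TP control connection is an assumption, as is Python 3.8+ for the walrus operator.

```python
"""Triage an Openswan (pluto) + xl2tpd syslog: how far did each peer get?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a subset of the lines quoted in the post (VPS address
# kept as the VPS_IP placeholder), including the restart done from rc.local.
SAMPLE_LOG = """\
Oct 18 13:14:37 VPN ipsec_setup: ...Openswan IPsec started
Oct 18 13:14:37 VPN ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct 18 13:14:37 VPN ipsec_setup: Stopping Openswan IPsec...
Oct 18 13:14:39 VPN ipsec_setup: ...Openswan IPsec started
Oct 18 13:14:39 VPN pluto[1395]: listening for IKE messages
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: responding to Main Mode from unknown peer 83.149.9.94
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[1] 83.149.9.94 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Oct 18 13:15:10 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Oct 18 13:15:11 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #1: the peer proposed: VPS_IP/32:17/1701 -> 10.187.247.244/32:17/0
Oct 18 13:15:12 VPN pluto[1395]: "L2TP-PSK-NAT"[2] 83.149.9.94 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0bac6d0c <0x2eaf07f5 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=83.149.9.94:64708 DPD=enabled}
"""

# Milestones of one L2TP/IPsec attempt, in order; the index is the "stage".
STAGES = ["IKE phase 1 started", "ISAKMP SA established",
          "IPsec SA established", "L2TP control connection"]

TS = r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ '
PLUTO_RE = re.compile(TS + r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] '
                      r'(?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
XL2TPD_RE = re.compile(TS + r'xl2tpd\[\d+\]: (?P<msg>.*)$')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
IPSEC_RE = re.compile(r'IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}')
# Assumption: this is the text xl2tpd logs when an L2TP control connection
# (the step after ESP) comes up for a peer.
L2TP_OK_RE = re.compile(r'Connection established to (?P<peer>[\d.]+)')

# Negotiated IKE values an operator should at least know about.
WEAK = {"group=modp1024": "1024-bit DH group (modp1024)",
        "prf=oakley_sha": "SHA-1 PRF",
        "auth=OAKLEY_PRESHARED_KEY": "PSK, offered to right=%any"}


@dataclass
class PeerReport:
    peer: str
    stage: int = 0
    nat_t: bool = False
    ike_params: Dict[str, str] = field(default_factory=dict)
    esp_params: Dict[str, str] = field(default_factory=dict)
    weak: List[str] = field(default_factory=list)

    def stage_name(self) -> str:
        return STAGES[self.stage]


def _parse_params(text: str) -> Dict[str, str]:
    """'auth=X cipher=Y <0x2eaf07f5' -> {'auth': 'X', 'cipher': 'Y'}."""
    return dict(t.split("=", 1) for t in text.split() if "=" in t)


def triage(log: str) -> Dict[str, PeerReport]:
    """Furthest stage reached and negotiated parameters, per IKE peer."""
    reports: Dict[str, PeerReport] = {}
    for line in log.splitlines():
        if (m := PLUTO_RE.match(line)):
            rep = reports.setdefault(m["peer"], PeerReport(m["peer"]))
            msg = m["msg"]
            if "NAT-Traversal: Result" in msg and "NATed" in msg:
                rep.nat_t = True
            if (p := ISAKMP_RE.search(msg)):
                rep.ike_params = _parse_params(p["params"])
                rep.weak = [v for k, v in WEAK.items() if k in p["params"]]
                rep.stage = max(rep.stage, 1)
            if (p := IPSEC_RE.search(msg)):
                rep.esp_params = _parse_params(p["params"])
                rep.esp_params["mode"] = p["mode"]
                rep.stage = max(rep.stage, 2)
        elif (m := XL2TPD_RE.match(line)) and (p := L2TP_OK_RE.search(m["msg"])):
            # In transport mode with NATOA=none, xl2tpd sees the same
            # post-NAT address pluto logged, so an exact match is enough.
            if p["peer"] in reports:
                reports[p["peer"]].stage = max(reports[p["peer"]].stage, 3)
    return reports


def restart_count(log: str) -> int:
    """Times ipsec_setup reported a start; >1 in one boot means a restart."""
    return sum("...Openswan IPsec started" in l for l in log.splitlines())


def summarize(log: str) -> List[str]:
    """One line per finding; the stage says which layer to debug next."""
    out = []
    if (n := restart_count(log)) > 1:
        out.append(f"ipsec_setup started {n} times in this log (restart from rc.local?)")
    for rep in triage(log).values():
        out.append(f"{rep.peer}: reached '{rep.stage_name()}'"
                   f"{' via NAT-T' if rep.nat_t else ''}; "
                   f"ike={rep.ike_params.get('cipher', '?')}/{rep.ike_params.get('group', '?')} "
                   f"esp={rep.esp_params.get('xfrm', '?')} {rep.esp_params.get('mode', '?')} mode")
        if rep.stage == 2:
            out.append("  -> ESP is up; next layer is UDP/1701 to xl2tpd "
                       "(tcpdump -ni any udp port 1701, xl2tpd -D, INPUT rules)")
        out.extend(f"  review: {w}" for w in rep.weak)
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against /var/log/auth.log or /var/log/syslog by reading the file into `summarize()`; a peer stuck at "IPsec SA established" means IKE and ESP are fine and the next thing to inspect is whether decapsulated UDP/1701 packets reach xl2tpd, while a peer stuck at "IKE phase 1 started" points at the PSK or the proposal instead.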