Good day! Please share your experience deploying L2TP over IPsec on Openswan: does anyone have a working setup?
I decided to set up a VPN server at home so I could connect to it from outside. The configuration is: Ubuntu 10.04.3 Desktop, Openswan 2.6.38, the server sits behind NAT, the external IP is static. Remote clients: Mac OS X 10.7, iPad. The clients connect either from another network (at work) or from a public IP via a cellular 3G carrier.
On the whole it all works, but only for a while.
After a few hours of operation (or, conversely, after frequent connecting and disconnecting) the connection drops. And it is impossible to reconnect until I ssh into the server and restart IPsec. The most interesting part is that if I change the point from which I reach the Internet, the connection comes up! For example, if the drop happened over the office network, I take the iPad, connect over cellular 3G, and everything works. But after some time there is another failure, and then it won't reconnect from there either.
So it seems to remember the old connection and refuses to create a new identical one. Dead Peer Detection is enabled and working (I checked), so that is not the issue here.
So as not to make unsupported claims, here are the logs.
Here is /var/log/auth.log for a successful connection:
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [RFC 3947] method set to=115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
May 4 13:58:31 Atom pluto[12712]: packet from 12.34.56.78:891: received Vendor ID payload [Dead Peer Detection]
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: responding to Main Mode from unknown peer 12.34.56.78
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.32.87'
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[1] 12.34.56.78 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: deleting connection "L2TP-PSK-NAT" instance with peer 12.34.56.78 {isakmp=#0/ipsec=#0}
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: new NAT mapping for #1, was 12.34.56.78:891, now 12.34.56.78:51484
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: Dead Peer Detection (RFC 3706): enabled
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: the peer proposed: 11.22.33.44/32:17/1701 -> 192.168.32.87/32:17/0
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: responding to Quick Mode proposal {msgid:f59ff489}
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: us: 10.0.0.0/24===10.0.0.2<10.0.0.2>:17/1701---10.0.0.1
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: them: 12.34.56.78[192.168.32.87]:17/0===192.168.32.87/32
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: netlink_raw_eroute: WARNING: that_client port 51228 and that_host port 51484 don't match. Using that_client port.
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: Dead Peer Detection (RFC 3706): enabled
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0c34faa3 <0xfed74628 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.32.87 NATD=12.34.56.78:51484 DPD=enabled}
Here 11.22.33.44 is my server's external IP, and 12.34.56.78 is the external IP of the network the client connects from.
And here is /var/log/auth.log for a failed connection:
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [RFC 3947] method set to=115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
May 4 13:56:41 Atom pluto[12092]: packet from 12.34.56.78:891: received Vendor ID payload [Dead Peer Detection]
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: responding to Main Mode from unknown peer 12.34.56.78
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: STATE_MAIN_R1: sent MR1, expecting MI2
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: STATE_MAIN_R2: sent MR2, expecting MI3
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: Main mode peer ID is ID_IPV4_ADDR: '192.168.32.87'
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[18] 12.34.56.78 #21: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: deleting connection "L2TP-PSK-NAT" instance with peer 12.34.56.78 {isakmp=#0/ipsec=#0}
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: new NAT mapping for #21, was 12.34.56.78:891, now 12.34.56.78:39196
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: Dead Peer Detection (RFC 3706): enabled
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: the peer proposed: 11.22.33.44/32:17/1701 -> 192.168.32.87/32:17/0
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: responding to Quick Mode proposal {msgid:fad503af}
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: us: 10.0.0.0/24===10.0.0.2<10.0.0.2>:17/1701---10.0.0.1
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: them: 12.34.56.78[192.168.32.87]:17/0===192.168.32.87/32
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: netlink_raw_eroute: WARNING: that_client port 51832 and that_host port 39196 don't match. Using that_client port.
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: Dead Peer Detection (RFC 3706): enabled
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x089f8308 <0xd29fb1ca xfrm=AES_256-HMAC_SHA1 NATOA=192.168.32.87 NATD=12.34.56.78:39196 DPD=enabled}
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received Delete SA(0x089f8308) payload: deleting IPSEC State #22
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received and ignored informational message
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received Delete SA payload: deleting ISAKMP State #21
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78: deleting connection "L2TP-PSK-NAT" instance with peer 12.34.56.78 {isakmp=#0/ipsec=#0}
May 4 13:57:02 Atom pluto[12092]: packet from 12.34.56.78:39196: received and ignored informational message
Here 11.22.33.44 is my server's external IP, and 12.34.56.78 is the external IP of the network the client connects from.
To make it easier, I'll give only the final lines in which these logs differ. These lines appear at the end of the failed connection's log:
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received Delete SA(0x089f8308) payload: deleting IPSEC State #22
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received and ignored informational message
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received Delete SA payload: deleting ISAKMP State #21
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78: deleting connection "L2TP-PSK-NAT" instance with peer 12.34.56.78 {isakmp=#0/ipsec=#0}
May 4 13:57:02 Atom pluto[12092]: packet from 12.34.56.78:39196: received and ignored informational message
I tried googling; some things turn up, but nothing that could help solve the problem.
So I am asking the community to share their observations; surely Openswan works fine for many people, after all it is a well-known, actively developed project.
Finally, the IPsec config file (/etc/ipsec.conf):
version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16,%v4:192.168.1.0/24,%v4:172.16.0.0/12,%$
        oe=off
        protostack=netkey

# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        # type=transport
        type=tunnel
        # esp=aes128-sha1
        # ike=aes128-sha-modp1024
        left=10.0.0.2
        leftsubnet=10.0.0.0/24
        leftnexthop=10.0.0.1
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/0
        #added dead peer detection
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
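The two excerpts above differ only in their tail, and reading them side by side by hand is tedious once a log covers a day of reconnects. Below is an added example, written for this page and not code from the original post or from the Openswan project: a small Python parser that reconstructs the SA lifecycle per peer from pluto's auth.log lines, cross-checks that the SPI named in the peer's Delete SA matches the outbound ESP SPI pluto logged for the state being deleted, and flags the kernel errors and NAT-T port warnings seen above. Sessions are keyed by pluto PID as well as peer address because the state numbers (#1, #21) restart with each pluto process, which is exactly what the excerpts show (pid 12712 after the restart, pid 12092 before it). The sample log is constructed by abridging the two posted excerpts; the message patterns match the Openswan 2.6 log format visible on this page and nothing else is assumed about the system.

```python
"""Reconstruct IKE/IPsec SA lifecycles from Openswan pluto auth.log lines."""
import errno
import re
from dataclasses import dataclass, field

# Constructed sample: abridged from the two auth.log excerpts in the post
# (same peer, state numbers and SPIs). Not a fresh capture from a live system.
SAMPLE_LOG = """\
May 4 13:58:31 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: netlink_raw_eroute: WARNING: that_client port 51228 and that_host port 51484 don't match. Using that_client port.
May 4 13:58:32 Atom pluto[12712]: "L2TP-PSK-NAT"[2] 12.34.56.78 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0c34faa3 <0xfed74628 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.32.87 NATD=12.34.56.78:51484 DPD=enabled}
May 4 13:56:41 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
May 4 13:56:42 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #22: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x089f8308 <0xd29fb1ca xfrm=AES_256-HMAC_SHA1 NATOA=192.168.32.87 NATD=12.34.56.78:39196 DPD=enabled}
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received Delete SA(0x089f8308) payload: deleting IPSEC State #22
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78 #21: received Delete SA payload: deleting ISAKMP State #21
May 4 13:57:02 Atom pluto[12092]: "L2TP-PSK-NAT"[19] 12.34.56.78: deleting connection "L2TP-PSK-NAT" instance with peer 12.34.56.78 {isakmp=#0/ipsec=#0}
May 4 13:57:02 Atom pluto[12092]: packet from 12.34.56.78:39196: received and ignored informational message
"""

# Lines that carry connection context: "conn"[instance] peer [#state]: message.
# "packet from ..." lines have no state and are skipped.
CONN_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[^\s:]+)(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)
ISAKMP_UP = re.compile(r'ISAKMP SA established')
IPSEC_UP = re.compile(r'IPsec SA established .*\{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)')
DEL_IPSEC = re.compile(r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload: deleting IPSEC State #(?P<st>\d+)')
DEL_ISAKMP = re.compile(r'received Delete SA payload: deleting ISAKMP State #(?P<st>\d+)')
XFRM_ERR = re.compile(r'ERROR: netlink (?P<op>XFRM_MSG_\w+) .*errno (?P<errno>\d+)')
PORT_MISMATCH = re.compile(r"that_client port (?P<client>\d+) and that_host port (?P<host>\d+) don't match")


@dataclass
class PeerSession:
    pid: str
    peer: str
    isakmp_up: dict = field(default_factory=dict)   # state -> timestamp
    ipsec_up: dict = field(default_factory=dict)    # state -> (outbound SPI, inbound SPI)
    deleted: set = field(default_factory=set)       # states removed on the peer's Delete SA
    spi_mismatch: list = field(default_factory=list)
    xfrm_errors: list = field(default_factory=list)  # (timestamp, netlink op, errno)
    port_mismatch: list = field(default_factory=list)

    def live_states(self):
        """States established in this pluto process and never deleted."""
        return sorted((set(self.isakmp_up) | set(self.ipsec_up)) - self.deleted, key=int)


def analyse(log_text):
    """Group pluto lines by (pid, peer) and track what happened to each SA."""
    sessions = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        key = (m['pid'], m['peer'])
        s = sessions.setdefault(key, PeerSession(*key))
        state, msg, ts = m['state'], m['msg'], m['ts']
        if ISAKMP_UP.search(msg):
            s.isakmp_up[state] = ts
        elif (u := IPSEC_UP.search(msg)):
            s.ipsec_up[state] = (u['out'], u['in'])
        elif (d := DEL_IPSEC.search(msg)):
            s.deleted.add(d['st'])
            # The peer identifies the SA by its own inbound SPI, which is the
            # outbound ESP=> SPI pluto logged for us; anything else is suspicious.
            known = s.ipsec_up.get(d['st'])
            if known is None or known[0] != d['spi']:
                s.spi_mismatch.append((d['st'], d['spi']))
        elif (d := DEL_ISAKMP.search(msg)):
            s.deleted.add(d['st'])
        elif (e := XFRM_ERR.search(msg)):
            s.xfrm_errors.append((ts, e['op'], int(e['errno'])))
        elif (p := PORT_MISMATCH.search(msg)):
            s.port_mismatch.append((int(p['client']), int(p['host'])))
    return sessions


def findings(sessions):
    """Human-readable summary, one line per notable fact."""
    out = []
    for (pid, peer), s in sorted(sessions.items()):
        tag = f"pluto[{pid}] peer {peer}"
        live = s.live_states()
        if live:
            out.append(f"{tag}: live states {live}")
        else:
            out.append(f"{tag}: all {len(s.deleted)} states torn down at the peer's request, nothing live")
        for ts, op, num in s.xfrm_errors:
            name = errno.errorcode.get(num, str(num))
            out.append(f"{tag}: {ts} kernel answered {op} with {name}: the policy pluto asked to delete was already gone")
        for st, spi in s.spi_mismatch:
            out.append(f"{tag}: Delete SA for 0x{spi} removed state #{st}, but that SPI was never logged as established")
        for client, host in s.port_mismatch:
            out.append(f"{tag}: NAT-T port mismatch, that_client {client} vs that_host {host}; eroute used the client port")
    return out


if __name__ == "__main__":
    for line in findings(analyse(SAMPLE_LOG)):
        print(line)
```

Run it against a real /var/log/auth.log (`analyse(open('/var/log/auth.log').read())`) right after a failed reconnect: a peer whose session shows no live states but whose next Main Mode attempt still fails points at state outside pluto's own tables, which is where `ip xfrm state` and `ip xfrm policy` on the server are worth comparing against what pluto believes.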