Good day. I am trying to make a client-to-site connection to a VPN over L2TP with IPsec PSK encryption.
From my phone (Android) I connect to this VPN with the stock client through the same gateway, with the same PSK, user and password, without any problems.
The settings in Network Manager for this connection are as follows:
phase1 = 3des-sha1-modp1024
phase2 = 3des-sha1
enforce UDP encapsulation = OFF
MPPE (Encryption) = OFF
echo PPP = tried both ON and OFF - no effect
The conversation between the client and the gateway begins and proceeds successfully, but then breaks. The log is below. I have highlighted the most interesting part in COLOUR - as I understand it, this happens when the virtual network adapter is created - the system refuses to do it.
Any ideas? I would be very grateful for a hint.
Apr 27 12:51:24 manofproperty NetworkManager[733]: Starting strongSwan 5.5.1 IPsec [starter]...
Apr 27 12:51:24 manofproperty NetworkManager[733]: Loading config setup
Apr 27 12:51:24 manofproperty NetworkManager[733]: Loading conn 'c1467ec0-80e6-45ac-91f2-290e12cfb3b2'
Apr 27 12:51:24 manofproperty NetworkManager[733]: found netkey IPsec stack
Apr 27 12:51:24 manofproperty charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-21-generic, x86_64)
Apr 27 12:51:24 manofproperty charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 27 12:51:24 manofproperty charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 27 12:51:24 manofproperty charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 27 12:51:24 manofproperty charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 27 12:51:24 manofproperty charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 27 12:51:24 manofproperty charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 27 12:51:24 manofproperty charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-c1467ec0-80e6-45ac-91f2-290e12cfb3b2.secrets'
Apr 27 12:51:24 manofproperty charon: 00[CFG] loaded IKE secret for %any
Apr 27 12:51:24 manofproperty charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
Apr 27 12:51:24 manofproperty charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 27 12:51:24 manofproperty charon: 00[JOB] spawning 16 worker threads
Apr 27 12:51:24 manofproperty charon: 05[CFG] received stroke: add connection 'c1467ec0-80e6-45ac-91f2-290e12cfb3b2'
Apr 27 12:51:24 manofproperty charon: 05[CFG] added configuration 'c1467ec0-80e6-45ac-91f2-290e12cfb3b2'
Apr 27 12:51:25 manofproperty charon: 07[CFG] rereading secrets
Apr 27 12:51:25 manofproperty charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 27 12:51:25 manofproperty charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-c1467ec0-80e6-45ac-91f2-290e12cfb3b2.secrets'
Apr 27 12:51:25 manofproperty charon: 07[CFG] loaded IKE secret for %any
Apr 27 12:51:25 manofproperty charon: 09[CFG] received stroke: initiate 'c1467ec0-80e6-45ac-91f2-290e12cfb3b2'
Apr 27 12:51:25 manofproperty charon: 11[IKE] initiating Main Mode IKE_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2[1] to 52.29.140.207
Apr 27 12:51:25 manofproperty charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Apr 27 12:51:25 manofproperty charon: 11[NET] sending packet: from 192.168.43.196[500] to 52.29.140.207[500] (236 bytes)
Apr 27 12:51:25 manofproperty charon: 12[NET] received packet: from 52.29.140.207[500] to 192.168.43.196[500] (120 bytes)
Apr 27 12:51:25 manofproperty charon: 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Apr 27 12:51:25 manofproperty charon: 12[IKE] received FRAGMENTATION vendor ID
Apr 27 12:51:25 manofproperty charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 27 12:51:25 manofproperty charon: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 27 12:51:25 manofproperty charon: 12[NET] sending packet: from 192.168.43.196[500] to 52.29.140.207[500] (244 bytes)
Apr 27 12:51:26 manofproperty charon: 13[NET] received packet: from 52.29.140.207[500] to 192.168.43.196[500] (232 bytes)
Apr 27 12:51:26 manofproperty charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 27 12:51:26 manofproperty charon: 13[IKE] local host is behind NAT, sending keep alives
Apr 27 12:51:26 manofproperty charon: 13[IKE] remote host is behind NAT
Apr 27 12:51:26 manofproperty charon: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Apr 27 12:51:26 manofproperty charon: 13[NET] sending packet: from 192.168.43.196[4500] to 52.29.140.207[4500] (68 bytes)
Apr 27 12:51:26 manofproperty charon: 14[NET] received packet: from 52.29.140.207[4500] to 192.168.43.196[4500] (68 bytes)
Apr 27 12:51:26 manofproperty charon: 14[ENC] parsed ID_PROT response 0 [ ID HASH ]
Apr 27 12:51:26 manofproperty charon: 14[IKE] IKE_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2[1] established between 192.168.43.196[192.168.43.196]...52.29.140.207[52.29.140.207]
Apr 27 12:51:26 manofproperty charon: 14[IKE] scheduling reauthentication in 10032s
Apr 27 12:51:26 manofproperty charon: 14[IKE] maximum IKE_SA lifetime 10572s
Apr 27 12:51:26 manofproperty charon: 14[ENC] generating QUICK_MODE request 1598312113 [ HASH SA No ID ID NAT-OA NAT-OA ]
Apr 27 12:51:26 manofproperty charon: 14[NET] sending packet: from 192.168.43.196[4500] to 52.29.140.207[4500] (220 bytes)
Apr 27 12:51:26 manofproperty charon: 15[NET] received packet: from 52.29.140.207[4500] to 192.168.43.196[4500] (156 bytes)
Apr 27 12:51:26 manofproperty charon: 15[ENC] parsed QUICK_MODE response 1598312113 [ HASH SA No ID ID ]
Apr 27 12:51:26 manofproperty charon: 15[IKE] CHILD_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2{1} established with SPIs c4ae0709_i 39c1858e_o and TS 192.168.43.196/32[udp] === 52.29.140.207/32[udp/l2f]
Apr 27 12:51:26 manofproperty NetworkManager[733]: initiating Main Mode IKE_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2[1] to 52.29.140.207
Apr 27 12:51:26 manofproperty NetworkManager[733]: generating ID_PROT request 0 [ SA V V V V V ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: sending packet: from 192.168.43.196[500] to 52.29.140.207[500] (236 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: received packet: from 52.29.140.207[500] to 192.168.43.196[500] (120 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: parsed ID_PROT response 0 [ SA V V ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: received FRAGMENTATION vendor ID
Apr 27 12:51:26 manofproperty NetworkManager[733]: received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 27 12:51:26 manofproperty NetworkManager[733]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: sending packet: from 192.168.43.196[500] to 52.29.140.207[500] (244 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: received packet: from 52.29.140.207[500] to 192.168.43.196[500] (232 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: local host is behind NAT, sending keep alives
Apr 27 12:51:26 manofproperty NetworkManager[733]: remote host is behind NAT
Apr 27 12:51:26 manofproperty NetworkManager[733]: generating ID_PROT request 0 [ ID HASH ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: sending packet: from 192.168.43.196[4500] to 52.29.140.207[4500] (68 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: received packet: from 52.29.140.207[4500] to 192.168.43.196[4500] (68 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: parsed ID_PROT response 0 [ ID HASH ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: IKE_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2[1] established between 192.168.43.196[192.168.43.196]...52.29.140.207[52.29.140.207]
Apr 27 12:51:26 manofproperty NetworkManager[733]: scheduling reauthentication in 10032s
Apr 27 12:51:26 manofproperty NetworkManager[733]: maximum IKE_SA lifetime 10572s
Apr 27 12:51:26 manofproperty NetworkManager[733]: generating QUICK_MODE request 1598312113 [ HASH SA No ID ID NAT-OA NAT-OA ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: sending packet: from 192.168.43.196[4500] to 52.29.140.207[4500] (220 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: received packet: from 52.29.140.207[4500] to 192.168.43.196[4500] (156 bytes)
Apr 27 12:51:26 manofproperty NetworkManager[733]: parsed QUICK_MODE response 1598312113 [ HASH SA No ID ID ]
Apr 27 12:51:26 manofproperty NetworkManager[733]: CHILD_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2{1} established with SPIs c4ae0709_i 39c1858e_o and TS 192.168.43.196/32[udp] === 52.29.140.207/32[udp/l2f]
Apr 27 12:51:26 manofproperty NetworkManager[733]: connection 'c1467ec0-80e6-45ac-91f2-290e12cfb3b2' established successfully
Apr 27 12:51:26 manofproperty charon: 15[ENC] generating QUICK_MODE request 1598312113 [ HASH ]
Apr 27 12:51:26 manofproperty charon: 15[NET] sending packet: from 192.168.43.196[4500] to 52.29.140.207[4500] (60 bytes)
Apr 27 12:51:26 manofproperty nm-l2tp-service[29448]: xl2tpd started with pid 29524
Apr 27 12:51:26 manofproperty NetworkManager[733]: <info> [1524815486.9410] vpn-connection[0x55892f8ea6a0,c1467ec0-80e6-45ac-91f2-290e12cfb3b2,"Amazon",0]: VPN plugin: state changed: starting (3)
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: setsockopt recvref[30]: Protocol not available
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: Using l2tp kernel support.
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: xl2tpd version xl2tpd-1.3.8 started on manofproperty PID:29524
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: Forked by Scott Balmos and David Stipp, (C) 2001
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: Inherited by Jeff McAdams, (C) 2002
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: Listening on IP address 0.0.0.0, port 39109
Apr 27 12:51:26 manofproperty NetworkManager[733]: xl2tpd[29524]: Connecting to host 52.29.140.207, port 1701
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: Connection established to 52.29.140.207, 1701. Local: 48691, Remote: 53182 (ref=0/0).
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: Calling on tunnel 48691
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: Call established with 52.29.140.207, Local: 24322, Remote: 60360, Serial: 1 (ref=0/0)
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: start_pppd: I'm running:
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "/usr/sbin/pppd"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "plugin"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "pppol2tp.so"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "pppol2tp"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "7"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "passive"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "nodetach"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: ":"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "file"
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: "/var/run/nm-l2tp-ppp-options-c1467ec0-80e6-45ac-91f2-290e12cfb3b2"
Apr 27 12:51:27 manofproperty pppd[29525]: Plugin pppol2tp.so loaded.
Apr 27 12:51:27 manofproperty pppd[29525]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Apr 27 12:51:27 manofproperty pppd[29525]: pppd 2.4.7 started by root, uid 0
Apr 27 12:51:27 manofproperty systemd-udevd[29528]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Apr 27 12:51:27 manofproperty NetworkManager[733]: ((src/devices/nm-device.c:1452)): assertion '<dropped>' failed
Apr 27 12:51:27 manofproperty pppd[29525]: Using interface ppp0
Apr 27 12:51:27 manofproperty pppd[29525]: Connect: ppp0 <-->
Apr 27 12:51:27 manofproperty NetworkManager[733]: <info> [1524815487.4101] manager: (ppp0): new Generic device (/org/freedesktop/NetworkManager/Devices/8)
Apr 27 12:51:27 manofproperty pppd[29525]: Overriding mtu 1500 to 1400
Apr 27 12:51:27 manofproperty pppd[29525]: Overriding mru 1500 to mtu value 1400
Apr 27 12:51:27 manofproperty NetworkManager[733]: <info> [1524815487.4594] devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Apr 27 12:51:27 manofproperty NetworkManager[733]: <info> [1524815487.4595] device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Apr 27 12:51:27 manofproperty pppd[29525]: Overriding mtu 1500 to 1400
Apr 27 12:51:27 manofproperty pppd[29525]: Overriding mru 1500 to mtu value 1400
Apr 27 12:51:28 manofproperty pppd[29525]: EAP: peer reports authentication failure
Apr 27 12:51:28 manofproperty pppd[29525]: Overriding mtu 1500 to 1400
Apr 27 12:51:28 manofproperty pppd[29525]: Overriding mru 1500 to mtu value 1400
Apr 27 12:51:28 manofproperty pppd[29525]: Connection terminated.
Apr 27 12:51:28 manofproperty charon: 08[KNL] interface ppp0 deleted
Apr 27 12:51:28 manofproperty NetworkManager[733]: xl2tpd[29524]: death_handler: Fatal signal 15 received
Apr 27 12:51:28 manofproperty NetworkManager[733]: xl2tpd[29524]: Terminating pppd: sending TERM signal to pid 29525
Apr 27 12:51:28 manofproperty NetworkManager[733]: xl2tpd[29524]: Connection 53182 closed to 52.29.140.207, port 1701 (Server closing)
Apr 27 12:51:28 manofproperty NetworkManager[733]: <warn> [1524815488.4145] vpn-connection[0x55892f8ea6a0,c1467ec0-80e6-45ac-91f2-290e12cfb3b2,"Amazon",0]: VPN plugin: failed: connect-failed (1)
Apr 27 12:51:28 manofproperty NetworkManager[733]: <info> [1524815488.4197] vpn-connection[0x55892f8ea6a0,c1467ec0-80e6-45ac-91f2-290e12cfb3b2,"Amazon",0]: VPN plugin: state changed: stopping (5)
Apr 27 12:51:28 manofproperty pppd[29525]: Exit.
Apr 27 12:51:28 manofproperty gnome-shell[812]: Removing a network device that was not added
Apr 27 12:51:28 manofproperty NetworkManager[733]: Stopping strongSwan IPsec...
Apr 27 12:51:28 manofproperty charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr 27 12:51:28 manofproperty gnome-shell[1560]: Removing a network device that was not added
Apr 27 12:51:28 manofproperty charon: 00[IKE] closing CHILD_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2{1} with SPIs c4ae0709_i (388 bytes) 39c1858e_o (585 bytes) and TS 192.168.43.196/32[udp] === 52.29.140.207/32[udp/l2f]
Apr 27 12:51:28 manofproperty charon: 00[IKE] sending DELETE for ESP CHILD_SA with SPI c4ae0709
Apr 27 12:51:28 manofproperty charon: 00[ENC] generating INFORMATIONAL_V1 request 251354041 [ HASH D ]
Apr 27 12:51:28 manofproperty charon: 00[NET] sending packet: from 192.168.43.196[4500] to 52.29.140.207[4500] (76 bytes)
Apr 27 12:51:28 manofproperty charon: 00[IKE] deleting IKE_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2[1] between 192.168.43.196[192.168.43.196]...52.29.140.207[52.29.140.207]
Apr 27 12:51:28 manofproperty charon: 00[IKE] sending DELETE for IKE_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2[1]
Apr 27 12:51:28 manofproperty charon: 00[ENC] generating INFORMATIONAL_V1 request 3602110137 [ HASH D ]
Apr 27 12:51:28 manofproperty charon: 00[NET] sending packet: from 192.168.43.196[4500] to 52.29.140.207[4500] (84 bytes)
Apr 27 12:51:28 manofproperty NetworkManager[733]: <info> [1524815488.4671] devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Apr 27 12:51:28 manofproperty nm-l2tp-service[29448]: ipsec shut down
Apr 27 12:51:28 manofproperty NetworkManager[733]: <info> [1524815488.5643] vpn-connection[0x55892f8ea6a0,c1467ec0-80e6-45ac-91f2-290e12cfb3b2,"Amazon",0]: VPN plugin: state changed: stopped (6)
Apr 27 12:51:28 manofproperty NetworkManager[733]: <info> [1524815488.5746] vpn-connection[0x55892f8ea6a0,c1467ec0-80e6-45ac-91f2-290e12cfb3b2,"Amazon",0]: VPN service disappeared
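Added example (not part of the original post): a small Python triage script that walks syslog lines like those above and reports how far an L2TP/IPsec connection got (IKE phase 1, IKE phase 2, L2TP tunnel, L2TP call, PPP interface, PPP up) and the first failure message, so the failing layer can be read off directly. The stage markers are the strongSwan, xl2tpd and pppd messages visible in this log; the sample input is an excerpt of that log.

```python
import re
# Milestones of a NetworkManager-l2tp connection, in the order the log
# above passes through them (strongSwan -> xl2tpd -> pppd).
STAGES = [
    ("ike_phase1",  re.compile(r"IKE_SA \S+ established between")),
    ("ike_phase2",  re.compile(r"CHILD_SA \S+ established with SPIs")),
    ("l2tp_tunnel", re.compile(r"xl2tpd\[\d+\]: Connection established to")),
    ("l2tp_call",   re.compile(r"xl2tpd\[\d+\]: Call established with")),
    ("ppp_iface",   re.compile(r"pppd\[\d+\]: Using interface \S+")),
    ("ppp_up",      re.compile(r"pppd\[\d+\]: local +IP address")),
]
# Messages that mark the point of failure; the earliest hit is reported.
FAILURES = [
    ("ppp_auth",  re.compile(r"pppd\[\d+\]: .*authentication failure")),
    ("ppp_term",  re.compile(r"pppd\[\d+\]: Connection terminated")),
    ("nm_failed", re.compile(r"VPN plugin: failed: \S+")),
]
# syslog prefix: "Apr 27 12:51:26 host rest-of-message"
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

def triage(lines):
    # Returns the stages reached (in order) and the first failure seen.
    reached, first_failure = [], None
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for name, rx in STAGES:
            if name not in reached and rx.search(msg):
                reached.append(name)
        if first_failure is None:
            for name, rx in FAILURES:
                if rx.search(msg):
                    first_failure = (name, m.group("ts"), msg)
                    break
    last = reached[-1] if reached else None
    return {"reached": reached, "last_stage": last, "first_failure": first_failure}

# Sample input: selected lines copied unchanged from the log quoted above.
SAMPLE_LOG = """\
Apr 27 12:51:26 manofproperty charon: 14[IKE] IKE_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2[1] established between 192.168.43.196[192.168.43.196]...52.29.140.207[52.29.140.207]
Apr 27 12:51:26 manofproperty charon: 15[IKE] CHILD_SA c1467ec0-80e6-45ac-91f2-290e12cfb3b2{1} established with SPIs c4ae0709_i 39c1858e_o and TS 192.168.43.196/32[udp] === 52.29.140.207/32[udp/l2f]
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: Connection established to 52.29.140.207, 1701. Local: 48691, Remote: 53182 (ref=0/0).
Apr 27 12:51:27 manofproperty NetworkManager[733]: xl2tpd[29524]: Call established with 52.29.140.207, Local: 24322, Remote: 60360, Serial: 1 (ref=0/0)
Apr 27 12:51:27 manofproperty pppd[29525]: Using interface ppp0
Apr 27 12:51:28 manofproperty pppd[29525]: EAP: peer reports authentication failure
""".splitlines()
if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("reached:", " -> ".join(r["reached"]), "| first failure:", r["first_failure"])
```

The pattern lists are plain regex tables, so additional markers (for example a Phase 1 proposal mismatch from charon) can be appended without touching the parsing loop.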