Forum Debian Users Gang

Nicram · 2011-03-16 21:34:22

witam
Męczę się z zestawieniem klienta do vpn ipsec/l2tp na debianie.
O ile klient z windowsa się łączy to z debianem mam problem.
jestem za natem. przed sobą dwa komputery:
172.10.0.3 - Windows XP - łączy się bez problemu
172.10.0.5 -Debian. nie łączy l2tp, tunel ipsec jest zestawiany. w logu mam Establisshed, ale:

jak łączę się z windy to NATOA i NATD mam wypełnione:

Kod:

Mar 16 21:00:58 sat pluto[22785]: "roadwarrior-l2tp"[2] 8.8.8.8 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4eb26bdb <0x61b5daf9 xfrm=3DES_0-HMAC_MD5 NATOA=172.10.0.3 NATD=8.8.8.8:18858 DPD=none}

jak się łącze z debiana to te wartości mam na none

Kod:

Mar 16 21:02:02 sat pluto[22785]: "roadwarrior-l2tp"[4] 8.8.8.8 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xcf388152 <0x26cb17a3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

czy to wogóle jest prawidłowo???

1.1.1.1 - adres servera vpn na ktorym słucha ipsec
8.8.8.8 - moje publiczne ip

w logu serwera podczas połączenia klienta mam:

Kod:

Mar 16 21:12:46 sat pluto[23109]: packet from 8.8.8.8:18868: ignoring unknown Vendor ID payload [4f45504b7e7a764d4e645f57]
Mar 16 21:12:46 sat pluto[23109]: packet from 8.8.8.8:18868: received Vendor ID payload [Dead Peer Detection]
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[1] 8.8.8.8 #1: responding to Main Mode from unknown peer 8.8.8.8
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[1] 8.8.8.8 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[1] 8.8.8.8 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[1] 8.8.8.8 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[1] 8.8.8.8 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[1] 8.8.8.8 #1: Main mode peer ID is ID_IPV4_ADDR: '172.10.0.5'
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[1] 8.8.8.8 #1: switched from "roadwarrior-l2tp" to "roadwarrior-l2tp"
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #1: deleting connection "roadwarrior-l2tp" instance with peer 8.8.8.8 {isakmp=#0/ipsec=#0}
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #1: the peer proposed: 1.1.1.1/32:17/1701 -> 172.10.0.5/32:17/1701
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #2: responding to Quick Mode proposal {msgid:1345ee89}
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #2:     us: 1.1.1.1<1.1.1.1>[+S=C]:17/1701---193.59.33.1
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #2:   them: 8.8.8.8[172.10.0.5,+S=C]:17/1701===172.10.0.5/32
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 16 21:12:46 sat pluto[23109]: "roadwarrior-l2tp"[2] 8.8.8.8 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x19aff31e <0x789c4611 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

oto config ipsec

Kod:

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=172.10.0.5
    leftprotoport=17/1701
    right=1.1.1.1
    rightprotoport=17/1701

xl2pd.conf

Kod:

[lac L2TPserver]
lns = 1.1.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = marcin
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client

Kod:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000

po "zestawieniu" ipsec i restarcie xlt2pd nic sie nie dzieje
log mowi:

Kod:

Mar 16 20:56:19 dragon xl2tpd[6268]: setsockopt recvref[22]: Protocol not available
Mar 16 20:56:19 dragon xl2tpd[6268]: This binary does not support kernel L2TP.
Mar 16 20:56:19 dragon xl2tpd[6269]: xl2tpd version xl2tpd-1.2.6 started on dragon PID:6269
Mar 16 20:56:19 dragon xl2tpd[6269]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Mar 16 20:56:19 dragon xl2tpd[6269]: Forked by Scott Balmos and David Stipp, (C) 2001
Mar 16 20:56:19 dragon xl2tpd[6269]: Inherited by Jeff McAdams, (C) 2002
Mar 16 20:56:19 dragon xl2tpd[6269]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Mar 16 20:56:19 dragon xl2tpd[6269]: Listening on IP address 0.0.0.0, port 1701
Mar 16 20:56:23 dragon xl2tpd[6269]: Session 'L2TPserver' not up
Mar 16 20:56:31 dragon xl2tpd[6269]: Connecting to host 1.1.1.1, port 1701
Mar 16 20:56:36 dragon xl2tpd[6269]: Maximum retries exceeded for tunnel 6713.  Closing.

Pytanie. czy wogóle ten tunel ipsec poprawnie się zestawia?
jeśli tak, to w którym miejscu mam błąd w xl2tpd?

Będe wdzięczny za podpowiedzi.
Pozdrawiam.

------

Jeszcze tak na marginesie. W wielu manualach widzę, że jak ipsec zestawia tunel to tworzony jest nowy interface przeważnie o nazwi ipsec0.
Niestety nie zauważyłe u siebie gdzie to ustawić, żeby taki interfejs mi się zestawił. Nie musiałbym wówczas korzystać z l2tp tylko zrobić gre w ipsecu.
Gdzie w ipsecu muszę to ustawić by mieć interfejs ipsec?

Ostatnio edytowany przez Nicram (2011-03-17 09:46:21)

Forum Debian Users Gang

Ogłoszenie

#1 2011-03-16 21:34:22

Nicram - Użytkownik

Ipsec/l2tpd

Kod:

Kod:

Kod:

Kod:

Kod:

Kod:

Kod:

Stopka forum