IPSEC/L2TP VPN on Ubuntu 12.04.1 on AWS

The problem was solved by using this script, written specifically for setting this up on AWS.

I set up a PPTP VPN on Amazon's cloud without any trouble; everything works.
Now I am trying to set up an IPSEC/L2TP connection following this thread (later I also found one more guide).

At first, when I tried to reload the configuration, the console printed this (with an empty line where the error text should be):

Segmentation fault (core dumped)
failed to start openswan IKE daemon - the following error occured:

By trial and error it turned out that the cause was the line rightprotoport=17/%any in /etc/ipsec.conf. I replaced it with rightprotoport=17/0 (I have no idea what that means). Reloading the configuration then went through without errors. I changed it back, and by some magic it still works. Possibly the cause was a missing newline in the configuration file. Anyway, it no longer matters.

sudo ipsec verify now prints:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-31-virtual (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


It seems everything should work, but connection attempts fail. Win7 says: "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
The iPhone cannot connect either.

Here are the configuration files (assembled from wherever I could find them):

/etc/rc.local
#!/bin/sh -e
# Disable ICMP redirects on every interface: the instance routes for VPN clients
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
# Unscoped NAT: masquerades every packet leaving the instance, not only VPN client traffic
iptables --table nat --append POSTROUTING --jump MASQUERADE
exit 0


/etc/ipsec.conf
config setup
    dumpdir=/var/run/pluto/
    # the instance itself sits behind EC2's 1:1 NAT, and so do most clients
    nat_traversal=yes
    # private ranges a NATed client may present as its inner address
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    protostack=netkey

conn L2TP-PSK-NAT
    # client behind NAT: accept any address from virtual_private as the peer's subnet
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # pre-shared key, looked up in ipsec.secrets by the IDs of both ends
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    # L2TP/IPsec uses transport mode: IPsec protects only the L2TP UDP flow
    type=transport
    # must be an address configured on the instance (the private 10.x address, see UPD), not the Elastic IP
    left=ELASTIC IP ADDRESS
    # our side: UDP (17), port 1701 = L2TP
    leftprotoport=17/1701
    right=%any
    # their side: UDP, any source port (17/0 and 17/%any both mean "any port")
    rightprotoport=17/0


/etc/ipsec.secret
# <our id> <their id> : PSK "secret"; our id defaults to the left= address in ipsec.conf and must match it
ELASTIC IP   %any:  PSK "Passphrase"


/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
listen-addr = ELASTIC IP                ; must be an address on the instance; the Elastic IP is not (see UPD)
port = 1701                                                     ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are

[lns default]
ip range = 172.16.1.30-172.16.1.100     ; ip range = range of IPs to give to the connecting clients
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no                          ; yes for testing
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx


/etc/ppp/chap-secrets
# client   server   secret   IP addresses ("*" = any)
# the server field must equal the "name" option of the pppd instance (pptpd / l2tpd)
user1      pptpd    Pass     *
user2      l2tpd    Pass     *


That seems to be everything. Does anyone have an idea why none of this works?
Oh, and yes: the security group for the instance has all TCP and UDP ports open for the duration of the experiments. Ubuntu is 64-bit.

Here is what auth.log says about a connection attempt:
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [RFC 3947] method set to=109 
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: initial Main Mode message received on (instance local ip):500 but no connection has been authorized with policy=PSK


UPD: in short, the first problem was that the Private IP 10.x.x.x had to be written in place of the Elastic IP. But it still does not connect.

auth.log now:
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: responding to Main Mode from unknown peer (my ip)
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.135'
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: deleting connection "L2TP-PSK-NAT" instance with peer (my ip) {isakmp=#0/ipsec=#0}
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: new NAT mapping for #8, was (my ip):500, now (my ip):4500
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: responding to Quick Mode proposal {msgid:01000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x35ff6b7f <0xa773bf4b xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: responding to Quick Mode proposal {msgid:02000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: keeping refhim=4294901761 during rekey
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xef37b4d9 <0xfe15824a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x35ff6b7f) payload: deleting IPSEC State #9
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: responding to Quick Mode proposal {msgid:03000000}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: keeping refhim=4294901761 during rekey
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa91336d8 <0xa61d7729 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xef37b4d9) payload: deleting IPSEC State #10
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: responding to Quick Mode proposal {msgid:04000000}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: keeping refhim=4294901761 during rekey
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x3bde910e <0x6886459f xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xa91336d8) payload: deleting IPSEC State #11
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:13 (instance local ip) sshd[9247]: Accepted publickey for root from (my ip) port 6131 ssh2
Dec 21 22:28:13 (instance local ip) sshd[9247]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 21 22:28:14 (instance local ip) sshd[9247]: subsystem request for sftp by user root
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: responding to Quick Mode proposal {msgid:05000000}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: keeping refhim=4294901761 during rekey
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xb3583b07 <0x5aad44cc xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x3bde910e) payload: deleting IPSEC State #12
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Question asked, 14705 views
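The UPD traces the first failure to left= holding the Elastic IP. On EC2 an Elastic IP is a 1:1 NAT mapping at the edge and is never configured on the instance's own interface, so pluto has no connection whose local end matches ("no connection has been authorized with policy=PSK"), and a bind() on that address fails for any daemon, which matters because xl2tpd.conf in the post still has listen-addr = ELASTIC IP. The post also suspects a missing final newline in a config file. The shell script below is an added example, not code from the post, Openswan or xl2tpd: it reads the bind address from each file, compares it with the addresses actually present on the host, and checks each file for a trailing newline. The sample files it writes are constructed, and 10.0.0.5 and 203.0.113.10 are placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the post, Openswan or xl2tpd): sanity-check the
# addresses an L2TP/IPsec server on EC2 binds to, plus the trailing-newline
# issue the post suspects. An Elastic IP is 1:1 NAT at the EC2 edge and is
# never configured on the instance's interface, so pluto finds no matching
# connection for it and bind() on it fails for xl2tpd.

# Print the value of key $1 in file $2 ("key=value" or "key = value");
# empty if absent. Only the first match is printed.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$2" | head -n 1
}

# Return 0 if address $1 appears in the whitespace-separated list $2.
is_local_addr() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Check key $2 of file $1 against the local address list $3.
# Returns 0 for a local address or a symbolic value (%defaultroute, %any),
# 1 for an address that is not on this host.
check_bind() {
    addr=$(conf_value "$2" "$1")
    case "$addr" in
        ''|%*) echo "$1: $2 is unset or symbolic ($addr), skipping"; return 0 ;;
    esac
    if is_local_addr "$addr" "$3"; then
        echo "$1: $2=$addr is configured on this host"
        return 0
    fi
    echo "$1: $2=$addr is NOT on this host (Elastic IP? use the private address or %defaultroute)"
    return 1
}

# Return 0 if file $1 is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l)" -eq 1 ]
}

# Constructed sample configs for a stand-alone run: ipsec.conf with a
# correct private left= but no final newline, and xl2tpd.conf still bound
# to a placeholder Elastic IP (203.0.113.10) as in the post. $1 = directory.
write_samples() {
    printf 'conn L2TP-PSK-noNAT\n    left=10.0.0.5\n    leftprotoport=17/1701\n    right=%%any\n    rightprotoport=17/%%any' > "$1/ipsec.conf"
    cat > "$1/xl2tpd.conf" <<'EOF'
[global]
ipsec saref = yes
listen-addr = 203.0.113.10
port = 1701
EOF
}

# "sh check_vpn_bind.sh run" checks the real files on the host; with no
# argument the script only defines the functions above.
case "${1:-}" in
    run)
        locals=$(ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ')
        check_bind /etc/ipsec.conf left "$locals"
        check_bind /etc/xl2tpd/xl2tpd.conf listen-addr "$locals"
        for f in /etc/ipsec.conf /etc/ipsec.secrets /etc/xl2tpd/xl2tpd.conf; do
            ends_with_newline "$f" || echo "$f: missing trailing newline"
        done
        # after a fix, xl2tpd must actually be listening on UDP 1701
        netstat -lnu 2>/dev/null | grep -q ':1701 ' && echo "UDP 1701: listening" || echo "UDP 1701: nobody listening"
        ;;
esac
```

In the second auth.log the IPsec SA is established and then deleted every few seconds with a fresh Quick Mode each time; that is what the client does when nothing answers on UDP 1701 inside the tunnel, so the listening check at the end of the run mode is the first thing to look at once the IPsec side is up. Using left=%defaultroute in ipsec.conf lets Openswan pick the interface address itself and sidesteps the Elastic IP mistake entirely.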
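The rc.local in the post masquerades every packet that leaves the instance, and the security group opens every TCP and UDP port. As an added example, not the post's code, the script below emits an iptables rule set scoped to what L2TP/IPsec actually needs: IKE on UDP 500, NAT-T on UDP 4500, ESP, and UDP 1701 only when the packet was decapsulated from an IPsec SA (the iptables policy match), with forwarding and NAT restricted to the client pool. It also enables IP forwarding, which the post's configuration never sets. Assumptions: the pool is 172.16.1.0/24 (covering the post's 172.16.1.30-172.16.1.100), the uplink is eth0, and client sessions appear as ppp+ interfaces; the matching security group would then need only UDP 500 and 4500 inbound.

```shell
#!/bin/sh
# Added example (not from the post): replace the blanket
# "iptables -t nat -A POSTROUTING -j MASQUERADE" with rules scoped to the
# L2TP client pool, and admit UDP 1701 only when it arrived inside IPsec.
# Assumptions: pool 172.16.1.0/24, uplink eth0, client interfaces ppp+.

POOL=${POOL:-172.16.1.0/24}   # covers the post's 172.16.1.30-172.16.1.100
WAN=${WAN:-eth0}

# Emit the rules as text; "apply" pipes them into sh. Emitting instead of
# applying keeps the functions testable without root or iptables.
vpn_firewall_rules() {
    cat <<EOF
# forwarding between ppp clients and the uplink needs this (not set in the post)
sysctl -w net.ipv4.ip_forward=1
# IKE and NAT-T from anywhere: the only ports that must be public
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# L2TP only if it was decapsulated from an IPsec SA; raw UDP 1701 from the
# internet is dropped, so the PPP/CHAP layer is never reachable unprotected
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
# forward only the client pool, and only via the uplink
iptables -A FORWARD -i ppp+ -o $WAN -s $POOL -j ACCEPT
iptables -A FORWARD -i $WAN -o ppp+ -d $POOL -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT only the pool, not every packet leaving the instance
iptables -t nat -A POSTROUTING -s $POOL -o $WAN -j MASQUERADE
EOF
}

# Number of iptables rules that would be installed (comments and sysctl excluded).
vpn_firewall_rule_count() {
    vpn_firewall_rules | grep -c '^iptables'
}

# Return 0 if the NAT rule is restricted to the pool rather than bare.
vpn_nat_is_scoped() {
    vpn_firewall_rules | grep '^iptables -t nat' | grep -q -- "-s $POOL"
}

# Return 0 if plain UDP 1701 is accepted only with an IPsec policy match.
vpn_l2tp_requires_ipsec() {
    vpn_firewall_rules | grep '^iptables.*--dport 1701.*ACCEPT' | grep -q -- '--pol ipsec'
}

case "${1:-}" in
    show)  vpn_firewall_rules ;;          # sh vpn_fw.sh show
    apply) vpn_firewall_rules | sh ;;     # as root: sh vpn_fw.sh apply
esac
```

The rules are appended, so they take effect as written only when the INPUT and FORWARD chains have a DROP policy or the existing rules do not already accept the traffic; the explicit DROP for UDP 1701 is there so the L2TP port stays closed to plain UDP even on an ACCEPT-policy chain. The policy match needs the xt_policy module, which Ubuntu 12.04's kernel ships.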
Answers to the question: 2
Toy
@Toy
Front-end Developer @ Starbucks
Have a look at the config here. It helped me :-)

Though for some reason the iPhone cannot download apps from the App Store; has anyone run into something similar?
@Rengenius
I also set this up from the same manual on 14.04; the problem is definitely the newline at the end of the config.