VPN - L2TP over IPSec connection

I am using Ubuntu 18.10. The VPN works on Win10, but I cannot establish a VPN connection to the MikroTik router.

I have tried the following phase algorithms, but none of them work.

1.

Phase1 aes-sha1
Phase2 aes-sha1

2.

Phase1 3des-sha1-modp1024
Phase2 3des-sha1

3.

Phase1 3des-sha1;modp1024
Phase2 3des-sha1

4.

Phase1 aes256-sha1-modp1536
Phase2 aes256-sha1

4) works with the DraytekRouter.

I previously captured logs with sudo tail -f /var/log/syslog, which I am attaching now. Can anyone help me?

Log:

Jan 21 11:21:20 11e dbus-daemon[1193]: [session uid=1000 pid=1193] Activating via systemd: service name='org.gnome.Terminal' unit='gnome-terminal-server.service' requested by ':1.88' (uid=1000 pid=3161 comm="/usr/bin/gnome-terminal.real --window " label="unconfined")
Jan 21 11:21:20 11e systemd[1125]: Starting GNOME Terminal Server...
Jan 21 11:21:20 11e dbus-daemon[1193]: [session uid=1000 pid=1193] Successfully activated service 'org.gnome.Terminal'
Jan 21 11:21:20 11e systemd[1125]: Started GNOME Terminal Server.
Jan 21 11:21:20 11e org.gnome.Shell.desktop[1565]: # watch_fast: "/org/gnome/terminal/legacy/" (establishing: 0, active: 0)
Jan 21 11:21:20 11e org.gnome.Shell.desktop[1565]: # unwatch_fast: "/org/gnome/terminal/legacy/" (active: 0, establishing: 1)
Jan 21 11:21:20 11e org.gnome.Shell.desktop[1565]: # watch_established: "/org/gnome/terminal/legacy/" (establishing: 0)
Jan 21 11:21:34 11e NetworkManager[939]: <info>  [1548066094.3542] audit: op="connection-activate" uuid="33a76ea6-0d47-46a5-8310-01a80de375db" name="VPN" pid=1565 uid=1000 result="success"
Jan 21 11:21:34 11e NetworkManager[939]: <info>  [1548066094.3729] vpn-connection[0x55e2429c4330,33a76ea6-0d47-46a5-8310-01a80de375db,"VPN",0]: Started the VPN service, PID 3194
Jan 21 11:21:34 11e NetworkManager[939]: <info>  [1548066094.3941] vpn-connection[0x55e2429c4330,33a76ea6-0d47-46a5-8310-01a80de375db,"VPN",0]: Saw the service appear; activating connection
Jan 21 11:21:34 11e NetworkManager[939]: <info>  [1548066094.7926] vpn-connection[0x55e2429c4330,33a76ea6-0d47-46a5-8310-01a80de375db,"VPN",0]: VPN connection: (ConnectInteractive) reply received
Jan 21 11:21:34 11e nm-l2tp-service[3194]: Check port 1701
Jan 21 11:21:34 11e NetworkManager[939]: Stopping strongSwan IPsec failed: starter is not running
Jan 21 11:21:36 11e NetworkManager[939]: Starting strongSwan 5.6.3 IPsec [starter]...
Jan 21 11:21:36 11e NetworkManager[939]: Loading config setup
Jan 21 11:21:36 11e NetworkManager[939]: Loading conn '33a76ea6-0d47-46a5-8310-01a80de375db'
Jan 21 11:21:36 11e NetworkManager[939]: found netkey IPsec stack
Jan 21 11:21:36 11e charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-13-generic, x86_64)
Jan 21 11:21:36 11e charon: 00[CFG] PKCS11 module '<name>' lacks library path
Jan 21 11:21:37 11e charon: 00[CFG] disabling load-tester plugin, not configured
Jan 21 11:21:37 11e charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jan 21 11:21:37 11e charon: 00[CFG] dnscert plugin is disabled
Jan 21 11:21:37 11e charon: 00[CFG] ipseckey plugin is disabled
Jan 21 11:21:37 11e charon: 00[CFG] attr-sql plugin: database URI not set
Jan 21 11:21:37 11e charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 21 11:21:37 11e charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 21 11:21:37 11e charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 21 11:21:37 11e charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 21 11:21:37 11e charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 21 11:21:37 11e charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 21 11:21:37 11e charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-33a76ea6-0d47-46a5-8310-01a80de375db.secrets'
Jan 21 11:21:37 11e charon: 00[CFG]   loaded IKE secret for %any
Jan 21 11:21:37 11e charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-63c18717-e10e-4777-ba96-60bf94bb42c8.secrets'
Jan 21 11:21:37 11e charon: 00[CFG]   loaded IKE secret for %any
Jan 21 11:21:37 11e charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-8c0ee4b9-835c-4872-874f-a39d33fe68bd.secrets'
Jan 21 11:21:37 11e charon: 00[CFG]   loaded IKE secret for %any
Jan 21 11:21:37 11e charon: 00[CFG] sql plugin: database URI not set
Jan 21 11:21:37 11e charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jan 21 11:21:37 11e charon: 00[CFG] eap-simaka-sql database URI missing
Jan 21 11:21:37 11e charon: 00[CFG] loaded 0 RADIUS server configurations
Jan 21 11:21:37 11e charon: 00[CFG] HA config misses local/remote address
Jan 21 11:21:37 11e charon: 00[CFG] no threshold configured for systime-fix, disabled
Jan 21 11:21:37 11e charon: 00[CFG] coupling file path unspecified
Jan 21 11:21:37 11e charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Jan 21 11:21:37 11e charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 21 11:21:37 11e charon: 00[JOB] spawning 16 worker threads
Jan 21 11:21:37 11e charon: 06[CFG] received stroke: add connection '33a76ea6-0d47-46a5-8310-01a80de375db'
Jan 21 11:21:37 11e charon: 06[CFG] a DH group is mandatory in IKE proposals
Jan 21 11:21:37 11e charon: 06[CFG] skipped invalid proposal string: aes-sha1
Jan 21 11:21:37 11e charon: 07[CFG] rereading secrets
Jan 21 11:21:37 11e charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 21 11:21:37 11e charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-33a76ea6-0d47-46a5-8310-01a80de375db.secrets'
Jan 21 11:21:37 11e charon: 07[CFG]   loaded IKE secret for %any
Jan 21 11:21:37 11e charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-63c18717-e10e-4777-ba96-60bf94bb42c8.secrets'
Jan 21 11:21:37 11e charon: 07[CFG]   loaded IKE secret for %any
Jan 21 11:21:37 11e charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-8c0ee4b9-835c-4872-874f-a39d33fe68bd.secrets'
Jan 21 11:21:37 11e charon: 07[CFG]   loaded IKE secret for %any
Jan 21 11:21:38 11e charon: 09[CFG] received stroke: initiate '33a76ea6-0d47-46a5-8310-01a80de375db'
Jan 21 11:21:38 11e charon: 09[CFG] no config named '33a76ea6-0d47-46a5-8310-01a80de375db'
Jan 21 11:21:38 11e NetworkManager[939]: no config named '33a76ea6-0d47-46a5-8310-01a80de375db'
Jan 21 11:21:38 11e NetworkManager[939]: Stopping strongSwan IPsec...
Jan 21 11:21:38 11e charon: 00[DMN] signal of type SIGINT received. Shutting down
Jan 21 11:21:38 11e nm-l2tp-service[3194]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jan 21 11:21:38 11e NetworkManager[939]: <info>  [1548066098.4190] vpn-connection[0x55e2429c4330,33a76ea6-0d47-46a5-8310-01a80de375db,"VPN",0]: VPN plugin: state changed: stopped (6)
Jan 21 11:21:38 11e NetworkManager[939]: <info>  [1548066098.4266] vpn-connection[0x55e2429c4330,33a76ea6-0d47-46a5-8310-01a80de375db,"VPN",0]: VPN service disappeared
Jan 21 11:21:38 11e NetworkManager[939]: <warn>  [1548066098.4286] vpn-connection[0x55e2429c4330,33a76ea6-0d47-46a5-8310-01a80de375db,"VPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Jan 21 11:21:41 11e NetworkManager[939]: <info>  [1548066101.4689] manager: NetworkManager state is now CONNECTED_SITE
Jan 21 11:21:41 11e whoopsie[1461]: [11:21:41] offline
Jan 21 11:21:41 11e dbus-daemon[907]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.16' (uid=0 pid=939 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Jan 21 11:21:41 11e systemd[1]: Starting Network Manager Script Dispatcher Service...
Jan 21 11:21:41 11e dbus-daemon[907]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jan 21 11:21:41 11e systemd[1]: Started Network Manager Script Dispatcher Service.
Jan 21 11:21:41 11e nm-dispatcher: req:1 'connectivity-change': new request (1 scripts)
Jan 21 11:21:41 11e nm-dispatcher: req:1 'connectivity-change': start running ordered scripts...
Jan 21 11:21:42 11e NetworkManager[939]: <info>  [1548066102.8242] manager: NetworkManager state is now CONNECTED_GLOBAL
Jan 21 11:21:42 11e nm-dispatcher: req:2 'connectivity-change': new request (1 scripts)
Jan 21 11:21:42 11e nm-dispatcher: req:2 'connectivity-change': start running ordered scripts...
Jan 21 11:21:42 11e whoopsie[1461]: [11:21:42] The default IPv4 route is: /org/freedesktop/NetworkManager/ActiveConnection/2
Jan 21 11:21:42 11e whoopsie[1461]: [11:21:42] Not a paid data plan: /org/freedesktop/NetworkManager/ActiveConnection/2
Jan 21 11:21:42 11e whoopsie[1461]: [11:21:42] Found usable connection: /org/freedesktop/NetworkManager/ActiveConnection/2
Jan 21 11:21:44 11e whoopsie[1461]: [11:21:44] online
Jan 21 11:21:44 11e PackageKit: get-updates transaction /353_bdeecdcb from uid 1000 finished with success after 1991ms
Jan 21 11:21:46 11e PackageKit: get-updates transaction /354_bebcbabc from uid 1000 finished with success after 1864ms
Jan 21 11:21:48 11e PackageKit: get-updates transaction /355_cbeeacae from uid 1000 finished with success after 1878ms
Jan 21 11:21:50 11e PackageKit: get-updates transaction /356_bbecbebe from uid 1000 finished with success after 1847ms
Jan 21 11:21:52 11e PackageKit: get-updates transaction /357_bebedaba from uid 1000 finished with success after 1877ms

Answer 1

I suggest removing the following generated files, which for some reason were not deleted:

/etc/ipsec.d/nm-l2tp-ipsec-33a76ea6-0d47-46a5-8310-01a80de375db.secrets
/etc/ipsec.d/nm-l2tp-ipsec-63c18717-e10e-4777-ba96-60bf94bb42c8.secrets
/etc/ipsec.d/nm-l2tp-ipsec-8c0ee4b9-835c-4872-874f-a39d33fe68bd.secrets

The error message indicates that you did not specify a DH group for Phase 1.

From the screenshot, it does not say what the AES key size is (unless aes is an alias for aes128), nor what the Diffie Hellman (DH) group is.

Run the ike-scan.sh script from the following page to help determine what is needed for Phase 1:

Issue something like the following:

sudo ipsec stop
chmod a+rx ./ike-scan.sh
sudo ./ike-scan.sh 10.10.10.250 | grep SA=

Then let us know what the output is.

You may need to add an exclamation mark (!) at the end of Phase 1 and Phase 2.

The strongSwan algorithm list can be found here:
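The log in the question shows exactly the check the answer refers to: charon reports "a DH group is mandatory in IKE proposals" and skips the string aes-sha1, so the connection is never added and the later "no config named ..." follows. The script below is an added example, not code from the question, the answer or strongSwan: it statically checks Phase 1 (ike=) and Phase 2 (esp=) proposal strings in strongSwan's syntax before a connection attempt. The keyword tables are a constructed subset of strongSwan's; the functions check_proposal and usable_attempts and the ATTEMPTS table (the four pairs from the question) are assumptions of this example. Passing this check only means strongSwan will load the string, not that the MikroTik peer accepts it, which is why the answer suggests running ike-scan against the router.

```python
"""Static check of strongSwan-style proposal strings (ike= / esp=).

Added example, not code from the page or from strongSwan. The keyword
tables are a constructed subset of strongSwan's, enough for the strings
in the question. Alternatives are separated by ',', algorithms inside one
alternative by '-'; a trailing '!' makes the proposal strict.
"""

# Constructed subset of strongSwan's proposal keywords.
ENCRYPTION = {"aes", "aes128", "aes192", "aes256", "3des",
              "aes128gcm16", "aes256gcm16", "chacha20poly1305"}
AEAD = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}  # carry their own integrity
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
             "ecp256", "ecp384", "ecp521", "curve25519"}
# Parses fine, but not something to accept on a new setup.
LEGACY = {"3des", "md5", "modp1024"}


def check_proposal(text, phase):
    """Check one proposal string for phase 1 (ike=) or phase 2 (esp=).

    Returns a dict with 'errors' (strongSwan would reject the string),
    'warnings' (legacy or ambiguous choices) and 'strict' (trailing '!').
    """
    strict = text.endswith("!")
    body = text[:-1] if strict else text
    errors, warnings = [], []
    for alt in body.split(","):
        tokens = alt.split("-")
        enc = [t for t in tokens if t in ENCRYPTION]
        integ = [t for t in tokens if t in INTEGRITY]
        dh = [t for t in tokens if t in DH_GROUPS]
        for t in tokens:
            if t not in ENCRYPTION | INTEGRITY | DH_GROUPS:
                # Attempt 3 in the question uses ';' (Libreswan-style); strongSwan
                # joins every algorithm with '-', so the token is unknown to it.
                hint = " (strongSwan joins algorithms with '-', not ';')" if ";" in t else ""
                errors.append(f"{alt}: unknown token '{t}'{hint}")
            elif t in LEGACY:
                warnings.append(f"{alt}: '{t}' is a legacy algorithm")
        if not enc:
            errors.append(f"{alt}: no encryption algorithm")
        if not integ and not any(e in AEAD for e in enc):
            errors.append(f"{alt}: no integrity algorithm")
        if phase == 1 and not dh:
            # The check charon logged in the question's syslog.
            errors.append(f"{alt}: a DH group is mandatory in IKE proposals")
        if "aes" in enc:
            warnings.append(f"{alt}: plain 'aes' means aes128 in strongSwan; "
                            "write the key size explicitly")
    return {"errors": errors, "warnings": warnings, "strict": strict}


# The four Phase 1 / Phase 2 pairs from the question, as (name, ike, esp).
ATTEMPTS = [
    ("1", "aes-sha1", "aes-sha1"),
    ("2", "3des-sha1-modp1024", "3des-sha1"),
    ("3", "3des-sha1;modp1024", "3des-sha1"),
    ("4", "aes256-sha1-modp1536", "aes256-sha1"),
]


def usable_attempts(attempts=ATTEMPTS):
    """Names of attempts whose IKE and ESP strings strongSwan would load."""
    return [name for name, ike, esp in attempts
            if not check_proposal(ike, 1)["errors"]
            and not check_proposal(esp, 2)["errors"]]


if __name__ == "__main__":
    for name, ike, esp in ATTEMPTS:
        r1, r2 = check_proposal(ike, 1), check_proposal(esp, 2)
        print(f"attempt {name}: ike={ike!r} esp={esp!r}")
        for line in r1["errors"] + r2["errors"]:
            print("  error:", line)
        for line in r1["warnings"] + r2["warnings"]:
            print("  warning:", line)
    print("loadable attempts:", usable_attempts())
```

Run it as-is to see attempts 1 and 3 rejected for the reasons charon would give, and attempts 2 and 4 flagged as loadable (attempt 2 with legacy warnings for 3des and modp1024). The real peer proposal still has to match, so compare the loadable strings against the SA= lines ike-scan reports for the router.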