Debian 10 上使用 L2TP 和 IPSEC PSK 的 VPN 服务器无法正常工作

我正在尝试在 Debian 10 服务器上创建一个 VPN 服务器，以使 Windows 10 和 Android 客户端能够使用带有预共享密钥 (PSK) 的 IPSEC 上的 L2TP 进行连接。

经 Windows 10 和 Android Samsung Galaxy A12 以及 Samsung Galaxy Tab S6 Lite 测试，相同的客户端可以成功地与具有简单 GUI 配置的 Ubiquity UDM-Pro Dream Machine 的 VPS 服务器配合使用。

我是 libreswan 的新手。我使用的版本是默认的 3.27-6+deb10u1。

我正在尝试从我们现有的 DHCP 池中在 eth1 上分配一个范围在 192.168.100.10-192.168.100.253 之间的 IP 地址，该地址可通过 NAT 访问，并且主机显示为 161.53.235.3（对外界而言）和 192.168.100.1（对 NAT 后面的主机而言）。

（这很方便，因为经过身份验证的客户端可以“看到”他们的商务电脑并通过 RDP 连接，这是基本思想。）

谢谢您考虑这个请求。

NAT配置如下：

root@domac:/home/admin/mtodorov# iptables-save -t nat
# Generated by xtables-save v1.8.2 on Mon Nov 22 14:26:47 2021
*nat
:PREROUTING ACCEPT [17288678:2026230352]
:INPUT ACCEPT [10182155:755518594]
:POSTROUTING ACCEPT [2533708:173476436]
:OUTPUT ACCEPT [9707250:822554753]
-A POSTROUTING -o eth0 -j SNAT --to-source 161.53.235.3
COMMIT
# Completed on Mon Nov 22 14:26:47 2021
root@domac:/home/admin/mtodorov#

我的配置如下：

# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
    # Normally, pluto logs via syslog.
    logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug="control parsing"
    plutodebug="all crypt"
    # plutodebug=none
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to 2015)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:192.198.186.218/32

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

我/etc/ipsec.d/l2tp-psk.conf的如下：

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any

我的/etc/ipsec.d/domac-alu.secrets是：

%any : PSK "<mysecret>"

我/etc/ppp/chap-secrets的是

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
mtodorov * <mypasswd> *
# end.

我的/etc/xl2tpd/xl2tpd.conf是：

[global]
listen-addr = 161.53.235.3
ipsec saref = no
access control = no
debug network = yes
debug tunnel = yes

[lns default]
ip range = 192.168.100.10-192.168.100.253
local ip = 192.168.100.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes

我的/etc/ppp/xl2tpd-options是：

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4

Windows 10 的错误信息如下：

/var/log/pluto.log 中该事件的错误日志是：

会话日志 1

这是一个加密调试已关闭：

会话日志 2

请帮忙？我没办法了，但这个必须行得通……在这种 COVID 情况下，我们需要为在家工作的人建立 VPN……

（同行193.198.186.218在日志中也是我的客户端电脑。）

xl2tpd日志如下：

Nov 22 14:48:57 domac xl2tpd[26982]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Nov 22 14:48:57 domac xl2tpd[26982]: Not looking for kernel SAref support.
Nov 22 14:48:57 domac xl2tpd[26979]: Starting xl2tpd: xl2tpd.
Nov 22 14:48:57 domac xl2tpd[26982]: Not looking for kernel support.
Nov 22 14:48:57 domac xl2tpd[26983]: xl2tpd version xl2tpd-1.3.12 started on domac PID:26983
Nov 22 14:48:57 domac xl2tpd[26983]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 22 14:48:57 domac xl2tpd[26983]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 22 14:48:57 domac xl2tpd[26983]: Inherited by Jeff McAdams, (C) 2002
Nov 22 14:48:57 domac xl2tpd[26983]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Nov 22 14:48:57 domac xl2tpd[26983]: Listening on IP address 161.53.235.3, port 1701

非常感谢您的转发。