Debian 11: setting up L2TP + IPSec - IPSec failing?

I'm trying to configure a new VPN client (L2TP and IPSec) on a small AWS EC2 system running Debian 11 without a desktop. I have NetworkManager working, but the VPN connection won't start, apparently because of an IPSec error. Here is what I did - in one terminal window (IP addresses etc. have been changed):

root@client# /run/network/interfaces.d# /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[13017] <debug> nm-l2tp-service (version 1.2.18) starting...
nm-l2tp[13017] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[13017] <info>  ipsec enable flag: yes
** Message: 13:01:51.414: Check port 1701
** Message: 13:01:51.414: Can't bind to port 1701
nm-l2tp[13017] <warn>  L2TP port 1701 is busy, using ephemeral.
connection
        autoconnect : false
        id : 'vpnname'
        interface-name : '--'
        permissions : []
        type : 'vpn'
        uuid : '542b35f3-fadc-4df1-b340-a68eec3a9c3f'

proxy

ipv6
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

vpn
        data : {'gateway': '123.456.789.012', 'ipsec-enabled': 'yes', 'ipsec-psk': '0sTiFSU190ZWNobjBsMGczCg==', 'mru': '1400', 'mtu': '1400', 'password-flags': '0', 'refuse-chap': 'yes', 'refuse-mschap': 'yes', 'refuse-pap': 'yes', 'require-mppe': 'yes', 'user': 'vpntest'}
        secrets : {'password': 'vPnt35t'}
        service-type : 'org.freedesktop.NetworkManager.l2tp'

ipv4
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

nm-l2tp[13017] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.1 IPsec [starter]...
Loading config setup
Loading conn '542b35f3-fadc-4df1-b340-a68eec3a9c3f'
nm-l2tp[13017] <info>  Spawned ipsec up script with PID 13126.
initiating Main Mode IKE_SA 542b35f3-fadc-4df1-b340-a68eec3a9c3f[1] to 123.456.789.012
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 111.222.333.444[500] to 123.456.789.012[500] (532 bytes)
received packet: from 123.456.789.012[500] to 111.222.333.444[500] (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 111.222.333.444[500] to 123.456.789.012[500] (244 bytes)
received packet: from 123.456.789.012[500] to 111.222.333.444[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 111.222.333.444[4500] to 123.456.789.012[4500] (68 bytes)
received packet: from 123.456.789.012[500] to 111.222.333.444[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 1308603116 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 111.222.333.444[4500] to 123.456.789.012[4500] (68 bytes)
received packet: from 123.456.789.012[500] to 111.222.333.444[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 3696528349 processing failed
nm-l2tp[13017] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[13017] <info>  Terminating ipsec script with PID 13126.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
nm-l2tp[13017] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:13017): GLib-GIO-CRITICAL **: 13:02:04.565: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

In another window:

root@client# nmcli c up vpnname
Error: Connection activation failed: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=542b35f3-fadc-4df1-b340-a68eec3a9c3f + NM_DEVICE=eth0' to get more details.

Unfortunately I don't know much about IPSec, and what I've found via Google and this site seems to be several years old and doesn't quite match what I'm seeing. What do I need to change?

Edit

So, a downvote, but no comment. It would be nice to know why; I didn't simply dump my question here because I couldn't be bothered to try solving it myself or searching. Even after roughly 25 years of Linux development and system administration, there are still plenty of things I've never used.

Plenty of low-quality "solutions" can be found that mention ipsec, l2tp and other things, usually with pictures of some GUI; but very little covers the command line, and most of it seems old and irrelevant.
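One way to triage nm-l2tp/strongSwan debug output like the above mechanically, as an added example that is not part of the original post: the script below parses the IKEv1 packet lines and flags what the log actually shows (a weak negotiated proposal, NAT detection, the client sending on UDP 4500 while replies keep arriving from UDP 500, and payload decryption failures). The sample log is a constructed excerpt of the lines quoted in the question, and the checks are heuristics chosen for this example, not a diagnosis of the root cause.

```python
import re

# Constructed excerpt of the strongSwan lines shown in the question above.
SAMPLE_LOG = """\
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
local host is behind NAT, sending keep alives
sending packet: from 111.222.333.444[4500] to 123.456.789.012[4500] (68 bytes)
received packet: from 123.456.789.012[500] to 111.222.333.444[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
"""

# Matches strongSwan's "sending/received packet: from A[port] to B[port]" lines.
PKT_RE = re.compile(r"^(sending|received) packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
# Algorithms a practitioner would want to be warned about in a 2020s deployment.
WEAK_ALGS = ("3DES_CBC", "MODP_1024", "MD5")

def triage(log: str) -> dict:
    """Return a dict of findings extracted from a strongSwan IKEv1 debug log."""
    findings = {"weak_proposal": [], "behind_nat": False,
                "nat_t_port_mismatch": False, "decrypt_failures": 0}
    last_sent_dst_port = None
    for line in log.splitlines():
        if line.startswith("selected proposal:"):
            findings["weak_proposal"] = [a for a in WEAK_ALGS if a in line]
        elif "behind NAT" in line:
            findings["behind_nat"] = True
        elif "could not decrypt payloads" in line:
            findings["decrypt_failures"] += 1
        m = PKT_RE.match(line)
        if not m:
            continue
        direction, src_port, dst_port = m.groups()
        if direction == "sending":
            last_sent_dst_port = dst_port
        elif last_sent_dst_port == "4500" and src_port == "500":
            # We switched to NAT-T (4500) but the peer still answers from 500.
            findings["nat_t_port_mismatch"] = True
    return findings

def report(log: str) -> list:
    """Human-readable summary lines for the findings, one per detected issue."""
    f = triage(log)
    out = []
    if f["weak_proposal"]:
        out.append("weak IKE proposal: " + ", ".join(f["weak_proposal"]))
    if f["behind_nat"] and f["nat_t_port_mismatch"]:
        out.append("NAT-T port mismatch: sent to 4500, replies from 500")
    if f["decrypt_failures"]:
        out.append(f"{f['decrypt_failures']} payload decryption failure(s)")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```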
