I am trying to set up Debian squeeze as an L2TP/IPsec VPN for Android devices, without much success.
So far I have done the following:
Successfully configured Debian with openswan for IPsec. I can connect from a device running Android 2.3, but not from a device running Android 4, because of a bug in Android 4 (mentioned here: http://code.google.com/p/android/issues/detail?id=23124)
After replacing openswan with racoon I found that:
- I can connect from Android 4 using IPSec Xauth PSK (but only from a laptop running Android ICS, not from a real tablet running ICS. When connecting from the tablet my server reports the user as authenticated and everything seems fine, but the tablet says "connection failed" - but this is a cheap Chinese device running sausagemod, so maybe that is fine)
- I can connect using the Cisco VPN client
- but I cannot connect using L2TP/IPSec PSK from any Android device (which is the protocol I would prefer, since it is probably the only option supported by all Android clients regardless of version)
My configuration is as follows:
racoon.conf:
path pre_shared_key "/etc/racoon/psk.txt";
log info;

# ISAKMP listeners: 172.31.251.122 is the address the box uses as its
# "public" side (see the note below); 4500/udp is the NAT-T port.
listen
{
    isakmp 172.31.251.122[500];
    isakmp_natt 172.31.251.122[4500];
}

timer
{
    natt_keepalive 10sec;
}

remote anonymous {
    # Aggressive mode is what the Android PSK client uses. Caveat: it sends the
    # identity in the clear and the PSK-derived hash can be brute-forced offline.
    exchange_mode aggressive;
    my_identifier fqdn "mydomain.com.pl";
    doi ipsec_doi;
    # racoon installs the kernel SPD entries itself from the phase-2 selectors
    # the client proposes; hand-written spdadd entries for the same traffic overlap these.
    generate_policy on;
    situation_identity_only;
    lifetime time 28800 sec;
    passive on;
    initial_contact off;
    nat_traversal on;
    # accept the peer's lifetime/PFS values even if they differ from ours
    proposal_check obey;
    # plain PSK: what an L2TP/IPSec PSK client negotiates
    proposal {
        encryption_algorithm aes;
        # md5 is weak; prefer sha1 if the clients offer it
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    # PSK + Xauth: what the "IPSec Xauth PSK" and Cisco-style clients negotiate
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

# mode_cfg only applies to Xauth/mode-config clients; L2TP clients get their
# address from xl2tpd/pppd ("ip range" in xl2tpd.conf), not from this pool.
mode_cfg {
    auth_source system;
    network4 100.99.99.1;
    netmask4 255.255.255.0;
    pool_size 254;
    dns4 172.16.0.10;
    wins4 172.16.0.10;
    default_domain "mydomain.com.pl";
    split_network include 172.16.0.0/16;
    split_dns "mydomain.com.pl";
    save_passwd on;
    pfs_group 2;
}

# phase-2 proposals offered to every peer
sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
xl2tpd.conf:
[global]                                ; Global parameters:
port = 1701                             ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are
access control = no                     ; * Refuse connections without IP match
rand source = dev                       ; Source for entropy for random
#debug avp = yes
#debug network = yes
debug state = yes
debug tunnel = yes

[lns default]                           ; Our fallthrough LNS definition
exclusive = no                          ; * Only permit one tunnel per host
; note: this is the same 100.99.99.1-254 range that racoon's mode_cfg hands
; to Xauth clients, so an L2TP client and an Xauth client can get the same address
ip range = 100.99.99.1-100.99.99.254
local ip = 172.16.116.202               ; PPP server-side address (the box's LAN address)
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tp
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/xl2tpd-options
One important note: my Debian box is behind NAT, so the address 172.16.116.202 is its LAN address and 172.31.251.122 is its "public" address.
Any clues or suggestions?
-- EDIT --- @SmalllClanger:
After turning on all the debug options in xl2tpd.conf I get the following log:
Apr 22 12:22:07 l2tp racoon: INFO: respond new phase 1 negotiation: private_ip_of_my_server[500]<=>public_ip_of_android_client[500]
Apr 22 12:22:07 l2tp racoon: INFO: begin Aggressive mode.
Apr 22 12:22:07 l2tp racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: RFC 3947
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: DPD
Apr 22 12:22:07 l2tp racoon: INFO: Selected NAT-T version: RFC 3947
Apr 22 12:22:07 l2tp racoon: INFO: Adding remote and local NAT-D payloads.
Apr 22 12:22:07 l2tp racoon: INFO: Hashing public_ip_of_android_client[500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: Hashing private_ip_of_my_server[500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: NAT-T: ports changed to: public_ip_of_android_client[4500]<->private_ip_of_my_server[4500]
Apr 22 12:22:07 l2tp racoon: INFO: Hashing private_ip_of_my_server[4500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #0 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: Hashing public_ip_of_android_client[4500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #1 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: NAT detected: ME PEER
Apr 22 12:22:07 l2tp racoon: INFO: ISAKMP-SA established private_ip_of_my_server[4500]-public_ip_of_android_client[4500] spi:2ea51a231acb960b:e21a79f71e04b7e2
Apr 22 12:22:08 l2tp racoon: INFO: respond new phase 2 negotiation: private_ip_of_my_server[4500]<=>public_ip_of_android_client[4500]
Apr 22 12:22:08 l2tp racoon: INFO: no policy found, try to generate the policy : private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in
Apr 22 12:22:08 l2tp racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Apr 22 12:22:08 l2tp racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport public_ip_of_android_client[4500]->private_ip_of_my_server[4500] spi=35407234(0x21c4582)
Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport private_ip_of_my_server[4500]->public_ip_of_android_client[4500] spi=41649440(0x27b8520)
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_android_client/32[0] proto=udp dir=out"
I have noticed the following lines:
ERROR: such policy does not already exist: "private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_android_client/32[0] proto=udp dir=out"
which clearly indicates that the SA policy is wrong (both the server and the client are behind NAT, and at the moment I cannot change that on either side).
So I made what seemed to be the appropriate changes to /etc/ipsec-tools.conf, as follows:
# transport-mode ESP required for L2TP (UDP/1701) in both directions,
# keyed on the server's public address
spdadd public_ip_of_my_server[l2tp] 0.0.0.0/0 udp -P out ipsec
    esp/transport//require;
spdadd 0.0.0.0/0 public_ip_of_my_server[l2tp] udp -P in ipsec
    esp/transport//require;
But it did not help.
PS One more small question. My configuration requires the client to specify both a PSK username and the PSK key, but the PSK username (IPSec identifier) can only be set on Android 4 devices; there is no such option on Android 2.x devices. I tried replacing this value with ***** in racoon's psk.txt file, but still without success. How can I specify a PSK key without forcing the client to use an IPSec identifier?
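The following is an added example, not code from the post or from the racoon project. It reads the racoon log lines quoted above and pulls out the three facts a practitioner would check first when the IPsec SAs come up but xl2tpd never answers: which side racoon detected behind NAT, whether the phase-2 selector the client proposed for UDP/1701 names the same server address that phase 1 was negotiated on, and how many "such policy does not already exist" errors were logged. The sample log is a subset of the poster's lines (placeholders kept as written); the heuristic that a selector address differing from the phase-1 local address is worth flagging is my assumption, not something the post states, and the fix for it is not asserted here: the next step it points at is `setkey -DP` to compare what racoon actually installed against the socket xl2tpd binds.

```python
"""Racoon log triage for L2TP/IPsec in transport mode behind NAT.

Added example (not the poster's code). Reports NAT-D results, the phase-2
selector vs. the phase-1 local address, and the SPD-update errors.
Assumption: a selector whose server-side address differs from the phase-1
address is the first thing to investigate, because the transport-mode SPD
entry racoon generates is keyed on that selector address.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log lines from the post, placeholders as written there.
SAMPLE_LOG = """\
Apr 22 12:22:07 l2tp racoon: INFO: respond new phase 1 negotiation: private_ip_of_my_server[500]<=>public_ip_of_android_client[500]
Apr 22 12:22:07 l2tp racoon: INFO: begin Aggressive mode.
Apr 22 12:22:07 l2tp racoon: INFO: Selected NAT-T version: RFC 3947
Apr 22 12:22:07 l2tp racoon: INFO: NAT-T: ports changed to: public_ip_of_android_client[4500]<->private_ip_of_my_server[4500]
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #0 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #1 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: NAT detected: ME PEER
Apr 22 12:22:07 l2tp racoon: INFO: ISAKMP-SA established private_ip_of_my_server[4500]-public_ip_of_android_client[4500] spi:2ea51a231acb960b:e21a79f71e04b7e2
Apr 22 12:22:08 l2tp racoon: INFO: respond new phase 2 negotiation: private_ip_of_my_server[4500]<=>public_ip_of_android_client[4500]
Apr 22 12:22:08 l2tp racoon: INFO: no policy found, try to generate the policy : private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in
Apr 22 12:22:08 l2tp racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport public_ip_of_android_client[4500]->private_ip_of_my_server[4500] spi=35407234(0x21c4582)
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_android_client/32[0] proto=udp dir=out"
"""

ADDR = r"([^\s\[\]]+)\[(\d+)\]"          # address[port], address may be a placeholder
RE_P1 = re.compile(r"respond new phase 1 negotiation: " + ADDR + r"<=>" + ADDR)
RE_NAT = re.compile(r"NAT detected: (.+)$")
RE_GEN = re.compile(r"try to generate the policy : (\S+)/\d+\[(\d+)\] (\S+)/\d+\[(\d+)\] proto=(\w+) dir=(\w+)")
RE_MODE = re.compile(r"IPsec-SA established: ESP/(\w+) ")
RE_NOSP = re.compile(r'ERROR: such policy does not already exist: "(.+)"')


@dataclass
class Triage:
    local_p1: str = ""                               # our address in phase 1
    peer_p1: str = ""                                # peer address in phase 1
    nat_sides: list = field(default_factory=list)    # e.g. ["ME", "PEER"]
    encmode: str = ""                                # "Transport" or "Tunnel"
    selectors: list = field(default_factory=list)    # (server_addr, port, proto, dir)
    missing_policy_errors: int = 0
    findings: list = field(default_factory=list)


def triage(log_text: str, l2tp_port: int = 1701) -> Triage:
    """Parse racoon INFO/ERROR lines and return what to check next."""
    t = Triage()
    for line in log_text.splitlines():
        if m := RE_P1.search(line):
            t.local_p1, t.peer_p1 = m.group(1), m.group(3)
        elif m := RE_NAT.search(line):
            t.nat_sides = m.group(1).split()
        elif m := RE_GEN.search(line):
            src, sport, dst, dport, proto, direction = m.groups()
            # The server end of the selector is whichever side carries the L2TP port.
            server, port = (dst, dport) if int(dport) == l2tp_port else (src, sport)
            t.selectors.append((server, int(port), proto, direction))
        elif m := RE_MODE.search(line):
            t.encmode = m.group(1)
        elif RE_NOSP.search(line):
            t.missing_policy_errors += 1

    if "ME" in t.nat_sides:
        t.findings.append("racoon detected itself behind NAT (NAT detected: ME); "
                          "the client addresses the NAT's public side, not this host")
    for server, port, proto, direction in t.selectors:
        if server != t.local_p1:
            t.findings.append(
                f"phase-2 selector ({direction}) names {server}:{port}/{proto} but phase 1 ran on "
                f"{t.local_p1}; compare 'setkey -DP' with the address xl2tpd binds on UDP/{port}")
    if t.encmode and t.encmode != "Transport":
        t.findings.append(f"L2TP/IPsec expects transport mode, got {t.encmode}")
    if t.missing_policy_errors:
        t.findings.append(f"{t.missing_policy_errors} 'such policy does not already exist' "
                          "errors: racoon received SPD updates for policies not in its own cache")
    return t


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG).findings:
        print("-", finding)
```

Run against a real `/var/log/daemon.log` by passing the file contents to `triage()`; the selector check only needs the "phase 1" and "try to generate the policy" lines, so `log info` as in the poster's racoon.conf is enough.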