L2TP and IPsec (Openswan) on CentOS time out when connecting

I'm having a lot of trouble setting up a very simple VPN. I'm using CentOS 6.

My server address: 61.34.26.32 (fictional)

Whenever I try to connect (from an iPhone 5 or from Mac OS X), I get a connection timeout.

I haven't tried from Windows yet, but at least the Mac should work for my needs.

I'm going crazy! I've already spent more than 4 hours on this; I must be overlooking something very obvious, but I don't know what.

Here is my error log:

Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [RFC 3947] method set to=109 
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [Dead Peer Detection]
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: responding to Main Mode from unknown peer 178.197.232.17
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: Main mode peer ID is ID_IPV4_ADDR: '10.131.32.219'
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: deleting connection "L2TP-PSK-NAT" instance with peer 178.197.232.17 {isakmp=#0/ipsec=#0}
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: new NAT mapping for #19, was 178.197.232.17:229, now 178.197.232.17:24818
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: the peer proposed: 61.34.26.32/32:17/1701 -> 10.131.32.219/32:17/0
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: responding to Quick Mode proposal {msgid:fcf22de5}
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20:     us: 61.34.26.32<61.34.26.32>[+S=C]:17/1701
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20:   them: 178.197.232.17[10.131.32.219,+S=C]:17/54977===10.131.32.219/32
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x020bc811 <0x4fd90791 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=178.197.232.17:24818 DPD=none}
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA(0x020bc811) payload: deleting IPSEC State #20
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received and ignored informational message
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA payload: deleting ISAKMP State #19
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17: deleting connection "L2TP-PSK-NAT" instance with peer 178.197.232.17 {isakmp=#0/ipsec=#0}
Jan 21 16:15:46 isis pluto[9793]: packet from 178.197.232.17:24818: received and ignored informational message

ipsec.conf:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=61.34.26.32
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [420453:322899972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A INPUT -j LOG --log-prefix REJECTEDINPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -j LOG --log-prefix REJECTEDFORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p udp --sport 500 -j ACCEPT
-A OUTPUT -p udp --sport 4500 -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [180037:54564759]
:POSTROUTING ACCEPT [149:12428]
:OUTPUT ACCEPT [12263:921919]
-I POSTROUTING 1 -p 50 -j ACCEPT
-A POSTROUTING -o eth0 -d ! 10.1.2.0/24 -j MASQUERADE
COMMIT

And finally xl2tpd.conf:

[global]
ipsec saref = yes
listen-addr = 61.34.26.32
[lns default]
ip range = 10.1.2.2-10.1.2.254
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
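The pluto log above shows Main Mode and Quick Mode both completing (ISAKMP SA at 16:15:25, transport-mode IPsec SA at 16:15:26) and the peer sending Delete SA twenty seconds later, so the timeout happens above the IPsec layer, not in IKE. The following triage script is an added example, not part of the question or of Openswan: it parses pluto log lines into per-peer milestones and reports how far the negotiation got; the sample lines are constructed in the shape of the log above, reusing the question's placeholder addresses.

```python
import re

# Constructed sample in the shape of the pluto log in the question
# (the question's own placeholder addresses are reused).
SAMPLE_LOG = """\
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x020bc811 <0x4fd90791 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=178.197.232.17:24818 DPD=none}
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA(0x020bc811) payload: deleting IPSEC State #20
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA payload: deleting ISAKMP State #19
"""

# Matches pluto lines that belong to a named connection; "packet from ..." lines are skipped.
LINE_RE = re.compile(
    r'^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')

def parse_events(log_text):
    """Return (peer, seconds_of_day, milestone) tuples for the IKE milestones we care about."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = int(m['h']) * 3600 + int(m['m']) * 60 + int(m['s'])
        msg = m['msg']
        if 'ISAKMP SA established' in msg:
            events.append((m['peer'], t, 'isakmp_up'))
        elif 'IPsec SA established' in msg:
            events.append((m['peer'], t, 'ipsec_up'))
        elif 'deleting IPSEC State' in msg:
            events.append((m['peer'], t, 'ipsec_down'))
        elif 'deleting ISAKMP State' in msg:
            events.append((m['peer'], t, 'isakmp_down'))
    return events

def diagnose(log_text, peer):
    """Classify how far the negotiation with `peer` got, from the first occurrence of each milestone."""
    times = {}
    for p, t, ev in parse_events(log_text):
        if p == peer:
            times.setdefault(ev, t)
    if 'isakmp_up' not in times:
        return 'phase1-failed'      # Main Mode never completed: PSK, proposal or NAT-T problem
    if 'ipsec_up' not in times:
        return 'phase2-failed'      # Quick Mode rejected: protoport / subnet mismatch
    if 'ipsec_down' in times:
        held = times['ipsec_down'] - times['ipsec_up']
        return f'ipsec-ok-torn-down-after-{held}s'   # client gave up above IPsec (L2TP/PPP layer)
    return 'ipsec-up'

if __name__ == '__main__':
    print(diagnose(SAMPLE_LOG, '178.197.232.17'))
```

Run against the real /var/log/secure, a result of the torn-down form points the investigation at xl2tpd and pppd logs rather than at ipsec.conf.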
