我检查了很多其他 L2TP/IPsec VPN 帖子,但似乎没有一个与我遇到的问题完全吻合,所以这就是发生的事情。
我正在尝试在我的 Arch Linux 服务器上设置 VPN,以便从我的本地设备(其中大多数运行 Windows 8.1)连接到它。对于整个帖子,我将使用 123.1.1.1 和 ff:ff:ff:ff 作为 Arch 服务器的虚假外部 IP,并使用 123.2.2.2 作为我尝试连接的 Windows 8.1 桌面的 IP。
我已经设置好一切并运行此配置设置。Arch 服务器上的端口 1701 TCP、4500 UDP 和 500 UDP 已正确打开,并且它不是 ARM 服务器,而是 64 位服务器。当我尝试从 Windows 8 设备连接时,出现以下错误:
Error 789: The L2TP connection attempt failed because the security error encountered a processing error during the initial negotions with the remote computer.
ipsec 自动 --状态(我尝试连接后)
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface eth0/eth0 ff:ff:ff:ff::1
000 interface eth0/eth0 123.1.1.1
000 interface eth0/eth0 123.1.1.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 5 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "L2TP-PSK-noNAT": 123.1.1.1<123.1.1.1>:17/1701...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT": myip=unset; hisip=unset;
000 "L2TP-PSK-noNAT": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-noNAT": policy: PSK+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "L2TP-PSK-noNAT": dpd: action:clear; delay:10; timeout:20;
000 "L2TP-PSK-noNAT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-noNAT"[2]: 123.1.1.1<123.1.1.1>:17/1701...123.2.2.2[10.0.0.231]:17/1701; unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT"[2]: myip=unset; hisip=unset;
000 "L2TP-PSK-noNAT"[2]: ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-noNAT"[2]: policy: PSK+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "L2TP-PSK-noNAT"[2]: dpd: action:clear; delay:10; timeout:20;
000 "L2TP-PSK-noNAT"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "L2TP-PSK-noNAT"[2]: IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000
000 #2: "L2TP-PSK-noNAT"[2] 123.2.2.2:55371 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 286s; nodpd; idle; import:not set
000 #1: "L2TP-PSK-noNAT"[2] 123.2.2.2:55371 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28516s; newest ISAKMP; nodpd; idle; import:not set
000
ipsec 验证
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.41/K3.14.12-1-lts (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
配置:
/etc/ipsec.conf
version 2
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
protostack=netkey
plutoopts="--interface=eth0"
force_keepalive=yes
keep_alive=60
conn L2TP-PSK-noNAT
authby=secret
pfs=yes
auto=add
keyingtries=3
ikelifetime=8h
keylife=1h
type=transport
left=123.1.1.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=10
dpdtimeout=20
dpdaction=clear
/etc/ipsec.secrets(出于安全原因,值更改为虚假内容,但预共享密钥已在客户端上得到验证)
: RSA {
# RSA 2192 bits mydomain.net Thu Jul 17 09:16:05 2014
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0xf1f1f1
Modulus: 0xf1f1f1
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0xf1f1f1
Prime1: 0xf1f1f1
Prime2: 0xf1f1f1
Exponent1: 0xf1f1f1
Exponent2: 0xf1f1f1
Coefficient: 0xf1f1f1
}
# do not change the indenting of that "}"
123.1.1.1 %any: PSK "somereallylongstring"
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
saref refinfo = 30
[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
unix authentication = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
login
ms-dns 208.67.222.222
ms-dns 208.67.220.220
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
/etc/ppp/pap 机密
# Secrets for authentication using PAP
# client server secret IP addresses
* l2tpd "" *
/etc/pam.d/ppp
auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so