无法连接到 IPSEC/L2TP VPN Arch Linux/Windows 8

无法连接到 IPSEC/L2TP VPN Arch Linux/Windows 8

我检查了很多其他 L2TP/IPsec VPN 帖子,但似乎没有一个与我遇到的问题完全吻合,所以这就是发生的事情。

我正在尝试在我的 Arch Linux 服务器上设置 VPN,以便从我的本地设备(其中大多数运行 Windows 8.1)连接到它。对于整个帖子,我将使用 123.1.1.1 和 ff:ff:ff:ff 作为 Arch 服务器的虚假外部 IP,并使用 123.2.2.2 作为我尝试连接的 Windows 8.1 桌面的 IP。

我已经设置好一切并运行此配置设置。Arch 服务器上的端口 1701 TCP、4500 UDP 和 500 UDP 已正确打开,并且它不是 ARM 服务器,而是 64 位服务器。当我尝试从 Windows 8 设备连接时,出现以下错误:

Error 789: The L2TP connection attempt failed because the security error encountered a processing error during the initial negotions with the remote computer. 

ipsec 自动 --状态(我尝试连接后)

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface eth0/eth0 ff:ff:ff:ff::1
000 interface eth0/eth0 123.1.1.1
000 interface eth0/eth0 123.1.1.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 5 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "L2TP-PSK-noNAT": 123.1.1.1<123.1.1.1>:17/1701...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT":     myip=unset; hisip=unset;
000 "L2TP-PSK-noNAT":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-noNAT":   policy: PSK+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "L2TP-PSK-noNAT":   dpd: action:clear; delay:10; timeout:20;
000 "L2TP-PSK-noNAT":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-noNAT"[2]: 123.1.1.1<123.1.1.1>:17/1701...123.2.2.2[10.0.0.231]:17/1701; unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT"[2]:     myip=unset; hisip=unset;
000 "L2TP-PSK-noNAT"[2]:   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-noNAT"[2]:   policy: PSK+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "L2TP-PSK-noNAT"[2]:   dpd: action:clear; delay:10; timeout:20;
000 "L2TP-PSK-noNAT"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "L2TP-PSK-noNAT"[2]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000
000 #2: "L2TP-PSK-noNAT"[2] 123.2.2.2:55371 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 286s; nodpd; idle; import:not set
000 #1: "L2TP-PSK-noNAT"[2] 123.2.2.2:55371 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28516s; newest ISAKMP; nodpd; idle; import:not set
000

ipsec 验证

Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.41/K3.14.12-1-lts (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)           [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]

ipsec verify: encountered errors

配置:

/etc/ipsec.conf

version 2
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    protostack=netkey
    plutoopts="--interface=eth0"
    force_keepalive=yes
    keep_alive=60

conn L2TP-PSK-noNAT
    authby=secret
    pfs=yes
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    type=transport
    left=123.1.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear

/etc/ipsec.secrets(出于安全原因,值更改为虚假内容,但预共享密钥已在客户端上得到验证)

: RSA   {
        # RSA 2192 bits   mydomain.net   Thu Jul 17 09:16:05 2014
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0xf1f1f1
        Modulus: 0xf1f1f1
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0xf1f1f1
        Prime1: 0xf1f1f1
        Prime2: 0xf1f1f1
        Exponent1: 0xf1f1f1
        Exponent2: 0xf1f1f1
        Coefficient: 0xf1f1f1
        }
# do not change the indenting of that "}"

123.1.1.1  %any:   PSK "somereallylongstring"

/etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
saref refinfo = 30

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
unix authentication = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

login
ms-dns 208.67.222.222
ms-dns 208.67.220.220
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

/etc/ppp/pap 机密

# Secrets for authentication using PAP
# client        server  secret                  IP addresses
*       l2tpd           ""              *

/etc/pam.d/ppp

auth    required        pam_nologin.so
auth    required        pam_unix.so
account required        pam_unix.so
session required        pam_unix.so

相关内容