我已经在 FreeBSD 服务器上配置了 VPN 服务器,一切似乎都在运行,但 VPN 流量没有路由到本地 VPN 服务器,我不知道为什么。所以我的问题是,我当前的设置有什么问题?请注意,出于测试目的,防火墙已禁用。
我的服务器 IP 是 172.10.10.240,DNS 是 192.168.155.2,我希望分配给 VPN 客户端的 IP 地址范围是“172.10.10.150 --> 172.10.10.199”。
于是我尝试从 Android 手机(IPv6 地址已隐去)连接到我的服务器,连接建立后抓到的 wireshark 转储如下:
13:33:16.467067 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 > 172.10.10.240.l2f: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(35359) *RECV_WIN_SIZE(1)
13:33:16.467162 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 > 172.10.10.240.l2f: l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(35359) *RESULT_CODE(6)
从这里可以看到,服务器收到了来自该设备的连接请求,但除此之外再没有任何其他内容。
我的 racoon.log
2014-12-23 12:07:22: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-12-23 12:07:22: INFO: @(#)This product linked OpenSSL 1.0.1j-freebsd 15 Oct 2014 (http://www.openssl.org/)
2014-12-23 12:07:22: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-12-23 12:07:22: INFO: 172.10.10.240[4500] used for NAT-T
2014-12-23 12:07:22: INFO: 172.10.10.240[4500] used as isakmp port (fd=4)
2014-12-23 12:07:22: INFO: 172.10.10.240[500] used for NAT-T
2014-12-23 12:07:22: INFO: 172.10.10.240[500] used as isakmp port (fd=5)
这里没有任何其他记录,接下来看看我的 racoon.conf:
# racoon.conf: IKEv1 responder for the L2TP/IPsec service.
# Directive order matters (proposals are offered in the order listed), so
# the file is annotated only, not restructured.
# NOTE(review): the racoon.log shown above contains no phase-1 negotiation and
# "setkey -D" reports no SAD entries, so the client appears never to have
# started IKE (UDP/500 or UDP/4500) at all; the captured L2TP packets are
# decoded as plain "l2tp:" over UDP rather than ESP. Confirm the client
# profile is L2TP/IPsec PSK and that IKE packets actually reach this host.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# Bind IKE (UDP/500) and NAT-T (UDP/4500) to the server address only.
listen
{
isakmp 172.10.10.240 [500];
isakmp_natt 172.10.10.240 [4500];
strict_address;
}
# "anonymous": phase-1 settings applied to any peer; passive on = act as
# responder only and never initiate.
remote anonymous
{
exchange_mode main;
passive on;
# obey: accept the initiator's proposed lifetime / PFS settings.
proposal_check obey;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;
# Phase-1 proposals, tried in order: AES first, then 3DES, both with SHA-1
# and a 1024-bit MODP group, authenticated by the PSK from psk.txt.
# NOTE(review): 3DES, SHA-1 and modp1024 are legacy choices (presumably kept
# for older clients); move to stronger settings once the tunnel works.
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
# Phase-2 (ESP) parameters for any selector: AES or 3DES, HMAC-SHA1,
# deflate compression, PFS with modp1024.
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
mpd 配置文件 (mpd.conf):
# mpd.conf: mpd5 L2TP server. Commands run in order within each label, so
# nothing is reordered here; comments only.
startup:
# configure mpd users
# "set user <name> <password> <level>": this account guards the console and
# web interfaces configured below.
# NOTE(review): "super"/"adminpassword" is a trivial credential; change it
# before exposing either interface beyond localhost.
set user super adminpassword admin
# configure the console
# Console bound to loopback only.
set console self 127.0.0.1 5005
set console open
# configure the web server
# NOTE(review): 0.0.0.0 exposes the mpd web console on every interface
# (the firewall is disabled per the question); bind it to 127.0.0.1 like the
# console unless remote access is really intended.
set web self 0.0.0.0 5006
set web open
default:
load l2tp_server
l2tp_server:
# Define dynamic IP address pool.
# Pool lies inside the server's own 172.10.10.0/24 LAN; proxy-arp below is
# presumably what lets the server answer ARP for these addresses.
set ippool add pool_l2tp 172.10.10.150 172.10.10.199
# Create clonable bundle template named B_l2tp
create bundle template B_l2tp
set iface enable proxy-arp
# Clamp TCP MSS on the bundle interface to avoid fragmentation over the tunnel.
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
set ipcp ranges 172.10.10.0/24 ippool pool_l2tp
# DNS handed to clients via IPCP.
set ipcp dns 192.168.155.2
# Create clonable link template named L_l2tp
create link template L_l2tp l2tp
set link action bundle B_l2tp
set link mtu 1230
# Disable LCP echo keep-alives.
set link keep-alive 0 0
set link yes acfcomp protocomp
# Turn off every authentication method, then re-enable only CHAP.
set link no pap chap eap
set link enable chap
# Configure L2TP
# L2TP control/data endpoint is the server address (UDP/1701).
set l2tp self 172.10.10.240
set l2tp disable dataseq
# Allow to accept calls
set link enable incoming
setkey 配置文件 (setkey.conf):
# setkey.conf: clear the SAD and SPD, then require ESP in transport mode for
# all UDP/1701 (L2TP) traffic in both directions; any cleartext L2TP is
# dropped by the policy until IKE has installed an SA.
# NOTE(review): "setkey -D" above prints "No SAD entries", i.e. no SA was ever
# negotiated, so under these "require" policies no L2TP packet can reach mpd.
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
sysctl 参数 (sysctl.conf):
# sysctl.conf: tunables applied at boot.
# Bring tap interfaces up when opened.
net.link.tap.up_on_open=1
# Disable TCP segmentation offload.
net.inet.tcp.tso=0
# 0 = decapsulated tunnel-mode IPsec packets are not re-filtered by the
# firewall (IPv4 and IPv6). NOTE(review): the policies here are transport
# mode and the firewall is disabled, so these two are presumably no-ops now.
net.inet.ipsec.filtertunnel=0
net.inet6.ipsec6.filtertunnel=0
自定义内核选项
# Custom kernel options: crypto framework device for IPsec, extra IPsec
# logging, and NAT-T (ESP-in-UDP on port 4500).
# NOTE(review): "options IPSEC" itself is not listed; since "setkey -D" works
# it is presumably present and merely omitted from this excerpt — confirm.
device crypto
options IPSEC_DEBUG
options IPSEC_NAT_T
/etc/rc.conf
# /etc/rc.conf: enable IP forwarding, load the SPD from setkey.conf at boot
# via the ports setkey binary, start racoon with its log in
# /var/log/racoon.log, and start mpd.
gateway_enable="YES"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
最后是一些调试输出:
# setkey -D
No SAD entries.
/usr/local/etc/racoon/psk.txt
cat /usr/local/etc/racoon/psk.txt
# Single PSK entry; "*" appears intended to match any peer identifier so all
# clients share one key. NOTE(review): confirm this racoon build honours "*"
# (otherwise no PSK is found for the peer), and replace "testpsk" with a long
# random secret before real use.
* testpsk