I am trying to configure a racoon IPsec/L2TP client to connect to a Windows 2003 server. The server was originally meant to be used with Windows XP clients (tested successfully with Windows XP SP3, but it does not work with XP SP1 or Windows 7). To make things more complicated, both a pre-shared key and x509 certificates are used. I inferred the following from the working client and tried to replicate the configuration in racoon:

- no NAT-T (removed since Windows XP SP2)
- no tunneling mode (not supported by Windows XP)
- no AH (not supported by Windows XP)
- 3des as the encryption algorithm
- sha1 as the hash algorithm
- dh_group 2
- I am not sure about the authentication mode and tried both pre_shared_key and rsasig

My racoon.conf:
log debug2;
path certificate "/home/ipsec/out/etc/certs";
path pre_shared_key "/etc/psk.txt";
path script "/etc/racoon/scripts";

# Phase 1 (ISAKMP SA) with the Windows 2003 server
remote 10.0.1.2 {
    exchange_mode main;
    my_identifier user_fqdn "[email protected]";
    certificate_type x509 "client.example.crt" "client.example.key";
    ca_type x509 "ca.crt";
    passive off;
    generate_policy on;
    dpd_delay 20;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters, accepted for any peer/selector
sainfo anonymous {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
My setkey.conf:

# Flush the SAD and SPD
flush;
spdflush;
# Require transport-mode ESP for traffic to and from port 1701 (L2TP) on the server
spdadd 0.0.0.0/0 vpn.example.com[1701] any -P out ipsec esp/transport//require;
spdadd vpn.example.com[1701] 0.0.0.0/0 any -P in ipsec esp/transport//require;
I ran setkey -f /etc/setkey.conf and then racoon -F. Here is my racoon log:
Foreground mode.
2015-07-18 17:25:25: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2015-07-18 17:25:25: INFO: @(#)This product linked OpenSSL 1.0.0a 1 Jun 2010 (http://www.openssl.org/)
2015-07-18 17:25:25: INFO: Reading configuration from "/home/ipsec/out/etc/racoon.conf"
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/client.example.crt
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/ca.crt
2015-07-18 17:25:26: DEBUG2: lifetime = 28800
2015-07-18 17:25:26: DEBUG2: lifebyte = 0
2015-07-18 17:25:26: DEBUG2: encklen=0
2015-07-18 17:25:26: DEBUG2: p:1 t:1
2015-07-18 17:25:26: DEBUG2: 3DES-CBC(5)
2015-07-18 17:25:26: DEBUG2: SHA(2)
2015-07-18 17:25:26: DEBUG2: 1024-bit MODP group(2)
2015-07-18 17:25:26: DEBUG2: pre-shared key(1)
2015-07-18 17:25:26: DEBUG2:
2015-07-18 17:25:26: DEBUG2: Etype mismatch: got 2, expected 4.
2015-07-18 17:25:26: DEBUG: no check of compression algorithm; not supported in sadb message.
2015-07-18 17:25:26: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
2015-07-18 17:25:26: DEBUG2: parse successed.
2015-07-18 17:25:26: DEBUG: open /home/ipsec/out/var/racoon/racoon.sock as racoon management.
2015-07-18 17:25:26: DEBUG: Netlink: address 192.168.110.57 added
2015-07-18 17:25:26: INFO: 192.168.110.57[500] used as isakmp port (fd=7)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.1 added
2015-07-18 17:25:26: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.0 added
2015-07-18 17:25:26: INFO: 127.0.0.0[500] used as isakmp port (fd=9)
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 18000100 01000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000300 7a010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 18000100 02000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000100 70010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 18000100 03000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff200000 020006a5 d401c161 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4410aa55 00000000 00000000 00000000
04001200 02000200 69010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 16000100 04000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 2c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 16000100 05000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 23000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 16000100 06000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 1c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 16000100 07000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 13000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2:
02120000 16000100 08000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 0c000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:27: DEBUG: pk_recv: retry[0] recv()
2015-07-18 17:25:27: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:27: DEBUG2:
02120000 16000100 00000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 03000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
After this, no traffic goes through the established VPN (I am not even sure whether a connection is established at all), and setkey -D reports no SAD.
EDIT:
I found that the main problem is routing. Although the L2TP mode here is transport, the server is supposed to act as the gateway to the network behind it, but no traffic reaches the server over l2tp. Therefore the tunnel does not start. I tried adding routes but without success.
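Added example, not from the question and not the poster's configuration: the pieces that surround racoon on a Linux L2TP/IPsec client, written as a shell script (name assumed, e.g. l2tp-client.sh) that generates the files and, when run as root with the argument `apply`, brings the link up. Only the server address 10.0.1.2 comes from the question; xl2tpd as the L2TP client, a Debian-style /etc/ppp/ip-up.d hook, the remote LAN 192.168.0.0/24, the file paths and the PPP credentials are all assumptions. It shows two things the posted setkey.conf and log do not: the SPD is limited to udp, so only L2TP is forced through ESP transport mode rather than every packet to port 1701, and the network behind the server is routed over the PPP interface, because in L2TP/IPsec the IPsec SA only wraps UDP/1701 and routed traffic rides inside the L2TP/PPP session. The SA is negotiated only when the first L2TP packet matches the policy, which is consistent with setkey -D staying empty as long as no L2TP client actually sends anything.

```shell
#!/bin/sh
# Added example, not the poster's configuration: client-side pieces around
# racoon for L2TP/IPsec. ASSUMED unless stated: xl2tpd as L2TP client, a
# Debian-style /etc/ppp/ip-up.d hook, remote LAN, paths, PPP credentials.
set -u

VPN_SERVER="${VPN_SERVER:-10.0.1.2}"          # from the question
REMOTE_NET="${REMOTE_NET:-192.168.0.0/24}"     # assumed network behind the server
VPN_NAME="${VPN_NAME:-win2003}"                # assumed xl2tpd LAC name
PPP_USER="${PPP_USER:-vpnuser}"                # assumed PPP login
PPP_PASS="${PPP_PASS:-changeme}"               # assumed PPP password

# SPD for L2TP/IPsec: transport-mode ESP is required only for UDP/1701 to and
# from the server. 'udp' instead of 'any' keeps the policy from covering
# unrelated traffic to that port (and from dropping it while no SA exists).
gen_setkey_conf() {
    cat <<EOF
flush;
spdflush;
spdadd 0.0.0.0/0 ${VPN_SERVER}[1701] udp -P out ipsec esp/transport//require;
spdadd ${VPN_SERVER}[1701] 0.0.0.0/0 udp -P in ipsec esp/transport//require;
EOF
}

# xl2tpd LAC section. The SCCRQ it sends to UDP/1701 is the first packet that
# matches the SPD, which is what makes the kernel ask racoon for an SA. With
# no L2TP client sending, nothing matches and 'setkey -D' stays empty.
gen_xl2tpd_conf() {
    cat <<EOF
[global]
port = 1701

[lac ${VPN_NAME}]
lns = ${VPN_SERVER}
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
ppp debug = yes
EOF
}

# pppd options for the L2TP session: refuse the weaker methods so our own
# login uses MS-CHAPv2, accept the addresses the server assigns, and do not
# replace the default route (the route to the LAN is added by the ip-up hook).
gen_ppp_options() {
    cat <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
noccp
noauth
nodefaultroute
usepeerdns
mtu 1280
mru 1280
name "${PPP_USER}"
password "${PPP_PASS}"
EOF
}

# ip-up hook (pppd passes the interface name as $1). The ESP SA only wraps
# UDP/1701, so the network behind the server is routed over the PPP interface
# that L2TP brings up, not via an IPsec policy.
gen_ip_up() {
    cat <<EOF
#!/bin/sh
ip route replace ${REMOTE_NET} dev "\$1"
EOF
}

# Write the files and bring the link up; needs root and the tools installed.
apply() {
    gen_setkey_conf > /etc/setkey.conf
    gen_xl2tpd_conf > /etc/xl2tpd/xl2tpd.conf
    gen_ppp_options > /etc/ppp/options.l2tpd.client
    gen_ip_up > /etc/ppp/ip-up.d/l2tp-route
    chmod 600 /etc/ppp/options.l2tpd.client   # it holds the PPP password
    chmod 755 /etc/ppp/ip-up.d/l2tp-route
    setkey -f /etc/setkey.conf
    racoon -f /etc/racoon/racoon.conf          # daemonises
    xl2tpd                                     # daemonises
    sleep 2
    echo "c ${VPN_NAME}" > /var/run/xl2tpd/l2tp-control   # dial the LAC
    sleep 5
    setkey -D      # expect two transport-mode ESP SAs with the server
    ip route show  # expect the remote LAN routed via the ppp interface
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Running the script without arguments only defines the generator functions, so each file can be inspected first (for example `gen_setkey_conf`) before `apply` writes anything. If the SAs appear in setkey -D but the LAN stays unreachable, the place to look is the PPP link and its route, not the IPsec policies.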