xl2tp + strongswan ipsec -- xl2tp timeout

I am trying to connect to an IPsec/L2TP VPN from a private network behind a NAT router. It works from various Windows clients, but from my Linux machine (openSuSE 12.3, strongswan 5.1.3, xl2tp 1.3.0) I cannot connect. The first problem was that the server seems to handle only the IKEv1 protocol; "keyexchange = ikev1" in ipsec.conf solved that. Now "ipsec statusall" shows:

Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-53-desktop, x86_64):
  uptime: 6 minutes, since Dec 20 01:08:01 2016
  malloc: sbrk 2838528, mmap 0, used 652816, free 2185712
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
  client_ip
Connections:
    L2TP-PSK:  %any...server_ip  IKEv1
    L2TP-PSK:   local:  [client_ip] uses pre-shared key authentication
    L2TP-PSK:   remote: [server_ip] uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp] === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
    L2TP-PSK[1]: ESTABLISHED 6 minutes ago, client_ip[client_ip]...server_ip[server_ip]
    L2TP-PSK[1]: IKEv1 SPIs: a505b49c4edac068_i* 829bf572900386be_r, pre-shared key reauthentication in 7 hours
    L2TP-PSK[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

So on the IPsec side everything seems fine. But when I start the L2TP protocol with 'echo "c connection_name" > /var/run/xl2tpd/l2tp-control', I only see some timeouts in the syslog:

    xl2tpd[16779]: get_call: allocating new tunnel for host server_ip, port 1701.
    xl2tpd[16779]: Connecting to host server_ip, port 1701
    xl2tpd[16779]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
    xl2tpd[16779]: control_finish: sending SCCRQ
    xl2tpd[16779]: network_thread: select timeout
    ... (5x)
    Maximum retries exceeded for tunnel 55245.  Closing.
    network_thread: select timeout
    ... (5x)
    Unable to deliver closing message for tunnel 55245. Destroying anyway.

Using

    tcpdump host server_ip and port l2tp

shows only the following:

12:58:39.221494 IP client_ip.l2f > server_ip.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(my_site) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(49091) *RECV_WIN_SIZE(4)

repeated 5 times, then 3 times:

12:58:44.226892 IP client_ip.l2f > server_ip.l2f:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49091) *RESULT_CODE(1/0 Timeout)

Apparently the server does not respond to the L2TP packets. But as said, it works with several Windows clients. What could be going wrong?

What can I do to get more information about the L2TP connection?

I have already turned on all debug options in xl2tp.conf. Here are my config files:

ipsec.conf:

conn L2TP-PSK
        keyexchange=ikev1
        authby=secret
        auto=start
        keyingtries=1
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%any
        leftprotoport=udp/%any
        right=server_ip
        rightprotoport=udp/l2tp

xl2tpd.conf:

[global]
access control = yes
auth file = /etc/xl2tpd/l2tp-secrets
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lac connection_name]
lns = server_ip
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.connection_name
length bit = yes
require authentication = yes
require chap = yes
refuse pap = yes
name = my_loginname
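The L2TP control exchange the capture above shows only one side of, as an added Python example (not code from the question, from xl2tpd or from strongSwan): it builds the client's SCCRQ with the AVP values from the tcpdump line, the SCCRP an answering LNS would return (its tunnel id 7 and host name are assumed), and the StopCCN xl2tpd sends after its retries, then decodes each back into tcpdump's notation. All packet bytes are constructed here, not taken from the wire.

```python
import struct

# Header flag bits: T = control message, L = length present, S = sequence numbers
# present, plus the version nibble. Control messages always set T, L and S.
T_BIT, L_BIT, S_BIT, VERSION = 0x8000, 0x4000, 0x0800, 2
CTRL_FLAGS = T_BIT | L_BIT | S_BIT | VERSION                     # 0xC802
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}
# IETF (vendor id 0) attribute types used during tunnel setup, RFC 2661 section 4.4.
MSGTYPE, RESULT_CODE, PROTO_VER, FRAMING_CAP, BEARER_CAP = 0, 1, 2, 3, 4
FIRM_VER, HOST_NAME, VENDOR_NAME, ASSND_TUN_ID, RECV_WIN_SIZE = 6, 7, 8, 9, 10
AVP_NAMES = {0: "MSGTYPE", 1: "RESULT_CODE", 2: "PROTO_VER", 3: "FRAMING_CAP",
             4: "BEARER_CAP", 6: "FIRM_VER", 7: "HOST_NAME", 8: "VENDOR_NAME",
             9: "ASSND_TUN_ID", 10: "RECV_WIN_SIZE"}
# Fixed-size values as struct formats; PROTO_VER is the pair (version, revision).
FIXED = {MSGTYPE: "!H", FIRM_VER: "!H", ASSND_TUN_ID: "!H", RECV_WIN_SIZE: "!H",
         FRAMING_CAP: "!I", BEARER_CAP: "!I", PROTO_VER: "!BB"}
STRINGS = {HOST_NAME, VENDOR_NAME}
SHOW = {PROTO_VER: "%d.%d", RESULT_CODE: "%d/%d %s"}   # tcpdump-style rendering


def encode_avp(attr, value, mandatory=True):
    """One IETF AVP: M/H/length word, vendor id 0, attribute type, then the value."""
    if attr in FIXED:
        body = struct.pack(FIXED[attr], *(value if isinstance(value, tuple) else (value,)))
    elif attr == RESULT_CODE:                # value = (result, error, message)
        body = struct.pack("!HH", value[0], value[1]) + value[2].encode()
    else:
        body = value.encode() if isinstance(value, str) else bytes(value)
    length = 6 + len(body)                   # the 10-bit length includes the AVP header
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr) + body


def decode_avp(buf, off):
    """Decode the AVP at buf[off:]; returns ((attr, value, mandatory), next_offset)."""
    hdr, vendor, attr = struct.unpack_from("!HHH", buf, off)
    length = hdr & 0x03FF
    if length < 6 or off + length > len(buf):
        raise ValueError("bad AVP length %d at offset %d" % (length, off))
    if hdr & 0x4000:
        raise ValueError("hidden AVP (H bit) needs the tunnel secret to decode")
    value = body = buf[off + 6:off + length]  # vendor-specific/unknown AVPs stay raw
    if vendor == 0 and attr in FIXED:
        fields = struct.unpack(FIXED[attr], body)
        value = fields if len(fields) > 1 else fields[0]
    elif vendor == 0 and attr == RESULT_CODE:  # error code and message are optional
        error = struct.unpack_from("!H", body, 2)[0] if len(body) >= 4 else 0
        value = (struct.unpack_from("!H", body)[0], error, body[4:].decode(errors="replace"))
    elif vendor == 0 and attr in STRINGS:
        value = body.decode(errors="replace")
    return (attr, value, bool(hdr & 0x8000)), off + length


def build_control(tunnel_id, session_id, ns, nr, avps):
    """12-byte control header (T, L, S set) followed by mandatory AVPs."""
    body = b"".join(encode_avp(attr, value) for attr, value in avps)
    return struct.pack("!HHHHHH", CTRL_FLAGS, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def parse_control(pkt):
    """Validate the header, then walk the AVPs; raises on malformed input."""
    if len(pkt) < 12:
        raise ValueError("short header")
    flags, length, tid, sid, ns, nr = struct.unpack_from("!HHHHHH", pkt)
    if flags & 0x000F != VERSION or flags & CTRL_FLAGS != CTRL_FLAGS:
        raise ValueError("not an L2TPv2 control message with L and S set (flags 0x%04x)" % flags)
    if length > len(pkt):
        raise ValueError("truncated: header says %d bytes, got %d" % (length, len(pkt)))
    avps, off = [], 12
    while off < length:
        avp, off = decode_avp(pkt, off)
        avps.append(avp)
    return {"flags": flags, "tunnel": tid, "session": sid, "ns": ns, "nr": nr, "avps": avps}


def summarize(msg):
    """Render like tcpdump: [TLS](tid/sid)Ns=..,Nr=.. *NAME(value), * marking mandatory AVPs."""
    bits = "".join(b for b, m in (("T", T_BIT), ("L", L_BIT), ("S", S_BIT)) if msg["flags"] & m)
    parts = []
    for attr, value, mandatory in msg["avps"]:
        if attr == MSGTYPE:
            shown = MSG_TYPES.get(value, str(value))
        elif attr in SHOW:
            shown = SHOW[attr] % value
        elif attr in (FRAMING_CAP, BEARER_CAP):  # bit 1 = A(sync/nalog), bit 0 = S(ync)/D(igital)
            shown = ("A" if value & 2 else "") + (("S" if attr == FRAMING_CAP else "D") if value & 1 else "")
        else:
            shown = str(value)
        parts.append(("*" if mandatory else "") + "%s(%s)" % (AVP_NAMES.get(attr, "AVP%d" % attr), shown))
    return "[%s](%d/%d)Ns=%d,Nr=%d " % (bits, msg["tunnel"], msg["session"], msg["ns"], msg["nr"]) + " ".join(parts)


# Constructed packets. SCCRQ: the client's request from the capture above (AVP values copied
# from the tcpdump line); header tunnel id 0 because the peer has not assigned one yet.
SCCRQ = build_control(0, 0, 0, 0, [
    (MSGTYPE, 1), (PROTO_VER, (1, 0)), (FRAMING_CAP, 0x3), (BEARER_CAP, 0), (FIRM_VER, 1680),
    (HOST_NAME, "my_site"), (VENDOR_NAME, "xelerance.com"), (ASSND_TUN_ID, 49091), (RECV_WIN_SIZE, 4)])
# SCCRP: the reply an LNS sends (absent from the capture), addressed to the client's tunnel id
# 49091, Nr=1 acknowledging Ns=0. LNS tunnel id 7 and host name are assumptions.
SCCRP = build_control(49091, 0, 0, 1, [
    (MSGTYPE, 2), (PROTO_VER, (1, 0)), (FRAMING_CAP, 0x3), (BEARER_CAP, 0),
    (HOST_NAME, "lns.example"), (ASSND_TUN_ID, 7), (RECV_WIN_SIZE, 4)])
# StopCCN: sent by xl2tpd once retries are exhausted; result 1 = clear control connection.
STOPCCN = build_control(0, 0, 1, 0, [(MSGTYPE, 4), (ASSND_TUN_ID, 49091), (RESULT_CODE, (1, 0, "Timeout"))])

for pkt in (SCCRQ, SCCRP, STOPCCN):
    print(summarize(parse_control(pkt)))
```

The message that matters for the failure above is the SCCRP: a working setup shows one coming back from server_ip carrying the client's ASSND_TUN_ID (49091) in its header and Nr=1, and this capture never contains one. Two checks are worth doing before digging further into xl2tpd, because an L2TP/IPsec server ignores L2TP that arrives outside IPsec. First, the statusall output as posted lists only the IKE SA (L2TP-PSK[1]) and no CHILD_SA line of the form "L2TP-PSK{1}: INSTALLED, TRANSPORT, ...", so "ip xfrm policy" and "ip -s xfrm state" should confirm a transport-mode policy covering UDP port 1701 and an ESP SA whose packet counters grow when xl2tpd sends. Second, tcpdump on a Linux interface sees outbound packets after xfrm has processed them, so an SCCRQ that shows up in the clear on UDP port 1701, rather than inside ESP or UDP 4500 (NAT-T, which a client behind a NAT router will be using), left the host unprotected.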

Answer 1

In my environment (Ubuntu), I was able to get this working by using the NetworkManager L2TP plugin and forcing the specific encryption algorithms the server supports.

To discover which algorithms the server supports, you can use ike-scan, which is probably in your package repository, or you can find an equivalent script here

sudo apt-get install ike-scan
sudo ike-scan <address.of.server>

Then, once you know the supported proposals, you can put them in the config file, or use the GUI by installing the following.

sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
sudo apt-get update
# leave off gnome if using Unity/KDE
sudo apt-get install network-manager-l2tp-gnome

http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/

http://disq.us/p/1jcput9
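Pinning the discovered proposal in an ipsec.conf-style configuration like the one in the question, as an added example (not part of the answer above, and not taken from strongSwan, xl2tpd or nm-l2tp documentation). The IKE line matches the proposal the question's statusall output reports as negotiated (AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048); the ESP line is an assumption, since the question shows no established CHILD_SA, and should be replaced with whatever the server actually accepts. That same IKE proposal can be probed explicitly with "ike-scan --trans=7/128,2,1,14 server_ip" (encryption transform 7 with a 128-bit key = AES-128, hash 2 = SHA1, authentication 1 = pre-shared key, DH group 14 = modp2048); a reply means the server accepts it.

```ini
conn L2TP-PSK
        keyexchange=ikev1
        authby=secret
        auto=start
        type=transport
        left=%any
        leftprotoport=udp/%any
        right=server_ip
        rightprotoport=udp/l2tp
        # Offer exactly this IKE proposal; the trailing ! makes strongSwan reject
        # anything else instead of falling back to its default proposal list.
        ike=aes128-sha1-modp2048!
        # ESP proposal is an assumption: substitute what the server accepts.
        esp=aes128-sha1!
```

Pinning both lines also makes a mismatch visible immediately in the charon log as a rejected proposal, instead of leaving phase 1 up while quick mode quietly fails to install a CHILD_SA.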
