基于 Libreswan 的 VPN 在 IPSEC 认证后未建立 L2TP 隧道

基于 Libreswan 的 VPN 在 IPSEC 认证后未建立 L2TP 隧道

过去几天,我一直尝试在 CentOS 机器上设置 libreswan VPN 客户端以连接到 libreswan VPN 服务器(也是 CentOS),但没有成功。

问题如下: - VPN 服务器已启动并正在运行,我可以从 Windows 计算机连接到它,一切正常 - Libreswan VPN 客户端与服务器进行身份验证,但之后什么都没有。客户端和服务器都没有正在运行的 VPN 接口,日志在 IPSEC 之后没有显示任何一方的活动。

我的最终目标是连接到一个配置过时、我无法控制的 VPN,所以我能做的就是配置一个 libreswan 客户端。我现在尝试连接的 VPN 服务器是我为测试客户端而设置的。

服务器和客户端都是CentOS 7 KVM,共享同一物理主机。

因为我怀疑问题出在客户端,所以我只会发布客户端的配置而不是服务器的配置,但如果需要的话我会发布所有内容。

客户端 ipsec.conf:

config setup

conn vpnpsk
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=yes
     ikelifetime=8h
     keylife=1h
     type=transport
     left=%defaultroute
     leftprotoport=17/1701
     right=<ServerIP>
     rightprotoport=17/1701
     rightid=<ServerIP>

客户端ipsec.secrets:

[root@localhost ~]# vim /etc/ipsec.secrets
%any <ServerIP> : PSK "SECRET"

客户端xl2tpd.conf:

[lac vpn-connection]
lns = <ServerIP>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name <user>
password <password>

当启动连接时这是输出:

[root@localhost ~]# ipsec auto --up vpnpsk
002 "vpnpsk" #1: initiating Main Mode
104 "vpnpsk" #1: STATE_MAIN_I1: initiate
003 "vpnpsk" #1: received Vendor ID payload [Dead Peer Detection]
003 "vpnpsk" #1: received Vendor ID payload [FRAGMENTATION]
003 "vpnpsk" #1: received Vendor ID payload [RFC 3947]
002 "vpnpsk" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "vpnpsk" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "vpnpsk" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpnpsk" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "vpnpsk" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "vpnpsk" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpnpsk" #1: Main mode peer ID is ID_IPV4_ADDR: '<ServerIP>'
002 "vpnpsk" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "vpnpsk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "vpnpsk" #1: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:6305f4b0 proposal=defaults pfsgroup=no-pfs}
117 "vpnpsk" #2: STATE_QUICK_I1: initiate
002 "vpnpsk" #2: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "vpnpsk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xad2a86a6 <0xcf8adbd0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}

此后没有更多输出。ip addr:

[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether a6:6a:06:d0:03:80 brd ff:ff:ff:ff:ff:ff
    inet <ClientIP>/24 brd <broadcast> scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::eb5b:83d6:e0aa:940e/64 scope link
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0

在服务器端:

Mar 22 17:17:28 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received and ignored empty informational notification payload
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [Dead Peer Detection]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [FRAGMENTATION]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [RFC 3947]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: responding to Main Mode from unknown peer <ClientIP>
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Main mode peer ID is ID_IPV4_ADDR: '<ClientIP>'
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: the peer proposed: <ServerIP>/32:17/1701 -> <ClientIP>/32:17/0
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: responding to Quick Mode proposal {msgid:6305f4b0}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135:     us: <ServerIP><<ServerIP>>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135:   them: <ClientIP>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}

并且不再记录。

客户端iptables -L:

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  <ServerIP>       anywhere
ACCEPT     udp  --  <ServerIP>       anywhere
ACCEPT     tcp  --  10.0.0.0/24          anywhere
ACCEPT     udp  --  10.0.0.0/24          anywhere
ACCEPT     tcp  --  <other_peer>  anywhere
ACCEPT     udp  --  <other_peer>  anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             <ServerIP>
ACCEPT     udp  --  anywhere             <ServerIP>
ACCEPT     tcp  --  anywhere             10.0.0.0/24
ACCEPT     udp  --  anywhere             10.0.0.0/24
ACCEPT     tcp  --  anywhere             <other_peer>
ACCEPT     udp  --  anywhere             <other_peer>

10.0.0.0/24 是 VPN 网络。

感谢您阅读所有这些内容。

答案1

您可能在客户端的输入链中遗漏了 ESP 接受规则。另外,请将 L2TP 端口添加到规则列表中。

iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m multiport --dports 1701,500,4500 -j ACCEPT

而且,如果我读得正确的话,您的 INPUT 链中在 ACCEPT 规则之前有一个 REJECT 规则 - 请删除它!

相关内容