Diagnosing L2TP VPN connection failures on CentOS 7


My local machine, CentOS Linux release 7.7.1908 (Core), connects to my workplace VPN using L2TP/IPsec with a PSK. I have two gateways, but since both produce similar logs, I will post only one of them here.

When I try to connect to my VPN (gateway IP 103.7.249.66), the connection fails (oddly, it did connect a few days ago). This is what I get in /var/log/messages:

May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6288] audit: op="connection-activate" uuid="20249836-0604-4082-b028-ec61462c2a8e" name="TigerIT1" pid=2653 uid=1002 result="success"
May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6321] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: Started the VPN service, PID 6949
May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6379] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: Saw the service appear; activating connection
May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6811] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN connection: (ConnectInteractive) reply received
May 10 11:42:49 nid2_mig journal: Check port 1701
May 10 11:42:49 nid2_mig NetworkManager: Redirecting to: systemctl restart ipsec.service
May 10 11:42:49 nid2_mig systemd: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
May 10 11:42:49 nid2_mig whack: 002 shutting down
May 10 11:42:49 nid2_mig ipsec: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6977]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig systemd: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
May 10 11:42:49 nid2_mig systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
May 10 11:42:49 nid2_mig addconn: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6983]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig _stackmanager: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6989]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig _stackmanager: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6994]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig ipsec: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig libipsecconf[7254]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig ipsec: nflog ipsec capture disabled
May 10 11:42:50 nid2_mig systemd: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
May 10 11:42:50 nid2_mig libipsecconf[7299]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig NetworkManager: 002 listening for IKE messages
May 10 11:42:50 nid2_mig NetworkManager: 002 forgetting secrets
May 10 11:42:50 nid2_mig NetworkManager: 002 loading secrets from "/etc/ipsec.secrets"
May 10 11:42:50 nid2_mig NetworkManager: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
May 10 11:42:50 nid2_mig NetworkManager: debugging mode enabled
May 10 11:42:50 nid2_mig NetworkManager: end of file /var/run/nm-l2tp-20249836-0604-4082-b028-ec61462c2a8e/ipsec.conf
May 10 11:42:50 nid2_mig NetworkManager: Loading conn 20249836-0604-4082-b028-ec61462c2a8e
May 10 11:42:50 nid2_mig NetworkManager: starter: left is KH_DEFAULTROUTE
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" labeled_ipsec=0
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" modecfgdns=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" modecfgdomains=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" modecfgbanner=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" mark=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" mark-in=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" mark-out=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" vti_iface=(null)
May 10 11:42:50 nid2_mig NetworkManager: opening file: /var/run/nm-l2tp-20249836-0604-4082-b028-ec61462c2a8e/ipsec.conf
May 10 11:42:50 nid2_mig NetworkManager: loading named conns: 20249836-0604-4082-b028-ec61462c2a8e
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 1, seeking_gateway = 1, has_peer = 1
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 0, seeking_gateway = 1, has_dst = 1
May 10 11:42:50 nid2_mig NetworkManager: dst  via 192.168.68.1 dev wlp2s0 src  table 254
May 10 11:42:50 nid2_mig NetworkManager: set nexthop: 192.168.68.1
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.0 via  dev wlp2s0 src 192.168.68.108 table 254
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254
May 10 11:42:50 nid2_mig NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.0 via  dev wlp2s0 src 192.168.68.108 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.108 via  dev wlp2s0 src 192.168.68.108 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.255 via  dev wlp2s0 src 192.168.68.108 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 1, seeking_gateway = 0, has_peer = 1
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 1, seeking_gateway = 0, has_dst = 1
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.1 via  dev wlp2s0 src 192.168.68.108 table 254
May 10 11:42:50 nid2_mig NetworkManager: set addr: 192.168.68.108
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 0, seeking_gateway = 0, has_peer = 1
May 10 11:42:50 nid2_mig NetworkManager: 002 "20249836-0604-4082-b028-ec61462c2a8e" #1: initiating Main Mode
May 10 11:42:50 nid2_mig NetworkManager: 104 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I1: initiate
May 10 11:42:50 nid2_mig NetworkManager: 106 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 11:42:50 nid2_mig NetworkManager: 108 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 10 11:42:50 nid2_mig NetworkManager: 002 "20249836-0604-4082-b028-ec61462c2a8e" #1: Peer ID is ID_IPV4_ADDR: '103.7.249.66'
May 10 11:42:50 nid2_mig NetworkManager: 004 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 002 "20249836-0604-4082-b028-ec61462c2a8e" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:a6c5fe68 proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 117 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: initiate
May 10 11:42:50 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
May 10 11:42:51 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
May 10 11:42:52 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
May 10 11:42:54 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
May 10 11:42:58 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
May 10 11:43:00 nid2_mig journal: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
May 10 11:43:00 nid2_mig NetworkManager[1100]: <info>  [1589089380.2142] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN plugin: state changed: stopped (6)
May 10 11:43:00 nid2_mig NetworkManager[1100]: <info>  [1589089380.2161] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN service disappeared
May 10 11:43:00 nid2_mig NetworkManager[1100]: <warn>  [1589089380.2168] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

There is no .conf file in /etc/ipsec.d/ on my system.

Traceroute to the gateway IP:

traceroute to 103.7.249.66 (103.7.249.66), 30 hops max, 60 byte packets
 1  gateway (192.168.68.1)  6.709 ms  6.734 ms  6.703 ms
 2  192.168.0.1 (192.168.0.1)  7.331 ms  7.401 ms  7.390 ms
 3  10.0.0.1 (10.0.0.1)  10.848 ms  10.834 ms  10.811 ms
 4  228.51.103-1-baninetworks.com (103.51.228.1)  10.786 ms  10.765 ms  10.739 ms
 5  220.152.112.213 (220.152.112.213)  8.062 ms  8.091 ms  10.269 ms
 6  103.7.248.109 (103.7.248.109)  15.651 ms  14.175 ms  14.188 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
.........

Local IP routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.68.1    0.0.0.0         UG    600    0        0 wlp2s0
192.168.68.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

I used nm-connection-editor to create/update the VPN connection. I did not change any of the IPsec or PPP settings. The current configuration looks like this:

(screenshots: L2TP IPsec settings, L2TP PPP options)

I have tried deleting and recreating the connection several times. Reconfiguring the connection sometimes helps on Windows, but on CentOS it makes no difference.

My machine connects to the internet through a WiFi mesh router; however, my other machine (Windows) and my phone (Android) are on the same network, and I can connect to the VPN from those devices. I have not changed anything related to IP forwarding or MTU. I tried contacting my network administrator, but they could not tell me much because the connection is never established. However, if I knew what to ask, I could ask them any specific question.

I don't think this is related to my ISP, since I can connect from other operating systems.

I want to investigate what exactly is going wrong. I know little about network communication interfaces, but I would like to understand more before trying random fixes from the internet. Let me know if I can provide more information.

Answer 1

From the logs, IPsec phase 1 (Main Mode) succeeds, but phase 2 (Quick Mode) fails.

The VPN server is probably not using Perfect Forward Secrecy (PFS) in phase 2 (Quick Mode), so try ticking the "Disable PFS" checkbox.
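As an added example (not part of the question or the answer), a small Python script that applies the answer's reasoning to the log above: it parses the libreswan state lines that NetworkManager relays into /var/log/messages and reports whether the IKE exchange stalled in phase 1 or phase 2, and whether the client proposed PFS. The sample log is a constructed, shortened excerpt of the lines quoted in the question.

```python
import re

# Constructed excerpt of the /var/log/messages lines quoted in the question
# (connection UUID shortened); the full log is the one in the question above.
SAMPLE_LOG = """\
May 10 11:42:50 nid2_mig NetworkManager: 002 "2024..." #1: initiating Main Mode
May 10 11:42:50 nid2_mig NetworkManager: 004 "2024..." #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 002 "2024..." #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW {using isakmp#1 msgid:a6c5fe68 proposal=AES_CBC_256-HMAC_SHA1_96 pfsgroup=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 117 "2024..." #2: STATE_QUICK_I1: initiate
May 10 11:42:50 nid2_mig NetworkManager: 010 "2024..." #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
May 10 11:42:51 nid2_mig NetworkManager: 010 "2024..." #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
May 10 11:42:52 nid2_mig NetworkManager: 010 "2024..." #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
May 10 11:43:00 nid2_mig NetworkManager[1100]: <warn>  vpn-connection[...]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
"""

PARAMS_RE = re.compile(r"\{([^}]*)\}")  # the {...} parameter block libreswan appends

def diagnose_ike(log_text):
    """Classify how far the IKEv1 exchange (Main Mode, then Quick Mode) got."""
    r = {"phase1_established": False, "phase1_params": "",
         "phase2_pfs": None, "phase2_retransmissions": 0,
         "phase2_established": False}
    for line in log_text.splitlines():
        if "STATE_MAIN_I4: ISAKMP SA established" in line:
            r["phase1_established"] = True
            m = PARAMS_RE.search(line)
            r["phase1_params"] = m.group(1) if m else ""
        elif "initiating Quick Mode" in line:
            # The '+'-joined flag list after "Quick Mode" records whether PFS was proposed.
            flags = line.split("initiating Quick Mode", 1)[1].split("{", 1)[0]
            r["phase2_pfs"] = "PFS" in flags.strip().split("+")
        elif "STATE_QUICK_I1: retransmission" in line:
            r["phase2_retransmissions"] += 1
        elif "IPsec SA established" in line:
            r["phase2_established"] = True
    if not r["phase1_established"]:
        r["verdict"] = "phase 1 (Main Mode) never completed: check PSK, IKE proposal or UDP/500 reachability"
    elif r["phase2_established"]:
        r["verdict"] = "IPsec is up: look at the L2TP/PPP stage (xl2tpd, pppd) next"
    else:
        r["verdict"] = ("phase 1 OK, phase 2 (Quick Mode) unanswered after %d retransmissions: "
                        "ESP proposal or PFS mismatch%s" % (r["phase2_retransmissions"],
                        " (client proposed PFS)" if r["phase2_pfs"] else ""))
    return r

if __name__ == "__main__":
    for key, value in diagnose_ike(SAMPLE_LOG).items():
        print("%-24s %s" % (key, value))
```

Run it against the real file with `diagnose_ike(open("/var/log/messages").read())`; the verdict for the log above points at the Quick Mode proposal, which is what the answer's "Disable PFS" suggestion changes.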
