Configuring VPN L2TP/IPsec

At work they require us to connect through an L2TP/IPsec VPN, and they only provide support for Windows. I have a manual on how to configure it in Windows, and I have verified that it works. But when I try to carry that configuration over to Linux, it fails.

In Windows 10, the configuration consists of creating a VPN with the following data (I put "invented" values in italics to avoid leaking the real ones):

  • Connection name: *My VPN*
  • Server name or address: *vpn.ssl.domain.com*
  • VPN type: L2TP/IPsec with pre-shared key
  • Pre-shared key: *sharedkey*
  • Type of sign-in info: User name and password
  • User name: *myusername* (matches the Windows user)
  • Password: *mypassword* (matches the Windows user's password)

Then you go to the created connection and edit the "Security" tab to set these:

  • Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
  • Data encryption: ✓ Optional encryption (connect even if no encryption)
  • Authentication: ✓ Allow these protocols: ✓ Unencrypted password (PAP)

That's it; it connects with these settings. If I check the Windows events while connecting, I see the following:

User *DOMAIN\myusername* started a VPN connection attempt with the per-user connection profile named *My VPN*. Connection configuration:
Dial-in User = *myusername*
VpnStrategy = L2TP
DataEncryption = Requested
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = PAP
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key.

User *DOMAIN\myusername* is trying to establish a link to the remote access server for the connection named *My VPN* using the following device:
Server address/Phone Number = *XX.XXX.XX.XXX*
Device = WAN Miniport (L2TP)
Port = VPN4-1
MediaType = VPN.

User *DOMAIN\myusername* successfully established a link to the remote access server using the following device:
Server address/Phone Number = *XX.XXX.XX.XXX*
Device = WAN Miniport (L2TP)
Port = VPN4-1
MediaType = VPN.

User *DOMAIN\myusername* established the link to the remote access server.

User *DOMAIN\myusername* dialed a connection named *My VPN* to the remote access server, which connected successfully. Connection parameters:
TunnelIpAddress = *YY.Y.YYY.YYY*
TunnelIpv6Address = *yyyy::*
Dial-in User = *myusername*

What I have tried on Linux Mint 21.3 XFCE is the following:

sudo apt-get install network-manager-l2tp network-manager-l2tp-gnome

Then I create a new VPN with the following data:

  • Type: Layer 2 Tunneling Protocol (L2TP)
  • Connection name: *My VPN*
  • VPN tab:
    • General -> Gateway: *vpn.ssl.domain.com*
    • User Authentication:
      • Type: Password
      • User name: *myusername* (matches the Windows user)
      • Password: *mypassword* (matches the Windows user's password)
  • IPsec Settings...
    • ✓ Enable IPsec tunnel to L2TP host
    • Machine Authentication:
      • Type: Pre-shared key (PSK)
      • Pre-shared key: *sharedkey*
  • PPP Settings...
    • Authentication: Allow the following authentication methods: ✓ PAP

But when I try to connect, it fails:

$ nmcli con up id "*My VPN*"
Error: failed to activate connection: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=8703dc6b-780e-47c5-8216-6f4dbbbf05f4 + NM_DEVICE=5a5d37f8-253a-4cd3-a398-3c5b50cf0022' for more details.

$ grep -iE "strongSwan|ipsec|charon|NetworkManager" /var/log/syslog 
17:50 NetworkManager[685]: <debug> [1712081870.0917] connectivity: (enp0s31f6,IPv4,155) skip connectivity check due to no carrier
17:50 NetworkManager[685]: <debug> [1712081870.0918] connectivity: (enp0s31f6,IPv6,156) skip connectivity check due to no carrier
17:50 NetworkManager[685]: <debug> [1712081870.0919] connectivity: (enp0s31f6,IPv4,155) check completed: NONE; no carrier
17:50 NetworkManager[685]: <debug> [1712081870.0919] connectivity: (enp0s31f6,IPv6,156) check completed: NONE; no carrier
17:57 NetworkManager[685]: <debug> [1712081877.2376] connectivity: (docker0,IPv4,157) skip connectivity check due to no carrier
17:57 NetworkManager[685]: <debug> [1712081877.2377] connectivity: (docker0,IPv6,158) skip connectivity check due to no carrier
17:57 NetworkManager[685]: <debug> [1712081877.2378] connectivity: (docker0,IPv4,157) check completed: NONE; no carrier
17:57 NetworkManager[685]: <debug> [1712081877.2378] connectivity: (docker0,IPv6,158) check completed: NONE; no carrier
18:48 NetworkManager[685]: <debug> [1712081928.4839] agent-manager: agent[58dc3361ebb74f61,:1.166/nmcli-connect/1000]: requesting permissions
18:48 NetworkManager[685]: <info>  [1712081928.4875] agent-manager: agent[58dc3361ebb74f61,:1.166/nmcli-connect/1000]: agent registered
18:48 NetworkManager[685]: <debug> [1712081928.4876] policy: re-enabling autoconnect for all connections (only clear no-secrets flag)
18:48 NetworkManager[685]: <debug> [1712081928.4887] active-connection[0x55dac9a88250]: set device "wlp4s0" [0x55dac999c530]
18:48 NetworkManager[685]: <debug> [1712081928.4887] device[70bf7572249cdf85] (wlp4s0): add_pending_action (1): 'activation-3'
18:48 NetworkManager[685]: <debug> [1712081928.4889] active-connection[0x55dac9a88250]: constructed (NMVpnConnection, version-id 3, type managed)
18:48 NetworkManager[685]: <info>  [1712081928.4914] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: starting l2tp
18:48 NetworkManager[685]: <debug> [1712081928.4914] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: starting: watch D-Bus service org.freedesktop.NetworkManager.l2tp
18:48 NetworkManager[685]: <debug> [1712081928.4916] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: set state: prepare (was waiting)
18:48 NetworkManager[685]: <debug> [1712081928.4916] active-connection[0x55dac9a88250]: set state activating (was unknown)
18:48 NetworkManager[685]: <debug> [1712081928.4917] active-connection[0x55dac9a88250]: check-master-ready: not signalling (state activating, no master)
18:48 NetworkManager[685]: <debug> [1712081928.4918] manager: ActivatingConnection now (none)
18:48 NetworkManager[685]: <info>  [1712081928.4923] audit: op="connection-activate" uuid="8703dc6b-780e-47ab-9bef-8ae1782c35c1" name="*My VPN*" pid=11454 uid=1000 result="success"
18:48 NetworkManager[685]: <debug> [1712081928.4968] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: starting: VPN service has PID 11459
18:48 NetworkManager[685]: <debug> [1712081928.5060] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: set state: need-auth (was prepare)
18:48 NetworkManager[685]: <debug> [1712081928.5064] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: secrets: requesting VPN secrets pass #1
18:48 NetworkManager[685]: <debug> [1712081928.5071] Secrets requested for connection /org/freedesktop/NetworkManager/Settings/2 (*My VPN*/vpn)
18:48 NetworkManager[685]: <debug> [1712081928.5072] settings-connection[e1e72689c4b55f7c,8703dc6b-780e-47ab-9bef-8ae1782c35c1]: (vpn:0x55dac9a84200) secrets requested flags 0x80000004 hints '(none)'
18:48 NetworkManager[685]: <debug> [1712081928.5075] agent-manager: ([24b5525205add36c/"*My VPN*"/"vpn"]) system settings secrets sufficient
18:48 NetworkManager[685]: <debug> [1712081928.5080] settings-connection[e1e72689c4b55f7c,8703dc6b-780e-47ab-9bef-8ae1782c35c1]: (vpn:0x55dac9a7e990) existing secrets returned
18:48 NetworkManager[685]: <debug> [1712081928.5081] settings-connection[e1e72689c4b55f7c,8703dc6b-780e-47ab-9bef-8ae1782c35c1]: (vpn:0x55dac9a7e990) secrets request completed
18:48 NetworkManager[685]: <debug> [1712081928.5084] settings-connection[e1e72689c4b55f7c,8703dc6b-780e-47ab-9bef-8ae1782c35c1]: (vpn:0x55dac9a7e990) new agent secrets processed
18:48 NetworkManager[685]: <debug> [1712081928.5091] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: secrets: asking service if additional secrets are required
18:48 NetworkManager[685]: <debug> [1712081928.5094] device[b1073be5cc444548] (p2p-dev-wlp4s0): add_pending_action (1): 'autoactivate'
18:48 NetworkManager[685]: <debug> [1712081928.5103] device[b1073be5cc444548] (p2p-dev-wlp4s0): remove_pending_action (0): 'autoactivate'
18:48 NetworkManager[685]: <debug> [1712081928.5131] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: service indicated no additional secrets required
18:48 NetworkManager[685]: <debug> [1712081928.5133] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: connect: allowing interactive secrets as all agents have that capability
18:48 NetworkManager[685]: <debug> [1712081928.5135] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: set state: connect (was need-auth)
18:48 NetworkManager[685]: <debug> [1712081928.5150] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: connect: falling back to non-interactive connect
18:48 NetworkManager[11475]: Stopping strongSwan IPsec...
18:48 charon: 00[DMN] SIGINT received, shutting down
18:48 NetworkManager[685]: <debug> [1712081928.5474] platform: signal: rt-rule removed: [4] 220: from all lookup 220
18:48 NetworkManager[685]: <debug> [1712081928.5474] platform: signal: rt-rule removed: [6] 220: from all lookup 220
18:48 ipsec[1140]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-101-generic, x86_64)
18:48 ipsec[1140]: 00[LIB] providers loaded by OpenSSL: legacy default
18:48 ipsec[1140]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
18:48 ipsec[1140]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
18:48 ipsec[1140]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
18:48 ipsec[1140]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
18:48 ipsec[1140]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
18:48 ipsec[1140]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
18:48 ipsec[1140]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
18:48 ipsec[1140]: 00[CFG]   loaded IKE secret for %any
18:48 ipsec[1140]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
18:48 ipsec[1140]: 00[LIB] dropped capabilities, running as uid 0, gid 0
18:48 ipsec[1140]: 00[JOB] spawning 16 worker threads
18:48 ipsec[1140]: 05[KNL] 172.17.0.1 appeared on docker0
18:48 ipsec[1140]: 09[KNL] interface docker0 activated
18:48 ipsec[1140]: 01[KNL] interface wlp4s0 activated
18:48 ipsec[1140]: 07[KNL] fe80::fa99:745b:d1c6:a5c4 appeared on wlp4s0
18:48 ipsec[1140]: 08[KNL] 192.168.1.72 appeared on wlp4s0
18:48 ipsec[1140]: 13[KNL] flags changed for fe80::fa99:745b:d1c6:a5c4 on wlp4s0
18:48 ipsec[1140]: 00[DMN] SIGINT received, shutting down
18:48 ipsec[1120]: charon stopped after 200 ms
18:48 ipsec[1120]: ipsec starter stopped
18:48 systemd[1]: strongswan-starter.service: Deactivated successfully.
18:50 NetworkManager[11472]: Starting strongSwan 5.9.5 IPsec [starter]...
18:50 NetworkManager[11472]: Loading config setup
18:50 NetworkManager[11472]: Loading conn '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
18:50 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-101-generic, x86_64)
18:50 charon: 00[LIB] providers loaded by OpenSSL: legacy default
18:50 NetworkManager[685]: <debug> [1712081930.7037] platform: signal: rt-rule   added: [4] 220: from all lookup 220
18:50 NetworkManager[685]: <debug> [1712081930.7037] platform: signal: rt-rule   added: [6] 220: from all lookup 220
18:50 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
18:50 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
18:50 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
18:50 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
18:50 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
18:50 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
18:50 charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
18:50 charon: 00[CFG]   loaded IKE secret for %any
18:50 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
18:50 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
18:50 charon: 00[JOB] spawning 16 worker threads
18:50 charon: 06[CFG] received stroke: add connection '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
18:50 charon: 06[CFG] algorithm 'sha26' not recognized
18:50 charon: 06[CFG] skipped invalid proposal string: aes256-sha26
18:51 charon: 07[CFG] rereading secrets
18:51 charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
18:51 charon: 07[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
18:51 charon: 07[CFG]   loaded IKE secret for %any
18:51 charon: 08[CFG] received stroke: initiate '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
18:51 charon: 08[CFG] no config named '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
18:51 NetworkManager[11518]: no config named '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
18:51 NetworkManager[11525]: Stopping strongSwan IPsec...
18:51 charon: 00[DMN] SIGINT received, shutting down
18:52 NetworkManager[685]: <debug> [1712081932.0011] platform: signal: rt-rule removed: [4] 220: from all lookup 220
18:52 NetworkManager[685]: <debug> [1712081932.0013] platform: signal: rt-rule removed: [6] 220: from all lookup 220
18:52 NetworkManager[685]: <debug> [1712081932.1061] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: dbus: state changed: stopped (6)
18:52 NetworkManager[685]: <debug> [1712081932.1068] vpn[0x55dac9a88250,8703dc6b-780e-47ab-9bef-8ae1782c35c1,"*My VPN*"]: set state: failed (was connect)
18:52 NetworkManager[685]: <debug> [1712081932.1069] active-connection[0x55dac9a88250]: set state deactivated (was activating)
18:52 NetworkManager[685]: <debug> [1712081932.1074] active-connection[0x55dac9a88250]: check-master-ready: not signalling (state deactivated, no master)
18:52 NetworkManager[685]: <debug> [1712081932.1075] device[70bf7572249cdf85] (wlp4s0): remove_pending_action (0): 'activation-3'
18:52 NetworkManager[685]: <debug> [1712081932.1091] active-connection[0x55dac9a88250]: disposing
18:52 NetworkManager[685]: <debug> [1712081932.1268] agent-manager: agent[58dc3361ebb74f61,:1.166/nmcli-connect/1000]: agent unregistered or disappeared

What could be missing from the configuration?

For more context, here are some details I extracted from the Windows configuration:

c:/> ipconfig

PPP VPN SSL Adapter:

   Specific DNS suffix for the connection. . : *domain.name.lan*
   Description . . . . . . . . . . . . . . . : SSL VPN
   Physical Address. . . . . . . . . . . . . : 
   DHCP enabled . . . . . . . . . . . . . . . : no
   Automatic configuration enabled . . . . . : yes
   IPv4 Address. . . . . . . . . . . . . . . : *YY.Y.YYY.YYY* (Preferred) 
   Subnet Mask . . . . . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . . . . . : 0.0.0.0
   DNS Servers. . . . . . . . . . . . . . . : ZZ.Z.ZZ.ZX
                                       ZZ.Z.ZZ.ZZ
   NetBIOS over TCP/IP. . . available

Contents of C:\Users\*myuser*\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

[*My VPN*]
Encoding=1
PBVersion=6
Type=2
AutoLogon=0
UseRasCredentials=1
LowDateTime=-983127088
HighDateTime=31098077
DialParamsUID=540106282
Guid=BA855029599A8A48AA3D491740AACC81
VpnStrategy=3
ExcludedProtocols=0
LcpExtensions=1
DataEncryption=8
SwCompression=0
NegotiateMultilinkAlways=0
SkipDoubleDialDialog=0
DialMode=0
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=0
RedialOnLinkFailure=1
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
ForceSecureCompartment=0
DisableIKENameEkuCheck=0
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=VPN4-0
PreferredDevice=WAN Miniport (L2TP)
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=1
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=0
CustomAuthKey=0
AuthRestrictions=8
IpPrioritizeRemote=1
IpInterfaceMetric=0
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=2
IpSecFlags=1
IpDnsSuffix=
Ipv6Assign=1
Ipv6Address=::
Ipv6PrefixLength=0
Ipv6PrioritizeRemote=1
Ipv6InterfaceMetric=0
Ipv6NameAssign=1
Ipv6DnsAddress=::
Ipv6Dns2Address=::
Ipv6Prefix=0000000000000000
Ipv6InterfaceId=0000000000000000
DisableClassBasedDefaultRoute=0
DisableMobility=0
NetworkOutageTime=0
IDI=
IDR=
ImsConfig=0
IdiType=0
IdrType=0
ProvisionType=0
PreSharedKey=
CacheCredentials=1
NumCustomPolicy=0
NumEku=0
UseMachineRootCert=0
Disable_IKEv2_Fragmentation=0
PlumbIKEv2TSAsRoutes=0
NumServers=0
RouteVersion=1
NumRoutes=0
NumNrptRules=0
AutoTiggerCapable=0
NumAppIds=0
NumClassicAppIds=0
SecurityDescriptor=
ApnInfoProviderId=
ApnInfoUsername=
ApnInfoPassword=
ApnInfoAccessPoint=
ApnInfoAuthentication=1
ApnInfoCompression=0
DeviceComplianceEnabled=0
DeviceComplianceSsoEnabled=0
DeviceComplianceSsoEku=
DeviceComplianceSsoIssuer=
WebAuthEnabled=0
WebAuthClientId=
FlagsSet=0
Options=0
DisableDefaultDnsSuffixes=0
NumTrustedNetworks=0
NumDnsSearchSuffixes=0
PowershellCreatedProfile=0
ProxyFlags=0
ProxySettingsModified=0
ProvisioningAuthority=
AuthTypeOTP=0
GREKeyDefined=0
NumPerAppTrafficFilters=0
AlwaysOnCapable=0
DeviceTunnel=0
PrivateNetwork=0

NETCOMPONENTS=
ms_msclient=1
ms_server=1

MEDIA=rastapi
Port=VPN4-0
Device=WAN Miniport (L2TP)

DEVICE=vpn
PhoneNumber=*vpn.ssl.domain.com*
AreaCode=
CountryCode=0
CountryID=0
UseDialingRules=0
Comment=
FriendlyName=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1

I have also noticed that although the VPN in Windows was configured with "Type of sign-in info: User name and password", it later shows up as "Type of sign-in info: General authentication method".
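As an added diagnostic example (not part of the original question or of NetworkManager-l2tp): a small Python script that walks the charon lines quoted above, picks out the proposal string strongSwan rejected, checks each of its tokens against a subset of strongSwan's proposal keywords, and links the failed "add connection" to the later "no config named" error for the same connection UUID. The log excerpt and the keyword list are constructed here, and treating "sha256" as the intended keyword is an assumption.

```python
import difflib
import re

# Constructed excerpt of the charon lines quoted in the question above.
SAMPLE_LOG = """\
18:50 charon: 06[CFG] received stroke: add connection '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
18:50 charon: 06[CFG] algorithm 'sha26' not recognized
18:50 charon: 06[CFG] skipped invalid proposal string: aes256-sha26
18:51 charon: 08[CFG] received stroke: initiate '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
18:51 charon: 08[CFG] no config named '8703dc6b-780e-47ab-9bef-8ae1782c35c1'
"""

# Subset of strongSwan proposal keywords (cipher, integrity/PRF, DH group);
# extend it to match the plugins loaded on your own installation.
KNOWN_ALGS = sorted({
    "3des", "aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16",
    "md5", "sha1", "sha256", "sha384", "sha512",
    "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
    "ecp256", "ecp384", "ecp521",
})


def invalid_tokens(proposal):
    """Return the tokens of a strongSwan proposal string that are not known keywords."""
    return [tok for tok in proposal.split("-") if tok not in KNOWN_ALGS]


def suggest(token):
    """Closest known keyword for a mistyped token (an assumed fix), or None."""
    match = difflib.get_close_matches(token, KNOWN_ALGS, n=1, cutoff=0.8)
    return match[0] if match else None


def triage(log):
    """Correlate a rejected proposal during 'add connection' with the later 'no config named'."""
    adding = None
    result = {"invalid_proposals": [], "suggestions": {}, "missing_config": None}
    for line in log.splitlines():
        m = re.search(r"received stroke: add connection '([^']+)'", line)
        if m:
            adding = m.group(1)
            continue
        m = re.search(r"skipped invalid proposal string: (\S+)", line)
        if m:
            result["invalid_proposals"].append((adding, m.group(1)))
            for tok in invalid_tokens(m.group(1)):
                result["suggestions"][tok] = suggest(tok)
            continue
        m = re.search(r"no config named '([^']+)'", line)
        if m:
            result["missing_config"] = m.group(1)
    broken = {conn for conn, _ in result["invalid_proposals"]}
    # True when the UUID whose proposal was rejected is the one later reported as missing.
    result["root_cause"] = result["missing_config"] in broken
    return result
```

Run it against your own `journalctl -u NetworkManager` or syslog excerpt to see whether the "no config named" failure traces back to a rejected proposal string.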
