Spent a week debugging an L2TP/IPsec VPN and still can't get it working; posting it here so everyone can take a look!

#1

Post by micro_cy » 2017-06-13 16:18

First, a topology diagram so everyone can understand my current network layout.
[attachment: 3C拓扑结构图.jpg (topology diagram)]
Following the various tutorials online, I first installed the relevant packages. My system is Ubuntu 14.04.5; I later switched entirely to the official tutorial, but still couldn't connect.

https://raymii.org/s/tutorials/IPSEC_L2 ... 14.04.html

It's in English, but it's roughly understandable.
Install ppp openswan and xl2tpd

First we will install the required packages:

apt-get install openswan xl2tpd ppp lsof

Below I paste my relevant configuration files:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null
    force_keepalive=yes
    keep_alive=60
    # Send a keep-alive packet every 60 seconds.
# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
    # https://lists.openswan.org/pipermail/us ... 22947.html
    # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
    type=transport
    # Replace the IP address with your local IP (usually a private address behind NAT)
    left=172.16.0.111
    # For upgraded Windows 2000/XP clients
    leftprotoport=17/1701
    # To support older clients, set leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    # Force all connections to be NAT'ed, because of iOS
    dpddelay=10
    # Dead Peer Detection (RFC 3706) keepalives delay
    dpdtimeout=20
    # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.


root@xxxsq-server:~# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
172.16.0.111 %any: PSK "793d36e8a93c1130aec0b60598914d3b4b8363a302866679b63d18480245"
# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc


root@xxxsq-server:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-79-lowlatency (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]



root@xxxsq-server:~# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
saref refinfo = 30

debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lns default]
ip range = 10.11.17.111-10.11.17.222
local ip = 10.11.17.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


root@xxxsq-server:~# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 114.114.114.114
ms-dns 8.8.8.8
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


root@xxxsq-server:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
caoyi * ****** *
micro_cy * ****** *


Testing it

To make sure everything has the newest config files restart openswan and xl2tpd:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

Connection log:

Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: received Vendor ID payload [RFC 3947] method set to=115
Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 13 15:42:01 xxxsq-server pluto[32486]: packet from 172.16.8.31:500: ignoring Vendor ID payload [IKE CGA version 1]
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: responding to Main Mode from unknown peer 172.16.8.31
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: next payload type of ISAKMP Identification Payload has an unknown value: 247
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:01 xxxsq-server pluto[32486]: | payload malformed after IV
Jun 13 15:42:01 xxxsq-server pluto[32486]: | c7 f0 6b 30 3b 5a 4f 72 6a 51 a1 87 8c 06 c7 93
Jun 13 15:42:01 xxxsq-server pluto[32486]: | b5 af 13 5e
Jun 13 15:42:01 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:42:02 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: next payload type of ISAKMP Identification Payload has an unknown value: 247
Jun 13 15:42:02 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:02 xxxsq-server pluto[32486]: | payload malformed after IV
Jun 13 15:42:02 xxxsq-server pluto[32486]: | c7 f0 6b 30 3b 5a 4f 72 6a 51 a1 87 8c 06 c7 93
Jun 13 15:42:02 xxxsq-server pluto[32486]: | b5 af 13 5e
Jun 13 15:42:02 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:42:03 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: next payload type of ISAKMP Identification Payload has an unknown value: 247
Jun 13 15:42:03 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:03 xxxsq-server pluto[32486]: | payload malformed after IV
Jun 13 15:42:03 xxxsq-server pluto[32486]: | c7 f0 6b 30 3b 5a 4f 72 6a 51 a1 87 8c 06 c7 93
Jun 13 15:42:03 xxxsq-server pluto[32486]: | b5 af 13 5e
Jun 13 15:42:03 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:42:06 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: next payload type of ISAKMP Identification Payload has an unknown value: 247
Jun 13 15:42:06 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:06 xxxsq-server pluto[32486]: | payload malformed after IV
Jun 13 15:42:06 xxxsq-server pluto[32486]: | c7 f0 6b 30 3b 5a 4f 72 6a 51 a1 87 8c 06 c7 93
Jun 13 15:42:06 xxxsq-server pluto[32486]: | b5 af 13 5e
Jun 13 15:42:06 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:42:13 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: next payload type of ISAKMP Identification Payload has an unknown value: 247
Jun 13 15:42:13 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:13 xxxsq-server pluto[32486]: | payload malformed after IV
Jun 13 15:42:13 xxxsq-server pluto[32486]: | c7 f0 6b 30 3b 5a 4f 72 6a 51 a1 87 8c 06 c7 93
Jun 13 15:42:13 xxxsq-server pluto[32486]: | b5 af 13 5e
Jun 13 15:42:13 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:42:24 xxxsq-server sshd[32553]: Accepted password for xxxsq from 172.16.8.31 port 6198 ssh2
Jun 13 15:42:24 xxxsq-server sshd[32553]: pam_unix(sshd:session): session opened for user xxxsq by (uid=0)
Jun 13 15:42:24 xxxsq-server systemd-logind[692]: New session 2 of user xxxsq.
Jun 13 15:42:28 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: next payload type of ISAKMP Identification Payload has an unknown value: 247
Jun 13 15:42:28 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:28 xxxsq-server pluto[32486]: | payload malformed after IV
Jun 13 15:42:28 xxxsq-server pluto[32486]: | c7 f0 6b 30 3b 5a 4f 72 6a 51 a1 87 8c 06 c7 93
Jun 13 15:42:28 xxxsq-server pluto[32486]: | b5 af 13 5e
Jun 13 15:42:28 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:42:32 xxxsq-server sudo: xxxsq : TTY=pts/22 ; PWD=/home/xxxsq ; USER=root ; COMMAND=/bin/su
Jun 13 15:42:32 xxxsq-server sudo: pam_unix(sudo:session): session opened for user root by xxxsq(uid=0)
Jun 13 15:42:32 xxxsq-server su[32704]: Successful su for root by root
Jun 13 15:42:32 xxxsq-server su[32704]: + /dev/pts/22 root:root
Jun 13 15:42:32 xxxsq-server su[32704]: pam_unix(su:session): session opened for user root by xxxsq(uid=0)
Jun 13 15:42:43 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: next payload type of ISAKMP Identification Payload has an unknown value: 247
Jun 13 15:42:43 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:43 xxxsq-server pluto[32486]: | payload malformed after IV
Jun 13 15:42:43 xxxsq-server pluto[32486]: | c7 f0 6b 30 3b 5a 4f 72 6a 51 a1 87 8c 06 c7 93
Jun 13 15:42:43 xxxsq-server pluto[32486]: | b5 af 13 5e
Jun 13 15:42:43 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:43:11 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: max number of retransmissions (2) reached STATE_MAIN_R2
Jun 13 15:43:11 xxxsq-server pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31: deleting connection "L2TP-PSK-NAT" instance with peer 172.16.8.31 {isakmp=#0/ipsec=#0}
Jun 13 16:09:01 xxxsq-server CRON[453]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 13 16:09:02 xxxsq-server CRON[453]: pam_unix(cron:session): session closed for user root
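As an added example (not from this thread), here is a small Python triage script run over syslog lines modelled on the log above. It groups pluto messages per peer and separates the harmless "OAKLEY_GROUP 19/20 not supported" proposals (the Windows client offers ECP groups first and falls back) from the real symptom: MI3, the first encrypted Main Mode message whose key is derived from the PSK, fails to decrypt after MR2, which is exactly what "probable authentication failure" and the unknown payload type 247 indicate. The sample lines and the hostname "srv" are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of pluto syslog lines modelled on the thread's log (not a real capture).
SAMPLE_LOG = """\
Jun 13 15:42:01 srv pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jun 13 15:42:01 srv pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 13 15:42:01 srv pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:01 srv pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: sending notification PAYLOAD_MALFORMED to 172.16.8.31:500
Jun 13 15:42:02 srv pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jun 13 15:42:24 srv sshd[32553]: Accepted password for xxxsq from 172.16.8.31 port 6198 ssh2
Jun 13 15:43:11 srv pluto[32486]: "L2TP-PSK-NAT"[3] 172.16.8.31 #3: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# Matches pluto lines that carry a connection name, peer address and state number.
PLUTO = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+) #\d+: (?P<msg>.*)')

def triage(log_text):
    """Group pluto messages per peer and record how far the IKE exchange got."""
    peers = defaultdict(lambda: {"unsupported_groups": [], "psk_mismatch": 0,
                                 "last_state": None, "gave_up": False})
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue  # sshd, cron and similar lines are not IKE traffic
        info, msg = peers[m.group("peer")], m.group("msg")
        group = re.match(r"OAKLEY_GROUP (\d+) not supported", msg)
        if group:
            info["unsupported_groups"].append(int(group.group(1)))  # benign proposal rejection
        elif "probable authentication failure" in msg:
            info["psk_mismatch"] += 1  # encrypted MI3 did not decrypt to a valid ID payload
        elif msg.startswith("STATE_"):
            info["last_state"] = msg.split(":")[0]  # last state the responder reached
        elif "max number of retransmissions" in msg:
            info["gave_up"] = True
    return dict(peers)

def verdict(info):
    """Turn one peer's counters into a short diagnosis."""
    if info["psk_mismatch"] and info["last_state"] == "STATE_MAIN_R2":
        return "MI3 undecryptable after MR2: check the PSK on both ends and the ipsec.secrets selector"
    if info["unsupported_groups"] and not info["psk_mismatch"]:
        return "only unsupported DH proposals logged; client fell back to a supported group"
    return "no IKE authentication failure seen"

if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(peer, info, "->", verdict(info))
```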
Last edited by micro_cy on 2017-06-15 8:14, edited 1 time in total.
#2

Post by astolia » 2017-06-14 11:04

This is the first time I've seen someone write an IP range as 10.11.17.111-172.11.17.222, mixing public and private addresses together.
Also, L2TP/IPsec was broken by the GFW long ago; if you're relying on it to get over the wall, give up sooner rather than later.
#3

Post by micro_cy » 2017-06-15 8:17

astolia wrote: This is the first time I've seen someone write an IP range as 10.11.17.111-172.11.17.222, mixing public and private addresses together.
Also, L2TP/IPsec was broken by the GFW long ago; if you're relying on it to get over the wall, give up sooner rather than later.
That address was a typo; it should be 10.11.17.111-10.11.17.222.

This VPN isn't for getting over the wall; it's set up at my workplace so that I can reach several internal servers while travelling.

It has now been tested successfully; the cause was the choice between UDP and TCP after all.