
Libreswan-based VPN does not establish the L2TP tunnel after IPsec authentication

Server Fault user
Asked on 2017-03-22 18:02:55
1 answer, 1.5K views, 0 followers, 0 votes

For the past few days I have been trying, without success, to set up a libreswan client on a CentOS machine to connect to a libreswan server (also CentOS).

The problem is as follows: the VPN server is up and running, I can connect to it from a Windows machine and everything works as expected. The Libreswan VPN client authenticates with the server, but after that nothing happens. Neither the client nor the server has a running VPN interface, and after IPsec the logs show no activity on either side.

My end goal is to connect to a VPN with an outdated configuration that I do not control, so all I can do is configure a libreswan client. The VPN server I am currently trying to connect to is one I set up to test the client.

Both server and client are CentOS 7 KVM guests sharing the same physical host.

Since I suspect the problem is on the client side, I will only post the client's configuration, not the server's, but I will post everything if needed.

Client ipsec.conf:

config setup

conn vpnpsk
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=yes
     ikelifetime=8h
     keylife=1h
     type=transport
     left=%defaultroute
     leftprotoport=17/1701
     right=<ServerIP>
     rightprotoport=17/1701
     rightid=<ServerIP>

Client ipsec.secrets:

[root@localhost ~]# vim /etc/ipsec.secrets
%any <ServerIP> : PSK "SECRET"

Client xl2tpd.conf:

[lac vpn-connection]
lns = <ServerIP>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name <user>
password <password>

This is the output when bringing up the connection:

[root@localhost ~]# ipsec auto --up vpnpsk
002 "vpnpsk" #1: initiating Main Mode
104 "vpnpsk" #1: STATE_MAIN_I1: initiate
003 "vpnpsk" #1: received Vendor ID payload [Dead Peer Detection]
003 "vpnpsk" #1: received Vendor ID payload [FRAGMENTATION]
003 "vpnpsk" #1: received Vendor ID payload [RFC 3947]
002 "vpnpsk" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "vpnpsk" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "vpnpsk" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpnpsk" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "vpnpsk" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "vpnpsk" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpnpsk" #1: Main mode peer ID is ID_IPV4_ADDR: '<ServerIP>'
002 "vpnpsk" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "vpnpsk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "vpnpsk" #1: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:6305f4b0 proposal=defaults pfsgroup=no-pfs}
117 "vpnpsk" #2: STATE_QUICK_I1: initiate
002 "vpnpsk" #2: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "vpnpsk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xad2a86a6 <0xcf8adbd0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}

There is no output after that. ip addr:

[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether a6:6a:06:d0:03:80 brd ff:ff:ff:ff:ff:ff
    inet <ClientIP>/24 brd <broadcast> scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::eb5b:83d6:e0aa:940e/64 scope link
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0

On the server side:

Mar 22 17:17:28 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received and ignored empty informational notification payload
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [Dead Peer Detection]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [FRAGMENTATION]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [RFC 3947]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: responding to Main Mode from unknown peer <ClientIP>
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Main mode peer ID is ID_IPV4_ADDR: '<ClientIP>'
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: the peer proposed: <ServerIP>/32:17/1701 -> <ClientIP>/32:17/0
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: responding to Quick Mode proposal {msgid:6305f4b0}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135:     us: <ServerIP><<ServerIP>>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135:   them: <ClientIP>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}

No more log output after that.

Client iptables -L:

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  <ServerIP>       anywhere
ACCEPT     udp  --  <ServerIP>       anywhere
ACCEPT     tcp  --  10.0.0.0/24          anywhere
ACCEPT     udp  --  10.0.0.0/24          anywhere
ACCEPT     tcp  --  <other_peer>  anywhere
ACCEPT     udp  --  <other_peer>  anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             <ServerIP>
ACCEPT     udp  --  anywhere             <ServerIP>
ACCEPT     tcp  --  anywhere             10.0.0.0/24
ACCEPT     udp  --  anywhere             10.0.0.0/24
ACCEPT     tcp  --  anywhere             <other_peer>
ACCEPT     udp  --  anywhere             <other_peer>

10.0.0.0/24 is the VPN network.

Thank you for reading all this.

1 Answer

Server Fault user

Posted on 2017-11-16 14:01:21

You are probably missing the ESP accept rule in the client's INPUT chain. Also add the L2TP port to the rule list.

iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m multiport --dports 1701,500,4500 -j ACCEPT

Also, if I am reading it correctly, there is a reject rule in the INPUT chain before the accept rules: remove that rule!

Votes: 0
Page content provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://serverfault.com/questions/839980
