Posts posted by ztaz

  1. 1 minute ago, Le ecureuil said:

    In short, if this comes up for anyone else, I'll add a command to disable l2tp zlb echo, but generally speaking that's not good.

    Is there a way to test this myself somehow? More precisely, what has to be enabled/open/etc. on Windows for it to work like clockwork?

    I'll try testing the connections on another machine now.

  2. 4 minutes ago, ztaz said:

    no acknowledgement from peer after 5 retransmissions, deleting tunnel

    As I understand it, this is the key problem.

    win7 doesn't respond to the polls and the Keenetic tears down the tunnel.

    Maybe some ports need to be forwarded/checked?

  3. Greetings, my joy didn't last long (

    I connect from win7, for a couple of minutes everything is OK, then the connection "hangs", and after 5-10 minutes the connection drops. This is what the logs show:

    Hidden text
    
    [I] Oct 19 14:26:21 ndm: Core::Syslog: the system log has been cleared.
    [I] Oct 19 14:26:26 ipsec: 11[IKE] received MS NT5 ISAKMPOAKLEY vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] received NAT-T (RFC 3947) vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] received FRAGMENTATION vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] 80.254.51.152 is initiating a Main Mode IKE_SA 
    [I] Oct 19 14:26:26 ipsec: 11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] sending XAuth vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] sending DPD vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] sending Cisco Unity vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] sending FRAGMENTATION vendor ID 
    [I] Oct 19 14:26:26 ipsec: 11[IKE] sending NAT-T (RFC 3947) vendor ID 
    [I] Oct 19 14:26:27 ipsec: 13[IKE] remote host is behind NAT 
    [I] Oct 19 14:26:27 ipsec: 13[IKE] linked key for crypto map '(unnamed)' is not found, still searching 
    [I] Oct 19 14:26:27 ipsec: 12[CFG] looking for pre-shared key peer configs matching 188.243.209.206...80.254.51.152[192.168.1.33] 
    [I] Oct 19 14:26:27 ipsec: 12[CFG] selected peer config "VPNL2TPServer" 
    [I] Oct 19 14:26:27 ipsec: 12[IKE] IKE_SA VPNL2TPServer[38] established between 188.243.209.206[188.243.209.206]...80.254.51.152[192.168.1.33] 
    [I] Oct 19 14:26:27 ipsec: 12[IKE] scheduling reauthentication in 28762s 
    [I] Oct 19 14:26:27 ipsec: 12[IKE] maximum IKE_SA lifetime 28782s 
    [I] Oct 19 14:26:27 ipsec: 12[IKE] DPD not supported by peer, disabled 
    [I] Oct 19 14:26:27 ipsec: 14[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ 
    [I] Oct 19 14:26:27 ipsec: 14[IKE] received 3600s lifetime, configured 28800s 
    [I] Oct 19 14:26:27 ipsec: 14[IKE] received 250000000 lifebytes, configured 21474836480 
    [I] Oct 19 14:26:27 ipsec: 10[IKE] CHILD_SA VPNL2TPServer{52} established with SPIs cfe80281_i cbf586e8_o and TS 188.243.209.206/32[udp/l2tp] === 80.254.51.152/32[udp/l2tp] 
    [W] Oct 19 14:26:27 ndm: IpSec::Configurator: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "80.254.51.152" is established.
    [I] Oct 19 14:26:27 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
    [I] Oct 19 14:26:27 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
    [I] Oct 19 14:26:28 ndm: kernel: EIP93: build  inbound ESP connection, (SPI=cfe80281)
    [I] Oct 19 14:26:28 ndm: kernel: EIP93: build outbound ESP connection, (SPI=cbf586e8)
    [I] Oct 19 14:26:28 accel-ppp: l2tp: new tunnel 25904-54 created following reception of SCCRQ from 80.254.51.152:1701
    [I] Oct 19 14:26:28 accel-ppp: l2tp tunnel 25904-54 (80.254.51.152:1701): established at 188.243.209.206:1701
    [I] Oct 19 14:26:28 accel-ppp: l2tp tunnel 25904-54 (80.254.51.152:1701): new session 39368-1 created following reception of ICRQ
    [I] Oct 19 14:26:31 accel-ppp: l2tp0:taktik: connect: l2tp0 <--> l2tp(80.254.51.152:1701 session 25904-54, 39368-1)
    [I] Oct 19 14:26:31 accel-ppp: l2tp0:taktik: taktik: authentication succeeded
    
    [I] Oct 19 14:26:33 accel-ppp: l2tp0:taktik: session started over l2tp session 25904-54, 39368-1
    [W] Oct 19 14:26:33 ndm: IpSec::Configurator: "VPNL2TPServer": L2TP/IPsec client "taktik" connected with address "192.168.3.10" (from "80.254.51.152").
    [I] Oct 19 14:26:37 telnetd: a new connection from ::ffff:192.168.3.10 accepted.
    
    
    [W] Oct 19 14:33:15 accel-ppp: l2tp tunnel 25904-54 (80.254.51.152:1701): no acknowledgement from peer after 5 retransmissions, deleting tunnel
    [W] Oct 19 14:33:15 ndm: IpSec::Configurator: "VPNL2TPServer": L2TP/IPsec client "taktik" with address "192.168.3.10" (from "80.254.51.152") disconnected.
    
    
    [I] Oct 19 14:33:18 ipsec: 15[CFG] received stroke: terminate 'VPNL2TPServer{52}' 
    [I] Oct 19 14:33:18 ipsec: 16[IKE] closing CHILD_SA VPNL2TPServer{52} with SPIs cfe80281_i (953589 bytes) cbf586e8_o (4787559 bytes) and TS 188.243.209.206/32[udp/l2tp] === 80.254.51.152/32[udp/l2tp] 
    [I] Oct 19 14:33:18 ndm: kernel: EIP93: release SPI cfe80281
    [I] Oct 19 14:33:18 ndm: kernel: EIP93: release SPI cbf586e8
    [I] Oct 19 14:33:18 ipsec: 16[IKE] sending DELETE for ESP CHILD_SA with SPI cfe80281 
    [I] Oct 19 14:33:18 ipsec: 05[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ 
    [I] Oct 19 14:33:18 ipsec: 05[IKE] received 3600s lifetime, configured 28800s 
    [I] Oct 19 14:33:18 ipsec: 05[IKE] received 250000000 lifebytes, configured 21474836480 
    [I] Oct 19 14:33:18 ipsec: 13[IKE] CHILD_SA VPNL2TPServer{53} established with SPIs c6d1e8b7_i 37b222b7_o and TS 188.243.209.206/32[udp/l2tp] === 80.254.51.152/32[udp/l2tp] 
    [W] Oct 19 14:33:18 ndm: IpSec::Configurator: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "80.254.51.152" is established.
    [I] Oct 19 14:33:18 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
    [I] Oct 19 14:33:18 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
    [I] Oct 19 14:33:20 ipsec: 07[CFG] received stroke: terminate 'VPNL2TPServer[38]' 
    [I] Oct 19 14:33:20 ipsec: 14[IKE] closing CHILD_SA VPNL2TPServer{53} with SPIs c6d1e8b7_i (0 bytes) 37b222b7_o (0 bytes) and TS 188.243.209.206/32[udp/l2tp] === 80.254.51.152/32[udp/l2tp] 
    [I] Oct 19 14:33:20 ipsec: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c6d1e8b7 
    [I] Oct 19 14:33:20 ipsec: 14[IKE] deleting IKE_SA VPNL2TPServer[38] between 188.243.209.206[188.243.209.206]...80.254.51.152[192.168.1.33] 
    [I] Oct 19 14:33:20 ipsec: 14[IKE] sending DELETE for IKE_SA VPNL2TPServer[38] 
    [I] Oct 19 14:33:20 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
    [I] Oct 19 14:33:20 ipsec: 09[IKE] received MS NT5 ISAKMPOAKLEY vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] received NAT-T (RFC 3947) vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] received FRAGMENTATION vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] 80.254.51.152 is initiating a Main Mode IKE_SA 
    [I] Oct 19 14:33:20 ipsec: 09[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] sending XAuth vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] sending DPD vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] sending Cisco Unity vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] sending FRAGMENTATION vendor ID 
    [I] Oct 19 14:33:20 ipsec: 09[IKE] sending NAT-T (RFC 3947) vendor ID 
    [I] Oct 19 14:33:20 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
    [I] Oct 19 14:33:20 ipsec: 10[IKE] remote host is behind NAT 
    [I] Oct 19 14:33:20 ipsec: 10[IKE] linked key for crypto map '(unnamed)' is not found, still searching 
    [I] Oct 19 14:33:20 ipsec: 08[CFG] looking for pre-shared key peer configs matching 188.243.209.206...80.254.51.152[192.168.1.33] 
    [I] Oct 19 14:33:20 ipsec: 08[CFG] selected peer config "VPNL2TPServer" 
    [I] Oct 19 14:33:20 ipsec: 08[IKE] IKE_SA VPNL2TPServer[39] established between 188.243.209.206[188.243.209.206]...80.254.51.152[192.168.1.33] 
    [I] Oct 19 14:33:20 ipsec: 08[IKE] scheduling reauthentication in 28780s 
    [I] Oct 19 14:33:20 ipsec: 08[IKE] maximum IKE_SA lifetime 28800s 
    [I] Oct 19 14:33:20 ipsec: 08[IKE] DPD not supported by peer, disabled 
    [I] Oct 19 14:33:20 ipsec: 15[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ 
    [I] Oct 19 14:33:20 ipsec: 15[IKE] received 3600s lifetime, configured 28800s 
    [I] Oct 19 14:33:20 ipsec: 15[IKE] received 250000000 lifebytes, configured 21474836480 
    [I] Oct 19 14:33:20 ipsec: 16[IKE] CHILD_SA VPNL2TPServer{54} established with SPIs c4a1851d_i 7832ba2c_o and TS 188.243.209.206/32[udp/l2tp] === 80.254.51.152/32[udp/l2tp] 
    [W] Oct 19 14:33:20 ndm: IpSec::Configurator: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "80.254.51.152" is established.
    [I] Oct 19 14:33:20 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
    [I] Oct 19 14:33:20 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
    

     

    I played with crypto map VPNL2TPServer l2tp-server lcp echo xxx xx

    I tried crypto map VPNL2TPServer l2tp-server no lcp echo

    The result is the same; please advise where to dig.

  4. 1 hour ago, Le ecureuil said:

    If you disable the VirtualIp server, does the situation return to normal?

    I disabled virtualIP - no change.

    Even though the router's main network is 192.168.2.1, DHCP (192.168.2.100 - 192.168.2.120)

    VirtualIP worked fine on the IPs (192.168.2.10 - 192.168.2.29). Everyone could see everyone on the LAN.

    l2tp-server did not come up on the addresses (192.168.2.30 - 192.168.2.49)

    I split the networks into different ranges (router 192.168.2, LocalIP 192.168.3, l2tp-server 192.168.4) and everything came up and started working!

    I don't know whether it was possible to put everything into one network, but VirtualIP without l2tp-server worked that way.

  5. Good afternoon, please tell a newbie: I have 2.11.A.4.0-2 on a GIGA III, with Virtual IP and L2TP/IPsec configured.

    Home ip address 192.168.2.1 255.255.255.0, dhcp range 192.168.2.100 192.168.2.119

    virtual-ip range 192.168.2.10 192.168.2.29

    l2tp-server range 192.168.2.30 192.168.2.49

    When connecting from a tablet/phone from the network (80.254.51.152) to the router (188.243.209.206) via virtual-ip, ping to the router (192.168.2.1) goes through, it sees everyone on the local network, and internet is relayed.

    When connecting from a PC (win7) from the network (80.254.51.152) to the router (188.243.209.206) via l2tp-server, ping to the router (192.168.2.1) does not go through, and in general it sees no one but itself, but internet goes through the router.

    (i.e. it simply doesn't see the 192.168.2.0 LAN)

    I'm probably writing this clumsily, sorry.

    Which direction should I look in?

    Thanks in advance.

    self-test.txt
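
A triage helper for the router log in the L2TP/IPsec post above, added here as an example and not part of the original posts: it pairs each accel-ppp tunnel creation with its "no acknowledgement from peer" teardown and reports how long the tunnel lived. The function name and the `year` default are assumptions (the syslog timestamps carry no year); the sample lines are excerpted from that log.

```python
import re
from datetime import datetime

# Excerpt of the log posted above; the ipsec line is there to show it is skipped.
SAMPLE_LOG = """\
[I] Oct 19 14:26:27 ipsec: 12[IKE] DPD not supported by peer, disabled
[I] Oct 19 14:26:28 accel-ppp: l2tp: new tunnel 25904-54 created following reception of SCCRQ from 80.254.51.152:1701
[I] Oct 19 14:26:33 accel-ppp: l2tp0:taktik: session started over l2tp session 25904-54, 39368-1
[W] Oct 19 14:33:15 accel-ppp: l2tp tunnel 25904-54 (80.254.51.152:1701): no acknowledgement from peer after 5 retransmissions, deleting tunnel
"""

LINE = re.compile(r"^\[[A-Z]\] (\w{3} +\d+ \d\d:\d\d:\d\d) accel-ppp: (.*)$")
CREATED = re.compile(
    r"^l2tp: new tunnel (\S+) created following reception of SCCRQ from (\S+)$")
TIMED_OUT = re.compile(
    r"^l2tp tunnel (\S+) \((\S+)\): no acknowledgement from peer "
    r"after (\d+) retransmissions, deleting tunnel$")


def parse_ts(stamp, year):
    # The log has no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def control_channel_timeouts(log_text, year=2000):
    """Return one record per tunnel deleted for unacknowledged control messages."""
    opened = {}    # tunnel id -> (peer, creation time)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other daemons (ipsec, ndm) and blank lines
        when, msg = parse_ts(m.group(1), year), m.group(2)
        if (c := CREATED.match(msg)):
            opened[c.group(1)] = (c.group(2), when)
        elif (t := TIMED_OUT.match(msg)):
            peer, start = opened.pop(t.group(1), (t.group(2), None))
            findings.append({
                "tunnel": t.group(1),
                "peer": peer,
                "retransmissions": int(t.group(3)),
                # None when the creation line is not in the supplied log
                "lifetime_s": int((when - start).total_seconds()) if start else None,
            })
    return findings


if __name__ == "__main__":
    for finding in control_channel_timeouts(SAMPLE_LOG):
        print(finding)
```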