Dale Posted April 29, 2017 Share Posted April 29, 2017 (edited) Начиная, как минимум, с версии 2.09.A.6.0-2 перестало работать L2TP\IPSec соединение. В логе при попытке соединения пишет следующее: Spoiler [I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": interface is up. [I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": description saved. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": peer set. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection. [I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": global priority is 1000. [I] Apr 29 10:25:24 ndm: Network::Interface::IP: TCP-MSS adjustment enabled. [I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": IP address cleared. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: remote address erased. [I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "178.162.211.213". [I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "93.100.xxx.xxx" (via "GigabitEthernet1"). [I] Apr 29 10:25:24 ndm: Network::Interface::L2TP: "L2TP0": updating IP secure configuration. [I] Apr 29 10:25:24 ndm: Network::Interface::Supplicant: identity is unchanged. [I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": schedule cleared. [E] Apr 29 10:25:24 ndm: Core::Configurator: not found: "interface/ipsec/preshared-key/key". [I] Apr 29 10:25:24 ndm: IpSec::Manager: IP secure connection "L2TP0" was added. [I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: static name server list cleared on L2TP0. [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218 added, domain (default). [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218, domain (default) deleted. [I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.218 added, domain (default), interface L2TP0. [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222 added, domain (default). [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222, domain (default) deleted. [I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.222 added, domain (default), interface L2TP0. [I] Apr 29 10:25:26 ndm: IpSec::Manager: create IPsec reconfiguration transaction... [I] Apr 29 10:25:26 ndm: IpSec::Manager: add config for high-priority crypto map "L2TP0". [I] Apr 29 10:25:26 ndm: IpSec::Manager: IPsec reconfiguration transaction was created. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: start applying IPsec configuration. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: IPsec configuration applying is done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IKE keys task. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IKE keys task done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IPsec config task. [I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration... [I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IPsec config task done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: crypto map "L2TP0" initialized. [I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0. [W] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" is up. [I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1. [I] Apr 29 10:25:27 ndm: Network::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer. [I] Apr 29 10:25:27 ndm: Network::Interface::PPP: "L2TP0": enabled connection via any interface. [I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration... [I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done. [I] Apr 29 10:25:29 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1. [E] Apr 29 10:25:48 ndm: Service: "L2TP0": unexpectedly stopped. [I] Apr 29 10:25:48 ndm: Network::Interface::Base: "L2TP0": interface is up. [I] Apr 29 10:25:51 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1. [E] Apr 29 10:26:09 ndm: Service: "L2TP0": unexpectedly stopped. Как я понимаю, причиной такого поведения является вот это: "[E] Apr 29 10:25:24 ndm: Core::Configurator: not found: "interface/ipsec/preshared-key/key"." Естественно, PSK указан и не изменялся, соединение никак не редактировалось. Так же пробовал удалить старое и создать новое соединение - картина не меняется. На текущей прошивке 2.09.A.7.0-0 ситуация такая же. Конфиг и селфтест прилагаю в сообщении ниже. Edited April 29, 2017 by Dale Quote Link to comment Share on other sites More sharing options...
T@rkus Posted April 29, 2017 Share Posted April 29, 2017 (edited) @Le ecureuil Giga II 2.09.A.6.0-3 Подключение по L2TP\IPSec к shadeyouvpn.com происходит нормально. Но затем в log начинает сыпать зелень kernel: EIP93: PE ring[45] error: AUTH_ERR. Перестают открываться некоторые сайты к примеру youtube.com. Специально проверил соединение на Extra II; Lite III 2.08.C2. На них зелень не сыплется все сайты открываются. Self-test прилагаю. Edited April 29, 2017 by T@rkus Quote Link to comment Share on other sites More sharing options...
Dale Posted May 6, 2017 Author Share Posted May 6, 2017 На прошивке 2.09.A.7.0-2 L2TP\IPSec по прежнему не работает, но поведение немного изменилось, в логах syslog сервера вижу теперь такое: Spoiler 06.05.2017 20:47,Info,192.168.1.1,14[KNL] interface ppp1 activated 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Base: ""L2TP0"": interface is up. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Base: ""L2TP0"": description saved. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: ""L2TP0"": disabled connection. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: ""L2TP0"": peer set. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: ""L2TP0"": disabled connection. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::IP: ""L2TP0"": global priority is 1000. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::IP: TCP-MSS adjustment enabled. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::IP: ""L2TP0"": IP address cleared. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: remote address erased. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PppTunnel: ""L2TP0"": remote endpoint is resolved to ""178.162.211.213"". 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PppTunnel: ""L2TP0"": local endpoint is resolved to ""93.100.ххх.ххх"" (via ""GigabitEthernet1""). 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::L2TP: ""L2TP0"": updating IP secure configuration. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Supplicant: identity is unchanged. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Supplicant: added authentication: MS-CHAPv2. 06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: IP secure connection ""L2TP0"" was added. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Base: ""L2TP0"": schedule cleared. 06.05.2017 20:47,Error,192.168.1.1,Core::Configurator: not found: ""interface/ipsec/preshared-key/key"". 06.05.2017 20:47,Info,192.168.1.1,Dns::InterfaceSpecific: static name server list cleared on L2TP0. 06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.218 added, domain (default). 06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.218, domain (default) deleted. 06.05.2017 20:47,Info,192.168.1.1,Dns::InterfaceSpecific: name server 209.222.18.218 added, domain (default), interface L2TP0. 06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.222 added, domain (default). 06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.222, domain (default) deleted. 06.05.2017 20:47,Info,192.168.1.1,Dns::InterfaceSpecific: name server 209.222.18.222 added, domain (default), interface L2TP0. 06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: create IPsec reconfiguration transaction... 06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: add config for high-priority crypto map ""L2TP0"". 06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: IPsec reconfiguration transaction was created. 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: start applying IPsec configuration. 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: IPsec configuration applying is done. 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: start reloading IKE keys task. 06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading secrets 06.05.2017 20:47,Info,192.168.1.1,08[CFG] loading secrets 06.05.2017 20:47,Info,192.168.1.1,08[CFG] loaded IKE secret for cmap:L2TP0 06.05.2017 20:47,Info,192.168.1.1,08[CFG] loaded (5) secret for dalesoft 06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts' 06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts' 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: reloading IKE keys task done. 06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts' 06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts' 06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls' 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: start reloading IPsec config task. 06.05.2017 20:47,Info,192.168.1.1,00[DMN] signal of type SIGHUP received. Reloading configuration 06.05.2017 20:47,Info,192.168.1.1,09[CFG] received stroke: add connection 'L2TP0' 06.05.2017 20:47,Info,192.168.1.1,00[CFG] loaded 0 entries for attr plugin configuration 06.05.2017 20:47,Info,192.168.1.1,09[CFG] added configuration 'L2TP0' 06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: start reloading netfilter configuration... 06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: netfilter configuration reloading is done. 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: reloading IPsec config task done. 06.05.2017 20:47,Info,192.168.1.1,13[CFG] received stroke: initiate 'L2TP0' 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: crypto map ""L2TP0"" initialized. 06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending DPD vendor ID 06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending FRAGMENTATION vendor ID 06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending NAT-T (RFC 3947) vendor ID 06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID 06.05.2017 20:47,Info,192.168.1.1,14[IKE] initiating Main Mode IKE_SA L2TP0[1] to 178.162.211.213 06.05.2017 20:47,Info,192.168.1.1,12[IKE] received XAuth vendor ID 06.05.2017 20:47,Info,192.168.1.1,12[IKE] received DPD vendor ID 06.05.2017 20:47,Info,192.168.1.1,12[IKE] received NAT-T (RFC 3947) vendor ID 06.05.2017 20:47,Info,192.168.1.1,12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/# 06.05.2017 20:47,Info,192.168.1.1,12[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# 06.05.2017 20:47,Info,192.168.1.1,12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/# 06.05.2017 20:47,Info,192.168.1.1,15[IKE] found linked key for crypto map 'L2TP0' 06.05.2017 20:47,Info,192.168.1.1,16[IKE] IKE_SA L2TP0[1] established between 93.100.ххх.ххх[93.100.ххх.ххх]...178.162.211.213[178.162.211.213] 06.05.2017 20:47,Info,192.168.1.1,16[IKE] scheduling reauthentication in 28766s 06.05.2017 20:47,Info,192.168.1.1,16[IKE] maximum IKE_SA lifetime 28786s 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: crypto map ""L2TP0"" active IKE SA: 1, active CHILD SA: 0. 06.05.2017 20:47,Info,192.168.1.1,05[CFG] received proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ 06.05.2017 20:47,Info,192.168.1.1,05[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ 06.05.2017 20:47,Info,192.168.1.1,05[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ 06.05.2017 20:47,Info,192.168.1.1,05[IKE] received 21474836000 lifebytes, configured 21474836480 06.05.2017 20:47,Info,192.168.1.1,05[IKE] CHILD_SA L2TP0{1} established with SPIs cfb5bf18_i c6a85104_o and TS 93.100.ххх.ххх/32[udp] === 178.162.211.213/32[udp/l2tp] 06.05.2017 20:47,Warning,192.168.1.1,IpSec::Configurator: crypto map ""L2TP0"" is up. 06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: crypto map ""L2TP0"" active IKE SA: 1, active CHILD SA: 1. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::L2TP: ""L2TP0"": IPsec layer is up, do start L2TP layer. 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: ""L2TP0"": enabled connection via any interface. 06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: start reloading netfilter configuration... 06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: netfilter configuration reloading is done. 06.05.2017 20:47,Info,192.168.1.1,Plugin pppol2tp.so loaded. 06.05.2017 20:47,Notice,192.168.1.1,pppd 2.4.4-4 started by root, uid 0 06.05.2017 20:47,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 started (pid 789) 06.05.2017 20:47,Info,192.168.1.1,Network::Interface::L2TP: ""L2TP0"": added host route to 178.162.211.213 via 93.100.188.1. 06.05.2017 20:47,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 finished (pid 789), status = 0x0 06.05.2017 20:47,Info,192.168.1.1,l2tp_control v2.02 06.05.2017 20:47,Info,192.168.1.1,l2tp: remote host: 178.162.211.213 06.05.2017 20:47,Info,192.168.1.1,l2tp: bind: 93.100.ххх.ххх 06.05.2017 20:47,Info,192.168.1.1,kernel: EIP93: build outbound ESP connection, (SPI=c6a85104) 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 1 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 2 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 3 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 4 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 5 06.05.2017 20:48,Info,192.168.1.1,l2tp: sccrq failed, fatal 06.05.2017 20:48,Error,192.168.1.1,l2tp: control init failed 06.05.2017 20:48,Info,192.168.1.1,Exit. 06.05.2017 20:48,Error,192.168.1.1,Service: ""L2TP0"": unexpectedly stopped. 06.05.2017 20:48,Info,192.168.1.1,Network::Interface::Base: ""L2TP0"": interface is up. 06.05.2017 20:48,Info,192.168.1.1,Plugin pppol2tp.so loaded. 06.05.2017 20:48,Notice,192.168.1.1,pppd 2.4.4-4 started by root, uid 0 06.05.2017 20:48,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 started (pid 826) 06.05.2017 20:48,Info,192.168.1.1,Network::Interface::L2TP: ""L2TP0"": added host route to 178.162.211.213 via 93.100.188.1. 06.05.2017 20:48,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 finished (pid 826), status = 0x0 06.05.2017 20:48,Info,192.168.1.1,l2tp_control v2.02 06.05.2017 20:48,Info,192.168.1.1,l2tp: remote host: 178.162.211.213 06.05.2017 20:48,Info,192.168.1.1,l2tp: bind: 93.100.ххх.ххх 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 1 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 2 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 3 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 4 06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 5 06.05.2017 20:48,Info,192.168.1.1,l2tp: sccrq failed, fatal 06.05.2017 20:48,Error,192.168.1.1,l2tp: control init failed 06.05.2017 20:48,Info,192.168.1.1,Exit. 06.05.2017 20:48,Error,192.168.1.1,Service: ""L2TP0"": unexpectedly stopped. Селфтест прилагаю ниже. Quote Link to comment Share on other sites More sharing options...
Vadim Korchagin Posted May 21, 2017 Share Posted May 21, 2017 Аналогичная проблема. На Giga II c ndms 2.09.A.8.0-0 и последней 2.08. IPSec поднимается нормально, но L2TP поверх него не поднимается. Я контролирую сервер на который осуществляется подключение, там freebsd+racoon+mpd, все настроено и работает т.к. iphone, подключенный по wifi через этот же keenetic нормально поднимает l2tp/ipseс туда. Когда кинетик поднимает ipsec, но не может поднять l2tp в логах mpd на сервере пусто - нет даже попытки соединения, значит l2tp роутится куда-то не туда. Скрытый текст Network::Interface::Supplicant: authnentication is unchanged. May 21 20:11:00ndmNetwork::Interface::Base: "L2TP0": description saved. May 21 20:11:00ndmNetwork::Interface::PPP: "L2TP0": peer set. May 21 20:11:00ndmNetwork::Interface::IP: "L2TP0": interface is non-global. May 21 20:11:00ndmNetwork::Interface::IP: TCP-MSS adjustment enabled. May 21 20:11:00ndmNetwork::Interface::IP: "L2TP0": IP address cleared. May 21 20:11:00ndmNetwork::Interface::PPP: remote address erased. May 21 20:11:00ndmNetwork::Interface::Supplicant: identity is unchanged. May 21 20:11:00ndmNetwork::Interface::Base: "L2TP0": schedule cleared. May 21 20:11:00ndmCore::Configurator: not found: "interface/ipsec/preshared-key/key". May 21 20:11:00ndmDns::InterfaceSpecific: static name server list cleared on L2TP0. May 21 20:11:00ndmCore::ConfigurationSaver: saving configuration... May 21 20:11:03ndmCore::ConfigurationSaver: configuration saved. May 21 20:11:04ndmNetwork::Interface::Supplicant: authnentication is unchanged. May 21 20:11:04ipsec10[KNL] interface ppp0 activated May 21 20:11:04ndmNetwork::Interface::Base: "L2TP0": interface is up. May 21 20:11:04ndmNetwork::Interface::Base: "L2TP0": description saved. May 21 20:11:04ndmNetwork::Interface::PPP: "L2TP0": disabled connection. May 21 20:11:04ndmNetwork::Interface::PPP: "L2TP0": peer set. May 21 20:11:04ndmNetwork::Interface::PPP: "L2TP0": disabled connection. May 21 20:11:04ndmNetwork::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "91.227.x.x". May 21 20:11:04ndmNetwork::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "100.112.x.x" (via "UsbLte0"). May 21 20:11:04ndmNetwork::Interface::Base: "L2TP0": static MTU reset to default. May 21 20:11:04ndmNetwork::Interface::Base: "L2TP0": network MTU is 1400. May 21 20:11:04ndmNetwork::Interface::L2TP: "L2TP0": updating IP secure configuration. May 21 20:11:04ndmIpSec::Manager: IP secure connection "L2TP0" was added. May 21 20:11:04ndmNetwork::Interface::IP: "L2TP0": interface is non-global. May 21 20:11:04ndmNetwork::Interface::IP: TCP-MSS adjustment enabled. May 21 20:11:04ndmNetwork::Interface::IP: "L2TP0": IP address cleared. May 21 20:11:04ndmNetwork::Interface::PPP: remote address erased. May 21 20:11:04ndmNetwork::Interface::Supplicant: identity is unchanged. May 21 20:11:04ndmNetwork::Interface::Base: "L2TP0": schedule cleared. May 21 20:11:04ndmCore::Configurator: not found: "interface/ipsec/preshared-key/key". May 21 20:11:04ndmDns::InterfaceSpecific: static name server list cleared on L2TP0. May 21 20:11:05ndmCore::ConfigurationSaver: saving configuration... May 21 20:11:06ndmIpSec::Manager: create IPsec reconfiguration transaction... May 21 20:11:06ndmIpSec::Manager: add config for crypto map "L2TP0". May 21 20:11:06ndmIpSec::Manager: IPsec reconfiguration transaction was created. May 21 20:11:07ndmIpSec::Configurator: start applying IPsec configuration. May 21 20:11:07ndmIpSec::Configurator: IPsec configuration applying is done. May 21 20:11:07ndmIpSec::Configurator: start reloading IKE keys task. May 21 20:11:07ipsec13[CFG] rereading secrets May 21 20:11:07ipsec13[CFG] loading secrets May 21 20:11:07ipsec13[CFG] loaded IKE secret for cmap:L2TP0 May 21 20:11:07ipsec13[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts' May 21 20:11:07ipsec13[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts' May 21 20:11:07ipsec13[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts' May 21 20:11:07ipsec13[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts' May 21 20:11:07ipsec13[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls' May 21 20:11:07ndmIpSec::Configurator: reloading IKE keys task done. May 21 20:11:07ndmIpSec::Configurator: start reloading IPsec config task. May 21 20:11:07ipsec00[DMN] signal of type SIGHUP received. Reloading configuration May 21 20:11:07ipsec06[CFG] received stroke: add connection 'L2TP0' May 21 20:11:07ipsec00[CFG] loaded 0 entries for attr plugin configuration May 21 20:11:07ipsec06[CFG] added configuration 'L2TP0' May 21 20:11:07ndmIpSec::IpSecNetfilter: start reloading netfilter configuration... May 21 20:11:07ndmIpSec::IpSecNetfilter: netfilter configuration reloading is done. May 21 20:11:07ndmIpSec::Configurator: reloading IPsec config task done. May 21 20:11:07ipsec08[CFG] received stroke: initiate 'L2TP0' May 21 20:11:07ndmIpSec::Configurator: crypto map "L2TP0" initialized. May 21 20:11:07ipsec10[IKE] sending DPD vendor ID May 21 20:11:07ipsec10[IKE] sending FRAGMENTATION vendor ID May 21 20:11:07ipsec10[IKE] sending NAT-T (RFC 3947) vendor ID May 21 20:11:07ipsec10[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID May 21 20:11:07ipsec10[IKE] initiating Main Mode IKE_SA L2TP0[5] to 91.227.x.x May 21 20:11:07ipsec14[IKE] received NAT-T (RFC 3947) vendor ID May 21 20:11:07ipsec14[IKE] received DPD vendor ID May 21 20:11:07ipsec14[IKE] received FRAGMENTATION vendor ID May 21 20:11:07ipsec14[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# May 21 20:11:07ipsec14[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# May 21 20:11:07ipsec14[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# May 21 20:11:07ipsec15[IKE] found linked key for crypto map 'L2TP0' May 21 20:11:07ipsec15[IKE] local host is behind NAT, sending keep alives May 21 20:11:08ipsec11[IKE] IKE_SA L2TP0[5] established between 100.112.x.x[100.112.x.x]...91.227.x.x[91.227.x.x] May 21 20:11:08ipsec11[IKE] scheduling reauthentication in 28776s May 21 20:11:08ipsec11[IKE] maximum IKE_SA lifetime 28796s May 21 20:11:08ndmIpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0. May 21 20:11:08ipsec16[CFG] received proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ May 21 20:11:08ipsec16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ May 21 20:11:08ipsec16[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ May 21 20:11:08ipsec16[IKE] received 21474836000 lifebytes, configured 21474836480 May 21 20:11:08ipsec16[IKE] CHILD_SA L2TP0{4} established with SPIs c591c4bb_i 06e91bb4_o and TS 100.112.x.x/32[udp] === 91.227.x.x/32[udp/l2tp] May 21 20:11:08ndmIpSec::Configurator: crypto map "L2TP0" is up. May 21 20:11:08ndmIpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1. May 21 20:11:08ndmNetwork::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer. May 21 20:11:08ndmNetwork::Interface::PPP: "L2TP0": enabled connection via any interface. May 21 20:11:08ndmkernel: EIP93: build inbound ESP connection, (SPI=c591c4bb) May 21 20:11:08ndmIpSec::IpSecNetfilter: start reloading netfilter configuration... May 21 20:11:08ndmIpSec::IpSecNetfilter: netfilter configuration reloading is done. May 21 20:11:09ndmCore::ConfigurationSaver: configuration saved. May 21 20:11:10pppd[4496]Plugin pppol2tp.so loaded. May 21 20:11:10pppd[4496]pppd 2.4.4-4 started by root, uid 0 May 21 20:11:10ndmNetwork::Interface::L2TP: "L2TP0": added host route to 91.227.x.x via 100.112.y.y. May 21 20:11:10pppd[4498]l2tp_control v2.02 May 21 20:11:10pppd[4498]l2tp: remote host: 91.227.x.x May 21 20:11:10pppd[4498]l2tp: bind: 100.112.x.x May 21 20:11:10ndmkernel: EIP93: build outbound ESP connection, (SPI=06e91bb4) May 21 20:11:12pppd[4498]l2tp: timeout of sccrp, retry sccrq, try: 1 May 21 20:11:14pppd[4498]l2tp: timeout of sccrp, retry sccrq, try: 2 May 21 20:11:16pppd[4498]l2tp: timeout of sccrp, retry sccrq, try: 3 May 21 20:11:18pppd[4498]l2tp: timeout of sccrp, retry sccrq, try: 4 May 21 20:11:20pppd[4498]l2tp: timeout of sccrp, retry sccrq, try: 5 May 21 20:11:20pppd[4498]l2tp: sccrq failed, fatal May 21 20:11:29pppd[4496]l2tp: control init failed May 21 20:11:29pppd[4496]Exit. May 21 20:11:29ndmService: "L2TP0": unexpectedly stopped. May 21 20:11:29ndmNetwork::Interface::Base: "L2TP0": interface is up. May 21 20:11:32pppd[4524]Plugin pppol2tp.so loaded. May 21 20:11:32pppd[4524]pppd 2.4.4-4 started by root, uid 0 May 21 20:11:32ndmNetwork::Interface::L2TP: "L2TP0": added host route to 91.227.x.x via 100.112.y.y. May 21 20:11:32pppd[4527]l2tp_control v2.02 May 21 20:11:32pppd[4527]l2tp: remote host: 91.227.x.x May 21 20:11:32pppd[4527]l2tp: bind: 100.112.x.x May 21 20:11:34pppd[4527]l2tp: timeout of sccrp, retry sccrq, try: 1 May 21 20:11:36pppd[4527]l2tp: timeout of sccrp, retry sccrq, try: 2 May 21 20:11:38pppd[4527]l2tp: timeout of sccrp, retry sccrq, try: 3 May 21 20:11:40pppd[4527]l2tp: timeout of sccrp, retry sccrq, try: 4 Quote Link to comment Share on other sites More sharing options...
Vadim Korchagin Posted May 21, 2017 Share Posted May 21, 2017 (edited) И действительно, почему то неправильно определяется маршрут (IP внешнего интерфейса) для l2tp, последний сегмент увеличен на единицу: Цитата May 21 20:11:10 ndm Network::Interface::L2TP: "L2TP0": added host route to 91.227.x.x via 100.112.114.222 В то время как ipsec был поднят и актуальный внещний IP на самом деле другой: Цитата May 21 20:16:54 ndm Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "100.112.114.221" (via "UsbLte0"). ... May 21 20:11:08 ipsec16[IKE] CHILD_SA L2TP0{4} established with SPIs c591c4bb_i 06e91bb4_o and TS 100.112.114.221/32[udp] === 91.227.x.x/32[udp/l2tp] Edited May 21, 2017 by Vadim Korchagin Quote Link to comment Share on other sites More sharing options...
Vadim Korchagin Posted May 21, 2017 Share Posted May 21, 2017 Более того, неправильный IP шлюза во всей таблице маршрутизации - 100.112.114.222, хотя в статусе внешнего соединения UsbLte0 "Адрес IPv4 100.112.114.221". Quote Link to comment Share on other sites More sharing options...
Le ecureuil Posted May 23, 2017 Share Posted May 23, 2017 У вас адрес интерфейса UsbLte0 - это 100.112.114.221, а адрес IPv4 gateway, доступного, через этот интерфейс - 100.112.114.222? Тогда все верно. В первом случае показывается via gateway, а во втором - адрес локального исходящего адреса (они разные). Насчет неработоспособности схемы - доходят ли до вас L2TP-пакеты на FreeBSD после расшифровки в IPsec? Можете в личку скинуть конфиги - попробую воспроизвести. Quote Link to comment Share on other sites More sharing options...
Vadim Korchagin Posted May 23, 2017 Share Posted May 23, 2017 24 минуты назад, Le ecureuil сказал: У вас адрес интерфейса UsbLte0 - это 100.112.114.221, а адрес IPv4 gateway, доступного, через этот интерфейс - 100.112.114.222? Тогда все верно. В первом случае показывается via gateway, а во втором - адрес локального исходящего адреса (они разные). Насчет неработоспособности схемы - доходят ли до вас L2TP-пакеты на FreeBSD после расшифровки в IPsec? Можете в личку скинуть конфиги - попробую воспроизвести. Да, вы правы. Моя глупость... L2TP-пакеты не доходят. Конфиг высылаю. Спасибо! Quote Link to comment Share on other sites More sharing options...
T@rkus Posted May 28, 2017 Share Posted May 28, 2017 (edited) @Le ecureuil Залил в Giga II 2.08C2 подключился к по L2TP\IPSec к shadeyouvpn.com. В лог перестало сыпать kernel: EIP93: PE ring[45] error: AUTH_ERR . Youtube и Gmail стали открываться. С этими же настройками обратно залил 2.09.A.9.0-0 снова стала повторяться ситуация описанная мною выше. Sesf-Testы прилагаю. Edited May 28, 2017 by T@rkus Quote Link to comment Share on other sites More sharing options...
T@rkus Posted May 31, 2017 Share Posted May 31, 2017 (edited) @Le ecureuilGiga II 2.09.A.9.0-0. Сбросил настройки да дефолтных. kernel: EIP93: PE ring[45] error: AUTH_ERR в логе пропало. На ПК при подключении через shadeyouvpn.com L2TP\IPSec Google, Youtube, Gmail не загружаются в Chrome 58.0.3029.110. В IE11 загружаются но медленно. На планшете Google, Youtube, Gmail в Chrome загружаются. Отключаю shadeyouvpn.com L2TP\IPSec Google, Youtube, Gmail на ПК в Chrome 58.0.3029.110 начинают загружаться. При подключении через hidemy.name L2TP\IPSec Google, Youtube, Gmail на ПК в Chrome 58.0.3029.110 загружаются. В чем может быть причина, что Google, Youtube, Gmail не загружаются в Chrome 58.0.3029.110 на ПК при подключении через shadeyouvpn.com L2TP\IPSec? Edited May 31, 2017 by T@rkus Quote Link to comment Share on other sites More sharing options...
Dale Posted June 13, 2017 Author Share Posted June 13, 2017 (edited) On 29 Апрель 2017 г. at 10:48 AM, Dale said: Начиная, как минимум, с версии 2.09.A.6.0-2 перестало работать L2TP\IPSec соединение. В логе при попытке соединения пишет следующее: Reveal hidden contents [I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": interface is up. [I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": description saved. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": peer set. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection. [I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": global priority is 1000. [I] Apr 29 10:25:24 ndm: Network::Interface::IP: TCP-MSS adjustment enabled. [I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": IP address cleared. [I] Apr 29 10:25:24 ndm: Network::Interface::PPP: remote address erased. [I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "178.162.211.213". [I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "93.100.xxx.xxx" (via "GigabitEthernet1"). [I] Apr 29 10:25:24 ndm: Network::Interface::L2TP: "L2TP0": updating IP secure configuration. [I] Apr 29 10:25:24 ndm: Network::Interface::Supplicant: identity is unchanged. [I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": schedule cleared. [E] Apr 29 10:25:24 ndm: Core::Configurator: not found: "interface/ipsec/preshared-key/key". [I] Apr 29 10:25:24 ndm: IpSec::Manager: IP secure connection "L2TP0" was added. [I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: static name server list cleared on L2TP0. [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218 added, domain (default). [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218, domain (default) deleted. [I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.218 added, domain (default), interface L2TP0. [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222 added, domain (default). [I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222, domain (default) deleted. [I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.222 added, domain (default), interface L2TP0. [I] Apr 29 10:25:26 ndm: IpSec::Manager: create IPsec reconfiguration transaction... [I] Apr 29 10:25:26 ndm: IpSec::Manager: add config for high-priority crypto map "L2TP0". [I] Apr 29 10:25:26 ndm: IpSec::Manager: IPsec reconfiguration transaction was created. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: start applying IPsec configuration. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: IPsec configuration applying is done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IKE keys task. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IKE keys task done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IPsec config task. [I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration... [I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IPsec config task done. [I] Apr 29 10:25:26 ndm: IpSec::Configurator: crypto map "L2TP0" initialized. [I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0. [W] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" is up. [I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1. [I] Apr 29 10:25:27 ndm: Network::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer. [I] Apr 29 10:25:27 ndm: Network::Interface::PPP: "L2TP0": enabled connection via any interface. [I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration... [I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done. [I] Apr 29 10:25:29 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1. [E] Apr 29 10:25:48 ndm: Service: "L2TP0": unexpectedly stopped. [I] Apr 29 10:25:48 ndm: Network::Interface::Base: "L2TP0": interface is up. [I] Apr 29 10:25:51 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1. [E] Apr 29 10:26:09 ndm: Service: "L2TP0": unexpectedly stopped. Потратив определённое время на анализ, привожу моё решение проблемы: в настройках брандмауэра для интерфейса своего ISP прописал два правила - разрешил любые соединения на IP адрес VPN провайдера от себя и от него ко мне. После этого все заработало. Edited June 13, 2017 by Dale 1 Quote Link to comment Share on other sites More sharing options...
Le ecureuil Posted June 13, 2017 Share Posted June 13, 2017 1 час назад, Dale сказал: Потратив определённое время на анализ, привожу моё решение проблемы: в настройках брандмауэра для интерфейса своего ISP прописал два правила - разрешил любые соединения на IP адрес VPN провайдера от себя и от него ко мне. После этого все заработало. Спасибо за анализ, попробуем поправить у нас в firewall. Quote Link to comment Share on other sites More sharing options...
Dale Posted June 13, 2017 Author Share Posted June 13, 2017 (edited) 31 minutes ago, Le ecureuil said: Спасибо за анализ, попробуем поправить у нас в firewall. @Le ecureuil Скажу больше, достаточно добавить только разрешение на входящие соединения от адреса VPN сервиса к ISP, хотя при установленном L2TP\IPSec соединении нет входящих с адреса VPN сервиса, только, как положено, исходящие соединения IPSec и L2TP - чудеса... Edited June 13, 2017 by Dale Quote Link to comment Share on other sites More sharing options...
denmmx Posted April 29, 2018 Share Posted April 29, 2018 (edited) Уже неделю как бьюсь с аналогичной проблемой. На выделенном сервере поднят L2TP/IPsec (из репозитория hwdsl2/docker-ipsec-vpn-server), на Android и Windows все работает без проблем, после подключения на Giga II сразу начинают сыпаться ошибки в журнал: kernel: EIP93: PE ring[45] error: AUTH_ERR и сайты не загружаются вообще никакие. Поначалу думал на проблемы с MTU, менял на стороне сервера - эффекта ноль. Также смотрел MTU соединения в самом роутере - 1280, такое же как и на сервере. Прошивка 2.11.C.1.0-3, на последней драфт версии 2.12.A.5.0-8 то же самое. Не знаю куда уже копать... В 13.06.2017 в 23:22, Dale сказал: достаточно добавить только разрешение на входящие соединения от адреса VPN сервиса к ISP Какие протоколы нужно добавить в брандмауэре? TCP, UDP, ESP? P.S. Добавлю, что Ipsec поднимаю внутри l2tp-туннеля Beeline, может это как-то влияет? Edited April 29, 2018 by denmmx Quote Link to comment Share on other sites More sharing options...
Le ecureuil Posted May 8, 2018 Share Posted May 8, 2018 В 4/29/2018 в 17:29, denmmx сказал: Уже неделю как бьюсь с аналогичной проблемой. На выделенном сервере поднят L2TP/IPsec (из репозитория hwdsl2/docker-ipsec-vpn-server), на Android и Windows все работает без проблем, после подключения на Giga II сразу начинают сыпаться ошибки в журнал: kernel: EIP93: PE ring[45] error: AUTH_ERR и сайты не загружаются вообще никакие. Поначалу думал на проблемы с MTU, менял на стороне сервера - эффекта ноль. Также смотрел MTU соединения в самом роутере - 1280, такое же как и на сервере. Прошивка 2.11.C.1.0-3, на последней драфт версии 2.12.A.5.0-8 то же самое. Не знаю куда уже копать... Какие протоколы нужно добавить в брандмауэре? TCP, UDP, ESP? P.S. Добавлю, что Ipsec поднимаю внутри l2tp-туннеля Beeline, может это как-то влияет? Попробуйте на новом draft, возможно поможет. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.