
L2TP\IPSec broke after another firmware update



Starting at least from version 2.09.A.6.0-2, the L2TP\IPSec connection stopped working. When trying to connect, the log shows the following:


[I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": interface is up.
[I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": description saved.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": peer set.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection.
[I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": global priority is 1000.
[I] Apr 29 10:25:24 ndm: Network::Interface::IP: TCP-MSS adjustment enabled.
[I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": IP address cleared.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: remote address erased.
[I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "178.162.211.213".
[I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "93.100.xxx.xxx" (via "GigabitEthernet1").
[I] Apr 29 10:25:24 ndm: Network::Interface::L2TP: "L2TP0": updating IP secure configuration.
[I] Apr 29 10:25:24 ndm: Network::Interface::Supplicant: identity is unchanged.
[I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": schedule cleared.
[E] Apr 29 10:25:24 ndm: Core::Configurator: not found: "interface/ipsec/preshared-key/key".
[I] Apr 29 10:25:24 ndm: IpSec::Manager: IP secure connection "L2TP0" was added.
[I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: static name server list cleared on L2TP0.
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218 added, domain (default).
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218, domain (default) deleted.
[I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.218 added, domain (default), interface L2TP0.
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222 added, domain (default).
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222, domain (default) deleted.
[I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.222 added, domain (default), interface L2TP0.
[I] Apr 29 10:25:26 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Apr 29 10:25:26 ndm: IpSec::Manager: add config for high-priority crypto map "L2TP0".
[I] Apr 29 10:25:26 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: crypto map "L2TP0" initialized.
[I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0.
[W] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" is up.
[I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1.
[I] Apr 29 10:25:27 ndm: Network::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer.
[I] Apr 29 10:25:27 ndm: Network::Interface::PPP: "L2TP0": enabled connection via any interface.
[I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Apr 29 10:25:29 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1.
[E] Apr 29 10:25:48 ndm: Service: "L2TP0": unexpectedly stopped.
[I] Apr 29 10:25:48 ndm: Network::Interface::Base: "L2TP0": interface is up.
[I] Apr 29 10:25:51 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1.
[E] Apr 29 10:26:09 ndm: Service: "L2TP0": unexpectedly stopped.

 

As I understand it, the cause of this behaviour is this line: "[E] Apr 29 10:25:24 ndm: Core::Configurator: not found: "interface/ipsec/preshared-key/key"." Naturally, the PSK is set and has not been changed, and the connection was not edited in any way. I also tried deleting the old connection and creating a new one; the picture does not change. On the current firmware 2.09.A.7.0-0 the situation is the same. Config and self-test are attached in the message below.

Edited by Dale

@Le ecureuil Giga II 2.09.A.6.0-3

Connecting over L2TP\IPSec to shadeyouvpn.com works fine. But then the log starts filling with green: kernel: EIP93: PE ring[45] error: AUTH_ERR. Some sites stop opening, youtube.com for example. I specifically checked the connection on an Extra II and a Lite III with 2.08.C2. On those there is no flood of green and all sites open. Self-test attached.

 


Edited by T@rkus

On firmware 2.09.A.7.0-2 L2TP\IPSec still does not work, but the behaviour has changed slightly; in the syslog server logs I now see this:


06.05.2017 20:47,Info,192.168.1.1,14[KNL] interface ppp1 activated
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Base: "L2TP0": interface is up.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Base: "L2TP0": description saved.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: "L2TP0": disabled connection.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: "L2TP0": peer set.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: "L2TP0": disabled connection.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::IP: "L2TP0": global priority is 1000.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::IP: TCP-MSS adjustment enabled.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::IP: "L2TP0": IP address cleared.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: remote address erased.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "178.162.211.213".
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "93.100.ххх.ххх" (via "GigabitEthernet1").
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::L2TP: "L2TP0": updating IP secure configuration.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Supplicant: identity is unchanged.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Supplicant: added authentication: MS-CHAPv2.
06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: IP secure connection "L2TP0" was added.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::Base: "L2TP0": schedule cleared.
06.05.2017 20:47,Error,192.168.1.1,Core::Configurator: not found: "interface/ipsec/preshared-key/key".
06.05.2017 20:47,Info,192.168.1.1,Dns::InterfaceSpecific: static name server list cleared on L2TP0.
06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.218 added, domain (default).
06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.218, domain (default) deleted.
06.05.2017 20:47,Info,192.168.1.1,Dns::InterfaceSpecific: name server 209.222.18.218 added, domain (default), interface L2TP0.
06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.222 added, domain (default).
06.05.2017 20:47,Info,192.168.1.1,Dns::Manager: name server 209.222.18.222, domain (default) deleted.
06.05.2017 20:47,Info,192.168.1.1,Dns::InterfaceSpecific: name server 209.222.18.222 added, domain (default), interface L2TP0.
06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: create IPsec reconfiguration transaction...
06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: add config for high-priority crypto map "L2TP0".
06.05.2017 20:47,Info,192.168.1.1,IpSec::Manager: IPsec reconfiguration transaction was created.
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: start applying IPsec configuration.
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: IPsec configuration applying is done.
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: start reloading IKE keys task.
06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading secrets
06.05.2017 20:47,Info,192.168.1.1,08[CFG] loading secrets
06.05.2017 20:47,Info,192.168.1.1,08[CFG]   loaded IKE secret for cmap:L2TP0
06.05.2017 20:47,Info,192.168.1.1,08[CFG]   loaded (5) secret for dalesoft
06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: reloading IKE keys task done.
06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
06.05.2017 20:47,Info,192.168.1.1,08[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: start reloading IPsec config task.
06.05.2017 20:47,Info,192.168.1.1,00[DMN] signal of type SIGHUP received. Reloading configuration
06.05.2017 20:47,Info,192.168.1.1,09[CFG] received stroke: add connection 'L2TP0'
06.05.2017 20:47,Info,192.168.1.1,00[CFG] loaded 0 entries for attr plugin configuration
06.05.2017 20:47,Info,192.168.1.1,09[CFG] added configuration 'L2TP0'
06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: start reloading netfilter configuration...
06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: netfilter configuration reloading is done.
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: reloading IPsec config task done.
06.05.2017 20:47,Info,192.168.1.1,13[CFG] received stroke: initiate 'L2TP0'
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: crypto map "L2TP0" initialized.
06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending DPD vendor ID
06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending FRAGMENTATION vendor ID
06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending NAT-T (RFC 3947) vendor ID
06.05.2017 20:47,Info,192.168.1.1,14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
06.05.2017 20:47,Info,192.168.1.1,14[IKE] initiating Main Mode IKE_SA L2TP0[1] to 178.162.211.213
06.05.2017 20:47,Info,192.168.1.1,12[IKE] received XAuth vendor ID
06.05.2017 20:47,Info,192.168.1.1,12[IKE] received DPD vendor ID
06.05.2017 20:47,Info,192.168.1.1,12[IKE] received NAT-T (RFC 3947) vendor ID
06.05.2017 20:47,Info,192.168.1.1,12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#
06.05.2017 20:47,Info,192.168.1.1,12[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
06.05.2017 20:47,Info,192.168.1.1,12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#
06.05.2017 20:47,Info,192.168.1.1,15[IKE] found linked key for crypto map 'L2TP0'
06.05.2017 20:47,Info,192.168.1.1,16[IKE] IKE_SA L2TP0[1] established between 93.100.ххх.ххх[93.100.ххх.ххх]...178.162.211.213[178.162.211.213]
06.05.2017 20:47,Info,192.168.1.1,16[IKE] scheduling reauthentication in 28766s
06.05.2017 20:47,Info,192.168.1.1,16[IKE] maximum IKE_SA lifetime 28786s
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0.
06.05.2017 20:47,Info,192.168.1.1,05[CFG] received proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
06.05.2017 20:47,Info,192.168.1.1,05[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ
06.05.2017 20:47,Info,192.168.1.1,05[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
06.05.2017 20:47,Info,192.168.1.1,05[IKE] received 21474836000 lifebytes, configured 21474836480
06.05.2017 20:47,Info,192.168.1.1,05[IKE] CHILD_SA L2TP0{1} established with SPIs cfb5bf18_i c6a85104_o and TS 93.100.ххх.ххх/32[udp] === 178.162.211.213/32[udp/l2tp]
06.05.2017 20:47,Warning,192.168.1.1,IpSec::Configurator: crypto map "L2TP0" is up.
06.05.2017 20:47,Info,192.168.1.1,IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer.
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::PPP: "L2TP0": enabled connection via any interface.
06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: start reloading netfilter configuration...
06.05.2017 20:47,Info,192.168.1.1,IpSec::IpSecNetfilter: netfilter configuration reloading is done.
06.05.2017 20:47,Info,192.168.1.1,Plugin pppol2tp.so loaded.
06.05.2017 20:47,Notice,192.168.1.1,pppd 2.4.4-4 started by root, uid 0
06.05.2017 20:47,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 started (pid 789)
06.05.2017 20:47,Info,192.168.1.1,Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1.
06.05.2017 20:47,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 finished (pid 789), status = 0x0
06.05.2017 20:47,Info,192.168.1.1,l2tp_control v2.02
06.05.2017 20:47,Info,192.168.1.1,l2tp: remote host: 178.162.211.213
06.05.2017 20:47,Info,192.168.1.1,l2tp: bind: 93.100.ххх.ххх
06.05.2017 20:47,Info,192.168.1.1,kernel: EIP93: build outbound ESP connection, (SPI=c6a85104)
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 1
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 2
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 3
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 4
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 5
06.05.2017 20:48,Info,192.168.1.1,l2tp: sccrq failed, fatal
06.05.2017 20:48,Error,192.168.1.1,l2tp: control init failed
06.05.2017 20:48,Info,192.168.1.1,Exit.
06.05.2017 20:48,Error,192.168.1.1,Service: "L2TP0": unexpectedly stopped.
06.05.2017 20:48,Info,192.168.1.1,Network::Interface::Base: "L2TP0": interface is up.
06.05.2017 20:48,Info,192.168.1.1,Plugin pppol2tp.so loaded.
06.05.2017 20:48,Notice,192.168.1.1,pppd 2.4.4-4 started by root, uid 0
06.05.2017 20:48,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 started (pid 826)
06.05.2017 20:48,Info,192.168.1.1,Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1.
06.05.2017 20:48,Debug,192.168.1.1,Script /etc/ppp/pre-up-ppp1 finished (pid 826), status = 0x0
06.05.2017 20:48,Info,192.168.1.1,l2tp_control v2.02
06.05.2017 20:48,Info,192.168.1.1,l2tp: remote host: 178.162.211.213
06.05.2017 20:48,Info,192.168.1.1,l2tp: bind: 93.100.ххх.ххх
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 1
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 2
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 3
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 4
06.05.2017 20:48,Info,192.168.1.1,l2tp: timeout of sccrp, retry sccrq, try: 5
06.05.2017 20:48,Info,192.168.1.1,l2tp: sccrq failed, fatal
06.05.2017 20:48,Error,192.168.1.1,l2tp: control init failed
06.05.2017 20:48,Info,192.168.1.1,Exit.
06.05.2017 20:48,Error,192.168.1.1,Service: "L2TP0": unexpectedly stopped.

 

Self-test attached below.



Same problem here. On a Giga II with ndms 2.09.A.8.0-0 and on the latest 2.08. IPsec comes up fine, but L2TP on top of it does not. I control the server being connected to: FreeBSD + racoon + mpd, everything is set up and works, because an iPhone connected over Wi-Fi through this same Keenetic brings up l2tp/ipsec to it without problems. When the Keenetic brings up ipsec but cannot bring up l2tp, the mpd logs on the server are empty, not even a connection attempt, so l2tp is being routed somewhere it shouldn't be.

Network::Interface::Supplicant: authnentication is unchanged.
May 21 20:11:00 ndm Network::Interface::Base: "L2TP0": description saved.
May 21 20:11:00 ndm Network::Interface::PPP: "L2TP0": peer set.
May 21 20:11:00 ndm Network::Interface::IP: "L2TP0": interface is non-global.
May 21 20:11:00 ndm Network::Interface::IP: TCP-MSS adjustment enabled.
May 21 20:11:00 ndm Network::Interface::IP: "L2TP0": IP address cleared.
May 21 20:11:00 ndm Network::Interface::PPP: remote address erased.
May 21 20:11:00 ndm Network::Interface::Supplicant: identity is unchanged.
May 21 20:11:00 ndm Network::Interface::Base: "L2TP0": schedule cleared.
May 21 20:11:00 ndm Core::Configurator: not found: "interface/ipsec/preshared-key/key".
May 21 20:11:00 ndm Dns::InterfaceSpecific: static name server list cleared on L2TP0.
May 21 20:11:00 ndm Core::ConfigurationSaver: saving configuration...
May 21 20:11:03 ndm Core::ConfigurationSaver: configuration saved.
May 21 20:11:04 ndm Network::Interface::Supplicant: authnentication is unchanged.
May 21 20:11:04 ipsec 10[KNL] interface ppp0 activated
May 21 20:11:04 ndm Network::Interface::Base: "L2TP0": interface is up.
May 21 20:11:04 ndm Network::Interface::Base: "L2TP0": description saved.
May 21 20:11:04 ndm Network::Interface::PPP: "L2TP0": disabled connection.
May 21 20:11:04 ndm Network::Interface::PPP: "L2TP0": peer set.
May 21 20:11:04 ndm Network::Interface::PPP: "L2TP0": disabled connection.
May 21 20:11:04 ndm Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "91.227.x.x".
May 21 20:11:04 ndm Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "100.112.x.x" (via "UsbLte0").
May 21 20:11:04 ndm Network::Interface::Base: "L2TP0": static MTU reset to default.
May 21 20:11:04 ndm Network::Interface::Base: "L2TP0": network MTU is 1400.
May 21 20:11:04 ndm Network::Interface::L2TP: "L2TP0": updating IP secure configuration.
May 21 20:11:04 ndm IpSec::Manager: IP secure connection "L2TP0" was added.
May 21 20:11:04 ndm Network::Interface::IP: "L2TP0": interface is non-global.
May 21 20:11:04 ndm Network::Interface::IP: TCP-MSS adjustment enabled.
May 21 20:11:04 ndm Network::Interface::IP: "L2TP0": IP address cleared.
May 21 20:11:04 ndm Network::Interface::PPP: remote address erased.
May 21 20:11:04 ndm Network::Interface::Supplicant: identity is unchanged.
May 21 20:11:04 ndm Network::Interface::Base: "L2TP0": schedule cleared.
May 21 20:11:04 ndm Core::Configurator: not found: "interface/ipsec/preshared-key/key".
May 21 20:11:04 ndm Dns::InterfaceSpecific: static name server list cleared on L2TP0.
May 21 20:11:05 ndm Core::ConfigurationSaver: saving configuration...
May 21 20:11:06 ndm IpSec::Manager: create IPsec reconfiguration transaction...
May 21 20:11:06 ndm IpSec::Manager: add config for crypto map "L2TP0".
May 21 20:11:06 ndm IpSec::Manager: IPsec reconfiguration transaction was created.
May 21 20:11:07 ndm IpSec::Configurator: start applying IPsec configuration.
May 21 20:11:07 ndm IpSec::Configurator: IPsec configuration applying is done.
May 21 20:11:07 ndm IpSec::Configurator: start reloading IKE keys task.
May 21 20:11:07 ipsec 13[CFG] rereading secrets
May 21 20:11:07 ipsec 13[CFG] loading secrets
May 21 20:11:07 ipsec 13[CFG]   loaded IKE secret for cmap:L2TP0
May 21 20:11:07 ipsec 13[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
May 21 20:11:07 ipsec 13[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
May 21 20:11:07 ipsec 13[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
May 21 20:11:07 ipsec 13[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
May 21 20:11:07 ipsec 13[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
May 21 20:11:07 ndm IpSec::Configurator: reloading IKE keys task done.
May 21 20:11:07 ndm IpSec::Configurator: start reloading IPsec config task.
May 21 20:11:07 ipsec 00[DMN] signal of type SIGHUP received. Reloading configuration
May 21 20:11:07 ipsec 06[CFG] received stroke: add connection 'L2TP0'
May 21 20:11:07 ipsec 00[CFG] loaded 0 entries for attr plugin configuration
May 21 20:11:07 ipsec 06[CFG] added configuration 'L2TP0'
May 21 20:11:07 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
May 21 20:11:07 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
May 21 20:11:07 ndm IpSec::Configurator: reloading IPsec config task done.
May 21 20:11:07 ipsec 08[CFG] received stroke: initiate 'L2TP0'
May 21 20:11:07 ndm IpSec::Configurator: crypto map "L2TP0" initialized.
May 21 20:11:07 ipsec 10[IKE] sending DPD vendor ID
May 21 20:11:07 ipsec 10[IKE] sending FRAGMENTATION vendor ID
May 21 20:11:07 ipsec 10[IKE] sending NAT-T (RFC 3947) vendor ID
May 21 20:11:07 ipsec 10[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 20:11:07 ipsec 10[IKE] initiating Main Mode IKE_SA L2TP0[5] to 91.227.x.x
May 21 20:11:07 ipsec 14[IKE] received NAT-T (RFC 3947) vendor ID
May 21 20:11:07 ipsec 14[IKE] received DPD vendor ID
May 21 20:11:07 ipsec 14[IKE] received FRAGMENTATION vendor ID
May 21 20:11:07 ipsec 14[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
May 21 20:11:07 ipsec 14[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
May 21 20:11:07 ipsec 14[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
May 21 20:11:07 ipsec 15[IKE] found linked key for crypto map 'L2TP0'
May 21 20:11:07 ipsec 15[IKE] local host is behind NAT, sending keep alives
May 21 20:11:08 ipsec 11[IKE] IKE_SA L2TP0[5] established between 100.112.x.x[100.112.x.x]...91.227.x.x[91.227.x.x]
May 21 20:11:08 ipsec 11[IKE] scheduling reauthentication in 28776s
May 21 20:11:08 ipsec 11[IKE] maximum IKE_SA lifetime 28796s
May 21 20:11:08 ndm IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0.
May 21 20:11:08 ipsec 16[CFG] received proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
May 21 20:11:08 ipsec 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ
May 21 20:11:08 ipsec 16[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
May 21 20:11:08 ipsec 16[IKE] received 21474836000 lifebytes, configured 21474836480
May 21 20:11:08 ipsec 16[IKE] CHILD_SA L2TP0{4} established with SPIs c591c4bb_i 06e91bb4_o and TS 100.112.x.x/32[udp] === 91.227.x.x/32[udp/l2tp]
May 21 20:11:08 ndm IpSec::Configurator: crypto map "L2TP0" is up.
May 21 20:11:08 ndm IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1.
May 21 20:11:08 ndm Network::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer.
May 21 20:11:08 ndm Network::Interface::PPP: "L2TP0": enabled connection via any interface.
May 21 20:11:08 ndm kernel: EIP93: build  inbound ESP connection, (SPI=c591c4bb)
May 21 20:11:08 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
May 21 20:11:08 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
May 21 20:11:09 ndm Core::ConfigurationSaver: configuration saved.
May 21 20:11:10 pppd[4496] Plugin pppol2tp.so loaded.
May 21 20:11:10 pppd[4496] pppd 2.4.4-4 started by root, uid 0
May 21 20:11:10 ndm Network::Interface::L2TP: "L2TP0": added host route to 91.227.x.x via 100.112.y.y.
May 21 20:11:10 pppd[4498] l2tp_control v2.02
May 21 20:11:10 pppd[4498] l2tp: remote host: 91.227.x.x
May 21 20:11:10 pppd[4498] l2tp: bind: 100.112.x.x
May 21 20:11:10 ndm kernel: EIP93: build outbound ESP connection, (SPI=06e91bb4)
May 21 20:11:12 pppd[4498] l2tp: timeout of sccrp, retry sccrq, try: 1
May 21 20:11:14 pppd[4498] l2tp: timeout of sccrp, retry sccrq, try: 2
May 21 20:11:16 pppd[4498] l2tp: timeout of sccrp, retry sccrq, try: 3
May 21 20:11:18 pppd[4498] l2tp: timeout of sccrp, retry sccrq, try: 4
May 21 20:11:20 pppd[4498] l2tp: timeout of sccrp, retry sccrq, try: 5
May 21 20:11:20 pppd[4498] l2tp: sccrq failed, fatal
May 21 20:11:29 pppd[4496] l2tp: control init failed
May 21 20:11:29 pppd[4496] Exit.
May 21 20:11:29 ndm Service: "L2TP0": unexpectedly stopped.
May 21 20:11:29 ndm Network::Interface::Base: "L2TP0": interface is up.
May 21 20:11:32 pppd[4524] Plugin pppol2tp.so loaded.
May 21 20:11:32 pppd[4524] pppd 2.4.4-4 started by root, uid 0
May 21 20:11:32 ndm Network::Interface::L2TP: "L2TP0": added host route to 91.227.x.x via 100.112.y.y.
May 21 20:11:32 pppd[4527] l2tp_control v2.02
May 21 20:11:32 pppd[4527] l2tp: remote host: 91.227.x.x
May 21 20:11:32 pppd[4527] l2tp: bind: 100.112.x.x
May 21 20:11:34 pppd[4527] l2tp: timeout of sccrp, retry sccrq, try: 1
May 21 20:11:36 pppd[4527] l2tp: timeout of sccrp, retry sccrq, try: 2
May 21 20:11:38 pppd[4527] l2tp: timeout of sccrp, retry sccrq, try: 3
May 21 20:11:40 pppd[4527] l2tp: timeout of sccrp, retry sccrq, try: 4

 

 


And indeed, for some reason the route (the IP of the external interface) for l2tp is determined incorrectly; the last octet is incremented by one:

Quote

May 21 20:11:10 ndm Network::Interface::L2TP: "L2TP0": added host route to 91.227.x.x via 100.112.114.222

Whereas ipsec was brought up, and the actual current external IP is in fact different:

Quote

May 21 20:16:54 ndm Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "100.112.114.221" (via "UsbLte0").
...
May 21 20:11:08 ipsec16[IKE] CHILD_SA L2TP0{4} established with SPIs c591c4bb_i 06e91bb4_o and TS 100.112.114.221/32[udp] === 91.227.x.x/32[udp/l2tp] 

 

Edited by Vadim Korchagin

Is the address of your UsbLte0 interface 100.112.114.221, and the IPv4 gateway reachable through that interface 100.112.114.222? Then everything is correct. In the first case it shows "via gateway", and in the second the local source address (they are different).

As for the scheme not working: do the L2TP packets reach your FreeBSD after IPsec has decrypted them?

You can send me the configs by PM; I'll try to reproduce.


24 minutes ago, Le ecureuil said:

Is the address of your UsbLte0 interface 100.112.114.221, and the IPv4 gateway reachable through that interface 100.112.114.222? Then everything is correct. In the first case it shows "via gateway", and in the second the local source address (they are different).

As for the scheme not working: do the L2TP packets reach your FreeBSD after IPsec has decrypted them?

You can send me the configs by PM; I'll try to reproduce.

Yes, you are right. My mistake...

The L2TP packets do not arrive. Sending the config. Thanks!


@Le ecureuil I flashed 2.08C2 onto the Giga II and connected over L2TP\IPSec to shadeyouvpn.com. The log stopped filling with kernel: EIP93: PE ring[45] error: AUTH_ERR. YouTube and Gmail started opening. With the same settings I flashed 2.09.A.9.0-0 back, and the situation I described above started repeating. Self-tests attached.

Edited by T@rkus

@Le ecureuil Giga II 2.09.A.9.0-0. I reset the settings to defaults. kernel: EIP93: PE ring[45] error: AUTH_ERR disappeared from the log. On a PC connected through shadeyouvpn.com L2TP\IPSec, Google, YouTube and Gmail do not load in Chrome 58.0.3029.110. In IE11 they load, but slowly. On a tablet, Google, YouTube and Gmail load in Chrome. When I disconnect shadeyouvpn.com L2TP\IPSec, Google, YouTube and Gmail start loading on the PC in Chrome 58.0.3029.110. When connected through hidemy.name L2TP\IPSec, Google, YouTube and Gmail load on the PC in Chrome 58.0.3029.110. What could be the reason that Google, YouTube and Gmail do not load in Chrome 58.0.3029.110 on the PC when connected through shadeyouvpn.com L2TP\IPSec?

Edited by T@rkus

On 29 April 2017 at 10:48 AM, Dale said:

Starting at least from version 2.09.A.6.0-2, the L2TP\IPSec connection stopped working. When trying to connect, the log shows the following:

  Reveal hidden contents


[I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": interface is up.
[I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": description saved.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": peer set.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: "L2TP0": disabled connection.
[I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": global priority is 1000.
[I] Apr 29 10:25:24 ndm: Network::Interface::IP: TCP-MSS adjustment enabled.
[I] Apr 29 10:25:24 ndm: Network::Interface::IP: "L2TP0": IP address cleared.
[I] Apr 29 10:25:24 ndm: Network::Interface::PPP: remote address erased.
[I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "178.162.211.213".
[I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "93.100.xxx.xxx" (via "GigabitEthernet1").
[I] Apr 29 10:25:24 ndm: Network::Interface::L2TP: "L2TP0": updating IP secure configuration.
[I] Apr 29 10:25:24 ndm: Network::Interface::Supplicant: identity is unchanged.
[I] Apr 29 10:25:24 ndm: Network::Interface::Base: "L2TP0": schedule cleared.
[E] Apr 29 10:25:24 ndm: Core::Configurator: not found: "interface/ipsec/preshared-key/key".
[I] Apr 29 10:25:24 ndm: IpSec::Manager: IP secure connection "L2TP0" was added.
[I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: static name server list cleared on L2TP0.
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218 added, domain (default).
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.218, domain (default) deleted.
[I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.218 added, domain (default), interface L2TP0.
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222 added, domain (default).
[I] Apr 29 10:25:24 ndm: Dns::Manager: name server 209.222.18.222, domain (default) deleted.
[I] Apr 29 10:25:24 ndm: Dns::InterfaceSpecific: name server 209.222.18.222 added, domain (default), interface L2TP0.
[I] Apr 29 10:25:26 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Apr 29 10:25:26 ndm: IpSec::Manager: add config for high-priority crypto map "L2TP0".
[I] Apr 29 10:25:26 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Apr 29 10:25:26 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Apr 29 10:25:26 ndm: IpSec::Configurator: crypto map "L2TP0" initialized.
[I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0.
[W] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" is up.
[I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1.
[I] Apr 29 10:25:27 ndm: Network::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer.
[I] Apr 29 10:25:27 ndm: Network::Interface::PPP: "L2TP0": enabled connection via any interface.
[I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Apr 29 10:25:27 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Apr 29 10:25:29 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1.
[E] Apr 29 10:25:48 ndm: Service: "L2TP0": unexpectedly stopped.
[I] Apr 29 10:25:48 ndm: Network::Interface::Base: "L2TP0": interface is up.
[I] Apr 29 10:25:51 ndm: Network::Interface::L2TP: "L2TP0": added host route to 178.162.211.213 via 93.100.188.1.
[E] Apr 29 10:26:09 ndm: Service: "L2TP0": unexpectedly stopped.

After spending some time on analysis, here is my solution to the problem: in the firewall settings for my ISP interface I added two rules that allow any connections to the VPN provider's IP address, from me to it and from it to me. After that everything worked.


1 hour ago, Dale said:

After spending some time on analysis, here is my solution to the problem: in the firewall settings for my ISP interface I added two rules that allow any connections to the VPN provider's IP address, from me to it and from it to me. After that everything worked.

Thanks for the analysis, we'll try to fix it in our firewall.


31 minutes ago, Le ecureuil said:

Thanks for the analysis, we'll try to fix it in our firewall.

@Le ecureuil I'll say more: it is enough to add only the rule permitting inbound connections from the VPN service's address to the ISP interface, even though with an established L2TP/IPsec connection there are no inbound connections from the VPN service's address, only, as expected, outbound IPsec and L2TP connections. Miracles...


  • 10 months later...

I've been struggling with a similar problem for a week now. An L2TP/IPsec server is running on a dedicated server (from the hwdsl2/docker-ipsec-vpn-server repository); on Android and Windows everything works without problems, but after connecting from a Giga II, errors immediately start pouring into the log:

kernel: EIP93: PE ring[45] error: AUTH_ERR

and no websites load at all. At first I suspected MTU problems and changed it on the server side, with zero effect. I also checked the connection MTU in the router itself: 1280, the same as on the server. Firmware 2.11.C.1.0-3; on the latest draft version 2.12.A.5.0-8 it is the same. I don't know where else to dig...

On 13.06.2017 at 23:22, Dale said:

it is enough to add only the rule permitting inbound connections from the VPN service's address to the ISP interface

Which protocols need to be added in the firewall? TCP, UDP, ESP?

P.S. I should add that I bring up IPsec inside a Beeline L2TP tunnel; could that affect it somehow?

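Two things in this thread lend themselves to a small helper: Dale's log shows the signature of a firewall problem (IKE and the CHILD SA come up, then the L2TP service dies a few seconds later), and denmmx asks which protocols the ISP-side firewall must pass. The script below is an added example written for this page; it is not code from any poster or from Keenetic. The log patterns are taken from the log posted above; the constructed sample reuses the decisive lines of that log. The port/protocol list is the standard L2TP/IPsec set and is an assumption of this example, not something the thread states, and the year in the timestamps is supplied by the caller because ndm does not log it.

```python
"""Triage an ndm (Keenetic) syslog excerpt for an L2TP/IPsec client that dies
right after IPsec comes up, then list the outer firewall rules the client needs.

Added example for this thread; not code from the forum posters or from Keenetic.
The message patterns come from the log posted above. The port/protocol list is
the standard L2TP/IPsec set and is an assumption, not something the thread states.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r'^\[(?P<level>[IWE])\] (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) '
    r'(?P<time>\d{2}:\d{2}:\d{2}) (?P<proc>\S+): (?P<msg>.*)$'
)
MONTHS = {m: i for i, m in enumerate(
    'Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split(), start=1)}

PEER_RE = re.compile(r'"(?P<iface>\w+)": remote endpoint is resolved to "(?P<ip>[\d.]+)"')
SA_RE = re.compile(r'crypto map "(?P<iface>\w+)" active IKE SA: (?P<ike>\d+), active CHILD SA: (?P<child>\d+)')
STOP_RE = re.compile(r'Service: "(?P<iface>\w+)": unexpectedly stopped')
PSK_RE = re.compile(r'not found: "interface/ipsec/preshared-key/key"')

# Constructed sample: the decisive lines of the log posted in this thread (ndm logs no year).
SAMPLE_LOG = """\
[I] Apr 29 10:25:24 ndm: Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "178.162.211.213".
[E] Apr 29 10:25:24 ndm: Core::Configurator: not found: "interface/ipsec/preshared-key/key".
[I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 0.
[W] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" is up.
[I] Apr 29 10:25:27 ndm: IpSec::Configurator: crypto map "L2TP0" active IKE SA: 1, active CHILD SA: 1.
[I] Apr 29 10:25:27 ndm: Network::Interface::L2TP: "L2TP0": IPsec layer is up, do start L2TP layer.
[E] Apr 29 10:25:48 ndm: Service: "L2TP0": unexpectedly stopped.
[E] Apr 29 10:26:09 ndm: Service: "L2TP0": unexpectedly stopped.
""".splitlines()


def parse_line(line, year=2017):
    """Split one ndm syslog line into (timestamp, level, message); None if it does not match.
    ndm does not log the year, so the caller supplies it (the thread dates this log to 2017)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = map(int, m['time'].split(':'))
    return datetime(year, MONTHS[m['mon']], int(m['day']), h, mi, s), m['level'], m['msg']


def triage(lines, iface='L2TP0'):
    """Decide which layer failed: 'ike' (no CHILD SA ever), 'l2tp' (CHILD SA up, then the
    L2TP/PPP service died), or 'ok'. Also extracts the peer address for firewall rules."""
    peer, ipsec_up, psk_missing, stops = None, None, False, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _, msg = parsed
        if PSK_RE.search(msg):
            psk_missing = True      # logged as [E] above, yet IPsec still came up; flag, do not conclude
        m = PEER_RE.search(msg)
        if m and m['iface'] == iface:
            peer = m['ip']
        m = SA_RE.search(msg)
        if m and m['iface'] == iface and int(m['child']) > 0 and ipsec_up is None:
            ipsec_up = ts           # first moment ESP is actually usable
        m = STOP_RE.search(msg)
        if m and m['iface'] == iface:
            stops.append(ts)
    if ipsec_up is None:
        layer = 'ike'               # PSK / proposals / UDP 500-4500 / ESP reachability
    elif any(t >= ipsec_up for t in stops):
        layer = 'l2tp'              # IKE and ESP fine; traffic inside the tunnel not getting through
    else:
        layer = 'ok'
    first_stop = min((t for t in stops if ipsec_up and t >= ipsec_up), default=None)
    return {
        'peer': peer,
        'psk_missing': psk_missing,
        'ipsec_up': ipsec_up,
        'seconds_to_stop': (first_stop - ipsec_up).total_seconds() if first_stop else None,
        'layer': layer,
    }


def outer_allow_rules(peer, nat_t=False):
    """Stateful allow-list for the ISP-facing interface of an L2TP/IPsec *client* talking to `peer`.
    Assumption: standard ports. L2TP (UDP/1701) and PPP travel inside ESP (or inside UDP/4500
    when NAT-T is in use), so they need no rule of their own on the outer interface."""
    rules = [
        {'proto': 'udp', 'port': 500, 'peer': peer, 'why': 'IKE'},
        {'proto': 'esp', 'port': None, 'peer': peer, 'why': 'IPsec ESP'},
    ]
    if nat_t:
        rules.append({'proto': 'udp', 'port': 4500, 'peer': peer, 'why': 'NAT-T: IKE and ESP-in-UDP'})
    return rules


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print(result)
    for r in outer_allow_rules(result['peer'], nat_t=True):
        port = f"/{r['port']}" if r['port'] else ''
        print(f"allow {r['proto']}{port} <-> {r['peer']}  # {r['why']}")
```

On the posted log the verdict is `l2tp`: the CHILD SA is up at 10:25:27 and the L2TP service dies 21 seconds later, which is why the fix was a firewall rule for the peer rather than anything about the pre-shared key. For a client behind another tunnel or behind NAT (the Beeline case) pass `nat_t=True` so UDP/4500 is included.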

  • 2 weeks later...
On 4/29/2018 at 17:29, denmmx said:

I've been struggling with a similar problem for a week now. An L2TP/IPsec server is running on a dedicated server (from the hwdsl2/docker-ipsec-vpn-server repository); on Android and Windows everything works without problems, but after connecting from a Giga II, errors immediately start pouring into the log:

kernel: EIP93: PE ring[45] error: AUTH_ERR

and no websites load at all. At first I suspected MTU problems and changed it on the server side, with zero effect. I also checked the connection MTU in the router itself: 1280, the same as on the server. Firmware 2.11.C.1.0-3; on the latest draft version 2.12.A.5.0-8 it is the same. I don't know where else to dig...

Which protocols need to be added in the firewall? TCP, UDP, ESP?

P.S. I should add that I bring up IPsec inside a Beeline L2TP tunnel; could that affect it somehow?

Try it on the new draft, it may help.
