The_Immortal Posted September 13, 2020 (edited)

Friends, has anyone perhaps had a similar problem connecting to a VPN server over L2TP/IPsec, of this kind:

[I] Sep 13 21:27:53 ndm: Network::Interface::Base: "L2TP0": interface is up.
[I] Sep 13 21:27:53 ndm: IpSec::Manager: service enabled.
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": interface state is changed, reconnecting.
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "102.*.*.*".
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": connecting via PPPoE0 (PPPoE0).
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "92.*.*.*".
[I] Sep 13 21:27:53 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": added host route to 102.*.*.* via PPPoE0 (PPPoE0).
[I] Sep 13 21:27:53 ndm: Network::Interface::L2tp: "L2TP0": using port 41216 as local.
[I] Sep 13 21:27:53 ndm: Network::Interface::L2tp: "L2TP0": updating IP secure configuration.
[I] Sep 13 21:27:53 ndm: IpSec::Manager: "L2TP0": IP secure connection was added.
[I] Sep 13 21:27:53 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Sep 13 21:27:55 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Sep 13 21:27:55 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Sep 13 21:27:55 ndm: IpSec::Manager: add config for crypto map "L2TP0".
[I] Sep 13 21:27:55 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading secrets
[I] Sep 13 21:27:55 ipsec: 15[CFG] loading secrets
[I] Sep 13 21:27:55 ipsec: 15[CFG] loaded IKE secret for %any
[I] Sep 13 21:27:55 ipsec: 15[CFG] loaded IKE secret for cmap:L2TP0
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Sep 13 21:27:56 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Sep 13 21:27:56 ipsec: 10[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Sep 13 21:27:56 ipsec: 10[CFG] deleted connection 'VPNL2TPServer'
[I] Sep 13 21:27:56 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Sep 13 21:27:56 ipsec: 09[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Sep 13 21:27:56 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Sep 13 21:27:56 ipsec: 09[CFG] added configuration 'VPNL2TPServer'
[I] Sep 13 21:27:56 ipsec: 13[CFG] received stroke: add connection 'L2TP0'
[I] Sep 13 21:27:56 ipsec: 13[CFG] added configuration 'L2TP0'
[I] Sep 13 21:27:56 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Sep 13 21:27:56 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Sep 13 21:27:56 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Sep 13 21:27:56 ipsec: 12[CFG] received stroke: initiate 'L2TP0'
[I] Sep 13 21:27:56 ndm: IpSec::Configurator: "L2TP0": crypto map initialized.
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending DPD vendor ID
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending FRAGMENTATION vendor ID
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending NAT-T (RFC 3947) vendor ID
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[I] Sep 13 21:27:56 ipsec: 11[IKE] initiating Main Mode IKE_SA L2TP0[5] to 102.*.*.*
[I] Sep 13 21:27:56 ipsec: 08[IKE] received NAT-T (RFC 3947) vendor ID
[I] Sep 13 21:27:56 ipsec: 08[IKE] received DPD vendor ID
[I] Sep 13 21:27:56 ipsec: 08[IKE] received FRAGMENTATION vendor ID
[I] Sep 13 21:27:56 ipsec: 08[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[I] Sep 13 21:27:56 ipsec: 08[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Sep 13 21:27:56 ipsec: 08[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[I] Sep 13 21:27:57 ipsec: 15[IKE] found linked key for crypto map 'L2TP0'
[I] Sep 13 21:27:57 ipsec: 07[IKE] IKE_SA L2TP0[5] established between 92.*.*.*[92.*.*.*]...102.*.*.*[102.*.*.*]
[I] Sep 13 21:27:57 ipsec: 07[IKE] scheduling reauthentication in 28772s
[I] Sep 13 21:27:57 ipsec: 07[IKE] maximum IKE_SA lifetime 28792s
[I] Sep 13 21:27:57 ndm: IpSec::Configurator: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 0.
[I] Sep 13 21:27:57 ipsec: 16[CFG] received proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ
[I] Sep 13 21:27:57 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[I] Sep 13 21:27:57 ipsec: 16[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ
[I] Sep 13 21:27:57 ipsec: 16[IKE] CHILD_SA L2TP0{4} established with SPIs cb1a6567_i 05d20153_o and TS 92.*.*.*/32[udp/41216] === 102.*.*.*/32[udp/l2tp]
[W] Sep 13 21:27:57 ndm: IpSec::Configurator: crypto map "L2TP0" is up.
[I] Sep 13 21:27:57 ndm: IpSec::Configurator: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 1.
[I] Sep 13 21:27:57 ndm: Network::Interface::L2tp: "L2TP0": IPsec layer is up, do start L2TP layer.
[I] Sep 13 21:27:57 ndm: Network::Interface::Ppp: "L2TP0": enabled connection via any interface.
[I] Sep 13 21:27:58 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Sep 13 21:27:58 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Sep 13 21:27:59 l2tp[1423]: Plugin pppol2tp.so loaded.
[I] Sep 13 21:27:59 l2tp[1423]: pppd 2.4.4-4 started by root, uid 0
[I] Sep 13 21:27:59 ndm: Network::Interface::PppTunnel: "L2TP0": added host route to 102.*.*.* via PPPoE0 (PPPoE0).
[I] Sep 13 21:28:00 pppd_L2TP0: l2tp_control v2.02
[I] Sep 13 21:28:00 pppd_L2TP0: remote host: 102.*.*.*:1701
[I] Sep 13 21:28:00 pppd_L2TP0: local bind: 92.*.*.*:41216
[I] Sep 13 21:28:02 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 1
[I] Sep 13 21:28:04 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 2
[I] Sep 13 21:28:06 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 3
[I] Sep 13 21:28:08 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 4
[I] Sep 13 21:28:10 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 5
[I] Sep 13 21:28:10 pppd_L2TP0: l2tp: sccrq failed, fatal
[I] Sep 13 21:28:10 pppd_L2TP0: l2tp: shutting down control connection
[I] Sep 13 21:28:12 pppd_L2TP0: l2tp: shutdown completed
[C] Sep 13 21:28:19 pppd_L2TP0: control init failed
[E] Sep 13 21:28:19 pppd_L2TP0: Couldn't get channel number: Bad file descriptor
[I] Sep 13 21:28:19 pppd_L2TP0: Exit.
[E] Sep 13 21:28:19 ndm: Service: "L2TP0": unexpectedly stopped.

The VPN server is a corporate one and its details are unknown, but from Windows and from Android the connection works without any problems, while the router on stable KeeneticOS 3.4.12 won't connect... Thanks!

Edited September 13, 2020 by The_Immortal
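An added diagnostic, not from the original post and not part of KeeneticOS: a small Python script that reads an exported router log in the format quoted above and reports which legacy algorithms the client itself offers (the 3DES_CBC and MODP_1024 entries under "configured proposals"), which were actually negotiated, and whether the IPsec CHILD_SA came up while the L2TP control connection never received an SCCRP. The sample log lines are constructed and abridged from the post, with documentation addresses in place of the masked ones; it is meant to run on a workstation, not on the router.

```python
import re

# Constructed, abridged sample in the format of the router log quoted in the first post
# (documentation addresses instead of the poster's masked ones).
SAMPLE_LOG = """\
[I] Sep 13 21:27:56 ipsec: 08[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[I] Sep 13 21:27:56 ipsec: 08[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[I] Sep 13 21:27:56 ipsec: 08[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[I] Sep 13 21:27:57 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[I] Sep 13 21:27:57 ipsec: 16[IKE] CHILD_SA L2TP0{4} established with SPIs cb1a6567_i 05d20153_o and TS 192.0.2.10/32[udp/41216] === 198.51.100.20/32[udp/l2tp]
[I] Sep 13 21:28:02 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 1
[I] Sep 13 21:28:10 pppd_L2TP0: l2tp: sccrq failed, fatal
"""

# Legacy algorithms a defender does not want the client to offer at all.
WEAK = {"3DES_CBC", "DES_CBC", "MODP_768", "MODP_1024", "HMAC_MD5_96", "PRF_HMAC_MD5"}
PROPOSAL_RE = re.compile(r"\[CFG\] (configured|received|selected) proposals?: (.*)$")

def parse_proposals(log):
    """Collect strongSwan proposal strings by kind: configured (ours), received, selected."""
    out = {"configured": [], "received": [], "selected": []}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            out[m.group(1)].extend(p.strip() for p in m.group(2).split(","))
    return out

def weak_algorithms(proposals):
    """Return the set of legacy algorithm names present in the given proposal strings."""
    found = set()
    for prop in proposals:
        body = prop.split(":", 1)[1] if ":" in prop else prop   # drop the IKE:/ESP: prefix
        for alg in body.split("/"):
            name = alg.split("=")[0]                             # strip key size, e.g. AES_CBC=256
            if name in WEAK:
                found.add(name)
    return found

def l2tp_failed_after_ipsec(log):
    """True when a CHILD_SA came up but the L2TP control connection never got an SCCRP."""
    child_sa_up = re.search(r"CHILD_SA \S+ established", log) is not None
    return child_sa_up and "sccrq failed" in log

def diagnose(log):
    """Summarise offered/negotiated legacy crypto and the state of the L2TP layer."""
    props = parse_proposals(log)
    return {"client_offers_weak": sorted(weak_algorithms(props["configured"])),
            "negotiated_weak": sorted(weak_algorithms(props["selected"])),
            "ipsec_up_l2tp_down": l2tp_failed_after_ipsec(log)}
```

On the post's full log the same pattern appears: 3DES and MODP_1024 are offered by the client but never selected, and the failure is in the L2TP control channel, which is why trimming the client's proposal set (see the replies below) was the thing to try.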
The_Immortal (Author) Posted September 14, 2020

Could you please tell me how to make the client not use 3des in the first phase when connecting?
PASPARTU Posted September 14, 2020

9 hours ago, The_Immortal said:
Could you please tell me how to make the client not use 3des in the first phase when connecting?

I think you should edit run-conf, but make a backup first.
The_Immortal (Author) Posted September 14, 2020 (edited)

2 hours ago, PASPARTU said:
I think you should edit run-conf

The thing is, there it is only about the server:

crypto ike proposal VPNL2TPServer
...
crypto ipsec transform-set VPNL2TPServer

Edited September 14, 2020 by The_Immortal
The_Immortal (Author) Posted September 14, 2020

I do it like this:

(config)> crypto ike proposal VPNL2TPServer
(config-ike-proposal)> no encryption des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> no encryption 3des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> system reboot
Core::System::RebootManager: Rebooting the system.

As a result, in running-config I still see:

crypto ike proposal VPNL2TPServer
    encryption 3des
    encryption des
    encryption aes-cbc-128
    encryption aes-cbc-256
...

What is wrong?
r13 Posted September 15, 2020

5 hours ago, The_Immortal said:
I do it like this:

(config)> crypto ike proposal VPNL2TPServer
(config-ike-proposal)> no encryption des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> no encryption 3des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> system reboot
Core::System::RebootManager: Rebooting the system.

As a result, in running-config I still see:

crypto ike proposal VPNL2TPServer
    encryption 3des
    encryption des
    encryption aes-cbc-128
    encryption aes-cbc-256
...

What is wrong?

You are missing system configuration save.
The_Immortal (Author) Posted September 15, 2020

Thank you! However, in the end it still didn't take off... I need to somehow disable 3des on the client side...
Werld Posted September 17, 2020 (edited)

On 15.09.2020 at 14:36, The_Immortal said:
Thank you! However, in the end it still didn't take off... I need to somehow disable 3des on the client side...

What about looking at the command interface ipsec encryption-level (see the CLI manual)? There are several preset "encryption levels" there. I think it is worth trying something like

interface l2tp0 ipsec encryption-level strong

The "strong" set contains only AES128 and AES256; 3DES is disabled. I am not 100% sure that these levels apply to l2tp/ipsec interfaces created through the web UI, but it is definitely worth a try.

Edited September 17, 2020 by werldmgn
Le ecureuil Posted September 18, 2020

They do apply, it should work.
The_Immortal (Author) Posted September 22, 2020

On 17.09.2020 at 11:50, werldmgn said:
it is worth trying something like interface l2tp0 ipsec encryption-level strong

Thank you! After that the connection went through!