Jump to content

Проблемы с подключением по LT2P/IPsec


Recommended Posts

Друзья, быть может, у кого-то была подобная проблема с подключением к VPN-серверу по протоколу LT2P/IPsec такого плана:

Скрытый текст

[I] Sep 13 21:27:53 ndm: Network::Interface::Base: "L2TP0": interface is up.
[I] Sep 13 21:27:53 ndm: IpSec::Manager: service enabled.
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": interface state is changed, reconnecting.
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": remote endpoint is resolved to "102.*.*.*".
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": connecting via PPPoE0 (PPPoE0).
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": local endpoint is resolved to "92.*.*.*".
[I] Sep 13 21:27:53 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Sep 13 21:27:53 ndm: Network::Interface::PppTunnel: "L2TP0": added host route to 102.*.*.* via PPPoE0 (PPPoE0).
[I] Sep 13 21:27:53 ndm: Network::Interface::L2tp: "L2TP0": using port 41216 as local.
[I] Sep 13 21:27:53 ndm: Network::Interface::L2tp: "L2TP0": updating IP secure configuration.
[I] Sep 13 21:27:53 ndm: IpSec::Manager: "L2TP0": IP secure connection was added.
[I] Sep 13 21:27:53 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Sep 13 21:27:55 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Sep 13 21:27:55 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Sep 13 21:27:55 ndm: IpSec::Manager: add config for crypto map "L2TP0".
[I] Sep 13 21:27:55 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading secrets 
[I] Sep 13 21:27:55 ipsec: 15[CFG] loading secrets 
[I] Sep 13 21:27:55 ipsec: 15[CFG]   loaded IKE secret for %any 
[I] Sep 13 21:27:55 ipsec: 15[CFG]   loaded IKE secret for cmap:L2TP0 
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts' 
[I] Sep 13 21:27:55 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts' 
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts' 
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts' 
[I] Sep 13 21:27:55 ipsec: 15[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls' 
[I] Sep 13 21:27:56 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Sep 13 21:27:56 ipsec: 10[CFG] received stroke: delete connection 'VPNL2TPServer' 
[I] Sep 13 21:27:56 ipsec: 10[CFG] deleted connection 'VPNL2TPServer' 
[I] Sep 13 21:27:56 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration 
[I] Sep 13 21:27:56 ipsec: 09[CFG] received stroke: add connection 'VPNL2TPServer' 
[I] Sep 13 21:27:56 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration 
[I] Sep 13 21:27:56 ipsec: 09[CFG] added configuration 'VPNL2TPServer' 
[I] Sep 13 21:27:56 ipsec: 13[CFG] received stroke: add connection 'L2TP0' 
[I] Sep 13 21:27:56 ipsec: 13[CFG] added configuration 'L2TP0' 
[I] Sep 13 21:27:56 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Sep 13 21:27:56 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Sep 13 21:27:56 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Sep 13 21:27:56 ipsec: 12[CFG] received stroke: initiate 'L2TP0' 
[I] Sep 13 21:27:56 ndm: IpSec::Configurator: "L2TP0": crypto map initialized.
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending DPD vendor ID 
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending FRAGMENTATION vendor ID 
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending NAT-T (RFC 3947) vendor ID 
[I] Sep 13 21:27:56 ipsec: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
[I] Sep 13 21:27:56 ipsec: 11[IKE] initiating Main Mode IKE_SA L2TP0[5] to 102.*.*.* 
[I] Sep 13 21:27:56 ipsec: 08[IKE] received NAT-T (RFC 3947) vendor ID 
[I] Sep 13 21:27:56 ipsec: 08[IKE] received DPD vendor ID 
[I] Sep 13 21:27:56 ipsec: 08[IKE] received FRAGMENTATION vendor ID 
[I] Sep 13 21:27:56 ipsec: 08[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 
[I] Sep 13 21:27:56 ipsec: 08[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
[I] Sep 13 21:27:56 ipsec: 08[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 
[I] Sep 13 21:27:57 ipsec: 15[IKE] found linked key for crypto map 'L2TP0' 
[I] Sep 13 21:27:57 ipsec: 07[IKE] IKE_SA L2TP0[5] established between 92.*.*.*[92.*.*.*]...102.*.*.*[102.*.*.*] 
[I] Sep 13 21:27:57 ipsec: 07[IKE] scheduling reauthentication in 28772s 
[I] Sep 13 21:27:57 ipsec: 07[IKE] maximum IKE_SA lifetime 28792s 
[I] Sep 13 21:27:57 ndm: IpSec::Configurator: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 0.
[I] Sep 13 21:27:57 ipsec: 16[CFG] received proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ 
[I] Sep 13 21:27:57 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ 
[I] Sep 13 21:27:57 ipsec: 16[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ 
[I] Sep 13 21:27:57 ipsec: 16[IKE] CHILD_SA L2TP0{4} established with SPIs cb1a6567_i 05d20153_o and TS 92.*.*.*/32[udp/41216] === 102.*.*.*/32[udp/l2tp] 
[W] Sep 13 21:27:57 ndm: IpSec::Configurator: crypto map "L2TP0" is up.
[I] Sep 13 21:27:57 ndm: IpSec::Configurator: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 1.
[I] Sep 13 21:27:57 ndm: Network::Interface::L2tp: "L2TP0": IPsec layer is up, do start L2TP layer.
[I] Sep 13 21:27:57 ndm: Network::Interface::Ppp: "L2TP0": enabled connection via any interface.
[I] Sep 13 21:27:58 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Sep 13 21:27:58 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Sep 13 21:27:59 l2tp[1423]: Plugin pppol2tp.so loaded.
[I] Sep 13 21:27:59 l2tp[1423]: pppd 2.4.4-4 started by root, uid 0
[I] Sep 13 21:27:59 ndm: Network::Interface::PppTunnel: "L2TP0": added host route to 102.*.*.* via PPPoE0 (PPPoE0).
[I] Sep 13 21:28:00 pppd_L2TP0: l2tp_control v2.02 
[I] Sep 13 21:28:00 pppd_L2TP0: remote host: 102.*.*.*:1701 
[I] Sep 13 21:28:00 pppd_L2TP0: local bind: 92.*.*.*:41216 
[I] Sep 13 21:28:02 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 1 
[I] Sep 13 21:28:04 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 2 
[I] Sep 13 21:28:06 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 3 
[I] Sep 13 21:28:08 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 4 
[I] Sep 13 21:28:10 pppd_L2TP0: l2tp: timeout of sccrp, retry sccrq, try: 5 
[I] Sep 13 21:28:10 pppd_L2TP0: l2tp: sccrq failed, fatal 
[I] Sep 13 21:28:10 pppd_L2TP0: l2tp: shutting down control connection 
[I] Sep 13 21:28:12 pppd_L2TP0: l2tp: shutdown completed 
[C] Sep 13 21:28:19 pppd_L2TP0: control init failed
[E] Sep 13 21:28:19 pppd_L2TP0: Couldn't get channel number: Bad file descriptor
[I] Sep 13 21:28:19 pppd_L2TP0: Exit.
[E] Sep 13 21:28:19 ndm: Service: "L2TP0": unexpectedly stopped.
 

VPN-сервер корпоративный, его детали неизвестны, но с Windows, и с Android подключение происходит без проблем, а вот роутер со стабильной KeeneticOS 3.4.12 не хочет...

Спасибо!

Edited by The_Immortal
Link to comment
Share on other sites

9 часов назад, The_Immortal сказал:

Подскажите, пожалуйста, каким образом сделать так, чтобы клиент при подключении на первой фазе не использовал 3des?

я так думаю run-conf отредактировать

но предварительно сделать бэкап

 

  • Thanks 1
Link to comment
Share on other sites

2 часа назад, PASPARTU сказал:

я так думаю run-conf отредактировать

Дело в том, что там речь только про сервер:

crypto ike proposal VPNL2TPServer
...
crypto ipsec transform-set VPNL2TPServer

 

Edited by The_Immortal
Link to comment
Share on other sites

Делаю так:

(config)> crypto ike proposal VPNL2TPServer
(config-ike-proposal)> no encryption des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> no encryption 3des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> system reboot
Core::System::RebootManager: Rebooting the system.

В итоге в running-config по-прежнему наблюдаю:

crypto ike proposal VPNL2TPServer
    encryption 3des
    encryption des
    encryption aes-cbc-128
    encryption aes-cbc-256
...

Что не так?

Link to comment
Share on other sites

5 часов назад, The_Immortal сказал:

Делаю так:


(config)> crypto ike proposal VPNL2TPServer
(config-ike-proposal)> no encryption des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> no encryption 3des
IpSec::Manager: "VPNL2TPServer": crypto ike proposal "VPNL2TPServer" encryption type successfully removed.
(config-ike-proposal)> system reboot
Core::System::RebootManager: Rebooting the system.

В итоге в running-config по-прежнему наблюдаю:


crypto ike proposal VPNL2TPServer
    encryption 3des
    encryption des
    encryption aes-cbc-128
    encryption aes-cbc-256
...

Что не так?

system configuration save не хватает

  • Thanks 1
Link to comment
Share on other sites

В 15.09.2020 в 14:36, The_Immortal сказал:

Благодарю!

Однако в итоге не взлетело... Надо как-то у клиента вырубать 3des...

А если посмотреть в сторону команды interface ipsec encryption-level (см. в cli manual). Там есть разные предустановленные "уровни шифрования". Думаю, стоит попробовать что-то типа interface l2tp0 ipsec encryption-level strong   В наборе "strong"  только AES128 и AES256, 3DES отключен. Не уверен на 100%, что эти уровни применяются к созданным через веб l2tp/ipsec интерфейсам, но попробовать определенно стоит.
 

Edited by werldmgn
  • Thanks 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...