Hello. I want to set up a VPN for remote employees. I settled on IPsec/Openswan.
I started small, with a connection based on a pre-shared key, but I've already hit a snag.
The test setup is simple: a server on Debian Wheezy plus a Win7 client, connected through a router on the LAN.
xl2tp is stopped, to keep the experiment clean.
Here is the Openswan configuration:
version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/pluto.log

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    left=192.168.200.223
    leftprotoport=17/701
    right=%any
    rightprotoport=17/701
    rightsubnet=192.168.20.0/24
When the client tries to connect, the pluto log fills up with this:
packet from 192.168.20.230:500: received and ignored informational message
packet from 192.168.20.230:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
packet from 192.168.20.230:500: received Vendor ID payload [RFC 3947] method set to=109
packet from 192.168.20.230:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 192.168.20.230:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 192.168.20.230:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from 192.168.20.230:500: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from 192.168.20.230:500: ignoring Vendor ID payload [IKE CGA version 1]
"L2TP-PSK"[3] 192.168.20.230 #3: responding to Main Mode from unknown peer 192.168.20.230
"L2TP-PSK"[3] 192.168.20.230 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
"L2TP-PSK"[3] 192.168.20.230 #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
"L2TP-PSK"[3] 192.168.20.230 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK"[3] 192.168.20.230 #3: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK"[3] 192.168.20.230 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2TP-PSK"[3] 192.168.20.230 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK"[3] 192.168.20.230 #3: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK"[3] 192.168.20.230 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.230'
"L2TP-PSK"[3] 192.168.20.230 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK"[3] 192.168.20.230 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
"L2TP-PSK"[3] 192.168.20.230 #3: the peer proposed: 192.168.200.223/32:17/701 -> 192.168.20.230/32:17/701
"L2TP-PSK"[3] 192.168.20.230 #3: cannot respond to IPsec SA request because no connection is known for 192.168.200.223<192.168.200.223>[+S=C]:17/1701...192.168.20.230[+S=C]:17/1701
"L2TP-PSK"[3] 192.168.20.230 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.20.230:500
"L2TP-PSK"[3] 192.168.20.230 #3: the peer proposed: 192.168.200.223/32:17/701 -> 192.168.20.230/32:17/701
"L2TP-PSK"[3] 192.168.20.230 #3: cannot respond to IPsec SA request because no connection is known for 192.168.200.223<192.168.200.223>[+S=C]:17/1701...192.168.20.230[+S=C]:17/1701
"L2TP-PSK"[3] 192.168.20.230 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.20.230:500
"L2TP-PSK"[3] 192.168.20.230 #3: the peer proposed: 192.168.200.223/32:17/701 -> 192.168.20.230/32:17/701
"L2TP-PSK"[3] 192.168.20.230 #3: cannot respond to IPsec SA request because no connection is known for 192.168.200.223<192.168.200.223>[+S=C]:17/1701...192.168.20.230[+S=C]:17/1701
"L2TP-PSK"[3] 192.168.20.230 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.20.230:500
"L2TP-PSK"[3] 192.168.20.230 #3: the peer proposed: 192.168.200.223/32:17/701 -> 192.168.20.230/32:17/701
"L2TP-PSK"[3] 192.168.20.230 #3: cannot respond to IPsec SA request because no connection is known for 192.168.200.223<192.168.200.223>[+S=C]:17/1701...192.168.20.230[+S=C]:17/1701
"L2TP-PSK"[3] 192.168.20.230 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.20.230:500
"L2TP-PSK"[3] 192.168.20.230 #3: the peer proposed: 192.168.200.223/32:17/701 -> 192.168.20.230/32:17/701
"L2TP-PSK"[3] 192.168.20.230 #3: cannot respond to IPsec SA request because no connection is known for 192.168.200.223<192.168.200.223>[+S=C]:17/1701...192.168.20.230[+S=C]:17/1701
"L2TP-PSK"[3] 192.168.20.230 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.20.230:500
"L2TP-PSK"[3] 192.168.20.230 #3: the peer proposed: 192.168.200.223/32:17/701 -> 192.168.20.230/32:17/701
"L2TP-PSK"[3] 192.168.20.230 #3: cannot respond to IPsec SA request because no connection is known for 192.168.200.223<192.168.200.223>[+S=C]:17/1701...192.168.20.230[+S=C]:17/1701
"L2TP-PSK"[3] 192.168.20.230 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.20.230:500
"L2TP-PSK"[3] 192.168.20.230 #3: the peer proposed: 192.168.200.223/32:17/701 -> 192.168.20.230/32:17/701
"L2TP-PSK"[3] 192.168.20.230 #3: cannot respond to IPsec SA request because no connection is known for 192.168.200.223<192.168.200.223>:17/1701...192.168.20.230[+S=C]:17/1701
"L2TP-PSK"[3] 192.168.20.230 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.20.230:500
"L2TP-PSK"[3] 192.168.20.230 #3: received Delete SA payload: deleting ISAKMP State #3
"L2TP-PSK"[3] 192.168.20.230: deleting connection "L2TP-PSK" instance with peer 192.168.20.230 {isakmp=#0/ipsec=#0}
As I understand it, the daemon can't find a section in the config for the server-client pair, but no matter how I wrote the addresses and ports/protocols, it had no effect :(
Could the problem be those [+S=C] suffixes?
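Added example, not part of the original post: an Openswan connection definition written to match the selector that pluto itself reports in the "no connection is known for ...:17/1701...:17/1701" lines above. Two things in the posted config cannot match that selector: the ports are given as 17/701 while the log shows UDP 1701 (the L2TP port) on both ends, and the connection pins the right side to a /24 subnet while the peer, in transport mode, proposes only its own /32 host address. The `[+S=C]` marks are per-endpoint policy annotations that pluto prints alongside the IDs and are not part of the address/port matching. Only the server address 192.168.200.223 and the client 192.168.20.230 are taken from the post; the `virtual_private` list, the secrets-file line and the placeholder PSK are assumptions.

```ini
# Added example (not the poster's config): Openswan road-warrior L2TP/IPsec with PSK.
# Assumed values are marked; the placeholder PSK must be replaced.
version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    # Assumed: private ranges clients may sit behind (NAT); exclude the
    # server's own LAN so it is never treated as a "virtual" client range.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.200.0/24
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/pluto.log

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    rekey=no
    # Transport mode: IPsec protects only the L2TP/UDP flow, not a subnet.
    type=transport
    left=192.168.200.223
    # L2TP listens on UDP 1701; this is the selector pluto logs as 17/1701.
    leftprotoport=17/1701
    right=%any
    # Windows clients do not always send from port 1701, so accept any UDP port.
    rightprotoport=17/%any
    # No fixed subnet: the peer proposes its own /32. vhost:%priv,%no also
    # admits clients behind NAT that present a private address (needs
    # virtual_private above).
    rightsubnet=vhost:%priv,%no

# /etc/ipsec.secrets (owned by root, mode 0600) needs one matching line.
# The PSK below is a placeholder; use a long random secret.
# 192.168.200.223 %any : PSK "REPLACE_WITH_A_LONG_RANDOM_SECRET"
```

After editing, reload the connection with `ipsec auto --replace L2TP-PSK` (or restart the service) and check `ipsec auto --status`: the loaded entry should show `17/1701` on the left and `17/%any` on the right. A successful negotiation then logs `IPsec SA established` for the connection instead of the repeated `INVALID_ID_INFORMATION` notifications; if Windows clients behind NAT still fail, the `virtual_private` ranges are the first thing to review.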