"strongswan + xl2tpd + dnsmasq = xl2tpd : Maximum retries exc"
Forum: Information Security (VPN, IPSec / Linux)
Original message

Message from noisebringer (ok), 07-Aug-19, 00:02
Hello everyone.

I have:
  Linux - 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 GNU/Linux
  xl2tpd version: xl2tpd-1.3.12
  Linux strongSwan U5.7.2/K4.19.0-5-amd64
  Dnsmasq version 2.80


/etc/ipsec.conf

        config setup
           charondebug="enc 0, net 0, ike 0, cfg 0, knl 0, lib 0, job 0, dmn 0"

        conn vpnserver
           authby=secret
           auto=add
           type=transport
           left={ip-2}
           leftprotoport=17/1701
           right=%any
           rightprotoport=17/%any
           rekey=no


/etc/dnsmasq.conf

dhcp-range=10.1.2.3,static
dhcp-option=option:router
dhcp-option=121,10.1.2.1/32,10.1.2.2,{ip-1}/32,10.1.2.2
dhcp-option=249,10.1.2.1/32,10.1.2.2,{ip-1}/32,10.1.2.2
dhcp-option=vendor:MSFT,2,1i


/etc/xl2tpd/xl2tpd.conf

        [global]
            ipsec saref = yes

        [lns default]
            ip range = 10.1.2.3-10.1.2.25
            local ip = 10.1.2.2
            require chap = yes
            refuse pap = yes
            require authentication = yes
            pppoptfile = /etc/ppp/options.xl2tpd


/etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
debug
auth
name vpnserver
proxyarp
mtu 1372


/etc/iptables/rules.v4

        *filter

        -A INPUT -i lo -j ACCEPT
        -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
        -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        -A INPUT -p udp --dport 4500 -j ACCEPT
        -A INPUT -p udp --dport 500 -j ACCEPT

        -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
        -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable

        -A INPUT -i ppp+ -s 10.1.2.0/24 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

        -A INPUT -j DROP


        -A FORWARD -s 8.8.8.8 -j ACCEPT
        -A FORWARD -d 8.8.8.8 -j ACCEPT

        -A FORWARD -j REJECT

        -A OUTPUT -j ACCEPT

        -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
        -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable

        COMMIT

        *nat
        -A POSTROUTING -o ens3 -s 10.1.2.0/24 --jump MASQUERADE
        #-I POSTROUTING 1 -j LOG

        COMMIT


/etc/network/interfaces

auto ens3
iface ens3 inet static
        address {ip-1}
        netmask 255.255.255.255
        gateway 10.0.0.1
        pointopoint 10.0.0.1
        up ip addr add {ip-2}/32 dev ens3
        down ip addr del {ip-2}/32 dev ens3

auto dummy0
iface dummy0 inet static
        address 10.1.2.1
        netmask 255.255.255.0
        pre-up ip link add dummy0 type dummy


/etc/modules

dummy


/etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.ip_forward = 1


ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:57:d7:ec brd ff:ff:ff:ff:ff:ff
    inet {ip-1} peer 10.0.0.1/32 brd {ip-1} scope global ens3
       valid_lft forever preferred_lft forever
    inet {ip-2}/32 scope global ens3
       valid_lft forever preferred_lft forever
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether f6:ed:c9:9f:fc:ef brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.1/24 brd 10.1.2.255 scope global dummy0
       valid_lft forever preferred_lft forever


As a result of all this I get:

Aug  7 03:46:43 - charon: 00[DMN] signal of type SIGINT received. Shutting down
Aug  7 03:46:43 - ipsec[585]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  7 03:46:43 - ipsec[585]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  7 03:46:43 - ipsec[585]: 00[CFG]   loaded IKE secret for {ip-2}
Aug  7 03:46:43 - ipsec[585]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug  7 03:46:43 - ipsec[585]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug  7 03:46:43 - ipsec[585]: 00[JOB] spawning 16 worker threads
Aug  7 03:46:43 - ipsec[585]: 05[CFG] received stroke: add connection 'vpnserver'
Aug  7 03:46:43 - ipsec[585]: 05[CFG] added configuration 'vpnserver'
Aug  7 03:46:43 - ipsec[585]: 00[DMN] signal of type SIGINT received. Shutting down
Aug  7 03:46:43 - ipsec[585]: charon stopped after 200 ms
Aug  7 03:46:43 - ipsec[585]: ipsec starter stopped
Aug  7 03:46:43 - systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Aug  7 03:46:43 - systemd[1]: strongswan.service: Succeeded.
Aug  7 03:46:43 - systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug  7 03:46:43 - systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug  7 03:46:43 - ipsec[684]: Starting strongSwan 5.7.2 IPsec [starter]...
Aug  7 03:46:43 - systemd[1]: Stopping LSB: layer 2 tunelling protocol daemon...
Aug  7 03:46:43 - xl2tpd[613]: death_handler: Fatal signal 15 received
Aug  7 03:46:43 - xl2tpd[694]: Stopping xl2tpd: xl2tpd.
Aug  7 03:46:43 - systemd[1]: xl2tpd.service: Succeeded.
Aug  7 03:46:43 - systemd[1]: Stopped LSB: layer 2 tunelling protocol daemon.
Aug  7 03:46:43 - systemd[1]: Starting LSB: layer 2 tunelling protocol daemon...
Aug  7 03:46:43 - charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug  7 03:46:43 - xl2tpd[711]: Enabling IPsec SAref processing for L2TP transport mode SAs
Aug  7 03:46:43 - xl2tpd[711]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Aug  7 03:46:43 - xl2tpd[711]: setsockopt recvref[30]: Protocol not available
Aug  7 03:46:43 - xl2tpd[711]: Not looking for kernel support.
Aug  7 03:46:43 - xl2tpd[703]: Starting xl2tpd: xl2tpd.
Aug  7 03:46:43 - systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Aug  7 03:46:43 - xl2tpd[712]: xl2tpd version xl2tpd-1.3.12 started on -.info PID:712
Aug  7 03:46:43 - xl2tpd[712]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug  7 03:46:43 - xl2tpd[712]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug  7 03:46:43 - xl2tpd[712]: Inherited by Jeff McAdams, (C) 2002
Aug  7 03:46:43 - xl2tpd[712]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Aug  7 03:46:43 - xl2tpd[712]: Listening on IP address 0.0.0.0, port 1701
Aug  7 03:46:43 - charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  7 03:46:43 - charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  7 03:46:43 - charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  7 03:46:43 - charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  7 03:46:43 - charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  7 03:46:43 - charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  7 03:46:43 - charon: 00[CFG]   loaded IKE secret for {ip-2}
Aug  7 03:46:43 - charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug  7 03:46:43 - charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug  7 03:46:43 - charon: 00[JOB] spawning 16 worker threads
Aug  7 03:46:43 - systemd[1]: Stopping dnsmasq - A lightweight DHCP and caching DNS server...
Aug  7 03:46:43 - ipsec[684]: charon (710) started after 40 ms
Aug  7 03:46:43 - charon: 05[CFG] received stroke: add connection 'vpnserver'
Aug  7 03:46:43 - charon: 05[CFG] added configuration 'vpnserver'
Aug  7 03:46:43 - dnsmasq[649]: exiting on receipt of SIGTERM
Aug  7 03:46:43 - systemd[1]: dnsmasq.service: Succeeded.
Aug  7 03:46:43 - systemd[1]: Stopped dnsmasq - A lightweight DHCP and caching DNS server.
Aug  7 03:46:43 - systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Aug  7 03:46:43 - dnsmasq[740]: dnsmasq: syntax check OK.
Aug  7 03:46:43 - dnsmasq[748]: started, version 2.80 cachesize 150
Aug  7 03:46:43 - dnsmasq[748]: DNS service limited to local subnets
Aug  7 03:46:43 - dnsmasq[748]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Aug  7 03:46:43 - dnsmasq-dhcp[748]: DHCP, static leases only on 10.1.2.3, lease time 1h
Aug  7 03:46:43 - dnsmasq[748]: reading /etc/resolv.conf
Aug  7 03:46:43 - dnsmasq[748]: using nameserver 8.8.8.8#53
Aug  7 03:46:43 - dnsmasq[748]: using nameserver 8.8.4.4#53
Aug  7 03:46:43 - dnsmasq[748]: read /etc/hosts - 5 addresses
Aug  7 03:46:43 - systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Aug  7 03:46:55 - charon: 07[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (408 bytes)
Aug  7 03:46:55 - charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Aug  7 03:46:55 - charon: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Aug  7 03:46:55 - charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Aug  7 03:46:55 - charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  7 03:46:55 - charon: 07[IKE] received FRAGMENTATION vendor ID
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Aug  7 03:46:55 - charon: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Aug  7 03:46:55 - charon: 07[IKE] {ip-client} is initiating a Main Mode IKE_SA
Aug  7 03:46:55 - charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
Aug  7 03:46:55 - charon: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug  7 03:46:55 - charon: 07[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (160 bytes)
Aug  7 03:46:55 - charon: 08[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (228 bytes)
Aug  7 03:46:55 - charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug  7 03:46:55 - charon: 08[IKE] remote host is behind NAT
Aug  7 03:46:55 - charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug  7 03:46:55 - charon: 08[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (212 bytes)
Aug  7 03:46:55 - charon: 09[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:46:55 - charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug  7 03:46:55 - charon: 09[CFG] looking for pre-shared key peer configs matching {ip-2}...{ip-client}[192.168.98.25]
Aug  7 03:46:55 - charon: 09[CFG] selected peer config "vpnserver"
Aug  7 03:46:55 - charon: 09[IKE] IKE_SA vpnserver[1] established between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug  7 03:46:55 - charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug  7 03:46:55 - charon: 09[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (76 bytes)
Aug  7 03:46:55 - charon: 11[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (444 bytes)
Aug  7 03:46:55 - charon: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:46:55 - charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug  7 03:46:55 - charon: 11[IKE] received 3600s lifetime, configured 0s
Aug  7 03:46:55 - charon: 11[IKE] received 250000000 lifebytes, configured 0
Aug  7 03:46:55 - charon: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:46:55 - charon: 11[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (204 bytes)
Aug  7 03:46:55 - charon: 12[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (60 bytes)
Aug  7 03:46:55 - charon: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Aug  7 03:46:55 - charon: 12[IKE] CHILD_SA vpnserver{1} established with SPIs c14bb892_i 06c946b0_o and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:46:56 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:46:58 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:02 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:10 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:20 - xl2tpd[712]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug  7 03:47:26 - xl2tpd[712]: Maximum retries exceeded for tunnel 35573.  Closing.
Aug  7 03:47:26 - xl2tpd[712]: Connection 13 closed to {ip-client}, port 1701 (Timeout)
Aug  7 03:47:30 - charon: 15[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:47:30 - charon: 15[ENC] parsed INFORMATIONAL_V1 request 3378750910 [ HASH D ]
Aug  7 03:47:30 - charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 06c946b0
Aug  7 03:47:30 - charon: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c14bb892_i (648 bytes) 06c946b0_o (0 bytes) and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:47:30 - charon: 16[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (92 bytes)
Aug  7 03:47:30 - ipsec[684]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64)
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  7 03:47:30 - ipsec[684]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  7 03:47:30 - ipsec[684]: 00[CFG]   loaded IKE secret for {ip-2}
Aug  7 03:47:30 - ipsec[684]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Aug  7 03:47:30 - ipsec[684]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug  7 03:47:30 - ipsec[684]: 00[JOB] spawning 16 worker threads
Aug  7 03:47:30 - ipsec[684]: 05[CFG] received stroke: add connection 'vpnserver'
Aug  7 03:47:30 - ipsec[684]: 05[CFG] added configuration 'vpnserver'
Aug  7 03:47:30 - ipsec[684]: 07[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (408 bytes)
Aug  7 03:47:30 - ipsec[684]: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[IKE] received FRAGMENTATION vendor ID
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Aug  7 03:47:30 - ipsec[684]: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Aug  7 03:47:30 - ipsec[684]: 07[IKE] {ip-client} is initiating a Main Mode IKE_SA
Aug  7 03:47:30 - ipsec[684]: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
Aug  7 03:47:30 - ipsec[684]: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug  7 03:47:30 - ipsec[684]: 07[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (160 bytes)
Aug  7 03:47:30 - ipsec[684]: 08[NET] received packet: from {ip-client}[15822] to {ip-2}[500] (228 bytes)
Aug  7 03:47:30 - ipsec[684]: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug  7 03:47:30 - charon: 16[ENC] parsed INFORMATIONAL_V1 request 1455205357 [ HASH D ]
Aug  7 03:47:30 - ipsec[684]: 08[IKE] remote host is behind NAT
Aug  7 03:47:30 - ipsec[684]: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug  7 03:47:30 - ipsec[684]: 08[NET] sending packet: from {ip-2}[500] to {ip-client}[15822] (212 bytes)
Aug  7 03:47:30 - ipsec[684]: 09[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:47:30 - ipsec[684]: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug  7 03:47:30 - ipsec[684]: 09[CFG] looking for pre-shared key peer configs matching {ip-2}...{ip-client}[192.168.98.25]
Aug  7 03:47:30 - ipsec[684]: 09[CFG] selected peer config "vpnserver"
Aug  7 03:47:30 - ipsec[684]: 09[IKE] IKE_SA vpnserver[1] established between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug  7 03:47:30 - ipsec[684]: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug  7 03:47:30 - ipsec[684]: 09[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (76 bytes)
Aug  7 03:47:30 - ipsec[684]: 11[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (444 bytes)
Aug  7 03:47:30 - ipsec[684]: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:47:30 - ipsec[684]: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug  7 03:47:30 - ipsec[684]: 11[IKE] received 3600s lifetime, configured 0s
Aug  7 03:47:30 - ipsec[684]: 11[IKE] received 250000000 lifebytes, configured 0
Aug  7 03:47:30 - ipsec[684]: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug  7 03:47:30 - ipsec[684]: 11[NET] sending packet: from {ip-2}[4500] to {ip-client}[15823] (204 bytes)
Aug  7 03:47:30 - ipsec[684]: 12[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (60 bytes)
Aug  7 03:47:30 - ipsec[684]: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Aug  7 03:47:30 - ipsec[684]: 12[IKE] CHILD_SA vpnserver{1} established with SPIs c14bb892_i 06c946b0_o and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:47:30 - ipsec[684]: 15[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (76 bytes)
Aug  7 03:47:30 - ipsec[684]: 15[ENC] parsed INFORMATIONAL_V1 request 3378750910 [ HASH D ]
Aug  7 03:47:30 - ipsec[684]: 15[IKE] received DELETE for ESP CHILD_SA with SPI 06c946b0
Aug  7 03:47:30 - ipsec[684]: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c14bb892_i (648 bytes) 06c946b0_o (0 bytes) and TS {ip-2}/32[udp/l2f] === {ip-client}/32[udp/l2f]
Aug  7 03:47:30 - ipsec[684]: 16[NET] received packet: from {ip-client}[15823] to {ip-2}[4500] (92 bytes)
Aug  7 03:47:30 - ipsec[684]: 16[ENC] parsed INFORMATIONAL_V1 request 1455205357 [ HASH D ]
Aug  7 03:47:30 - ipsec[684]: 16[IKE] received DELETE for IKE_SA vpnserver[1]
Aug  7 03:47:30 - charon: 16[IKE] received DELETE for IKE_SA vpnserver[1]
Aug  7 03:47:30 - charon: 16[IKE] deleting IKE_SA vpnserver[1] between {ip-2}[{ip-2}]...{ip-client}[192.168.98.25]
Aug  7 03:47:57 - xl2tpd[712]: Unable to deliver closing message for tunnel 35573. Destroying anyway.
Aug  7 03:48:20 - systemd[1]: Started Session 3 of user root.

I tried connecting through two different providers - the result is identical => it is unlikely that the provider is blocking anything.

With this config everything worked on Debian 9. The result became like this after applying the configs listed above on Debian 10. Or maybe something is mixed up... :)

Help please :)


1. "strongswan + xl2tpd + dnsmasq = xl2tpd : Maximum retries exc"
Message from noisebringer (ok), 11-Aug-19, 16:35
Thanks for the help :)

The problem was that in /etc/xl2tpd/xl2tpd.conf the global section was missing the listen-addr option.

I added it.

After that everything worked.

Thanks everyone!

The topic can be closed.

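An added example, not code from the thread, of the check behind the fix reported above. The server owns two addresses, the charon log shows the transport SA only covers {ip-2}, and xl2tpd without listen-addr binds 0.0.0.0; my reading (an assumption consistent with the author's fix) is that its L2TP control replies can then be sourced from the primary address, fall outside the SA selector, and never reach the client, which keeps retransmitting until "Maximum retries exceeded". The script parses a constructed xl2tpd.conf and a constructed charon CHILD_SA line and flags a missing or mismatched listen-addr; the addresses are constructed placeholders.

```python
import re

# Constructed sample addresses standing in for the thread's {ip-1}/{ip-2}
# (TEST-NET ranges, not real hosts).
IP_PRIMARY = "192.0.2.10"  # {ip-1}: primary address on ens3, chosen by routing
IP_IPSEC = "192.0.2.11"    # {ip-2}: address the IPsec transport policy covers

# xl2tpd.conf as posted (auth/pppoptfile lines omitted): no listen-addr.
XL2TPD_CONF_BROKEN = """\
[global]
    ipsec saref = yes

[lns default]
    ip range = 10.1.2.3-10.1.2.25
    local ip = 10.1.2.2
"""

# Same file with the option the thread's author reports adding.
XL2TPD_CONF_FIXED = XL2TPD_CONF_BROKEN.replace(
    "ipsec saref = yes", f"ipsec saref = yes\n    listen-addr = {IP_IPSEC}")

# Constructed charon line in the shape of the post's CHILD_SA line; the
# local traffic selector is the only local address the SA will protect.
CHARON_LOG = (f"charon: 12[IKE] CHILD_SA vpnserver{{1}} established with SPIs "
              f"c14bb892_i 06c946b0_o and TS {IP_IPSEC}/32[udp/l2f] === "
              "198.51.100.7/32[udp/l2f]")

# strongSwan prints the port name from /etc/services (l2f for 1701 here).
TS_RE = re.compile(r"CHILD_SA \S+ established .*?TS (\d+(?:\.\d+){3})/32"
                   r"\[udp/(?:l2f|l2tp|1701)\]")


def parse_xl2tpd_conf(text):
    """Minimal reader for xl2tpd's INI-style file: {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf


def ipsec_local_ts(log_line):
    """Local address of the transport-mode L2TP selector, or None."""
    m = TS_RE.search(log_line)
    return m.group(1) if m else None


def check_listen_addr(conf_text, log_line):
    """Return (ok, reason). ok is False when xl2tpd is not pinned to the
    address the SA covers, so its SCCRP replies can leave unprotected and
    the client keeps resending SCCRQ ('Peer requested tunnel ... twice')."""
    protected = ipsec_local_ts(log_line)
    if protected is None:
        return False, "no transport-mode CHILD_SA with a UDP/1701 selector in log"
    listen = parse_xl2tpd_conf(conf_text).get("global", {}).get("listen-addr")
    if listen is None:
        return False, ("xl2tpd listens on 0.0.0.0; replies may be sourced from "
                       f"an address outside the selector {protected}/32")
    if listen != protected:
        return False, f"listen-addr {listen} does not match protected {protected}"
    return True, f"xl2tpd bound to {listen}, matching the IPsec selector"


if __name__ == "__main__":
    for name, conf in (("broken", XL2TPD_CONF_BROKEN), ("fixed", XL2TPD_CONF_FIXED)):
        print(name, *check_listen_addr(conf, CHARON_LOG))
```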

3. "strongswan + xl2tpd + dnsmasq = xl2tpd : Maximum retries exc"
Message from datswdemail (?), 09-May-20, 20:28
Hello

Does anyone know what exactly proxyarp in /etc/ppp/options.xl2tpd does?

Regards,
Daniil.



4. "strongswan + xl2tpd + dnsmasq = xl2tpd : Maximum retries exc"
Message from Licha Morada (ok), 10-May-20, 05:03
> Does anyone know what exactly proxyarp in /etc/ppp/options.xl2tpd does?

The documentation knows. See:
https://www.tldp.org/HOWTO/PPP-HOWTO/x1552.html
The 'proxyarp' option sets up (surprise) a proxy ARP entry in the PPP server's ARP table that basically says 'send all packets destined for the PPP client to me'.
