Hi. I'm also struggling with ipsec+l2tp.
There's an office network. Internet comes in through a Netgear WNR3500L router, 192.168.1.1, with DMZ forwarding enabled to 192.168.1.109, which is a FreeBSD host with mpd + ipsec-tools + racoon.
pptp works: client (dynamic IP) > ISP > internet > ISP > (static IP) router wnr3500l (192.168.1.1) > freebsdVPN (192.168.1.109)
l2tp does not work with this setup. If the client is inside the 192.168.1.0 network the connection works; if the client is behind the router, it doesn't.
I'm connecting from an iPhone. Over wifi inside the office network the l2tp connection works and the phone connects to 192.168.1.109. Over 3G to the office's external static IP it only connects via pptp.
DMZ mode is enabled on the router, i.e. all packets are forwarded to 192.168.1.109 (freebsdvpn).
So in fact the vpn server is not directly exposed to the internet, only through the router's NAT.
The router itself is practically unconfigurable; you can only enable port forwarding or, as I have now, forward all ports to the internal vpn server host.
The logs show that the ports are open from outside and there is a connection. Why the connection doesn't succeed, I have no idea.
NAT-T IPSEC support is compiled in.
Code:
freebsdvpn# uname -a
FreeBSD freebsdvpn 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Mon Jun 25 11:13:37 MSK 2012 kamaz@freebsdvpn:/usr/obj/usr/src/sys/MYKERNEL i386
racoon.log
Code:
2012-06-27 12:56:23: INFO: respond new phase 1 negotiation: 192.168.1.109[500]<=>217.118.66.85[22200]
2012-06-27 12:56:23: INFO: begin Identity Protection mode.
2012-06-27 12:56:23: INFO: received Vendor ID: RFC 3947
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-27 12:56:23: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-27 12:56:23: INFO: received Vendor ID: DPD
2012-06-27 12:56:23: [217.118.66.85] INFO: Selected NAT-T version: RFC 3947
2012-06-27 12:56:23: [192.168.1.109] INFO: Hashing 192.168.1.109[500] with algo #2
2012-06-27 12:56:23: INFO: NAT-D payload #0 doesn't match
2012-06-27 12:56:23: [217.118.66.85] INFO: Hashing 217.118.66.85[22200] with algo #2
2012-06-27 12:56:23: INFO: NAT-D payload #1 doesn't match
2012-06-27 12:56:23: INFO: NAT detected: ME PEER
2012-06-27 12:56:23: [217.118.66.85] INFO: Hashing 217.118.66.85[22200] with algo #2
2012-06-27 12:56:23: [192.168.1.109] INFO: Hashing 192.168.1.109[500] with algo #2
2012-06-27 12:56:23: INFO: Adding remote and local NAT-D payloads.
2012-06-27 12:56:23: INFO: NAT-T: ports changed to: 217.118.66.85[12439]<->192.168.1.109[4500]
2012-06-27 12:56:23: INFO: KA list add: 192.168.1.109[4500]->217.118.66.85[12439]
2012-06-27 12:56:23: [217.118.66.85] INFO: received INITIAL-CONTACT
2012-06-27 12:56:23: INFO: ISAKMP-SA established 192.168.1.109[4500]-217.118.66.85[12439] spi:db519f485041bdc2:b89568b879752140
2012-06-27 12:56:24: INFO: respond new phase 2 negotiation: 192.168.1.109[4500]<=>217.118.66.85[12439]
2012-06-27 12:56:24: INFO: no policy found, try to generate the policy : 10.194.247.240/32[60288] 81.95.28.158/32[1701] proto=udp dir=in
2012-06-27 12:56:24: INFO: Adjusting my encmode UDP-Transport->Transport
2012-06-27 12:56:24: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2012-06-27 12:56:24: INFO: IPsec-SA established: ESP/Transport 192.168.1.109[500]->217.118.66.85[500] spi=136667385(0x82560f9)
2012-06-27 12:56:24: INFO: IPsec-SA established: ESP/Transport 192.168.1.109[500]->217.118.66.85[500] spi=255411533(0xf39454d)
mpd.log
Code:
Jun 27 12:56:24 freebsdvpn mpd: Incoming L2TP packet from 217.118.66.85 60288
Jun 27 12:57:24 freebsdvpn mpd: L2TP: Control connection 0x28807c08 terminated: 6 (expecting reply; none received)
Jun 27 12:57:35 freebsdvpn mpd: L2TP: Control connection 0x28807c08 destroyed
Code:
freebsdvpn# /usr/local/sbin/setkey -DP
10.194.110.56[49177] 81.95.28.158[1701] udp
in ipsec
esp/transport//require
created: Jun 27 13:01:58 2012 lastused: Jun 27 13:01:58 2012
lifetime: 3600(s) validtime: 0(s)
spid=53 seq=1 pid=6836
refcnt=1
81.95.28.158[1701] 10.194.110.56[49177] udp
out ipsec
esp/transport//require
created: Jun 27 13:01:58 2012 lastused: Jun 27 13:01:58 2012
lifetime: 3600(s) validtime: 0(s)
spid=54 seq=0 pid=6836
refcnt=1
freebsdvpn# /usr/local/sbin/setkey -Da
192.168.1.109[4500] 217.118.66.58[12027]
esp-udp mode=transport spi=135696123(0x08168efb) reqid=0(0x00000000)
E: aes-cbc 570d14f0 7f422c90 61617e13 b74c120a 58d73014 9fc5f7e6 660a1748 2372f0c1
A: hmac-sha1 d6335fdf f1952321 dce9b7e2 09cad488 c68abd06
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 27 13:01:58 2012 current: Jun 27 13:02:17 2012
diff: 19(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=6837 refcnt=1
217.118.66.58[12027] 192.168.1.109[4500]
esp-udp mode=transport spi=173712183(0x0a5aa337) reqid=0(0x00000000)
E: aes-cbc a9c4c632 f441bc39 a98dfe72 0fb40c7f e88eeaab f2e15f99 49c4358b 4f198c02
A: hmac-sha1 ef818eab 2ff90a7d 46018b2c 415fd60f c141f4e2
seq=0x00000006 replay=4 flags=0x00000000 state=mature
created: Jun 27 13:01:58 2012 current: Jun 27 13:02:17 2012
diff: 19(s) hard: 3600(s) soft: 2880(s)
last: Jun 27 13:02:13 2012 hard: 0(s) soft: 0(s)
current: 528(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 6 hard: 0 soft: 0
sadb_seq=0 pid=6837 refcnt=1
Code:
freebsdvpn# cat /usr/local/etc/racoon/racoon.conf
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "@sysconfdir_x@/racoon";
#include "remote.conf";
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "@sysconfdir_x@/cert";
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log info;
# "padding" defines some padding parameters. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
isakmp 192.168.1.109 [500];
isakmp_natt 192.168.1.109 [4500];
#admin [7002]; # administrative port for racoonctl.
strict_address; # requires that all addresses must be bound.
}
# Specify various default timers.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode main;
lifetime time 24 hour;
passive on;
generate_policy on;
support_proxy on;
nat_traversal on;
ike_frag on;
dpd_delay 20;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo anonymous
{
pfs_group modp1024;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
lifetime time 1 hour;
compression_algorithm deflate;
}
Code:
freebsdvpn# cat /usr/local/etc/mpd5/mpd.conf
#################################################################
#
# MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. Lines without padding are labels. Lines
# starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.46 2009/04/29 11:04:17 amotin Exp $
#
#################################################################
startup:
# configure mpd users
set user rooter
set user bar1
# configure the console
set console self 0.0.0.0 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open
#
# Default configuration is "dialup"
default:
load pptp_server
load l2tp_server
pptp_server:
#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP. We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote. From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.
# If you don't have an NBNS server, leave that line out.
#
# Define dynamic IP address pool.
set ippool add pool1 192.168.1.50 192.168.1.74
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
set ipcp ranges 192.168.1.5/32 ippool pool1
set ipcp dns 192.168.1.10
set ipcp nbns 192.168.1.121
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap eap
set link enable chap-msv2
# We can use use RADIUS authentication/accounting by including
# another config section with label 'radius'.
# load radius
set link keep-alive 10 60
# We reducing link mtu to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
set pptp self 192.168.1.109
# Allow to accept calls
set link enable incoming
l2tp_server:
set ippool add pool2 192.168.1.75 192.168.1.99
create bundle template C
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
set ipcp ranges 192.168.1.5/24 ippool pool2
set ipcp dns 192.168.1.10
set ipcp nbns 192.168.1.121
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
create link template M l2tp
set link action bundle B
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap eap
set link enable chap-msv2
set link keep-alive 10 60
set link mtu 1460
set l2tp self 192.168.1.109
set link enable incoming
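An added diagnostic check (example code, not part of the post above): it parses `setkey -DP` output like the one shown and flags transport-mode policies whose local endpoint is not an address the host itself owns. In the post the generated policies carry 81.95.28.158 (the router's public IP) as the server-side endpoint, while mpd sends its L2TP replies from 192.168.1.109, so those replies cannot match the outbound policy. The sample input is copied from the post; the set of local addresses is an assumption (only 192.168.1.109).

```python
import re

# Assumption: the only address this host owns is the one racoon listens on.
LOCAL_ADDRS = {"192.168.1.109"}

# Constructed sample: the `setkey -DP` output from the post, without timestamps.
SETKEY_DP = """\
10.194.110.56[49177] 81.95.28.158[1701] udp
in ipsec
esp/transport//require
spid=53 seq=1 pid=6836
81.95.28.158[1701] 10.194.110.56[49177] udp
out ipsec
esp/transport//require
spid=54 seq=0 pid=6836
"""

# "src[port] dst[port] proto"; ports/proto may also be "any" in setkey output.
ENDPOINT_RE = re.compile(r"^(\S+)\[(\d+|any)\]\s+(\S+)\[(\d+|any)\]\s+(\S+)$")


def parse_spd(text):
    """Parse `setkey -DP` output into a list of policy dicts."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENDPOINT_RE.match(line)
        if m:
            cur = {"src": m.group(1), "sport": m.group(2), "dst": m.group(3),
                   "dport": m.group(4), "proto": m.group(5), "dir": None,
                   "mode": None, "spid": None}
            policies.append(cur)
            continue
        if cur is None or not line:
            continue
        first = line.split()[0]
        if first in ("in", "out"):
            cur["dir"] = first            # policy direction
        elif first.startswith("esp/") or first.startswith("ah/"):
            cur["mode"] = first           # e.g. esp/transport//require
        elif first.startswith("spid="):
            cur["spid"] = int(first.split("=", 1)[1])
    return policies


def find_nat_mismatches(policies, local_addrs=LOCAL_ADDRS):
    """Return (spid, dir, local_endpoint) for every policy whose local side
    (dst for 'in', src for 'out') is not an address this host owns. Traffic
    mpd sends from the host's real address can never match such a policy."""
    bad = []
    for p in policies:
        local = p["dst"] if p["dir"] == "in" else p["src"]
        if local not in local_addrs:
            bad.append((p["spid"], p["dir"], local))
    return bad
```

Run it against live output with `setkey -DP | python3 check.py` after replacing `SETKEY_DP` with `sys.stdin.read()`; an empty result means the SPD endpoints are the host's own addresses.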