FreeBSD L2TP/IPsec (mpd5+racoon) не работает


FreeBSD L2TP/IPsec (mpd5+racoon) не работает

Непрочитанное сообщение PJKR » 2014-03-20 21:55:04

Стоит задача: настроить универсальный VPN для разных клиентов (WIN, iOS, Android).
Не могу понять, где ошибка.
За основу брал эту статью: http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD, в процессе менял только setkey.conf.
Помогите, пожалуйста, разобраться.
__________________________
Лог racoon.log:


2014-03-20 17:40:49: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2014-03-20 17:40:49: INFO: @(#)This product linked OpenSSL 0.9.8y 5 Feb 2013 (http://www.openssl.org/)
2014-03-20 17:40:49: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-03-20 17:40:49: INFO: 46.4.253.132[4500] used for NAT-T
2014-03-20 17:40:49: INFO: 46.4.253.132[4500] used as isakmp port (fd=4)
2014-03-20 17:40:49: INFO: 46.4.253.132[500] used for NAT-T
2014-03-20 17:40:49: INFO: 46.4.253.132[500] used as isakmp port (fd=5)
2014-03-20 17:41:03: INFO: respond new phase 1 negotiation: 46.4.253.132[500]<=>176.8.123.126[500]
2014-03-20 17:41:03: INFO: begin Identity Protection mode.
2014-03-20 17:41:03: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2014-03-20 17:41:03: INFO: received Vendor ID: RFC 3947
2014-03-20 17:41:03: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2014-03-20 17:41:03: INFO: received Vendor ID: FRAGMENTATION
2014-03-20 17:41:03: [176.8.123.126] INFO: Selected NAT-T version: RFC 3947
2014-03-20 17:41:03: ERROR: invalid DH group 20.
2014-03-20 17:41:03: ERROR: invalid DH group 19.
2014-03-20 17:41:03: [46.4.253.132] INFO: Hashing 46.4.253.132[500] with algo #2
2014-03-20 17:41:03: INFO: NAT-D payload #0 verified
2014-03-20 17:41:03: [176.8.123.126] INFO: Hashing 176.8.123.126[500] with algo #2
2014-03-20 17:41:03: INFO: NAT-D payload #1 doesn't match
2014-03-20 17:41:03: INFO: NAT detected: PEER
2014-03-20 17:41:03: [176.8.123.126] INFO: Hashing 176.8.123.126[500] with algo #2
2014-03-20 17:41:03: [46.4.253.132] INFO: Hashing 46.4.253.132[500] with algo #2
2014-03-20 17:41:03: INFO: Adding remote and local NAT-D payloads.
2014-03-20 17:41:04: INFO: NAT-T: ports changed to: 176.8.123.126[4500]<->46.4.253.132[4500]
2014-03-20 17:41:04: INFO: KA list add: 46.4.253.132[4500]->176.8.123.126[4500]
2014-03-20 17:41:04: INFO: ISAKMP-SA established 46.4.253.132[4500]-176.8.123.126[4500] spi:b24a9803d034c3d1:50f61e66c9b605a3
2014-03-20 17:41:04: INFO: respond new phase 2 negotiation: 46.4.253.132[4500]<=>176.8.123.126[4500]
2014-03-20 17:41:04: INFO: Adjusting my encmode UDP-Transport->Transport
2014-03-20 17:41:04: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2014-03-20 17:41:04: INFO: IPsec-SA established: ESP/Transport 46.4.253.132[500]->176.8.123.126[500] spi=101963383(0x613d677)
2014-03-20 17:41:04: INFO: IPsec-SA established: ESP/Transport 46.4.253.132[500]->176.8.123.126[500] spi=1770861818(0x698d34fa)
2014-03-20 17:41:39: INFO: purged IPsec-SA proto_id=ESP spi=1770861818.
2014-03-20 17:41:39: INFO: ISAKMP-SA expired 46.4.253.132[4500]-176.8.123.126[4500] spi:b24a9803d034c3d1:50f61e66c9b605a3
2014-03-20 17:41:39: INFO: ISAKMP-SA deleted 46.4.253.132[4500]-176.8.123.126[4500] spi:b24a9803d034c3d1:50f61e66c9b605a3
2014-03-20 17:41:39: INFO: KA remove: 46.4.253.132[4500]->176.8.123.126[4500]
______________________________
В логе MPD5 только «mpd: L2TP: waiting for connection on 46.4.253.132 1701» — и тишина.

______________________________
cat ./racoon.conf


# racoon (ipsec-tools 0.8.0, per the log) as a passive L2TP/IPsec responder:
# main mode, pre-shared key, NAT-T, a single "anonymous" remote for all clients.
# NOTE(review): ipsec-tools/racoon is no longer maintained upstream (the log shows
# 0.8.0 linked against OpenSSL 0.9.8y); once this works, plan a move to a
# maintained IKE daemon such as strongSwan.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# NOTE(review): psk.txt is not shown.  In main mode racoon has to pick the PSK
# before it knows the peer's identity, so with "remote anonymous" roaming
# clients typically all share one secret in that file -- verify psk.txt, keep
# it mode 0600, and rotate the secret when a client device is lost.

listen
{
    # REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
        isakmp           46.4.253.132 [500];
        isakmp_natt      46.4.253.132 [4500];
    # NOTE, you can specify multiple IPs to listen on
#        isakmp           p.q.r.s [500];
#        isakmp_natt      p.q.r.s [4500];
        # Bind only to the addresses listed above, not to every interface.
        strict_address;
}

# One remote block for every client (their addresses are unknown in advance).
remote anonymous
{
        # Main ("Identity Protection") mode is what the Windows client in the log uses.
        exchange_mode    main;
        # Responder only: never initiate phase 1 towards clients.
        passive          on;
        # NOTE(review): "obey" accepts the initiator's lifetime and PFS choices
        # (algorithms are still limited to the proposals below).  Once clients
        # are known to connect, "claim" or "strict" is the tighter setting.
        proposal_check   obey;
        # Accept phase 2 identifiers that differ from the IKE peer addresses
        # (needed for clients behind NAT, which this log shows).
        support_proxy    on;
        # NAT-T is in active use: the log reports "NAT detected: PEER" and the
        # session moving to UDP/4500, so the kernel must support NAT-T as well.
        nat_traversal    on;
        # IKE fragmentation -- the client advertises "FRAGMENTATION" in the log.
        ike_frag         on;
        # Dead-peer detection every 20 s so SAs of vanished clients are purged.
        dpd_delay        20;

        # The log's "invalid DH group 20" / "invalid DH group 19" lines are the
        # client offering ECP groups this racoon does not implement; harmless,
        # negotiation falls through to modp1024 below.  modp1024 (group 2) is
        # the weakest group still commonly accepted -- consider listing a
        # modp2048 proposal first for clients that support it.
        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        # Legacy fallback for clients without AES.
        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

# Phase 2 (IPsec SA) parameters offered to every client.
sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        # IPComp; the usual L2TP clients do not request it, harmless to leave.
        compression_algorithm    deflate;
        # Many L2TP clients propose no PFS at all; "proposal_check obey" above
        # is what lets such a proposal through despite this setting.
        pfs_group                modp1024;
# NOTE(review): the closing "}" of sainfo is missing from this paste.  racoon
# evidently parsed the file (phase 2 completed in the log), so it was probably
# lost in copy/paste -- but check the real file.
__________________________________

cat ./setkey.conf

# Kernel IPsec policy (loaded with setkey -f): require ESP transport-mode
# protection for every UDP datagram to or from the L2TP port (1701) on this
# host.  "require" means cleartext L2TP is dropped in both directions, so a
# client can only reach mpd5 through a racoon-negotiated SA.
# NOTE(review): "flush;" clears every SA, including ones racoon negotiated, so
# re-running this file while clients are connected drops them.
flush;
spdflush;
# Inbound: any source/port -> this host UDP/1701 must arrive inside ESP.  For
# transport mode the address pair is optional; "esp/transport//require" is the
# equivalent setkey(8) spelling.
spdadd 0.0.0.0/0[0] 46.4.253.132/32[1701] udp -P in  ipsec esp/transport/0.0.0.0-46.4.253.132/require;
# Outbound: mirror of the inbound policy.
spdadd 46.4.253.132/32[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport/46.4.253.132-0.0.0.0/require;
___________________________________

Ну, и, собственно, cat ./mpd.conf


startup:
        # configure mpd users
        # NOTE(review): the syntax is "set user <name> <password> [admin]", so
        # this creates an admin user whose password is literally "PASSWD" --
        # it looks like an unreplaced placeholder.  Replace it before the
        # console or web UI is reachable by anyone, or drop the user entirely.
        set user admin PASSWD admin
        # configure the console
        # Loopback only: reachable from this host, not from the network.
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        # NOTE(review): bound to 0.0.0.0, i.e. every interface including the
        # public 46.4.253.132.  It is not actually listening because
        # "set web open" is commented out; if it is ever enabled, bind it to
        # 127.0.0.1 like the console.
        set web self 0.0.0.0 5006
#        set web open

default:
# Label mpd runs when started without an explicit one: just load the L2TP
# server definition below.
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool - these are the IP addresses which will be
# allocated to our remote clients when they join the LAN
# REPLACE w.x.y.from - w.x.y.to with the IP addresses mpd5 will allocate IP address range.
# e.g.  set ippool add pool_l2tp 10.10.10.2 10.10.10.253
        set ippool add pool_l2tp 10.10.10.2 10.10.10.253

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
# NOTE(review): proxy-arp only matters if 10.10.10.0/24 is an existing LAN on
# this box; for a standalone VPN subnet it is a no-op and routing/NAT is what
# gives clients connectivity -- nothing in this listing shows either.
        set iface enable proxy-arp
# Clamp TCP MSS so clients' TCP flows fit the reduced link MTU below.
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
       # This is the internal IP and netmask of the box
       # REPLACE w.x.y.z with the IP address for your VPN server
        set ipcp ranges 10.10.10.1/24 ippool pool_l2tp
       # an accessible DNS server for clients to use
       # REPLACE w.x.y.dns with the IP address for your DNS server
       # e.g. set ipcp dns w.x.y.50
        set ipcp dns 8.8.8.8

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
# Authentication: PAP and EAP refused, CHAP accepted (the MS-CHAP variants the
# usual Windows/iOS/Android clients send fall under mpd's "chap" option --
# verify against the mpd5 docs).  No "set auth" lines are shown, so credentials
# presumably come from mpd's default mpd.secret file; confirm it exists and is
# mode 0600.
        set link no pap chap eap
        set link enable chap
# LCP echo disabled; stale sessions then rely on L2TP hello / racoon DPD --
# confirm that is intended.
        set link keep-alive 0 0
# We reducing link mtu to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
       # REPLACE with the IP address racoon will listen on (if behind NAT, this s the INSIDE IP)
       # Unfortunately, you can not specify multiple IPs here, so just comment the next line if you need that
# NOTE(review): mpd logs only "waiting for connection on 46.4.253.132 1701",
# while racoon reports the IPsec SA up over UDP/4500 (client behind NAT,
# "NAT detected: PEER") and torn down ~35 s later -- consistent with the client
# giving up on an L2TP reply.  So L2TP frames never reach mpd: either the
# kernel is not decapsulating the UDP-encapsulated ESP, or it is filtered.
# The FreeBSD release is not shown; before 11.x the kernel had to be built
# with "options IPSEC" and "options IPSEC_NAT_T" (GENERIC had neither), so
# check the kernel config, and that UDP/500, UDP/4500 and ESP are allowed by
# any firewall in the path.
        set l2tp self 46.4.253.132
#        set l2tp enable length
# Allow to accept calls
        set link enable incoming
__________________________________

Вот как-то так
