Building the kernel with the required options
Code:
include GENERIC
ident WHY21
#PF and QOS
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
#IPSEC
options IPSEC
options IPSEC_NAT_T
options IPSEC_DEBUG
device crypto
/etc/pf.conf
Code:
ext_if="dc0"
int_if="msk0"
vpn_if="{ ng0, ng1 }"
why="192.168.1.0/24"
nat on $ext_if from $why to any -> ($ext_if)
pass quick all
Code:
startup:
#configure mpd users
set user login pass admin
#configure the console
set console self 127.0.0.1 5005
set console open
#configure web server
#set web disable auth
set web self 192.168.1.3 5006
set web open
default:
load lemurs_vpn
lemurs_vpn:
set ippool add poolsat 192.168.1.200 192.168.1.220
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
set ipcp ranges 192.168.1.200/24 ippool poolsat
set ipcp dns 192.168.1.3
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
create link template L l2tp
set link action bundle B
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
# set l2tp enable length
set link keep-alive 10 60
set link mtu 1460
set l2tp self 0.0.0.0
set link enable incoming
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;
#listen
#{
#    isakmp 192.168.0.1 [500];
#    isakmp_natt 192.168.0.1 [4500];
#    strict_address;
#}
remote anonymous
{
    exchange_mode aggressive,main;
    # passive on;
    proposal_check obey;
    support_proxy on;
    nat_traversal on;
    ike_frag on;
    dpd_delay 30;
    generate_policy on;
    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo anonymous
{
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}
Code:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
racoon.log without debug2
Code:
2013-10-24 19:40:15: INFO: respond new phase 1 negotiation: SERVER.IP[500]<=>ANDROID.IP[57577]
2013-10-24 19:40:15: INFO: begin Identity Protection mode.
2013-10-24 19:40:15: INFO: received Vendor ID: RFC 3947
2013-10-24 19:40:15: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-10-24 19:40:15: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-10-24 19:40:15: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-10-24 19:40:15: INFO: received broken Microsoft ID: FRAGMENTATION
2013-10-24 19:40:15: INFO: received Vendor ID: DPD
2013-10-24 19:40:15: [ANDROID.IP] INFO: Selected NAT-T version: RFC 3947
2013-10-24 19:40:16: [SERVER.IP] INFO: Hashing SERVER.IP[500] with algo #2
2013-10-24 19:40:16: INFO: NAT-D payload #0 verified
2013-10-24 19:40:16: [ANDROID.IP] INFO: Hashing ANDROID.IP[57577] with algo #2
2013-10-24 19:40:16: INFO: NAT-D payload #1 doesn't match
2013-10-24 19:40:16: INFO: NAT detected: PEER
2013-10-24 19:40:16: [ANDROID.IP] INFO: Hashing ANDROID.IP[57577] with algo #2
2013-10-24 19:40:16: [SERVER.IP] INFO: Hashing SERVER.IP[500] with algo #2
2013-10-24 19:40:16: INFO: Adding remote and local NAT-D payloads.
2013-10-24 19:40:17: INFO: NAT-T: ports changed to: ANDROID.IP[57833]<->SERVER.IP[4500]
2013-10-24 19:40:17: INFO: KA list add: SERVER.IP[4500]->ANDROID.IP[57833]
2013-10-24 19:40:17: INFO: ISAKMP-SA established SERVER.IP[4500]-ANDROID.IP[57833] spi:311fa45f4ea77921:536427825b92cc3e
2013-10-24 19:40:18: [ANDROID.IP] INFO: received INITIAL-CONTACT
2013-10-24 19:40:18: INFO: respond new phase 2 negotiation: SERVER.IP[4500]<=>ANDROID.IP[57833]
2013-10-24 19:40:18: INFO: Update the generated policy : 10.218.130.252/32[0] SERVER.IP/32[1701] proto=udp dir=in
2013-10-24 19:40:18: INFO: Adjusting my encmode UDP-Transport->Transport
2013-10-24 19:40:18: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2013-10-24 19:40:19: INFO: IPsec-SA established: ESP/Transport SERVER.IP[500]->ANDROID.IP[500] spi=253884309(0xf21f795)
2013-10-24 19:40:19: INFO: IPsec-SA established: ESP/Transport SERVER.IP[500]->ANDROID.IP[500] spi=8896613(0x87c065)
Code:
2013-10-24 19:52:25: DEBUG: hmac(hmac_sha1)
2013-10-24 19:52:25: DEBUG: HASH computed:
2013-10-24 19:52:25: DEBUG:
dea64457 b1881007 797cf9a1 4c9a6f56 2b90e9ee
2013-10-24 19:52:25: DEBUG: begin encryption.
2013-10-24 19:52:25: DEBUG: encryption(aes)
2013-10-24 19:52:25: DEBUG: pad length = 8
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: encryption(aes)
2013-10-24 19:52:25: DEBUG: with key:
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: encrypted payload by IV:
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: save IV for next:
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: encrypted.
2013-10-24 19:52:25: DEBUG: Adding NON-ESP marker
2013-10-24 19:52:25: DEBUG: 96 bytes from SERVER.IP[4500] to ANDROID.IP[9826]
2013-10-24 19:52:25: DEBUG: sockname SERVER.IP[4500]
2013-10-24 19:52:25: DEBUG: send packet from SERVER.IP[4500]
2013-10-24 19:52:25: DEBUG: send packet to ANDROID.IP[9826]
2013-10-24 19:52:25: DEBUG: 1 times of 96 bytes message will be sent to ANDROID.IP[9826]
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: sendto Information notify.
2013-10-24 19:52:25: DEBUG: IV freed
2013-10-24 19:52:25: [ANDROID.IP] DEBUG: DPD R-U-There sent (0)
2013-10-24 19:52:25: [ANDROID.IP] DEBUG: rescheduling send_r_u (5).
INFO: DPD: remote (ISAKMP-SA spi=c0438f6223a8f3f3:72d24bf5c980aeb4) seems to be dead.
Code:
listening on dc0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:27:48.598556 IP ANDROID.IP.33340 > SERVER.IP.500: isakmp: phase 1 I ident
19:27:48.620432 IP SERVER.IP.500 > ANDROID.IP.33340: isakmp: phase 1 R ident
19:27:49.518825 IP ANDROID.IP.33340 > SERVER.IP.500: isakmp: phase 1 I ident
19:27:49.531577 IP SERVER.IP.500 > ANDROID.IP.33340: isakmp: phase 1 R ident
19:27:50.482412 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:27:53.064023 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:27:56.145664 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:27:59.181806 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:02.219749 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:05.278630 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:07.118834 IP ANDROID.IP.35605 > SERVER.IP.4500: isakmp-nat-keep-alive
19:28:08.919564 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:11.199049 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:14.139449 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:17.159703 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:20.119156 IP ANDROID.IP.59592 > SERVER.IP.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(59832) *RECV_WIN_SIZE(1)
19:28:20.199346 IP ANDROID.IP.59592 > SERVER.IP.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(59832) *RECV_WIN_SIZE(1)
19:28:20.199786 IP ANDROID.IP.59592 > SERVER.IP.1701: l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(59832) *RESULT_CODE(6)
The MPD logs are completely empty...
Can anyone at least tell me where to start digging?
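Added example, not part of the post above: a small Python script that walks tcpdump lines in the shape of the capture shown and reports two things worth checking first in a NAT-T L2TP/IPsec setup: whether phase 1 on each server port ever got a responder reply, and whether L2TP control messages reached UDP 1701 in the clear rather than inside ESP. The sample lines are constructed from the post's capture, with ANDROID.IP and SERVER.IP kept as placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the tcpdump lines above; ANDROID.IP and
# SERVER.IP are placeholders, not real addresses.
SAMPLE = """\
19:27:48.598556 IP ANDROID.IP.33340 > SERVER.IP.500: isakmp: phase 1 I ident
19:27:48.620432 IP SERVER.IP.500 > ANDROID.IP.33340: isakmp: phase 1 R ident
19:27:50.482412 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:27:53.064023 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:07.118834 IP ANDROID.IP.35605 > SERVER.IP.4500: isakmp-nat-keep-alive
19:28:20.119156 IP ANDROID.IP.59592 > SERVER.IP.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
19:28:20.199786 IP ANDROID.IP.59592 > SERVER.IP.1701: l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *RESULT_CODE(6)
"""

# timestamp, src host, src port, dst host, dst port, rest of the tcpdump line
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

def analyze(capture):
    """Summarise ISAKMP/L2TP traffic from one client.

    Returns a dict with:
      phase1_by_port   {server_port: [initiator_msgs, responder_msgs]}
      unanswered_ports server ports where phase 1 was initiated but never answered
      cleartext_l2tp   L2TP control MSGTYPEs seen on UDP 1701 outside ESP
    """
    phase1 = defaultdict(lambda: [0, 0])
    cleartext = []
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _src, sport, _dst, dport, payload = m.groups()
        if "isakmp: phase 1" in payload:
            if " I ident" in payload:          # client -> server, keyed by server port
                phase1[int(dport)][0] += 1
            elif " R ident" in payload:        # server -> client, keyed by server port
                phase1[int(sport)][1] += 1
        elif payload.startswith("l2tp:") and dport == "1701":
            t = re.search(r"\*MSGTYPE\((\w+)\)", payload)
            cleartext.append(t.group(1) if t else "?")
    unanswered = sorted(p for p, (i, r) in phase1.items() if i and not r)
    return {"phase1_by_port": dict(phase1),
            "unanswered_ports": unanswered,
            "cleartext_l2tp": cleartext}

if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k}: {v}")
```

On the sample it reports port 500 as answered, port 4500 as initiated twice with no reply, and SCCRQ/StopCCN arriving on 1701 unencrypted, which is the same shape as the capture in the post.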