
MPD L2TP + IPSEC = a mess?

Posted: 2013-10-24 19:05:34
tisugol
We have FBSD 9.2
We build the kernel with the options we need

Code:

include         GENERIC
ident            WHY21

#PF and QOS
device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
options         ALTQ_NOPCC

#IPSEC
options         IPSEC
options         IPSEC_NAT_T
options         IPSEC_DEBUG
device          crypto
the rest follows the how-tos, for simplicity
/etc/pf.conf

Code:

ext_if="dc0"
int_if="msk0"
vpn_if="{ ng0, ng1 }"
why="192.168.1.0/24"

nat on $ext_if from $why to any -> ($ext_if)
pass quick all
/usr/local/etc/mpd5/mpd.conf

Code:

startup:
        #configure mpd users
        set user login pass admin
        #configure the console
        set console self 127.0.0.1 5005
        set console open
        #configure web server
        #set web disable auth
        set web self 192.168.1.3 5006
        set web open
default:
        load lemurs_vpn

lemurs_vpn:
        set ippool add poolsat 192.168.1.200 192.168.1.220
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 192.168.1.200/24 ippool poolsat
        set ipcp dns 192.168.1.3

        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

        create link template L l2tp
        set link action bundle B
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
#       set l2tp enable length
        set link keep-alive 10 60
        set link mtu 1460
        set l2tp self 0.0.0.0
        set link enable incoming
/usr/local/etc/racoon/racoon.conf

Code:

path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;

#listen
#{
#        isakmp           192.168.0.1 [500];
#        isakmp_natt      192.168.0.1 [4500];
#        strict_address;
#}

remote anonymous
{
        exchange_mode    aggressive,main;
#        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        30;
        generate_policy  on;
        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
setkey.conf

Code:

flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
As a result
racoon.log without debug2

Code:

2013-10-24 19:40:15: INFO: respond new phase 1 negotiation: SERVER.IP[500]<=>ANDROID.IP[57577]
2013-10-24 19:40:15: INFO: begin Identity Protection mode.
2013-10-24 19:40:15: INFO: received Vendor ID: RFC 3947
2013-10-24 19:40:15: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-10-24 19:40:15: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-10-24 19:40:15: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-10-24 19:40:15: INFO: received broken Microsoft ID: FRAGMENTATION
2013-10-24 19:40:15: INFO: received Vendor ID: DPD
2013-10-24 19:40:15: [ANDROID.IP] INFO: Selected NAT-T version: RFC 3947
2013-10-24 19:40:16: [SERVER.IP] INFO: Hashing SERVER.IP[500] with algo #2
2013-10-24 19:40:16: INFO: NAT-D payload #0 verified
2013-10-24 19:40:16: [ANDROID.IP] INFO: Hashing ANDROID.IP[57577] with algo #2
2013-10-24 19:40:16: INFO: NAT-D payload #1 doesn't match
2013-10-24 19:40:16: INFO: NAT detected: PEER
2013-10-24 19:40:16: [ANDROID.IP] INFO: Hashing ANDROID.IP[57577] with algo #2
2013-10-24 19:40:16: [SERVER.IP] INFO: Hashing SERVER.IP[500] with algo #2
2013-10-24 19:40:16: INFO: Adding remote and local NAT-D payloads.
2013-10-24 19:40:17: INFO: NAT-T: ports changed to: ANDROID.IP[57833]<->SERVER.IP[4500]
2013-10-24 19:40:17: INFO: KA list add: SERVER.IP[4500]->ANDROID.IP[57833]
2013-10-24 19:40:17: INFO: ISAKMP-SA established SERVER.IP[4500]-ANDROID.IP[57833] spi:311fa45f4ea77921:536427825b92cc3e
2013-10-24 19:40:18: [ANDROID.IP] INFO: received INITIAL-CONTACT
2013-10-24 19:40:18: INFO: respond new phase 2 negotiation: SERVER.IP[4500]<=>ANDROID.IP[57833]
2013-10-24 19:40:18: INFO: Update the generated policy : 10.218.130.252/32[0] SERVER.IP/32[1701] proto=udp dir=in
2013-10-24 19:40:18: INFO: Adjusting my encmode UDP-Transport->Transport
2013-10-24 19:40:18: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2013-10-24 19:40:19: INFO: IPsec-SA established: ESP/Transport SERVER.IP[500]->ANDROID.IP[500] spi=253884309(0xf21f795)
2013-10-24 19:40:19: INFO: IPsec-SA established: ESP/Transport SERVER.IP[500]->ANDROID.IP[500] spi=8896613(0x87c065)
Last events with debug2

Code:

2013-10-24 19:52:25: DEBUG: hmac(hmac_sha1)
2013-10-24 19:52:25: DEBUG: HASH computed:
2013-10-24 19:52:25: DEBUG:
dea64457 b1881007 797cf9a1 4c9a6f56 2b90e9ee
2013-10-24 19:52:25: DEBUG: begin encryption.
2013-10-24 19:52:25: DEBUG: encryption(aes)
2013-10-24 19:52:25: DEBUG: pad length = 8
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: encryption(aes)
2013-10-24 19:52:25: DEBUG: with key:
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: encrypted payload by IV:
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: save IV for next:
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: encrypted.
2013-10-24 19:52:25: DEBUG: Adding NON-ESP marker
2013-10-24 19:52:25: DEBUG: 96 bytes from SERVER.IP[4500] to ANDROID.IP[9826]
2013-10-24 19:52:25: DEBUG: sockname SERVER.IP[4500]
2013-10-24 19:52:25: DEBUG: send packet from SERVER.IP[4500]
2013-10-24 19:52:25: DEBUG: send packet to ANDROID.IP[9826]
2013-10-24 19:52:25: DEBUG: 1 times of 96 bytes message will be sent to ANDROID.IP[9826]
2013-10-24 19:52:25: DEBUG:
SOME HASH WAS HERE
2013-10-24 19:52:25: DEBUG: sendto Information notify.
2013-10-24 19:52:25: DEBUG: IV freed
2013-10-24 19:52:25: [ANDROID.IP] DEBUG: DPD R-U-There sent (0)
2013-10-24 19:52:25: [ANDROID.IP] DEBUG: rescheduling send_r_u (5).
INFO: DPD: remote (ISAKMP-SA spi=c0438f6223a8f3f3:72d24bf5c980aeb4) seems to be dead.

tcpdump from this client

Code:

listening on dc0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:27:48.598556 IP ANDROID.IP.33340 > SERVER.IP.500: isakmp: phase 1 I ident
19:27:48.620432 IP SERVER.IP.500 > ANDROID.IP.33340: isakmp: phase 1 R ident
19:27:49.518825 IP ANDROID.IP.33340 > SERVER.IP.500: isakmp: phase 1 I ident
19:27:49.531577 IP SERVER.IP.500 > ANDROID.IP.33340: isakmp: phase 1 R ident
19:27:50.482412 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:27:53.064023 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:27:56.145664 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:27:59.181806 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:02.219749 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:05.278630 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:07.118834 IP ANDROID.IP.35605 > SERVER.IP.4500: isakmp-nat-keep-alive
19:28:08.919564 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:11.199049 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:14.139449 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:17.159703 IP ANDROID.IP.35605 > SERVER.IP.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:20.119156 IP ANDROID.IP.59592 > SERVER.IP.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(59832) *RECV_WIN_SIZE(1)
19:28:20.199346 IP ANDROID.IP.59592 > SERVER.IP.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(59832) *RECV_WIN_SIZE(1)
19:28:20.199786 IP ANDROID.IP.59592 > SERVER.IP.1701:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(59832) *RESULT_CODE(6)

The MPD logs are completely empty...

Can anyone at least suggest where to dig?
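
An added example, not code from the thread: it parses the setkey(8) spdadd lines from the post above and a few tcpdump lines modelled on the capture (the post redacts the real hosts as SERVER.IP / ANDROID.IP, so constructed documentation addresses stand in for them), and reports for each cleartext packet whether the kernel SPD would let it reach the application. A `require`-level policy discards a matching packet that arrives without ESP, so an L2TP SCCRQ sent in the clear to UDP/1701 is dropped in the kernel before mpd ever sees it, which is consistent with an mpd log that shows only "waiting for connection". The matcher is a simplified illustration of SPD lookup (prefix, port, protocol, direction, level), not the kernel's code.

```python
"""Check cleartext packets from a tcpdump capture against setkey(8) SPD policies.

Added example for the thread above; not code from the original post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Policies exactly as in the thread's setkey.conf.
SETKEY_CONF = """\
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
"""

# Constructed tcpdump lines modelled on the capture in the thread. The original
# redacted the hosts as SERVER.IP / ANDROID.IP; documentation addresses are
# substituted so the parser has real IPv4 literals to work with.
SERVER_IP = "203.0.113.1"
TCPDUMP = """\
19:27:48.598556 IP 198.51.100.7.33340 > 203.0.113.1.500: isakmp: phase 1 I ident
19:27:50.482412 IP 198.51.100.7.35605 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:28:20.119156 IP 198.51.100.7.59592 > 203.0.113.1.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
"""

# spdadd src[port] dst[port] upperspec -P dir ipsec proto/mode/src-dst/level;
POLICY_RE = re.compile(
    r"spdadd\s+(\S+?)\[(\d+)\]\s+(\S+?)\[(\d+)\]\s+(\w+)\s+-P\s+(in|out)\s+"
    r"ipsec\s+(\w+)/(\w+)/([^/]*)/(\w+)\s*;"
)
# "<ts> IP a.b.c.d.sport > e.f.g.h.dport: <decoded payload>"
PKT_RE = re.compile(
    r"^\S+\s+IP\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(.*)$"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    sport: int          # 0 means any port
    dst: ipaddress.IPv4Network
    dport: int
    proto: str
    direction: str      # "in" or "out"
    level: str          # require, use, default, unique


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str      # "in" if addressed to the local host, else "out"
    protected: bool     # True once the kernel has stripped ESP from it


def parse_policies(text: str) -> list[Policy]:
    policies = []
    for m in POLICY_RE.finditer(text):
        src, sport, dst, dport, proto, direction, _ipproto, _mode, _peers, level = m.groups()
        policies.append(Policy(ipaddress.ip_network(src, strict=False), int(sport),
                               ipaddress.ip_network(dst, strict=False), int(dport),
                               proto, direction, level))
    return policies


def parse_tcpdump(text: str, local_ip: str) -> list[Packet]:
    """Every line tcpdump decoded with ports is cleartext on the wire."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # ESP, ARP and other port-less lines are not evaluated here
        src, sport, dst, dport, payload = m.groups()
        # tcpdump omits the transport name once it decodes the application
        # protocol; TCP segments are recognisable by their "Flags [...]" field.
        proto = "tcp" if payload.startswith("Flags [") else "udp"
        packets.append(Packet(src, int(sport), dst, int(dport), proto,
                              "in" if dst == local_ip else "out", protected=False))
    return packets


def matches(p: Policy, pkt: Packet) -> bool:
    return (p.direction == pkt.direction
            and p.proto in ("any", pkt.proto)
            and p.sport in (0, pkt.sport)
            and p.dport in (0, pkt.dport)
            and ipaddress.ip_address(pkt.src) in p.src
            and ipaddress.ip_address(pkt.dst) in p.dst)


def verdict(policies: list[Policy], pkt: Packet) -> str:
    for p in policies:
        if matches(p, pkt):
            if pkt.protected or p.level == "use":
                return f"PASS: SPD {p.direction} policy matched, IPsec requirement satisfied"
            return (f"DISCARD: SPD {p.direction} policy level '{p.level}' demands ESP "
                    "but the packet is cleartext; the application never sees it")
    return "PASS: no SPD entry applies (IKE on 500/4500 is not itself covered by the SPD)"


def triage(setkey_conf: str, tcpdump_text: str, local_ip: str) -> list[tuple[str, str]]:
    policies = parse_policies(setkey_conf)
    return [(f"{k.src}:{k.sport} > {k.dst}:{k.dport}/{k.proto}", verdict(policies, k))
            for k in parse_tcpdump(tcpdump_text, local_ip)]


if __name__ == "__main__":
    for flow, result in triage(SETKEY_CONF, TCPDUMP, SERVER_IP):
        print(f"{flow:45} {result}")
    # The same SCCRQ as the kernel would see it after ESP decapsulation passes.
    inner = Packet("198.51.100.7", 59592, SERVER_IP, 1701, "udp", "in", protected=True)
    print(f"{'decapsulated L2TP SCCRQ':45} {verdict(parse_policies(SETKEY_CONF), inner)}")
```

Run against a real capture, the useful signal is an L2TP control packet that tcpdump decodes as plain `l2tp:` on the external interface while racoon reports an established IPsec-SA: the peer is sending L2TP outside the tunnel, or the SA it negotiated does not cover the ports it actually uses, and the `require` policy hides that from mpd entirely.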

Re: MPD L2TP + IPSEC = a mess?

Posted: 2013-10-24 19:18:45
Bayerische
The MPD logs are completely empty...
So turn the logs on. Add to the startup section

Code:

log +ALL +EVENTS -FRAME -ECHO
and add to /etc/syslog.conf

Code:

!mpd
*.*                                             /var/log/mpd.log
Create the log file, kick syslogd

Re: MPD L2TP + IPSEC = a mess?

Posted: 2013-10-24 20:39:35
tisugol
By "empty" I meant

Code:

Oct 24 21:32:30 <daemon.info> walle mpd: process 4671 started, version 5.7 (root@walle.nora.lemurs 07:58 15-Oct-2013)
Oct 24 21:32:30 <daemon.info> walle mpd: CONSOLE: listening on 127.0.0.1 5005
Oct 24 21:32:30 <daemon.info> walle mpd: web: listening on 172.16.5.3 5006
Oct 24 21:32:30 <daemon.info> walle mpd: L2TP: waiting for connection on 0.0.0.0 1701
That's all

Re: MPD L2TP + IPSEC = a mess?

Posted: 2013-10-24 21:22:30
Bayerische
I don't believe it. Information pours out in heaps there, even with just +ALL; it doesn't fit in the buffer.

Re: MPD L2TP + IPSEC = a mess?

Posted: 2013-10-24 21:53:18
tisugol

Code:

!mpd
*.*                                             /var/log/mpd5.log

Code:

Oct 24 22:41:47 <daemon.info> walle mpd: process 2371 started, version 5.7 (root@walle.nora.lemurs 07:58 15-Oct-2013)
Oct 24 22:41:47 <daemon.info> walle mpd: CONSOLE: listening on 127.0.0.1 5005
Oct 24 22:41:47 <daemon.info> walle mpd: web: listening on 172.16.5.3 5006
Oct 24 22:41:47 <daemon.info> walle mpd: EVENT: Registering event EVENT_READ MsgEvent() at msg.c:77
Oct 24 22:41:47 <daemon.info> walle mpd: EVENT: Registering event EVENT_READ MsgEvent() done at msg.c:77
Oct 24 22:41:47 <daemon.info> walle mpd: EVENT: Registering event EVENT_READ L2tpServerEvent() at l2tp.c:1644
Oct 24 22:41:47 <daemon.info> walle mpd: EVENT: Registering event EVENT_READ L2tpServerEvent() done at l2tp.c:1644
Oct 24 22:41:47 <daemon.info> walle mpd: L2TP: waiting for connection on 0.0.0.0 1701
Oct 24 22:41:47 <daemon.info> walle mpd: EVENT: Processing event EVENT_TIMEOUT ConfigRead() done

Code:

startup:
        #configure mpd users
        set user login pass admin
        #configure the console
        set console self 127.0.0.1 5005
        set console open
        #configure web server
        #set web disable auth
        set web self 172.16.5.3 5006
        set web open
        log +ALL +EVENTS -FRAME -ECHO

Re: MPD L2TP + IPSEC = a mess?

Posted: 2013-10-28 11:04:57
tisugol
Anyway, after installing the kernel patches from the freebsd.org conference plus several iterations of the racoon config, everything started working.