Задать вопрос
@WSGlebKavash
ubuntu

Как исправить плохой управляющий пакет L2TP?

Software:
Ubuntu 22.04
Strongswan
xl2tpd
Соединение L2TP/IPsec не устанавливается, но при этом IPsec XAuth RSA и IKEv2 работают. xl2tpd выдаёт в логи: bad control packet! В чём дело, и как исправить ошибку? Как настроить L2TP/IPsec с сертификатом (L2TP/IPsec RSA)?
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no
	nat_traversal=yes 
 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 

# Add connections here.

conn %default
	dpdaction=clear
	dpddelay=35s
	dpdtimeout=300s

	fragmentation=yes
	rekey=no

	ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!

	esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

	# left - local (server) side
	left=%any
	leftauth=pubkey
	leftcert=server.crt
	leftsendcert=always
	leftsubnet=0.0.0.0/0,::/0

	# right - remote (client) side
	right=%any
	rightauth=pubkey
	rightsourceip=192.168.103.0/24,fd46:61f7:22d5:6::/64
	rightdns=8.8.8.8,2001:4860:4860::8888

conn ikev2-pubkey
	keyexchange=ikev2
	auto=add

conn ikev2-pubkey-osx
	also="ikev2-pubkey"
	leftid=trainzcity.myftp.org

conn ikev1-fakexauth
	keyexchange=ikev1
	rightauth2=xauth
	auto=add

conn ikev2-eap-tls
	also="ikev2-pubkey"
	rightauth=eap-tls
	eap_identity=%identity

conn l2tpvpn
        type=transport
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=2
        left=%any
        leftprotoport=udp/l2tp
        leftid=@l2tpvpnserver
        right=%any
        rightprotoport=udp/%any
        rightrsasigkey=%cert
        auto=add

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
xl2tpd.conf
[global]
port = 1701
access control = no
ipsec saref = yes
force userspace = yes
auth file = /etc/ppp/chap-secrets

[lns default]
ip range = 192.168.102.10-192.168.102.200
local ip = 192.168.102.1
lac = 1.1.1.1-254.254.254.254
ppp debug = yes
name = l2tpserver
pppoptfile = /etc/ppp/options.xl2tpd
flow bit = yes
exclusive = no
hidden bit = no
length bit = yes
require authentication = yes
require chap = yes
refuse pap = yes
Логи xl2tpd
Feb 17 22:18:06 nix-adserver xl2tpd[1102]: Starting xl2tpd: xl2tpd.
Feb 17 22:18:06 nix-adserver xl2tpd[1145]: xl2tpd version xl2tpd-1.3.16 started on nix-adserver.trainzcity.myftp.org PID:1145
Feb 17 22:18:06 nix-adserver xl2tpd[1145]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Feb 17 22:18:06 nix-adserver xl2tpd[1145]: Forked by Scott Balmos and David Stipp, (C) 2001
Feb 17 22:18:06 nix-adserver xl2tpd[1145]: Inherited by Jeff McAdams, (C) 2002
Feb 17 22:18:06 nix-adserver xl2tpd[1145]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Feb 17 22:18:06 nix-adserver xl2tpd[1145]: Listening on IP address 0.0.0.0, port 1701
Feb 17 22:20:31 nix-adserver xl2tpd[1145]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 17 22:20:31 nix-adserver xl2tpd[1145]: handle_control: bad control packet!
Feb 17 22:21:02 nix-adserver xl2tpd[1145]: Maximum retries exceeded for tunnel 24509.  Closing.
Feb 17 22:21:02 nix-adserver xl2tpd[1145]: Connection 1233 closed to CLIENT_IP, port 59446 (Timeout)
Feb 17 22:21:33 nix-adserver xl2tpd[1145]: Unable to deliver closing message for tunnel 24509. Destroying anyway.
Feb 17 22:23:42 nix-adserver xl2tpd[1145]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 17 22:23:42 nix-adserver xl2tpd[1145]: handle_control: bad control packet!
Feb 17 22:24:13 nix-adserver xl2tpd[1145]: Maximum retries exceeded for tunnel 39804.  Closing.
Feb 17 22:24:13 nix-adserver xl2tpd[1145]: Connection 31760 closed to CLIENT_IP, port 49121 (Timeout)
Feb 17 22:24:44 nix-adserver xl2tpd[1145]: Unable to deliver closing message for tunnel 39804. Destroying anyway.
Feb 17 22:48:48 nix-adserver xl2tpd[1145]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 17 22:48:48 nix-adserver xl2tpd[1145]: handle_control: bad control packet!
Feb 17 22:49:19 nix-adserver xl2tpd[1145]: Maximum retries exceeded for tunnel 21965.  Closing.
Feb 17 22:49:19 nix-adserver xl2tpd[1145]: Connection 21880 closed to CLIENT_IP, port 42723 (Timeout)
Feb 17 22:49:50 nix-adserver xl2tpd[1145]: Unable to deliver closing message for tunnel 21965. Destroying anyway.
Feb 17 22:50:03 nix-adserver xl2tpd[1145]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 17 22:50:03 nix-adserver xl2tpd[1145]: handle_control: bad control packet!
Feb 17 22:50:34 nix-adserver xl2tpd[1145]: Maximum retries exceeded for tunnel 30861.  Closing.
Feb 17 22:50:34 nix-adserver xl2tpd[1145]: Connection 54031 closed to CLIENT_IP, port 57700 (Timeout)
Feb 17 22:50:58 nix-adserver xl2tpd[1145]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 17 22:50:58 nix-adserver xl2tpd[1145]: handle_control: bad control packet!
Feb 17 22:51:05 nix-adserver xl2tpd[1145]: Unable to deliver closing message for tunnel 30861. Destroying anyway.
Feb 17 22:51:29 nix-adserver xl2tpd[1145]: Maximum retries exceeded for tunnel 41533.  Closing.
Feb 17 22:51:29 nix-adserver xl2tpd[1145]: Connection 18454 closed to CLIENT_IP, port 45801 (Timeout)
Feb 17 22:52:01 nix-adserver xl2tpd[1145]: Unable to deliver closing message for tunnel 41533. Destroying anyway.
Feb 17 22:56:12 nix-adserver xl2tpd[1145]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 17 22:56:12 nix-adserver xl2tpd[1145]: handle_control: bad control packet!
Feb 17 22:56:43 nix-adserver xl2tpd[1145]: Maximum retries exceeded for tunnel 30307.  Closing.
Feb 17 22:56:43 nix-adserver xl2tpd[1145]: Connection 29834 closed to 192.168.2.106, port 32812 (Timeout)
Feb 17 22:57:14 nix-adserver xl2tpd[1145]: Unable to deliver closing message for tunnel 30307. Destroying anyway.
Feb 17 23:07:53 nix-adserver xl2tpd[1145]: death_handler: Fatal signal 15 received
Feb 17 23:07:53 nix-adserver xl2tpd[8145]: Stopping xl2tpd: xl2tpd.
Feb 17 23:07:53 nix-adserver systemd[1]: xl2tpd.service: Deactivated successfully.
Feb 17 23:07:53 nix-adserver xl2tpd[8154]: Enabling IPsec SAref processing for L2TP transport mode SAs
Feb 17 23:07:53 nix-adserver xl2tpd[8154]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Feb 17 23:07:53 nix-adserver xl2tpd[8150]: Starting xl2tpd: xl2tpd.
Feb 17 23:07:53 nix-adserver xl2tpd[8154]: Not looking for kernel support.
Feb 17 23:07:53 nix-adserver xl2tpd[8155]: xl2tpd version xl2tpd-1.3.16 started on nix-adserver.trainzcity.myftp.org PID:8155
Feb 17 23:07:53 nix-adserver xl2tpd[8155]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Feb 17 23:07:53 nix-adserver xl2tpd[8155]: Forked by Scott Balmos and David Stipp, (C) 2001
Feb 17 23:07:53 nix-adserver xl2tpd[8155]: Inherited by Jeff McAdams, (C) 2002
Feb 17 23:07:53 nix-adserver xl2tpd[8155]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Feb 17 23:07:53 nix-adserver xl2tpd[8155]: Listening on IP address 0.0.0.0, port 1701
Feb 17 23:07:57 nix-adserver xl2tpd[8155]: handle_avps: AVP received with length > remaining packet length!
Feb 17 23:07:57 nix-adserver xl2tpd[8155]: Connection -1 closed to 8.219.250.199, port 44059 (Invalid AVP length)
Feb 17 23:08:28 nix-adserver xl2tpd[8155]: Unable to deliver closing message for tunnel 15095. Destroying anyway.
Feb 17 23:08:42 nix-adserver xl2tpd[8155]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 17 23:08:42 nix-adserver xl2tpd[8155]: handle_control: bad control packet!
Feb 17 23:09:12 nix-adserver xl2tpd[8155]: control_finish: Peer requested tunnel 2 twice, ignoring second one.
Feb 17 23:09:13 nix-adserver xl2tpd[8155]: Maximum retries exceeded for tunnel 28126.  Closing.
Feb 17 23:09:13 nix-adserver xl2tpd[8155]: Connection 18275 closed to 192.168.2.106, port 47098 (Timeout)
Feb 17 23:09:35 nix-adserver xl2tpd[8155]: Maximum retries exceeded for tunnel 53809.  Closing.
Feb 17 23:09:35 nix-adserver xl2tpd[8155]: Connection 2 closed to 8.219.251.246, port 52899 (Timeout)
Feb 17 23:09:44 nix-adserver xl2tpd[8155]: Unable to deliver closing message for tunnel 28126. Destroying anyway.
  • Вопрос задан
  • 203 просмотра
Комментировать
Подписаться 2 Простой Комментировать
Пригласить эксперта
Ваш ответ на вопрос

Войдите, чтобы написать ответ

Войти через центр авторизации
Похожие вопросы
Вакансии с Хабр Карьеры
DevOps-инженер/SRE-инженер
FS Travel Москва
от 260 000 ₽
Разработчик Java (Middle/Senior)
ДИКСИ Москва
от 150 000 до 270 000 ₽
Email Дизайнер
ProfitList, LLC
До 200 000 ₽
Ещё вакансии
Заказы с Хабр Фриланса
Автопостинг на вордпрессе
18 мая 2024, в 22:58
3000 руб./за проект
Отрисовать иллюстрацию
18 мая 2024, в 21:07
5000 руб./за проект
Анализ приложения на Flutter
18 мая 2024, в 20:58
5000 руб./за проект
Ещё заказы