Задать вопрос
@mmaerov

Сервер ubuntu 14.04, mikrotik как L2TP/iPSec клиент не работает?

Есть сервер под ubuntu 14.04, L2TP/IPSec, Windows 7 подключается, Nexus 7 подключается, mikrotik никак, причём без IPSec работает, а с ним ни в какую. У кого нибудь работает, поделитесь опытом?
Конфиг, если надо выложу.
  • Вопрос задан
  • 2862 просмотра
Подписаться 1 Оценить 2 комментария
Пригласить эксперта
Ответы на вопрос 2
@mmaerov Автор вопроса
mikrotik
address=46.28.xxx.xxx local-address=31.134.xxx.xxx passive=no port=500
auth-method=pre-shared-key
secret="xxxxxxxxxxxxxxxxxxxxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=no nat-traversal=no hash-algorithm=sha1
enc-algorithm=3des,aes-128,aes-256 dh-group=modp1024 lifetime=8h
dpd-interval=disable-dpd dpd-maximum-failures=5

src-address=31.134.xxx.xxx/32 src-port=any dst-address=46.28.xxx.xxx/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=31.134.xxx.xxx
sa-dst-address=46.28.xxx.xxx proposal=default priority=0

ipsec.conf
version 2 # conforms to second version of ipsec.conf specification

config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through whi$

protostack=netkey
#decide which protocol stack is going to be used.

force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.

pfs=no
#Disable pfs

auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

keyingtries=3
#Only negotiate a conn. 3 times.

ikelifetime=8h
keylife=1h

ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-Ap...
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead o$

type=transport
#because we use l2tp as tunnel protocol

left=46.28.xxx.xxx
#fill in server IP above

leftprotoport=17/1701
right=%any
rightprotoport=17/%any

dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

не могу найти логов openswan, позже выложу.
Ответ написан
Комментировать
IlyaEvseev
@IlyaEvseev
Opensource geek
Уже было недавно: Mikrotik+Softether: L2TP over IPsec — как настроить Mikrotik?
Сервер другой, но проблема решилась тоже настройками Микротика.
Не помогло?
Ответ написан
Ваш ответ на вопрос

Войдите, чтобы написать ответ

Похожие вопросы