Сервер ubuntu 14.04, mikrotik как L2TP/iPSec клиент не работает?

Question

[mmaerov]

Есть сервер под ubuntu 14.04, L2TP/IPSec, Windows 7 подключается, Nexus 7 подключается, mikrotik никак, причём без IPSec работает, а с ним ни в какую. У кого нибудь работает, поделитесь опытом?
Конфиг, если надо выложу.

Comments

[Сергей]

Так трудно сказать, нужны конфиги и логи с обоих сторон.

[mmaerov]

mikrotik
address=46.28.xxx.xxx local-address=31.134.xxx.xxx passive=no port=500
auth-method=pre-shared-key
secret="xxxxxxxxxxxxxxxxxxxxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=no nat-traversal=no hash-algorithm=sha1
enc-algorithm=3des,aes-128,aes-256 dh-group=modp1024 lifetime=8h
dpd-interval=disable-dpd dpd-maximum-failures=5

src-address=31.134.xxx.xxx/32 src-port=any dst-address=46.28.xxx.xxx/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=31.134.xxx.xxx
sa-dst-address=46.28.xxx.xxx proposal=default priority=0

ipsec.conf
version 2 # conforms to second version of ipsec.conf specification

config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through whi$

protostack=netkey
#decide which protocol stack is going to be used.

force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.

pfs=no
#Disable pfs

auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

keyingtries=3
#Only negotiate a conn. 3 times.

ikelifetime=8h
keylife=1h

ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-Ap...
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead o$

type=transport
#because we use l2tp as tunnel protocol

left=46.28.xxx.xxx
#fill in server IP above

leftprotoport=17/1701
right=%any
rightprotoport=17/%any

dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

не могу найти логов openswan, позже выложу

Answer 1

[mmaerov]

mikrotik
address=46.28.xxx.xxx local-address=31.134.xxx.xxx passive=no port=500
auth-method=pre-shared-key
secret="xxxxxxxxxxxxxxxxxxxxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=no nat-traversal=no hash-algorithm=sha1
enc-algorithm=3des,aes-128,aes-256 dh-group=modp1024 lifetime=8h
dpd-interval=disable-dpd dpd-maximum-failures=5

src-address=31.134.xxx.xxx/32 src-port=any dst-address=46.28.xxx.xxx/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=31.134.xxx.xxx
sa-dst-address=46.28.xxx.xxx proposal=default priority=0

ipsec.conf
version 2 # conforms to second version of ipsec.conf specification

config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through whi$

protostack=netkey
#decide which protocol stack is going to be used.

force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.

pfs=no
#Disable pfs

auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

keyingtries=3
#Only negotiate a conn. 3 times.

ikelifetime=8h
keylife=1h

ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-Ap...
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead o$

type=transport
#because we use l2tp as tunnel protocol

left=46.28.xxx.xxx
#fill in server IP above

leftprotoport=17/1701
right=%any
rightprotoport=17/%any

dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

не могу найти логов openswan, позже выложу.

Answer 2

[Ilya Evseev]

Уже было недавно: Mikrotik+Softether: L2TP over IPsec — как настроить Mikrotik?
Сервер другой, но проблема решилась тоже настройками Микротика.
Не помогло?

Comments

[mmaerov]

Пробовал так, у меня не работает.

[Ilya Evseev]

mmaerov: основные спецы по Микротику сидят не здесь, а на (сюрприз!) forum.mikrotik.com и forum.nag.ru
Если даже там не сумеют помочь... на этом мысль останавливается

[mmaerov]

На наге был, косяк какой то, не могу создавать тем, писал в саппорт, реакции нет, про второй знаю, но еще не искал там. Там на англицком всё, но, видимо всё таки придётся искать ответ там))

[Ilya Evseev]

mmaerov: странно, что не дает создать тему, но кто мешает написать в существующую?
Гугл по запросу "site:forum.nag.ru l2tp ipsec" сразу находит: forum.nag.ru/forum/index.php?showtopic=87828

[mmaerov]

Видел эту тему, мне не помогло.
ЗЫ Писать в существующие темы тоже не могу.

[Ilya Evseev]

mmaerov: наговский саппорт лучше пинать через соцсети. На главной странице портала есть ссылки на сообщества. Пишите туда, если жалоба на виду, больше шансов, что её не проигнорируют.

[mmaerov]

Спасибо за наводку, попробую.