The problem was solved by using this script, made specifically for setting things up on AWS.
I set up a PPTP VPN on Amazon's cloud without any problems; everything works.
Now I am trying to set up an IPsec/L2TP connection following this topic (later I also found another guide).
At first, when I tried to reload the configuration, the console printed this (with an empty line where the error should be):
Segmentation fault (core dumped)
failed to start openswan IKE daemon - the following error occured:
By trial and error I found out that the cause was the line rightprotoport=17/%any in /etc/ipsec.conf. I replaced it with rightprotoport=17/0 (I have no idea what that means). Reloading the configuration then went through without errors. I changed it back, and, magically, everything still works. The cause may have been a missing newline at the end of the configuration file. Anyway, it no longer matters.
sudo ipsec verify now prints:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-31-virtual (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Everything should seemingly work, but connection attempts fail. Win7 says: "Error 789. The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
The iPhone cannot connect either.
Here are the configuration files (gathered from wherever I could find them):
/etc/rc.local
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
exit 0
/etc/ipsec.conf
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
ikelifetime=8h
keylife=1h
type=transport
left=ELASTIC IP ADDRESS
leftprotoport=17/1701
right=%any
rightprotoport=17/0
/etc/ipsec.secret
ELASTIC IP %any: PSK "Passphrase"
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
listen-addr = ELASTIC IP
port = 1701 ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets ; * Where our challenge secrets are
[lns default]
ip range = 172.16.1.30-172.16.1.100 ; ip range = range of IPs to give to the connecting clients
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no ; yes for testing
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
/etc/ppp/chap-secrets
user1 pptpd Pass *
user2 l2tpd Pass *
That seems to be everything. Does anyone have any ideas why none of this works?
Oh, yes: in the security group for the instance, all TCP and UDP ports are open for the duration of the experiments. Ubuntu, 64-bit.
Here is what auth.log says about a connection attempt:
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [RFC 3947] method set to=109
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: initial Main Mode message received on (instance local ip):500 but no connection has been authorized with policy=PSK
UPD: in short, the first problem was that the Private IP 10.xxxx had to be specified in place of the Elastic IP. But it still does not connect.
auth.log now:
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: responding to Main Mode from unknown peer (my ip)
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.135'
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: deleting connection "L2TP-PSK-NAT" instance with peer (my ip) {isakmp=#0/ipsec=#0}
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: new NAT mapping for #8, was (my ip):500, now (my ip):4500
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: responding to Quick Mode proposal {msgid:01000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x35ff6b7f <0xa773bf4b xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: responding to Quick Mode proposal {msgid:02000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: keeping refhim=4294901761 during rekey
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xef37b4d9 <0xfe15824a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x35ff6b7f) payload: deleting IPSEC State #9
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: responding to Quick Mode proposal {msgid:03000000}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: keeping refhim=4294901761 during rekey
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa91336d8 <0xa61d7729 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xef37b4d9) payload: deleting IPSEC State #10
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: responding to Quick Mode proposal {msgid:04000000}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: keeping refhim=4294901761 during rekey
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x3bde910e <0x6886459f xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xa91336d8) payload: deleting IPSEC State #11
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:13 (instance local ip) sshd[9247]: Accepted publickey for root from (my ip) port 6131 ssh2
Dec 21 22:28:13 (instance local ip) sshd[9247]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 21 22:28:14 (instance local ip) sshd[9247]: subsystem request for sftp by user root
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: responding to Quick Mode proposal {msgid:05000000}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: keeping refhim=4294901761 during rekey
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xb3583b07 <0x5aad44cc xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x3bde910e) payload: deleting IPSEC State #12
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
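As an added triage helper, not part of the post above: a small Python analyzer for the pluto lines in auth.log that classifies an attempt by the lowest layer that failed. On the first log it reports that Main Mode was refused (no conn matched, which is what the left= fix addressed); on the second it reports that IKE phase 1 and the IPsec SA complete but the peer tears the SA down within seconds and renegotiates, so the next thing to check is the L2TP/PPP layer (xl2tpd, chap-secrets, the UDP 1701 binding) rather than IPsec. The sample log is a constructed excerpt in the same format; the hostname must be a single token, as in real syslog, and the 10-second SA lifetime threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed excerpt in the format of the pluto lines quoted above (not the
# full log); "host" stands for the syslog hostname and "(my ip)" for the peer.
SAMPLE_LOG = """\
Dec 21 22:27:59 host pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
Dec 21 22:28:00 host pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x35ff6b7f <0xa773bf4b}
Dec 21 22:28:00 host pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xef37b4d9 <0xfe15824a}
Dec 21 22:28:00 host pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x35ff6b7f) payload: deleting IPSEC State #9
Dec 21 22:28:03 host pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa91336d8 <0xa61d7729}
Dec 21 22:28:03 host pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xef37b4d9) payload: deleting IPSEC State #10
"""

LINE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$')
ESTAB = re.compile(r'#(\d+): STATE_QUICK_R2: IPsec SA established .*ESP=>(0x[0-9a-f]+)')
DELETE = re.compile(r'received Delete SA\((0x[0-9a-f]+)\) payload: deleting IPSEC State #(\d+)')

def parse_pluto(text):
    """Return (phase1_refused, isakmp_up, sas); sas maps pluto state -> {spi, up, down}."""
    refused, isakmp, sas = False, False, {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pluto line (sshd, etc.)
        when, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)
        if "no connection has been authorized" in msg:
            refused = True        # Main Mode arrived but no conn matched
        elif "ISAKMP SA established" in msg:
            isakmp = True         # IKE phase 1 done (PSK accepted)
        elif (e := ESTAB.search(msg)):
            sas[int(e.group(1))] = {"spi": e.group(2), "up": when, "down": None}
        elif (d := DELETE.search(msg)):
            st = sas.get(int(d.group(2)))
            if st and st["spi"] == d.group(1):
                st["down"] = when  # peer tore this IPsec SA down
    return refused, isakmp, sas

def diagnose(text, max_life=10):
    """Name the layer that most likely needs attention, checked bottom-up."""
    refused, isakmp, sas = parse_pluto(text)
    if refused:
        return "phase1-refused"        # fix left=/right= or policy in ipsec.conf
    if not isakmp:
        return "phase1-incomplete"
    short = [s for s in sas.values()
             if s["down"] and (s["down"] - s["up"]).total_seconds() <= max_life]
    if sas and len(short) >= max(2, len(sas) // 2):
        return "ipsec-up-but-torn-down"  # IPsec fine; look at xl2tpd/pppd next
    return "ipsec-up" if sas else "phase2-incomplete"
```

Feed it `diagnose(open("/var/log/auth.log").read())` on the server; sshd and other non-pluto lines are skipped.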