Centos

Diagnosing an L2TP VPN connection failure on CentOS 7

  • May 10, 2020

My local machine, CentOS Linux release 7.7.1908 (Core), connects to my workplace VPN using L2TP/IPsec with a PSK. I have two gateways, but since both produce similar logs I will post only one of them here.

When I try to connect to my VPN (gateway IP 103.7.249.66), the connection fails (it connected a few days ago, which is strange). This is what I get in /var/log/messages:

May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6288] audit: op="connection-activate" uuid="20249836-0604-4082-b028-ec61462c2a8e" name="TigerIT1" pid=2653 uid=1002 result="success"
May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6321] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: Started the VPN service, PID 6949
May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6379] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: Saw the service appear; activating connection
May 10 11:42:49 nid2_mig NetworkManager[1100]: <info>  [1589089369.6811] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN connection: (ConnectInteractive) reply received
May 10 11:42:49 nid2_mig journal: Check port 1701
May 10 11:42:49 nid2_mig NetworkManager: Redirecting to: systemctl restart ipsec.service
May 10 11:42:49 nid2_mig systemd: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
May 10 11:42:49 nid2_mig whack: 002 shutting down
May 10 11:42:49 nid2_mig ipsec: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6977]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig systemd: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
May 10 11:42:49 nid2_mig systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
May 10 11:42:49 nid2_mig addconn: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6983]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig _stackmanager: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6989]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig _stackmanager: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:49 nid2_mig libipsecconf[6994]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig ipsec: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig libipsecconf[7254]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig ipsec: nflog ipsec capture disabled
May 10 11:42:50 nid2_mig systemd: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
May 10 11:42:50 nid2_mig libipsecconf[7299]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
May 10 11:42:50 nid2_mig NetworkManager: 002 listening for IKE messages
May 10 11:42:50 nid2_mig NetworkManager: 002 forgetting secrets
May 10 11:42:50 nid2_mig NetworkManager: 002 loading secrets from "/etc/ipsec.secrets"
May 10 11:42:50 nid2_mig NetworkManager: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
May 10 11:42:50 nid2_mig NetworkManager: debugging mode enabled
May 10 11:42:50 nid2_mig NetworkManager: end of file /var/run/nm-l2tp-20249836-0604-4082-b028-ec61462c2a8e/ipsec.conf
May 10 11:42:50 nid2_mig NetworkManager: Loading conn 20249836-0604-4082-b028-ec61462c2a8e
May 10 11:42:50 nid2_mig NetworkManager: starter: left is KH_DEFAULTROUTE
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" labeled_ipsec=0
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" modecfgdns=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" modecfgdomains=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" modecfgbanner=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" mark=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" mark-in=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" mark-out=(null)
May 10 11:42:50 nid2_mig NetworkManager: conn: "20249836-0604-4082-b028-ec61462c2a8e" vti_iface=(null)
May 10 11:42:50 nid2_mig NetworkManager: opening file: /var/run/nm-l2tp-20249836-0604-4082-b028-ec61462c2a8e/ipsec.conf
May 10 11:42:50 nid2_mig NetworkManager: loading named conns: 20249836-0604-4082-b028-ec61462c2a8e
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 1, seeking_gateway = 1, has_peer = 1
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 0, seeking_gateway = 1, has_dst = 1
May 10 11:42:50 nid2_mig NetworkManager: dst  via 192.168.68.1 dev wlp2s0 src  table 254
May 10 11:42:50 nid2_mig NetworkManager: set nexthop: 192.168.68.1
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.0 via  dev wlp2s0 src 192.168.68.108 table 254
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254
May 10 11:42:50 nid2_mig NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.0 via  dev wlp2s0 src 192.168.68.108 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.108 via  dev wlp2s0 src 192.168.68.108 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.255 via  dev wlp2s0 src 192.168.68.108 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 1, seeking_gateway = 0, has_peer = 1
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 1, seeking_gateway = 0, has_dst = 1
May 10 11:42:50 nid2_mig NetworkManager: dst 192.168.68.1 via  dev wlp2s0 src 192.168.68.108 table 254
May 10 11:42:50 nid2_mig NetworkManager: set addr: 192.168.68.108
May 10 11:42:50 nid2_mig NetworkManager: seeking_src = 0, seeking_gateway = 0, has_peer = 1
May 10 11:42:50 nid2_mig NetworkManager: 002 "20249836-0604-4082-b028-ec61462c2a8e" #1: initiating Main Mode
May 10 11:42:50 nid2_mig NetworkManager: 104 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I1: initiate
May 10 11:42:50 nid2_mig NetworkManager: 106 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 11:42:50 nid2_mig NetworkManager: 108 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 10 11:42:50 nid2_mig NetworkManager: 002 "20249836-0604-4082-b028-ec61462c2a8e" #1: Peer ID is ID_IPV4_ADDR: '103.7.249.66'
May 10 11:42:50 nid2_mig NetworkManager: 004 "20249836-0604-4082-b028-ec61462c2a8e" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 002 "20249836-0604-4082-b028-ec61462c2a8e" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:a6c5fe68 proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 117 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: initiate
May 10 11:42:50 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
May 10 11:42:51 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
May 10 11:42:52 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
May 10 11:42:54 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
May 10 11:42:58 nid2_mig NetworkManager: 010 "20249836-0604-4082-b028-ec61462c2a8e" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
May 10 11:43:00 nid2_mig journal: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
May 10 11:43:00 nid2_mig NetworkManager[1100]: <info>  [1589089380.2142] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN plugin: state changed: stopped (6)
May 10 11:43:00 nid2_mig NetworkManager[1100]: <info>  [1589089380.2161] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN service disappeared
May 10 11:43:00 nid2_mig NetworkManager[1100]: <warn>  [1589089380.2168] vpn-connection[0x563b09ece4f0,20249836-0604-4082-b028-ec61462c2a8e,"TigerIT1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

There are no .conf files under /etc/ipsec.d/ on my system.

Traceroute to the IP:

traceroute to 103.7.249.66 (103.7.249.66), 30 hops max, 60 byte packets
1  gateway (192.168.68.1)  6.709 ms  6.734 ms  6.703 ms
2  192.168.0.1 (192.168.0.1)  7.331 ms  7.401 ms  7.390 ms
3  10.0.0.1 (10.0.0.1)  10.848 ms  10.834 ms  10.811 ms
4  228.51.103-1-baninetworks.com (103.51.228.1)  10.786 ms  10.765 ms  10.739 ms
5  220.152.112.213 (220.152.112.213)  8.062 ms  8.091 ms  10.269 ms
6  103.7.248.109 (103.7.248.109)  15.651 ms  14.175 ms  14.188 ms
7  * * *
8  * * *
9  * * *
10  * * *
.........

Local IP routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.68.1    0.0.0.0         UG    600    0        0 wlp2s0
192.168.68.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

nm-connection-editor was used to create/update the VPN connection. I have not fiddled with anything under the IPsec or PPP settings. The current configuration looks like this:

[Screenshots: L2TP IPsec settings; L2TP PPP options]

I have tried deleting and creating the connection several times. Sometimes reconfiguring the connection works on Windows, but in the case of CentOS it does not help.

My machine connects to the internet through a WiFi mesh router; however, my other machine (Windows) and my phone (Android) are on the same network, and I can connect to the VPN from those devices. I have not changed anything related to IP forwarding or MTU. I tried contacting my network administrators, but since a connection could not be established they could not reveal much. However, if I knew what to ask, I could ask them any specific questions.

I don't think this is related to my ISP, since I can connect from other operating systems.

I want to investigate what is going wrong. I know very little about network communication interfaces, but before trying random fixes from the internet I would like to understand more. Let me know if I can provide more information.

From the logs, IPsec Phase 1 (Main Mode) succeeds, but Phase 2 (Quick Mode) fails.

Perhaps the VPN server does not use Perfect Forward Secrecy (PFS) in Phase 2 (Quick Mode). So try the "Disable PFS" checkbox.
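The answer's reading of the log (Phase 1 established, Phase 2 stalls) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the question, the answer or any project; it parses the pluto status lines that NetworkManager relays (the `<code> "<conn>" #<sa>: <message>` format visible above), tracks each SA's last state, retransmissions and policy flags, and reports where the IKEv1 handshake stopped. The sample lines are constructed to mirror the log in the question with a shortened connection name; the assumption that a successful Quick Mode prints "IPsec SA established" follows libreswan's wording and is the only marker the script relies on beyond what the page shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample modelled on the /var/log/messages excerpt in the question
# (connection name shortened to "conn-a"; timestamps and states as in the original).
SAMPLE_LOG = """\
May 10 11:42:50 nid2_mig NetworkManager: 002 "conn-a" #1: initiating Main Mode
May 10 11:42:50 nid2_mig NetworkManager: 104 "conn-a" #1: STATE_MAIN_I1: initiate
May 10 11:42:50 nid2_mig NetworkManager: 106 "conn-a" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 11:42:50 nid2_mig NetworkManager: 108 "conn-a" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 10 11:42:50 nid2_mig NetworkManager: 004 "conn-a" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 002 "conn-a" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW {using isakmp#1 msgid:a6c5fe68 proposal=AES_CBC_256-HMAC_SHA1_96 pfsgroup=MODP1024}
May 10 11:42:50 nid2_mig NetworkManager: 117 "conn-a" #2: STATE_QUICK_I1: initiate
May 10 11:42:50 nid2_mig NetworkManager: 010 "conn-a" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
May 10 11:42:51 nid2_mig NetworkManager: 010 "conn-a" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
May 10 11:42:52 nid2_mig NetworkManager: 010 "conn-a" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
"""

# pluto status line as relayed by NetworkManager: <3-digit code> "<conn>" #<sa>: <message>
SA_LINE = re.compile(r'\b(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


@dataclass
class SaTrace:
    sa: int
    phase: Optional[int] = None        # 1 = ISAKMP SA (Main Mode), 2 = IPsec SA (Quick Mode)
    last_state: Optional[str] = None   # e.g. STATE_MAIN_I4 or STATE_QUICK_I1
    established: bool = False
    retransmissions: int = 0
    policy: str = ""                   # policy flags offered in Quick Mode, e.g. PSK+ENCRYPT+PFS+...
    params: str = ""                   # negotiated parameters once the SA is established


def parse_ike_log(text: str) -> Dict[int, SaTrace]:
    """Collect one SaTrace per SA number from the pluto lines in a log excerpt."""
    traces: Dict[int, SaTrace] = {}
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue  # routing dumps, systemd and include warnings carry no SA state
        msg = m.group("msg")
        t = traces.setdefault(int(m.group("sa")), SaTrace(sa=int(m.group("sa"))))
        if msg.startswith("initiating Main Mode"):
            t.phase = 1
        elif msg.startswith("initiating Quick Mode"):
            t.phase = 2
            t.policy = msg[len("initiating Quick Mode "):].split(" ", 1)[0]
        state = re.match(r"(STATE_\w+):", msg)
        if state:
            t.last_state = state.group(1)
        if "retransmission" in msg:
            t.retransmissions += 1
        if "SA established" in msg:  # "ISAKMP SA established" / "IPsec SA established"
            t.established = True
            brace = msg.find("{")
            t.params = msg[brace:] if brace != -1 else ""
    return traces


def diagnose(traces: Dict[int, SaTrace]) -> dict:
    """Say which IKEv1 phase completed and whether the peer went silent in Phase 2."""
    phase1 = [t for t in traces.values() if t.phase == 1]
    phase2 = [t for t in traces.values() if t.phase == 2]
    result = {
        "phase1_established": any(t.established for t in phase1),
        "phase2_established": any(t.established for t in phase2),
        "phase2_retransmissions": sum(t.retransmissions for t in phase2),
        "pfs_proposed": any("PFS" in t.policy.split("+") for t in phase2),
        "verdict": "",
    }
    if not result["phase1_established"]:
        result["verdict"] = "phase1_failed"        # PSK, IKE proposal or UDP/500 reachability
    elif result["phase2_established"]:
        result["verdict"] = "ok"
    elif result["phase2_retransmissions"] > 0:
        result["verdict"] = "phase2_no_response"   # peer never answered QUICK_I1
    else:
        result["verdict"] = "phase2_incomplete"
    return result


if __name__ == "__main__":
    traces = parse_ike_log(SAMPLE_LOG)
    for t in sorted(traces.values(), key=lambda x: x.sa):
        print(f"SA #{t.sa}: phase={t.phase} last_state={t.last_state} "
              f"established={t.established} retransmissions={t.retransmissions}")
    print(diagnose(traces))
```

Run against the question's log, the verdict is `phase2_no_response` with `pfs_proposed` true, which is the situation the answer addresses. The script only locates the stall; a silent peer at STATE_QUICK_I1 is consistent with a PFS or proposal mismatch on the server side, so the answer's "Disable PFS" suggestion is the first thing to change, and the script can be re-run on the new log to confirm the verdict moves to `ok`.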

Source: https://serverfault.com/questions/1016482