L2TP over IPsec with strongSwan/xl2tpd works on the clone but not on the original
I am setting up a VPN connection from the company network to a client. Currently: L2TP VPN. My first step was to clone the current router VM (it is a Hyper-V machine). Then I started configuring and experimenting on the clone. Once I got the result I wanted, I redid the necessary steps on the original. The setups are now identical (except for the IP address). But for some reason only the clone can connect (and always does), while the original almost always fails - although for some reason it did connect once.
The setup is as follows.
- OS: Debian GNU/Linux 10 (buster)
- ipsec: Linux strongSwan U5.7.2/K4.19.0-9-amd64
- xl2tpd: xl2tpd-1.3.12
/etc/ipsec.conf

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1-modp1024

    conn vpnTheClient
        keyexchange=ikev1
        left=%defaultroute
        auto=add
        authby=secret
        type=transport
        leftprotoport=17/%any
        rightprotoport=17/%any
        right=10.20.30.40
/etc/ipsec.secrets

    %any 10.20.30.40 : PSK "somestrongstring"
/etc/xl2tpd/xl2tpd.conf

    [global]
    debug tunnel = yes
    debug avp = yes
    debug network = yes
    debug packet = yes
    debug state = yes

    [lac vpnTheClient]
    lns = 10.20.30.40
    ppp debug = yes
    pppoptfile = /etc/ppp/options.TheClient.l2tpd
    length bit = yes
/etc/ppp/options.TheClient.l2tpd

    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-chap
    noccp
    noauth
    noaccomp
    mtu 1280
    mru 1280
    noipdefault
    #defaultroute
    nodefaultroute
    #usepeerdns
    unit 3
    connect-delay 5000
    name vpnusername
    password vpnPasswrd!
Now I start

    sudo xl2tpd -D

from one session and

    sudo /bin/sh -c 'echo "c vpnTheClient" > /var/run/xl2tpd/l2tp-control'

from another. The first, failing attempt on the original looks like this.
    xl2tpd[11360]: Not looking for kernel SAref support.
    xl2tpd[11360]: Using l2tp kernel support.
    xl2tpd[11360]: xl2tpd version xl2tpd-1.3.12 started on debian-router PID:11360
    xl2tpd[11360]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[11360]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[11360]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[11360]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
    xl2tpd[11360]: Listening on IP address 0.0.0.0, port 1701
    xl2tpd[11360]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
    xl2tpd[11360]: Connecting to host 10.20.30.40, port 1701
    xl2tpd[11360]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
    packet dump:
    HEX: { C8 02 00 6E 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 13 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 47 7A 80 08 00 00 00 0A 00 04 }
    ASCII: { n debian-router xelerance.com Gz }
    xl2tpd[11360]: control_finish: sending SCCRQ
    xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
    xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
    xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
    xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
    xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
    xl2tpd[11360]: Maximum retries exceeded for tunnel 18298.  Closing.
Now from the clone, with exactly the same setup:
    xl2tpd[2299]: Not looking for kernel SAref support.
    xl2tpd[2299]: Using l2tp kernel support.
    xl2tpd[2299]: xl2tpd version xl2tpd-1.3.12 started on debian-router-copy PID:2299
    xl2tpd[2299]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[2299]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[2299]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[2299]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
    xl2tpd[2299]: Listening on IP address 0.0.0.0, port 1701
    xl2tpd[2299]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
    xl2tpd[2299]: Connecting to host 10.20.30.40, port 1701
    xl2tpd[2299]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
    packet dump:
    HEX: { C8 02 00 73 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 18 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 2D 63 6F 70 79 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 9C 82 80 08 00 00 00 0A 00 04 }
    ASCII: { s debian-router-copy xelerance.com }
    xl2tpd[2299]: control_finish: sending SCCRQ
    xl2tpd[2299]: network_thread: recv packet from 10.20.30.40, size = 96, tunnel = 40066, call = 0 ref=0 refhim=0
    packet dump: <etc now everything is working>
Then I tried adding the

    noaccomp

option, and suddenly the original worked:

    xl2tpd[11881]: Not looking for kernel SAref support.
    xl2tpd[11881]: Using l2tp kernel support.
    xl2tpd[11881]: xl2tpd version xl2tpd-1.3.12 started on debian-router PID:11881
    xl2tpd[11881]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[11881]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[11881]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[11881]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
    xl2tpd[11881]: Listening on IP address 0.0.0.0, port 1701
    xl2tpd[11881]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
    xl2tpd[11881]: Connecting to host 10.20.30.40, port 1701
    xl2tpd[11881]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
    packet dump:
    HEX: { C8 02 00 6E 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 13 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 64 83 80 08 00 00 00 0A 00 04 }
    ASCII: { n debian-router xelerance.com d }
    xl2tpd[11881]: control_finish: sending SCCRQ
    xl2tpd[11881]: network_thread: recv packet from 10.20.30.40, size = 96, tunnel = 25731, call = 0 ref=0 refhim=0
    packet dump: <etc now everything is working>

But only this once.
Question: how do I debug this (I am a very novice Linux user)? What could the reason be? I want to stress that the clone has never had any connection problem, and as far as I can tell the configuration is exactly the same.
From https://linux.die.net/man/5/ipsec.conf:

    leftprotoport: the protocol and port allowed through the connection, also known as port selector. The argument is in the form protocol, which can be a number or a name that will be looked up in /etc/protocols, as in leftprotoport=icmp, or in the form protocol/port, as in tcp/smtp. Ports can be defined as a number (e.g. 25) or a name (e.g. smtp), which will be looked up in /etc/services. The special keyword %any can be used to allow all ports of a certain protocol.
It turns out that this did not work as (I) expected. With

    leftprotoport=17/%any

in the connection in ipsec.conf, ipsec came up, but ppp then did not. Replacing it with

    leftprotoport=17/1701

fixed the problem (after a forced restart of ipsec). I also found it interesting that in the output of ipsec the %any port shows up as

    1.2.3.4/32[udp] === 10.20.30.40/32[udp]

while 1702 shows up as

    1.2.3.4/32[udp/l2f] === 10.20.30.40/32[udp]

(the port is explicitly identified by the name l2f).
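As an added example (not code from the question, the answer, or the xl2tpd project), the following Python decoder parses the control-message bytes that xl2tpd prints with debug packet = yes. It walks the RFC 2661 L2TPv2 header and AVP list of the failing router's SCCRQ from the question, so you can confirm that the outgoing request is well-formed and that its Assigned Tunnel ID (18298) is the tunnel named in the "Maximum retries exceeded for tunnel 18298" line. The hex string is copied from the question's dump; the AVP and message-type names come from RFC 2661. It also rejects data messages and hidden AVPs it cannot decode without the tunnel secret.

```python
"""Decode an L2TPv2 control message (RFC 2661) from an xl2tpd "packet dump" line.

Added example; not part of the question or of xl2tpd itself.
"""
import struct

# SCCRQ bytes copied from the failing router's "packet dump: HEX: { ... }" line.
SCCRQ_HEX = (
    "C8 02 00 6E 00 00 00 00 00 00 00 00 "
    "80 08 00 00 00 00 00 01 "
    "80 08 00 00 00 02 01 00 "
    "80 0A 00 00 00 03 00 00 00 03 "
    "80 0A 00 00 00 04 00 00 00 00 "
    "00 08 00 00 00 06 06 90 "
    "80 13 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 "
    "00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D "
    "80 08 00 00 00 09 47 7A "
    "80 08 00 00 00 0A 00 04"
)

# Control message types (RFC 2661, section 3.2) involved in tunnel/session setup.
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

# AVP attribute types an SCCRQ carries (RFC 2661, section 4.4).
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             4: "Bearer Capabilities", 6: "Firmware Revision", 7: "Host Name",
             8: "Vendor Name", 9: "Assigned Tunnel ID", 10: "Receive Window Size"}


def _decode_value(attr_type, raw):
    """Render one AVP value according to its attribute type; fall back to hex."""
    if attr_type == 0 and len(raw) == 2:
        code = struct.unpack("!H", raw)[0]
        return MESSAGE_TYPES.get(code, f"unknown({code})")
    if attr_type == 2 and len(raw) == 2:
        return f"{raw[0]}.{raw[1]}"          # major.minor
    if attr_type in (7, 8):
        return raw.decode("ascii", errors="replace")
    if attr_type in (3, 4) and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if attr_type in (6, 9, 10) and len(raw) == 2:
        return struct.unpack("!H", raw)[0]
    return raw.hex()


def decode_control_message(hex_text):
    """Parse the 12-byte L2TPv2 control header and the AVPs that follow it."""
    data = bytes.fromhex(hex_text.replace(" ", ""))
    if len(data) < 12:
        raise ValueError("truncated L2TP header")
    flags_ver, length, tunnel, session, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if not flags_ver & 0x8000:
        raise ValueError("T bit clear: data message, not a control message")
    if not (flags_ver & 0x4000 and flags_ver & 0x0800):
        raise ValueError("control messages must carry the L and S bits")
    if (flags_ver & 0x000F) != 2:
        raise ValueError(f"unexpected L2TP version {flags_ver & 0x000F}")
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes")

    avps, offset = [], 12
    while offset < len(data):
        if offset + 6 > len(data):
            raise ValueError("truncated AVP header")
        flags_len, vendor_id, attr_type = struct.unpack("!HHH", data[offset:offset + 6])
        avp_len = flags_len & 0x03FF              # low 10 bits are the AVP length
        if avp_len < 6 or offset + avp_len > len(data):
            raise ValueError(f"bad AVP length {avp_len} at offset {offset}")
        raw = data[offset + 6:offset + avp_len]
        hidden = bool(flags_len & 0x4000)         # H bit: value hidden with the shared secret
        avps.append({
            "mandatory": bool(flags_len & 0x8000),
            "hidden": hidden,
            "vendor_id": vendor_id,
            "type": attr_type,
            "name": AVP_NAMES.get(attr_type, f"type {attr_type}"),
            # A hidden value needs the tunnel secret to unhide, so keep it as hex.
            "value": raw.hex() if hidden else _decode_value(attr_type, raw),
        })
        offset += avp_len

    def first(t):
        return next((a["value"] for a in avps if a["type"] == t), None)

    return {"length": length, "tunnel_id": tunnel, "session_id": session,
            "ns": ns, "nr": nr, "avps": avps,
            "message_type": first(0), "host_name": first(7),
            "assigned_tunnel_id": first(9)}


if __name__ == "__main__":
    msg = decode_control_message(SCCRQ_HEX)
    print(f"{msg['message_type']} from {msg['host_name']}, "
          f"local tunnel ID {msg['assigned_tunnel_id']}")
    for avp in msg["avps"]:
        print(f"  {'M' if avp['mandatory'] else '-'} {avp['name']}: {avp['value']}")
```

The decoded request is a valid SCCRQ, and the clone's request in the question differs only in the host name and the randomly assigned tunnel ID, yet the clone receives an SCCRP and the original does not. That points away from the L2TP layer and toward whether the UDP/1701 packet is actually matched and carried by the IPsec transport SA, which is exactly what the leftprotoport traffic selector in the answer controls.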