Debian

L2TP over IPSec strongswan/xl2tpd 適用於複製但不適用於原始版本

  • July 25, 2020

我正在建立從公司網路到客戶端的 VPN 連接。目前:L2TP VPN。我的第一步是複製目前的 router-VM(它是一台 Hyper-V 機器)。然後我開始配置和試驗複製。一旦我得到了我想要的結果,我就在原件上重新做了必要的步驟。設置現在是相同的(除了 IP 地址)。但是由於某種原因,只有複製可以連接(並且始終如此),而原始幾乎總是失敗 - 但出於某種原因確實連接了一次。

設置是這樣的。

  • 作業系統:Debian GNU/Linux 10(破壞者)
  • ipsec:Linux strongSwan U5.7.2/K4.19.0-9-amd64
  • xl2tpd:xl2tpd-1.3.12

/etc/ipsec.conf

conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 keyexchange=ikev1
 authby=secret
 ike=3des-sha1-modp1024
 esp=3des-sha1-modp1024

conn vpnTheClient
 keyexchange=ikev1
 left=%defaultroute
 auto=add
 authby=secret
 type=transport
 leftprotoport=17/%any
 rightprotoport=17/%any
 right=10.20.30.40

/etc/ipsec.secrets

 %any 10.20.30.40 : PSK "somestrongstring"

/etc/xl2tpd/xl2tpd.conf

[global]
debug tunnel = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes

[lac vpnTheClient]
lns = 10.20.30.40
ppp debug = yes
pppoptfile = /etc/ppp/options.TheClient.l2tpd
length bit = yes

/etc/ppp/options.TheClient.l2tpd

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
noaccomp
mtu 1280
mru 1280
noipdefault
#defaultroute
nodefaultroute
#usepeerdns
unit 3
connect-delay 5000
name vpnusername
password vpnPasswrd!

現在我sudo xl2tpd -D從一個會話和sudo /bin/sh -c 'echo "c vpnTheClient" > /var/run/xl2tpd/l2tp-control'另一個會話開始。

最初的第一次失敗嘗試如下所示。

xl2tpd[11360]: Not looking for kernel SAref support.
xl2tpd[11360]: Using l2tp kernel support.
xl2tpd[11360]: xl2tpd version xl2tpd-1.3.12 started on debian-router PID:11360
xl2tpd[11360]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[11360]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[11360]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[11360]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[11360]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[11360]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
xl2tpd[11360]: Connecting to host 10.20.30.40, port 1701
xl2tpd[11360]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
packet dump:
HEX: { C8 02 00 6E 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 13 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 47 7A 80 08 00 00 00 0A 00 04 }
ASCII: {    n                                                          debian-router      xelerance.com      Gz        }
xl2tpd[11360]: control_finish: sending SCCRQ
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: Maximum retries exceeded for tunnel 18298.  Closing.

現在從複製,完全相同的設置:

xl2tpd[2299]: Not looking for kernel SAref support.
xl2tpd[2299]: Using l2tp kernel support.
xl2tpd[2299]: xl2tpd version xl2tpd-1.3.12 started on debian-router-copy PID:2299
xl2tpd[2299]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[2299]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[2299]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[2299]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[2299]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[2299]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
xl2tpd[2299]: Connecting to host 10.20.30.40, port 1701
xl2tpd[2299]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
packet dump:
HEX: { C8 02 00 73 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 18 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 2D 63 6F 70 79 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 9C 82 80 08 00 00 00 0A 00 04 }
ASCII: {    s                                                          debian-router-copy      xelerance.com
}
xl2tpd[2299]: control_finish: sending SCCRQ
xl2tpd[2299]: network_thread: recv packet from 10.20.30.40, size = 96, tunnel = 40066, call = 0 ref=0 refhim=0
packet dump:
 <etc now everything is working>

然後我嘗試添加noaccomp選項,突然間原來的工作。

xl2tpd[11881]: Not looking for kernel SAref support.
xl2tpd[11881]: Using l2tp kernel support.
xl2tpd[11881]: xl2tpd version xl2tpd-1.3.12 started on debian-router PID:11881
xl2tpd[11881]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[11881]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[11881]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[11881]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[11881]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[11881]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
xl2tpd[11881]: Connecting to host 10.20.30.40, port 1701
xl2tpd[11881]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
packet dump:
HEX: { C8 02 00 6E 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 13 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 64 83 80 08 00 00 00 0A 00 04 }
ASCII: {    n                                                          debian-router      xelerance.com      d         }
xl2tpd[11881]: control_finish: sending SCCRQ
xl2tpd[11881]: network_thread: recv packet from 10.20.30.40, size = 96, tunnel = 25731, call = 0 ref=0 refhim=0
packet dump:
 <etc now everything is working>

但只有這一次。

問題:我如何調試這個東西(我只是一個非常新手的 Linux 使用者)?這可能是什麼原因?我想強調一下,複製從來沒有任何連接問題——據我所知,配置完全相同。

來自https://linux.die.net/man/5/ipsec.conf

leftprotoport 允許通過連接的協議和埠,也稱為埠選擇器。參數的形式為protocol,可以是數字或名稱,會在/etc/protocols中查找,如leftprotoport=icmp,也可以為protocol/port的形式,如tcp/smtp。埠可以​​定義為數字(例如 25)或名稱(例如 smtp),它們將在 /etc/services 中查找。可以使用特殊關鍵字 %any 來允許某個協議的所有埠。

事實證明,它沒有按預期工作(我)。

leftprotoport=17/%any連接中ipsec.conf出現了ipsec,但隨後ppp沒有出現。

用修復問題替換它leftprotoport=17/1701(在強制重啟之後ipsec)。

我也覺得很有趣,在ipsec%any 埠的輸出中看起來像

1.2.3.4/32[udp] === 10.20.30.40/32[udp]

而像這樣的1702

1.2.3.4/32[udp/l2f] === 10.20.30.40/32[udp]

(埠由 name 明確指定l2f

引用自:https://serverfault.com/questions/1026626