Ubuntu

我無法從 Windows 和 Android 客戶端連接到我的 L2TP 伺服器

  • July 12, 2017

在我的 Ubuntu 16.04 伺服器上，xl2tpd 已成功執行。

我的/etc/ipsec.conf

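version 2.0

# /etc/ipsec.conf — IKEv1/PSK responder for L2TP/IPsec road-warrior clients
# (Windows, Android). The journal shows charon, i.e. strongSwan, reading this
# file; the Openswan-style keys below are kept but strongSwan does not need them.
config setup
   # Openswan/Libreswan keywords: strongSwan always negotiates NAT-T and has no
   # opportunistic-encryption or protostack switch. Presumably ignored — check
   # the starter log for parse warnings after restarting.
   nat_traversal=yes
   oe=off
   protostack=netkey

conn L2TP-PSK
   authby=secret
   pfs=no
   # the server never starts a rekey; clients still may
   rekey=no
   # L2TP/IPsec clients request transport mode; tunnel mode does not match
   # their quick-mode proposals
   type=transport
   esp=aes128-sha1
   ike=aes128-sha-modp1024
   ikelifetime=8h
   keylife=1h
   # The journal shows IKE packets arriving on 10.8.76.29 while left= named
   # 51.15.67.126, and charon answers "no IKE config found ... NO_PROPOSAL_CHOSEN".
   # Match the local address the daemon actually listens on and present the
   # public address only as the identity.
   left=%any
   leftid=51.15.67.126
   # Openswan keyword; the working strongSwan config further down keeps it too
   leftnexthop=%defaultroute
   # L2TP control channel: UDP 1701 locally, any client source port (NAT)
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any
   # strongSwan spelling; rightsubnetwithin is Openswan-only
   rightsubnet=0.0.0.0/0
   # load at start and wait for clients to initiate
   auto=add
   # dead peer detection: probe every 30 s, clear the SA after 120 s of silence
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear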

我的/etc/ipsec.secrets

# /etc/ipsec.secrets — one PSK for any local and any remote identity
# NOTE(review): "MySecret" is a placeholder; use a long random value, since every
# client shares it
%any %any: PSK "MySecret"

我的/etc/xl2tpd/xl2tpd.conf

; /etc/xl2tpd/xl2tpd.conf — L2TP daemon; each session is handed to pppd with
; the options in /etc/ppp/options.xl2tpd
[global]
; NOTE(review): the working config further down sets "ipsec saref = no";
; saref tracking presumably needs kernel support — confirm before keeping "yes"
ipsec saref = yes
[lns default]
; addresses handed out to clients
ip range = 192.168.1.231-192.168.1.239
; server end of the PPP link
local ip = 192.168.1.230
; refuse plain CHAP and PAP so only MS-CHAPv2 (require-mschap-v2 in
; options.xl2tpd) is accepted
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

我的/etc/ppp/options.xl2tpd

# /etc/ppp/options.xl2tpd — pppd options for sessions started by xl2tpd
# only MS-CHAPv2 is offered to the peer (xl2tpd.conf also refuses CHAP/PAP)
require-mschap-v2
# resolvers pushed to clients
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
# the peer must authenticate; secrets come from /etc/ppp/chap-secrets
auth
# crtscts/modem are serial-line options — presumably carried over from a
# dial-up template; harmless on an L2TP pseudo-wire
crtscts
lock
hide-password
modem
# NOTE(review): verbose logging; hide-password above keeps secrets out of it,
# but turn debug off once the connection works
debug
# local name matched against the server column in chap-secrets
name l2tpd
proxyarp
# drop the link after 4 unanswered LCP echoes sent 30 s apart
lcp-echo-interval 30
lcp-echo-failure 4

我的/etc/ppp/chap-secrets

# /etc/ppp/chap-secrets — fields: client  server  secret  IP-addresses
# "*" in every field accepts any username from any address with this one
# password, i.e. a shared password; prefer one line per user with a real
# username in the first field
* * MyText *

我的/etc/rc.local

# /etc/rc.local — run once at boot: enable routing and NAT the client pool
# not persistent by itself; a sysctl.conf entry survives reboots without rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT the L2TP pool out of the uplink
# NOTE(review): the journal reports a timeout waiting for the eth0 device, so
# the uplink may carry a different (predictable) name on this host — check with
# "ip link" before trusting this rule
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

journalctl -xe 的輸出:

Jun 05 14:29:07 vkmarket.ru kernel: random: nonblocking pool is initialized
Jun 05 14:29:08 vkmarket.ru charon[3375]: 11[NET] received packet: from 92.63.69.35[478] to 10.8.76.29[500] (444 bytes)
Jun 05 14:29:08 vkmarket.ru charon[3375]: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jun 05 14:29:08 vkmarket.ru charon[3375]: 11[IKE] no IKE config found for 10.8.76.29...92.63.69.35, sending NO_PROPOSAL_CHOSEN
Jun 05 14:29:08 vkmarket.ru charon[3375]: 11[ENC] generating INFORMATIONAL_V1 request 1643143040 [ N(NO_PROP) ]
Jun 05 14:29:08 vkmarket.ru charon[3375]: 11[NET] sending packet: from 10.8.76.29[500] to 92.63.69.35[478] (40 bytes)
Jun 05 14:29:11 vkmarket.ru charon[3375]: 12[NET] received packet: from 92.63.69.35[478] to 10.8.76.29[500] (444 bytes)
Jun 05 14:29:11 vkmarket.ru charon[3375]: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jun 05 14:29:11 vkmarket.ru charon[3375]: 12[IKE] no IKE config found for 10.8.76.29...92.63.69.35, sending NO_PROPOSAL_CHOSEN
Jun 05 14:29:11 vkmarket.ru charon[3375]: 12[ENC] generating INFORMATIONAL_V1 request 2523483634 [ N(NO_PROP) ]
Jun 05 14:29:11 vkmarket.ru charon[3375]: 12[NET] sending packet: from 10.8.76.29[500] to 92.63.69.35[478] (40 bytes)
Jun 05 14:29:14 vkmarket.ru charon[3375]: 13[NET] received packet: from 92.63.69.35[478] to 10.8.76.29[500] (444 bytes)
Jun 05 14:29:14 vkmarket.ru charon[3375]: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jun 05 14:29:14 vkmarket.ru charon[3375]: 13[IKE] no IKE config found for 10.8.76.29...92.63.69.35, sending NO_PROPOSAL_CHOSEN
Jun 05 14:29:14 vkmarket.ru charon[3375]: 13[ENC] generating INFORMATIONAL_V1 request 3268885545 [ N(NO_PROP) ]
Jun 05 14:29:14 vkmarket.ru charon[3375]: 13[NET] sending packet: from 10.8.76.29[500] to 92.63.69.35[478] (40 bytes)
Jun 05 14:29:36 vkmarket.ru systemd[1]: sys-subsystem-net-devices-eth0.device: Job sys-subsystem-net-devices-eth0.device/start timed out.
Jun 05 14:29:36 vkmarket.ru systemd[1]: Timed out waiting for device sys-subsystem-net-devices-eth0.device.
-- Subject: Unit sys-subsystem-net-devices-eth0.device has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sys-subsystem-net-devices-eth0.device has failed.
--
-- The result is timeout.
Jun 05 14:29:36 vkmarket.ru systemd[1]: sys-subsystem-net-devices-eth0.device: Job sys-subsystem-net-devices-eth0.device/start failed with result 'timeout'.
Jun 05 14:29:36 vkmarket.ru systemd[1]: Startup finished in 19.348s (kernel) + 1min 30.912s (userspace) = 1min 50.261s.
-- Subject: System start-up is now complete
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- All system services necessary queued for starting at boot have been
-- successfully started. Note that this does not mean that the machine is
-- now idle as services might still be busy with completing start-up.
--
-- Kernel start-up required 19348529 microseconds.
--
-- Initial RAM disk start-up required INITRD_USEC microseconds.
--
-- Userspace start-up required 90912634 microseconds.
Jun 05 14:35:01 vkmarket.ru CRON[3950]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 05 14:35:01 vkmarket.ru CRON[3954]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jun 05 14:35:01 vkmarket.ru CRON[3950]: pam_unix(cron:session): session closed for user root
Jun 05 14:43:08 vkmarket.ru systemd[1]: Starting Cleanup of Temporary Directories...
-- Subject: Unit systemd-tmpfiles-clean.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit systemd-tmpfiles-clean.service has begun starting up.
Jun 05 14:43:08 vkmarket.ru systemd-tmpfiles[3979]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
Jun 05 14:43:08 vkmarket.ru systemd[1]: Started Cleanup of Temporary Directories.
-- Subject: Unit systemd-tmpfiles-clean.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit systemd-tmpfiles-clean.service has finished starting up.
--
-- The start-up result is done.

在您的日誌中,我看不到 xl2tpd 執行的證據,可能是服務未啟動或啟動失敗(配置錯誤?)。

試試這個設置,對我幫助很大(來源:strongSwan + xl2tpd VPN 伺服器:如何配置幾個配置文件?)

不要使用激進模式(aggressive mode),那樣連接會較不安全。無論如何請嘗試此配置;我在自己的 VPN 伺服器上搭配 strongswan-5.3.5 和 xl2tpd-1.3.6 使用它。

ipsec.conf

# /etc/ipsec.conf — strongSwan IKEv1/PSK responder for L2TP/IPsec clients
config setup
    cachecrls=yes
    # one IKE_SA per peer identity: a reconnecting client replaces its stale SA
    uniqueids=yes
    # empty string keeps the default log levels
    charondebug=""

# settings inherited by every conn below
conn %default
    keyingtries=%forever
    # dead peer detection: probe every 30 s, give up after 120 s of silence
    dpddelay=30s
    dpdtimeout=120s


conn L2TP
    dpdaction=clear
  #Server IP
    left=192.168.1.130
  #Server default gateway
  #NOTE(review): leftnexthop is an Openswan-era keyword; strongSwan routes via
  #the kernel and does not need it
    leftnexthop=192.168.1.254
    # L2TP control channel: UDP 1701 locally, any client source port (NAT)
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=0.0.0.0/0
    leftauth=psk
    rightauth=psk
    # identity presented to clients; must equal the first field in ipsec.secrets
    leftid="<insert-the-public-ip-here>"
    ikelifetime=1h
    keylife=8h
    # proposals are tried in order: AES-128/SHA-1 first, then MD5 and 3DES
    # entries that exist only for old clients — drop those once no client needs them
    # NOTE(review): the DH groups in esp= enforce PFS; if a client fails in
    # quick mode, verify it is PFS-capable or add a proposal without a group
    ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    # load at start and wait for clients to initiate
    auto=add
    keyexchange=ike
    # L2TP/IPsec runs over a transport-mode SA, not a tunnel
    type=transport

# disabled placeholders named after Openswan's opportunistic-encryption conns;
# presumably kept so leftover definitions elsewhere never become active
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

ipsec.secrets

# /etc/ipsec.secrets — group PSK; the first field must equal leftid in ipsec.conf
# NOTE(review): every client shares this one secret, so use a long random value
# and rotate it when a client is decommissioned
<insert-the-left-id-here> %any : PSK "<my-password>"

/etc/xl2tpd/xl2tpd.conf

; /etc/xl2tpd/xl2tpd.conf — L2TP daemon on top of the transport SA from ipsec.conf
[global]
; no SAref kernel support required
ipsec saref = no
; all daemon tracing off; enable selectively when troubleshooting
debug tunnel = no
debug avp = no
debug network = no
debug state = no


[lns default]
; pool handed out to clients; local ip is the server end of each PPP link
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
require authentication = yes
name = l2tp
; presumably hands the peer address on to pppd — confirm in xl2tpd.conf(5)
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
; NOTE(review): together with "login" in options.xl2tpd this checks peers
; against the system password database; confirm that is intended
unix authentication = yes

/etc/ppp/options.xl2tpd

# /etc/ppp/options.xl2tpd — pppd options for sessions started by xl2tpd
# accept the peer's idea of both link addresses
ipcp-accept-local
ipcp-accept-remote
# resolver pushed to clients; the server end of the link must answer DNS
ms-dns 10.0.0.1
# the peer must authenticate
# NOTE(review): no method is restricted here; add refuse-pap/refuse-chap or
# require-mschap-v2 if only MS-CHAPv2 should be accepted
auth
# drop sessions idle for 1800 s (30 min)
idle 1800
# keep PPP frames small enough to avoid fragmentation inside UDP/ESP
mtu 1200
mru 1200
# never replace the server's own default route with the client's
nodefaultroute
lock
proxyarp
# wait up to 5000 ms for the first valid PPP packet
connect-delay 5000
# local name matched against the server column in chap-secrets
name l2tpd
# interface name for the PPP unit
ifname l2tp
# NOTE(review): login checks peer credentials against the system password
# database as well — make sure that is intended
login

/etc/ppp/chap-secrets

# /etc/ppp/chap-secrets — fields: client  server  secret  IP-addresses
# one line per user; "*" in the server and address columns means any server
# name and any client address
username  *   "l2tppassword"  *

重啟兩個服務以載入上述設定

# reload both daemons after editing the files above
sudo service strongswan restart
sudo service xl2tpd restart

引用自:https://serverfault.com/questions/854043