Ubuntu

strongSwan + xl2tpd VPN server: how should the several configuration files be set up?

  • July 5, 2017

I set up my VPN server with strongSwan and xl2tpd on Ubuntu Server 16.04. After configuring it, I tried to connect from an iPad, but got the following error:

Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (788 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received NAT-T (RFC 3947) vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received FRAGMENTATION vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received DPD vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] 61.205.5.249 is initiating a Main Mode IKE_SA
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] generating ID_PROT response 0 [ SA V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (136 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (380 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] local host is behind NAT, sending keep alives
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] remote host is behind NAT
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (396 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] received packet: from 61.205.5.249[4500] to 192.168.193.3[4500] (108 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.193.3...61.205.5.249[100.75.130.131]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] generating INFORMATIONAL_V1 request 2960834334 [ HASH N(AUTH_FAILED) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] sending packet: from 192.168.193.3[4500] to 61.205.5.249[4500] (108 bytes)

I think the key point of the error is "found 1 matching config, but none allows pre-shared key authentication using Main Mode". Does anyone know how to fix this error?

I found an answer to this problem that suggested adding "aggressiveness=yes" to /etc/ipsec.conf and tried it, but it didn't work... (Maybe I added the "aggressiveness=yes" line in the wrong place... I'm a Linux beginner...)


I set up the configuration files by following this site: http://qiita.com/namoshika/items/30c348b56474d422ef64 (sorry, it's written in Japanese... I think you can at least read the code parts.)


I would be grateful if someone could point me to reliable instructions for setting up an L2TP/IPsec VPN server on Ubuntu 16.04.

Don't use aggressive mode; the connection will be less secure. Anyway, try this configuration. I use it on my VPN server with strongswan-5.3.5 and xl2tpd-1.3.6.

ipsec.conf

config setup
   cachecrls=yes
   uniqueids=yes
   charondebug=""

conn %default
   keyingtries=%forever
   dpddelay=30s
   dpdtimeout=120s


conn L2TP
   dpdaction=clear
   #Server IP
   left=192.168.1.130
   #Server default gateway
   leftnexthop=192.168.1.254
   leftprotoport=17/1701
   rightprotoport=17/%any
   right=%any
   rightsubnet=0.0.0.0/0
   leftauth=psk
   rightauth=psk
   leftid="<insert-the-public-ip-here>"
   ikelifetime=1h
   keylife=8h
   ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
   esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
   auto=add
   keyexchange=ike
   type=transport

conn block
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear-or-private
   auto=ignore
conn clear
   auto=ignore
conn packetdefault
   auto=ignore

ipsec.secrets

<insert-the-left-id-here> %any : PSK "<my-password>"

/etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no


[lns default]
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
require authentication = yes
name = l2tp
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes

/etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
auth
idle 1800
mtu 1200
mru 1200
nodefaultroute
lock
proxyarp
connect-delay 5000
name l2tpd
ifname l2tp
login

/etc/ppp/chap-secrets

username    *   "l2tppassword"  *

Restart the services

sudo service strongswan restart
sudo service xl2tpd restart
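As an added example (not part of the answer above, and not strongSwan's own code), the Python lint below parses an ipsec.conf / ipsec.secrets pair the way strongSwan's starter reads it (column-0 `conn` sections, indented key=value settings, `conn %default` inherited by every conn) and flags the settings that produce the asker's "found 1 matching config, but none allows pre-shared key authentication using Main Mode" failure: a matched conn with neither `leftauth=psk`/`rightauth=psk` nor `authby=secret`, a missing PSK line for the server's left id, and the aggressive-mode trap that the answer warns against. The two sample configs, the 203.0.113.10 address and all function names are constructed for the example; `also=` and `include` directives are not handled.

```python
"""Lint a strongSwan ipsec.conf/ipsec.secrets pair for L2TP/IPsec with PSK.

Constructed example: the configs and the 203.0.113.10 id are made up for this
demo; the second config deliberately drops the PSK lines to show the check fire.
"""
import re

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")
# ipsec.secrets entry:  <selector> [<selector> ...] : PSK "secret"
SECRET_RE = re.compile(r'^\s*(?P<selectors>[^:]*?)\s*:\s*PSK\s+(?P<secret>"[^"]*"|\S+)\s*$')

SAMPLE_SECRETS = '203.0.113.10 %any : PSK "<my-password>"\n'

# Same shape as the answer's conn (constructed, trimmed to the relevant keys).
SAMPLE_CONF = """\
config setup
   uniqueids=yes

conn %default
   keyingtries=%forever
   dpddelay=30s

conn L2TP
   #Server IP
   left=192.168.1.130
   leftid=203.0.113.10
   leftprotoport=17/1701
   rightprotoport=17/%any
   right=%any
   rightsubnet=0.0.0.0/0
   leftauth=psk
   rightauth=psk
   keyexchange=ike
   type=transport
   auto=add
"""

# The same conn with no PSK authentication configured at all: when an IKEv1
# Main Mode client arrives, charon matches the conn by address but logs
# "found 1 matching config, but none allows pre-shared key authentication
# using Main Mode" and answers with AUTH_FAILED, as in the asker's log.
BROKEN_CONF = SAMPLE_CONF.replace("   leftauth=psk\n   rightauth=psk\n", "")


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m and not raw[0].isspace():            # section headers start in column 0
            current = m.group(2)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unparseable line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value.strip('"')
    return sections


def resolve_conn(sections, name):
    """Merge 'conn %default' into the named conn; explicit settings win."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def lint_l2tp_conn(conn):
    """Problems that stop an iOS/Windows L2TP/IPsec client from authenticating with a PSK."""
    problems = []
    has_psk = (conn.get("authby") == "secret"
               or (conn.get("leftauth") == "psk" and conn.get("rightauth") == "psk"))
    if not has_psk:
        problems.append("no PSK authentication: set leftauth=psk/rightauth=psk (or authby=secret)")
    if conn.get("aggressive", "no") == "yes":
        # Aggressive Mode sends the PSK-derived hash unencrypted: offline dictionary attacks.
        problems.append("aggressive=yes exposes the PSK hash to offline cracking; keep Main Mode")
    if conn.get("keyexchange", "ike") == "ikev2":
        problems.append("keyexchange=ikev2 rejects the IKEv1 Main Mode that L2TP/IPsec clients use")
    if conn.get("type", "tunnel") != "transport":
        problems.append("L2TP/IPsec needs type=transport")
    if conn.get("leftprotoport", "") not in ("17/1701", "udp/1701", "udp/l2tp"):
        problems.append("leftprotoport should select UDP 1701 (17/1701)")
    if conn.get("right", "") != "%any":
        problems.append("right=%any is needed to accept clients from any address")
    return problems


def find_psk(secrets_text, local_id):
    """Return the PSK usable for local_id against any peer, or None.

    Simplified selection: a line with no selectors, a %any selector, or the local
    id among its selectors matches. (Real charon also matches the peer id.)
    """
    for raw in secrets_text.splitlines():
        m = SECRET_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        selectors = m.group("selectors").split()
        if not selectors or "%any" in selectors or local_id in selectors:
            return m.group("secret").strip('"')
    return None


def lint_config(conf_text, secrets_text, conn_name="L2TP"):
    """Combine the conn checks with the ipsec.secrets lookup for the server's left id."""
    conn = resolve_conn(parse_ipsec_conf(conf_text), conn_name)
    problems = lint_l2tp_conn(conn)
    left_id = conn.get("leftid", conn.get("left", ""))
    if find_psk(secrets_text, left_id) is None:
        problems.append(f"no PSK in ipsec.secrets for left id {left_id}")
    return problems


if __name__ == "__main__":
    for label, conf in (("answer-style conn", SAMPLE_CONF), ("conn without PSK auth", BROKEN_CONF)):
        problems = lint_config(conf, SAMPLE_SECRETS)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against your own files with `lint_config(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read())`; a clean result does not prove the proposals in `ike=`/`esp=` suit the client, only that the PSK Main Mode path the asker's log stalled on is configured.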

Source: https://serverfault.com/questions/840586