Ubuntu
strongSwan + xl2tpd VPN server: how do I configure the various config files?
I set up my VPN server on Ubuntu Server 16.04 with strongSwan and xl2tpd. After configuring it, I tried to connect from an iPad, but got the following error:
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (788 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received NAT-T (RFC 3947) vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received FRAGMENTATION vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received DPD vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] 61.205.5.249 is initiating a Main Mode IKE_SA
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] generating ID_PROT response 0 [ SA V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (136 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (380 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] local host is behind NAT, sending keep alives
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] remote host is behind NAT
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (396 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] received packet: from 61.205.5.249[4500] to 192.168.193.3[4500] (108 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.193.3...61.205.5.249[100.75.130.131]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] generating INFORMATIONAL_V1 request 2960834334 [ HASH N(AUTH_FAILED) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] sending packet: from 192.168.193.3[4500] to 61.205.5.249[4500] (108 bytes)
I think the key part of the error is "found 1 matching config, but none allows pre-shared key authentication using Main Mode". Does anyone know how to fix this error?
I found an answer to this question suggesting that "aggressiveness=yes" be added to /etc/ipsec.conf and tried it, but it didn't work... (Maybe I added the "aggressiveness=yes" line in the wrong place... I'm a Linux beginner...)
I set up the config files following this site: http://qiita.com/namoshika/items/30c348b56474d422ef64 (sorry, it's written in Japanese... I think you can at least read the code parts.)
I would be grateful if someone could point me to reliable instructions for setting up a VPN server with L2TP/IPsec on Ubuntu 16.04.
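Added example (not part of the question above): a small triage script for charon log lines of the kind quoted in the question. It pulls out the peer address, whether the peer proposed Main or Aggressive Mode, whether NAT-T was detected, and the reason strongSwan gave just before sending N(AUTH_FAILED). The sample log is a constructed excerpt in the same syslog format; the message texts are the ones charon actually emits.

```python
import re

# Constructed sample in the syslog/charon format shown in the question.
SAMPLE_LOG = """\
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] 61.205.5.249 is initiating a Main Mode IKE_SA
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] remote host is behind NAT
Mar 26 02:22:13 myname-ubuntu-server charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.193.3...61.205.5.249[100.75.130.131]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] generating INFORMATIONAL_V1 request 2960834334 [ HASH N(AUTH_FAILED) ]
"""

# charon lines look like: "charon: <thread>[<SUBSYSTEM>] <message>"
LINE_RE = re.compile(r'charon: (?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$')
INIT_RE = re.compile(r'(\S+) is initiating an? (Main|Aggressive) Mode IKE_SA')


def parse_charon(text):
    """Yield (subsystem, message) for each charon line; ignore unrelated syslog lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group('subsys'), m.group('msg')


def triage(text):
    """Summarise one IKEv1 negotiation attempt from a charon log excerpt."""
    result = {'peer': None, 'mode': None, 'nat': False,
              'auth_failed': False, 'reason': None}
    for subsys, msg in parse_charon(text):
        m = INIT_RE.match(msg)
        if m:
            result['peer'], result['mode'] = m.group(1), m.group(2)
        if 'behind NAT' in msg:
            result['nat'] = True
        if 'N(AUTH_FAILED)' in msg:
            result['auth_failed'] = True
        # The line explaining why no config matched comes from the IKE subsystem
        # right before the AUTH_FAILED notify is generated.
        if subsys == 'IKE' and msg.startswith('found') and 'none allows' in msg:
            result['reason'] = msg
    return result


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key:12} {value}')
```

The useful output here is the "reason" field: it tells you the failure is on the server's configuration side (no conn permits PSK in Main Mode), not a wrong password, so the fix belongs in ipsec.conf rather than ipsec.secrets.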
Don't use aggressive mode; the connection will be less secure. Anyway, try this configuration. I use it on my VPN server with strongswan-5.3.5 and xl2tpd-1.3.6.
ipsec.conf
config setup
    cachecrls=yes
    uniqueids=yes
    charondebug=""

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s

conn L2TP
    dpdaction=clear
    # Server IP
    left=192.168.1.130
    # Server default gateway
    leftnexthop=192.168.1.254
    # L2TP runs over UDP/1701; the client's source port may be anything
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=0.0.0.0/0
    # Pre-shared key authentication on both sides (Main Mode, not aggressive)
    leftauth=psk
    rightauth=psk
    leftid="<insert-the-public-ip-here>"
    ikelifetime=1h
    keylife=8h
    ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    auto=add
    keyexchange=ike
    # L2TP/IPsec uses transport mode; L2TP carries the tunnel
    type=transport

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
ipsec.secrets
<insert-the-left-id-here> %any : PSK "<my-password>"
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no

[lns default]
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
require authentication = yes
name = l2tp
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes
/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
auth
idle 1800
mtu 1200
mru 1200
nodefaultroute
lock
proxyarp
connect-delay 5000
name l2tpd
ifname l2tp
login
/etc/ppp/chap-secrets
username * "l2tppassword" *
Restart the services
sudo service strongswan restart
sudo service xl2tpd restart
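Added example (not part of the answer above, and not a strongSwan tool): a checker that parses an ipsec.conf in the layout used in this answer, merges `conn %default` into the L2TP conn the way strongSwan does, and reports the settings that produce the question's "none allows pre-shared key authentication using Main Mode" error or weaken the tunnel: missing PSK authentication, `aggressive=yes`, a non-transport type, a wrong `leftprotoport`, and proposals that still include MD5, 3DES or small MODP groups. The sample config is constructed; the conn name `L2TP` and the keyword names are the standard strongSwan ipsec.conf ones.

```python
import re

# Constructed sample in the same shape as the answer's ipsec.conf (not copied from a live server).
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyingtries=%forever   # applies to every conn below

conn L2TP
    keyexchange=ike
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    leftauth=psk
    rightauth=psk
    ike=aes128-sha1-modp1536,3des-md5-modp1024
    esp=aes128-sha1
    auto=add
"""

# Primitives a practitioner would flag in a 2016-era L2TP/IPsec proposal list.
LEGACY = ('md5', '3des', 'modp1024', 'modp768')


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; headers are unindented lines
    such as 'config setup' or 'conn L2TP', settings are indented key=value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header
            current = line.strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition('=')
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """strongSwan applies 'conn %default' first, then the named conn overrides it."""
    merged = dict(sections.get('conn %default', {}))
    merged.update(sections.get(f'conn {name}', {}))
    return merged


def check_l2tp_conn(sections, name='L2TP'):
    """Return a list of findings for the named conn; empty list means nothing flagged."""
    c = effective_conn(sections, name)
    findings = []
    # Either authby=secret or leftauth/rightauth=psk enables PSK in Main Mode.
    psk = c.get('authby') == 'secret' or (
        c.get('leftauth') == 'psk' and c.get('rightauth') == 'psk')
    if not psk:
        findings.append('no PSK authentication: set leftauth=psk and rightauth=psk (or authby=secret)')
    if c.get('aggressive', 'no') == 'yes':
        findings.append('aggressive=yes: PSK identity hash travels unprotected, keep Main Mode')
    if c.get('type') != 'transport':
        findings.append('L2TP/IPsec needs type=transport')
    if c.get('leftprotoport') != '17/1701':
        findings.append('leftprotoport should be 17/1701 (UDP port 1701 for L2TP)')
    for key in ('ike', 'esp'):
        weak = [p for p in c.get(key, '').split(',') if any(w in p for w in LEGACY)]
        if weak:
            findings.append(f'{key} proposals use legacy primitives: {", ".join(weak)}')
    return findings


if __name__ == '__main__':
    for f in check_l2tp_conn(parse_ipsec_conf(SAMPLE_IPSEC_CONF)) or ['no findings']:
        print('-', f)
```

Run it against /etc/ipsec.conf before restarting strongswan: a conn that lacks the PSK lines is exactly the case the question's log reports, and the proposal check shows which of the answer's `ike=`/`esp=` entries exist only for old clients and can be dropped once your devices negotiate the AES/SHA1/modp1536 entries.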