Vpn
L2TP VPN connection not working - PAYLOAD_MALFORMED
I am trying to replace an old VMware server (ESXi 5.1.0) with a new one (ESXi 6.7.0), and to do that we are trying to replicate the old server's setup. We have another physical server that needs to connect to the virtual server.
So I am trying to set up a VPN connection over L2TP between a Windows 2012R2 server (client) and a Vyatta router.
**Update:** We are now trying with the latest version of the VyOS router, but the result is the same.
I have done this many times before, and this time I am simply copying the settings on both sides from an already working solution, but for some reason this time it just does not want to connect.
The same server already connects successfully to two other VPNs with the same settings, also using L2TP and Vyatta routers.
On the Vyatta side I can see the following errors in the log:
```
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: received Vendor ID payload [RFC 3947]
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [IKE CGA version 1]
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: responding to Main Mode from unknown peer XX.YYY.ZZZ.86
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Apr 5 10:34:56 vyatta kernel: [262404.703564] [NAT-DST-2] IN=eth1 OUT= MAC=00:0c:29:0f:29:52:00:22:bd:f8:19:zz:08:00 SRC=XX.YYY.ZZZ.86 DST=VVV.MMM.WW.168 LEN=436 TOS=0x00 PREC=0x00 TTL=126 ID=28719 PROTO=UDP SPT=500 DPT=500 LEN=416
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: NAT-Traversal: Result using RFC 3947: no NAT detected
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:34:58 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:34:58 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 5 10:34:58 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:35:01 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:35:01 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 5 10:35:01 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:35:08 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:35:08 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 5 10:35:08 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:35:23 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:35:23 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 5 10:35:23 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:35:38 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:35:38 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 5 10:35:38 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:36:06 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 5 10:36:06 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86: deleting connection "remote-access-mac-zzz" instance with peer XX.YYY.ZZZ.86 {isakmp=#0/ipsec=#0}
```
In the log it says "next payload type of ISAKMP Identification Payload has an unknown value: 77", and the value is different for every connection attempt.
There is not much in the log on the Windows side. It just keeps counting seconds without ever finishing.
```
Log Name:      Application
Source:        RasClient
Date:          05/04/2019 10:34:56
Event ID:      20221
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      *******.******.local
Description:
CoId={104D3F70-1CB1-40A1-A229-7F7E5A943E64}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named ZZZZZZZ. The connection settings are:
Dial-in User = ******
VpnStrategy = L2TP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = CHAP/MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Phonebook Entry
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = No
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key.

Log Name:      Application
Source:        RasClient
Date:          05/04/2019 10:34:56
Event ID:      20222
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      *******.******.local
Description:
CoId={104D3F70-1CB1-40A1-A229-7F7E5A943E64}: The user SYSTEM is trying to establish a link to the Remote Access Server for the connection named ZZZZZZZ using the following device:
Server address/Phone Number = VVV.MMM.WW.168
Device = WAN Miniport (L2TP)
Port = VPN0-3
MediaType = VPN.
```
Here is the configuration of the Vyatta router:
```
interfaces {
    ethernet eth0 {
        address 192.168.1.254/24
        duplex auto
        hw-id 00:0c:29:0f:29:48
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address VVV.MMM.WW.168/24
        duplex auto
        hw-id 00:0c:29:0f:29:52
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 2 {
            description "IPSEC TUNNELING PORT 500"
            destination {
                port 500
            }
            inbound-interface eth1
            log enable
            protocol tcp_udp
            translation {
                port 500
            }
        }
        rule 3 {
            description "IPSEC TUNNELING PORT 4500"
            destination {
                port 4500
            }
            inbound-interface eth1
            log enable
            protocol tcp_udp
            translation {
                port 4500
            }
        }
        rule 4 {
            description "VPN CLIENT TUNNELING PORT 1701"
            destination {
                port 1701
            }
            inbound-interface eth1
            log enable
            protocol tcp_udp
            translation {
                port 1701
            }
        }
    }
    source {
        rule 10 {
            description "OUTSIDE CONNECTION"
            outbound-interface eth1
            source {
                address 192.168.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    rip {
        network 192.168.1.0/24
    }
    static {
        route 10.1.1.0/24 {
            next-hop 192.168.1.1 {
            }
        }
        route 192.168.2.0/24 {
            next-hop 192.168.1.1 {
            }
        }
        route 192.168.3.0/24 {
            next-hop 192.168.1.1 {
            }
        }
    }
}
service {
    ssh {
        disable-password-authentication
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
    }
    gateway-address VVV.MMM.WW.1
    host-name vyatta
    login {
        user vyatta {
            authentication {
                encrypted-password ****************
                public-keys vyatta@vyatta {
                    key ****************
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 192.168.1.2
    name-server 192.168.3.2
    ntp {
        server 0.vyatta.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ****************
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network 10.1.1.0/24 {
            }
            allowed-network 192.168.1.0/24 {
            }
            allowed-network 192.168.2.0/24 {
            }
            allowed-network 192.168.3.0/24 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username XYZ {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.1.100
                stop 192.168.1.110
            }
            dns-servers {
                server-1 192.168.1.2
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            outside-address VVV.MMM.WW.168
            outside-nexthop 0.0.0.0
        }
    }
}
```
What I know and have already tried:
- Checked the pre-shared secret and the authentication many times, re-entered them several times; I am 100% sure that is not the problem.
- Read somewhere that NAT can mess up the packets, but there is no NAT (as far as I can see) and nat-traversal is enabled.
- Tried changing the network adapter on the virtual router, tried every possible option, and the same error occurs.
- This setup is an exact copy of the two other working connections. Checked the config many times for typos, wrong IP addresses, etc.
If you know what could be causing this, please let me know.
I would really appreciate any hints, ideas, or even guesses about what I could check. :)
Thanks.
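The pluto lines above are the only hard evidence in this thread, so here is a small triage script (added here; it is not part of the question, the answer, or Vyatta/VyOS) that parses them per IKE SA and explains the "unknown value: 77" symptom. The sample log, the function names `triage_pluto` and `diagnose`, and the heuristic that a next-payload byte changing on every retry means the ID payload could not be decrypted (main-mode messages 5/6 are encrypted with keys derived from the PSK) are all my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the question
# (the "unknown value" changes on every retry, as the asker observed).
SAMPLE_LOG = """\
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: NAT-Traversal: Result using RFC 3947: no NAT detected
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr 5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 193
Apr 5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr 5 10:36:06 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# Only the per-SA lines matter: pluto[pid]: "conn"[n] peer #sa: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')


def diagnose(sa):
    """Name the most likely cause of one failed IKEv1 main-mode exchange (heuristic)."""
    vals = sa["id_next_payload"]
    if not vals:
        return "no ID-payload error" if sa["malformed"] == 0 else "malformed payload, cause unclear"
    # Main-mode messages 5/6 are encrypted with keys derived from the PSK. A next-payload
    # byte that differs on every retry means the decrypted ID payload is garbage: the two
    # sides derived different keys (PSK mismatch, or a broken client stack as in the thread).
    if len(set(vals)) > 1:
        return "phase-1 keys differ (PSK mismatch or broken client): ID payload undecryptable"
    return "same bad next-payload value each time: peer sends a genuinely malformed ID payload"


def triage_pluto(log_text):
    """Summarise each (peer, SA) seen in the log and attach a diagnosis."""
    sas = defaultdict(lambda: {"refused": [], "nat": None, "id_next_payload": [],
                               "malformed": 0, "last_state": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa, msg = sas[(m["peer"], int(m["sa"]))], m["msg"]
        if msg.endswith("refused due to strict flag"):  # proposals rejected before the accepted one
            sa["refused"].append(msg.split("[", 1)[1].split("]", 1)[0])
        elif msg.startswith("NAT-Traversal: Result"):
            sa["nat"] = "no NAT detected" not in msg
        elif "Identification Payload has an unknown value" in msg:
            sa["id_next_payload"].append(int(msg.rsplit(":", 1)[1]))
        elif "notification PAYLOAD_MALFORMED" in msg:
            sa["malformed"] += 1
        elif "max number of retransmissions" in msg:
            sa["last_state"] = msg.rsplit(" ", 1)[1]
    return {key: dict(sa, verdict=diagnose(sa)) for key, sa in sas.items()}
```

Feed it the real log with `triage_pluto(open("/var/log/messages").read())`; a stable "unknown value" across retries is the case where looking at the client's packet bytes is worthwhile, a changing one is not.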
The solution was to restart the Windows server...
After three weeks of struggling it is now working, and I did not change any configuration on the Vyatta or the Windows server.
We tried many different things, different virtual routers, different protocols, etc., but none of it worked.
My observations and tips for anyone with the same or a similar problem (and for my future self):
- The Windows Routing and Remote Access module is full of bugs; many times it just does not work for no reason, and there is no debug message that tells you why. If you have any other option, use that instead.
- If you create a new dial-up connection and it does not work, delete it and create it again with a different name. For some reason the different name matters. Sometimes the previous connections remain in the registry and elsewhere even after deleting them, and throw the same error after 4 seconds or some cryptic error like "the interface has been disconnected" without any log.
- Restarting the services helps, but not always. If you are lucky enough to be able to restart the whole server, try that.
- Two L2TP connections were fine, but three did not work for me.
- The way ports are allocated is strange; initially we had five L2TP ports and the server chose the last two (maybe the first 3 connections failed... I am just guessing here). For us it helped to increase the number of ports to 10. If you cannot increase the number of ports in the UI (because of another bug), do it in the registry and restart the server (again, restarting the services will not do the trick).