Vpn

L2TP VPN connection not working - PAYLOAD_MALFORMED

  • April 23, 2019

I am trying to replace an old VMware server (ESXi 5.1.0) with a new one (ESXi 6.7.0), and to do that we are trying to replicate the old server's setup. We have another physical server that needs to connect to the virtual server.

So I am trying to establish a VPN connection over L2TP between a Windows 2012R2 server (client) and a Vyatta router.

**Update:** we are now trying with the latest version of the VyOS router, but the result is the same.

I have done this many times before, and this time I am just copying the settings on both sides from an already working solution, but somehow this time it just does not want to connect.

The same server already connects successfully to two other VPNs with the same setup, also using L2TP and Vyatta routers.

On the Vyatta side I can see the following error in the log:

Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: received Vendor ID payload [RFC 3947]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: ignoring Vendor ID payload [IKE CGA version 1]
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: responding to Main Mode from unknown peer XX.YYY.ZZZ.86
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Apr  5 10:34:56 vyatta kernel: [262404.703564] [NAT-DST-2] IN=eth1 OUT= MAC=00:0c:29:0f:29:52:00:22:bd:f8:19:zz:08:00 SRC=XX.YYY.ZZZ.86 DST=VVV.MMM.WW.168 LEN=436 TOS=0x00 PREC=0x00 TTL=126 ID=28719 PROTO=UDP SPT=500 DPT=500 LEN=416
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: NAT-Traversal: Result using RFC 3947: no NAT detected
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:34:58 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:34:58 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:34:58 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:35:01 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:35:01 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:35:01 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:35:08 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:35:08 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:35:08 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:35:23 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:35:23 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:35:23 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:35:38 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:35:38 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:35:38 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:36:06 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: max number of retransmissions (2) reached STATE_MAIN_R2
Apr  5 10:36:06 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86: deleting connection "remote-access-mac-zzz" instance with peer XX.YYY.ZZZ.86 {isakmp=#0/ipsec=#0}

In the log it says "next payload type of ISAKMP Identification Payload has an unknown value: 77", and the value is different for each connection.

There is not much on the Windows side in the log. It just counts seconds without ever finishing.

Log Name:      Application
Source:        RasClient
Date:          05/04/2019 10:34:56
Event ID:      20221
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      *******.******.local
Description:
CoId={104D3F70-1CB1-40A1-A229-7F7E5A943E64}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named ZZZZZZZ. The connection settings are: 
Dial-in User = ******
VpnStrategy = L2TP
DataEncryption = Require
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = CHAP/MS-CHAPv2 
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Phonebook Entry
Ipv4DNSServerAssignment = By Phonebook Entry
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = 
IpNBTEnabled = No
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key.

Log Name:      Application
Source:        RasClient
Date:          05/04/2019 10:34:56
Event ID:      20222
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      *******.******.local
Description:
CoId={104D3F70-1CB1-40A1-A229-7F7E5A943E64}: The user SYSTEM is trying to establish a link to the Remote Access Server for the connection named ZZZZZZZ using the following device: 
Server address/Phone Number = VVV.MMM.WW.168
Device = WAN Miniport (L2TP)
Port = VPN0-3
MediaType = VPN.

This is the configuration of the Vyatta router:

interfaces {
   ethernet eth0 {
       address 192.168.1.254/24
       duplex auto
       hw-id 00:0c:29:0f:29:48
       smp_affinity auto
       speed auto
   }
   ethernet eth1 {
       address VVV.MMM.WW.168/24
       duplex auto
       hw-id 00:0c:29:0f:29:52
       smp_affinity auto
       speed auto
   }
   loopback lo {
   }
}
nat {
   destination {
       rule 2 {
           description "IPSEC TUNNELING PORT 500"
           destination {
               port 500
           }
           inbound-interface eth1
           log enable
           protocol tcp_udp
           translation {
               port 500
           }
       }
       rule 3 {
           description "IPSEC TUNNELING PORT 4500"
           destination {
               port 4500
           }
           inbound-interface eth1
           log enable
           protocol tcp_udp
           translation {
               port 4500
           }
       }
       rule 4 {
           description "VPN CLIENT TUNNELING PORT 1701"
           destination {
               port 1701
           }
           inbound-interface eth1
           log enable
           protocol tcp_udp
           translation {
               port 1701
           }
       }
   }
   source {
       rule 10 {
           description "OUTSIDE CONNECTION"
           outbound-interface eth1
           source {
               address 192.168.1.0/24
           }
           translation {
               address masquerade
           }
       }
   }
}
protocols {
   rip {
       network 192.168.1.0/24
   }
   static {
       route 10.1.1.0/24 {
           next-hop 192.168.1.1 {
           }
       }
       route 192.168.2.0/24 {
           next-hop 192.168.1.1 {
           }
       }
       route 192.168.3.0/24 {
           next-hop 192.168.1.1 {
           }
       }
   }
}
service {
   ssh {
       disable-password-authentication
       port 22
   }
}
system {
   config-management {
       commit-revisions 20
   }
   console {
   }
   gateway-address VVV.MMM.WW.1
   host-name vyatta
   login {
       user vyatta {
           authentication {
               encrypted-password ****************
               public-keys vyatta@vyatta {
                   key ****************
                   type ssh-rsa
               }
           }
           level admin
       }
   }
   name-server 8.8.8.8
   name-server 192.168.1.2
   name-server 192.168.3.2
   ntp {
       server 0.vyatta.pool.ntp.org {
       }
   }
   package {
       auto-sync 1
       repository community {
           components main
           distribution stable
           password ****************
           url http://packages.vyatta.com/vyatta
           username ""
       }
   }
   syslog {
       global {
           facility all {
               level notice
           }
           facility protocols {
               level debug
           }
       }
   }
   time-zone GMT
}
vpn {
   ipsec {
       ipsec-interfaces {
           interface eth1
       }
       nat-networks {
           allowed-network 10.1.1.0/24 {
           }
           allowed-network 192.168.1.0/24 {
           }
           allowed-network 192.168.2.0/24 {
           }
           allowed-network 192.168.3.0/24 {
           }
       }
       nat-traversal enable
   }
   l2tp {
       remote-access {
           authentication {
               local-users {
                   username XYZ {
                       password ****************
                   }
               }
               mode local
           }
           client-ip-pool {
               start 192.168.1.100
               stop 192.168.1.110
           }
           dns-servers {
               server-1 192.168.1.2
           }
           ipsec-settings {
               authentication {
                   mode pre-shared-secret
                   pre-shared-secret ****************
               }
               ike-lifetime 3600
           }
           outside-address VVV.MMM.WW.168
           outside-nexthop 0.0.0.0
       }
   }
}

What I know and have tried:

  • Checked the pre-shared secret and authentication multiple times, re-entered it multiple times; I am 100% sure that is not the problem.
  • Read somewhere that NAT can mess up the packets, but there is no NAT (as far as I know) and nat-traversal is enabled.
  • Tried changing the network adapter on the virtual router, tried all possible options, the same error occurs.
  • This setup is an exact copy of the two other working connections. Checked the configuration multiple times for typos, wrong IP addresses, etc.

If you know what could cause this, please let me know.

I would really appreciate any hints, ideas, or even guesses about what I could check. :)

Thanks.
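As an added example (not code from the original post or from Vyatta/VyOS), here is a small Python triage script that parses the pluto lines quoted above and reports at which Main Mode stage the exchange died. The embedded sample log is a constructed, trimmed copy of the question's log; the assessment texts are my reading of pluto's messages, not anything the post itself states.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the pluto lines quoted in the question
# (peer addresses redacted exactly as in the post; the kernel NAT line is kept
# to show that non-pluto lines are skipped).
SAMPLE_LOG = """\
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Apr  5 10:34:56 vyatta pluto[3061]: packet from XX.YYY.ZZZ.86:500: received Vendor ID payload [RFC 3947]
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: responding to Main Mode from unknown peer XX.YYY.ZZZ.86
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Apr  5 10:34:56 vyatta kernel: [262404.703564] [NAT-DST-2] IN=eth1 OUT= SRC=XX.YYY.ZZZ.86 DST=VVV.MMM.WW.168 PROTO=UDP SPT=500 DPT=500
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: NAT-Traversal: Result using RFC 3947: no NAT detected
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:34:56 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: next payload type of ISAKMP Identification Payload has an unknown value: 77
Apr  5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr  5 10:34:57 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: sending encrypted notification PAYLOAD_MALFORMED to XX.YYY.ZZZ.86:500
Apr  5 10:36:06 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86 #6: max number of retransmissions (2) reached STATE_MAIN_R2
Apr  5 10:36:06 vyatta pluto[3061]: "remote-access-mac-zzz"[6] XX.YYY.ZZZ.86: deleting connection "remote-access-mac-zzz" instance with peer XX.YYY.ZZZ.86 {isakmp=#0/ipsec=#0}
"""

# Syslog prefix written by pluto: "Mon DD HH:MM:SS host pluto[pid]: message"
PLUTO_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$')
# Per-connection message: "conn"[instance] peer [#sa]: body
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<body>.*)$')
REFUSED_RE = re.compile(r'Oakley Transform \[(?P<transform>[^\]]+)\] refused due to strict flag')
NAT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>[^:]+): (?P<result>.+)')
UNKNOWN_RE = re.compile(r'next payload type of ISAKMP (?P<payload>.+?) has an unknown value: (?P<value>\d+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((?P<n>\d+)\) reached (?P<state>\S+)')


def assess(report):
    """Map the collected evidence to a stage-of-failure code and a plain-language reading."""
    if report['isakmp_sa'] is None:
        return {'code': 'no-isakmp-sa',
                'reading': 'pluto never created an ISAKMP SA: check that UDP/500 reaches the '
                           'responder and that a connection definition matches this peer'}
    if report['no_proposal_chosen']:
        return {'code': 'no-proposal-chosen',
                'reading': 'none of the offered IKE transforms matched the configured proposal'}
    if (report['malformed_notifications'] and report['unknown_next_payload']
            and report['gave_up_in_state'] == 'STATE_MAIN_R2'):
        return {'code': 'id-payload-undecryptable',
                'reading': 'proposal and key exchange succeeded (responder reached STATE_MAIN_R2 and '
                           'NAT detection ran), then the first encrypted packet, the peer\'s '
                           'Identification payload, did not decrypt to a valid payload header. With '
                           'a wrong PSK-derived key the plaintext is effectively random, which is why '
                           'the "unknown value" differs per attempt. Verify the pre-shared secret on '
                           'both ends; if it is known-good, suspect the client\'s IKE implementation '
                           'rather than the responder configuration'}
    return {'code': 'unclassified', 'reading': 'no known pattern matched; read the SA lines in order'}


def triage_ike_phase1(text):
    """Summarise one IKEv1 Main Mode attempt from pluto log text and assess where it failed."""
    report = {'connection': None, 'peer': None, 'isakmp_sa': None,
              'refused_transforms': [], 'nat_detection': None, 'no_proposal_chosen': False,
              'malformed_notifications': 0, 'unknown_next_payload': Counter(),
              'gave_up_in_state': None, 'assessment': None}
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # kernel NAT logging etc. is not part of the IKE exchange
        sa = SA_RE.match(m.group('msg'))
        if not sa:
            continue  # pre-SA lines ("packet from ...: received Vendor ID ...")
        body = sa.group('body')
        report['connection'] = sa.group('conn')
        report['peer'] = sa.group('peer')
        if sa.group('sa'):
            report['isakmp_sa'] = int(sa.group('sa'))
        if (r := REFUSED_RE.search(body)):
            report['refused_transforms'].append(r.group('transform'))
        elif (n := NAT_RE.search(body)):
            report['nat_detection'] = n.group('result')
        elif (u := UNKNOWN_RE.search(body)):
            report['unknown_next_payload'][int(u.group('value'))] += 1
        elif 'PAYLOAD_MALFORMED' in body:
            report['malformed_notifications'] += 1
        elif 'NO_PROPOSAL_CHOSEN' in body:
            report['no_proposal_chosen'] = True
        elif (t := RETRANS_RE.search(body)):
            report['gave_up_in_state'] = t.group('state')
    report['assessment'] = assess(report)
    return report


if __name__ == '__main__':
    for key, value in triage_ike_phase1(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

The signal worth reading in this log is the combination of "no NAT detected" (the responder got as far as the key-exchange stage) with PAYLOAD_MALFORMED and retransmissions in STATE_MAIN_R2: the responder received the first encrypted Main Mode packet and could not parse it. The "refused due to strict flag" lines are only the extra transforms the Windows client offered; negotiation continued past them, so they are not the cause here.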

The solution was to restart the Windows server…

After three weeks of struggling it is now working, and I did not change any configuration on the Vyatta or the Windows server.

We tried many different things, different virtual routers, different protocols, etc., but none of it worked.

My observations and tips for anyone with the same or a similar problem (also for my future self):

  • The Windows Remote Access and Routing module is full of bugs; many times it just does not work for no reason, and there are no debug messages to tell you why. If you have any other option, use that instead.
  • If you create a new dial-up connection and it does not work, delete it and create it with a different name. For some reason the different name matters. Sometimes the previous connections remain in the registry and elsewhere even after deleting them, and throw the same error after 4 seconds, or some cryptic error like "interface is disconnected" without any log.
  • Restarting the service helps, but not always. If you are lucky enough to be able to restart the whole server, try that.
  • Two L2TP connections were fine, but three did not work for me.
  • The ports are assigned in a strange way; originally we had five L2TP ports and the server picked the last two (probably the first 3 connections failed… I am just guessing here). For us it helped to increase the number of ports to 10. If you cannot increase the number of ports in the UI (because of another bug), do it in the registry and restart the server (again, restarting the service does not do the trick).

Quoted from: https://serverfault.com/questions/961683