I am trying to connect Windows 10 (192.168.1.11) to IPsec/L2TP on Debian 10 (192.168.1.31).
The Windows firewall is off, and I added AssumeUDPEncapsulationContextOnSendRule (value 2) to the registry and rebooted.
The only thing iptables is still doing on 192.168.1.31 is IP masquerading from the 192.168.1.0/24 network to the internet.
I set up Debian as shown below and configured the VPN on Windows with a user name and password. But Windows does not connect; in the System section of Event Viewer I get:
The user RWB-LAPTOP-DELL\User dialed a connection named VPN@mini31 which has failed. The error code returned on failure is 809.
/etc/ipsec.conf
config setup
conn wep-ap
    type=transport
    authby=secret
    pfs=no
    rekey=no
    keyingtries=1
    left=%any
    leftid=%any
    right=%any
    auto=add
    esp=aes128-sha1-modp1536
    ike=aes128-sha1-modp1536
include /var/lib/strongswan/ipsec.conf.inc
/etc/strongswan.conf
charon {
    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}
/etc/ipsec.secrets
%any %any : PSK "password"
/etc/ppp/chap-secrets
laptop * password *
/etc/ppp/options.xl2tpd
noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
debug
ms-dns 192.168.3.31
/etc/xl2tpd/xl2tpd.conf
[global] ; Global parameters:
port = 1701 ; * Bind to port 1701
access control = no
[lns default] ; Our fallthrough LNS definition
ip range = 192.168.3.100-192.168.3.254 ; * But this one is okay
local ip = 192.168.3.31 ; * Our local IP to use
name = mini31 ; * Report this as our hostname
pppoptfile = /etc/ppp/options.xl2tpd
And the syslog:
mini31 # cat -n syslog | tail +3203
3203 Nov 20 20:24:45 mini31 charon: 13[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (408 bytes)
3204 Nov 20 20:24:45 mini31 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
3205 Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
3206 Nov 20 20:24:45 mini31 charon: 13[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
3207 Nov 20 20:24:45 mini31 charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
3208 Nov 20 20:24:45 mini31 charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
3209 Nov 20 20:24:45 mini31 charon: 13[IKE] received FRAGMENTATION vendor ID
3210 Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
3211 Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
3212 Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
3213 Nov 20 20:24:45 mini31 charon: 13[IKE] 192.168.1.11 is initiating a Main Mode IKE_SA
3214 Nov 20 20:24:45 mini31 charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
3215 Nov 20 20:24:45 mini31 charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V ]
3216 Nov 20 20:24:45 mini31 charon: 13[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (160 bytes)
3217 Nov 20 20:24:45 mini31 charon: 14[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (228 bytes)
3218 Nov 20 20:24:45 mini31 charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
3219 Nov 20 20:24:45 mini31 charon: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
3220 Nov 20 20:24:45 mini31 charon: 14[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (212 bytes)
3221 Nov 20 20:24:45 mini31 charon: 15[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (76 bytes)
3222 Nov 20 20:24:45 mini31 charon: 15[ENC] parsed ID_PROT request 0 [ ID HASH ]
3223 Nov 20 20:24:45 mini31 charon: 15[CFG] looking for pre-shared key peer configs matching 192.168.1.31...192.168.1.11[192.168.1.11]
3224 Nov 20 20:24:45 mini31 charon: 15[CFG] selected peer config "wep-ap"
3225 Nov 20 20:24:45 mini31 charon: 15[IKE] IKE_SA wep-ap[6] established between 192.168.1.31[192.168.1.31]...192.168.1.11[192.168.1.11]
3226 Nov 20 20:24:45 mini31 charon: 15[ENC] generating ID_PROT response 0 [ ID HASH ]
3227 Nov 20 20:24:45 mini31 charon: 15[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (76 bytes)
3228 Nov 20 20:24:45 mini31 charon: 06[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (316 bytes)
3229 Nov 20 20:24:45 mini31 charon: 06[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
3230 Nov 20 20:24:45 mini31 charon: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
3231 Nov 20 20:24:45 mini31 charon: 06[IKE] received 3600s lifetime, configured 0s
3232 Nov 20 20:24:45 mini31 charon: 06[IKE] received 250000000 lifebytes, configured 0
3233 Nov 20 20:24:45 mini31 charon: 06[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID ]
3234 Nov 20 20:24:45 mini31 charon: 06[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (188 bytes)
3235 Nov 20 20:24:45 mini31 charon: 05[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (60 bytes)
3236 Nov 20 20:24:45 mini31 charon: 05[ENC] parsed QUICK_MODE request 1 [ HASH ]
3237 Nov 20 20:24:45 mini31 charon: 05[IKE] CHILD_SA wep-ap{6} established with SPIs c2b5d044_i 1726a3e2_o and TS 192.168.1.31/32[udp/l2f] === 192.168.1.11/32[udp/l2f]
3238 Nov 20 20:24:46 mini31 xl2tpd[12817]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
3239 Nov 20 20:24:48 mini31 xl2tpd[12817]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
3240 Nov 20 20:24:52 mini31 xl2tpd[12817]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
3241 Nov 20 20:25:00 mini31 xl2tpd[12817]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
3242 Nov 20 20:25:10 mini31 xl2tpd[12817]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
3243 Nov 20 20:25:16 mini31 xl2tpd[12817]: Maximum retries exceeded for tunnel 13486. Closing.
3244 Nov 20 20:25:16 mini31 xl2tpd[12817]: Connection 3 closed to 192.168.1.11, port 1701 (Timeout)
3245 Nov 20 20:25:20 mini31 charon: 09[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (76 bytes)
3246 Nov 20 20:25:20 mini31 charon: 09[ENC] parsed INFORMATIONAL_V1 request 3379181600 [ HASH D ]
3247 Nov 20 20:25:20 mini31 charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 1726a3e2
3248 Nov 20 20:25:20 mini31 charon: 09[IKE] closing CHILD_SA wep-ap{6} with SPIs c2b5d044_i (696 bytes) 1726a3e2_o (0 bytes) and TS 192.168.1.31/32[udp/l2f] === 192.168.1.11/32[udp/l2f]
3249 Nov 20 20:25:20 mini31 charon: 10[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (92 bytes)
3250 Nov 20 20:25:20 mini31 charon: 10[ENC] parsed INFORMATIONAL_V1 request 309590672 [ HASH D ]
3251 Nov 20 20:25:20 mini31 charon: 10[IKE] received DELETE for IKE_SA wep-ap[6]
3252 Nov 20 20:25:20 mini31 charon: 10[IKE] deleting IKE_SA wep-ap[6] between 192.168.1.31[192.168.1.31]...192.168.1.11[192.168.1.11]
mini31 #
UPDATE: if I use the following for esp and ike
esp=aes-sha1,3des-sha1,aes128-sha1,3des-sha1,aes128-sha256,aes128-sha1-modp1536
ike=aes-sha,3des-sha,aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024,aes128-sha1-modp1536
(how would I know which values to use?), then something different happens:
Nov 21 13:40:04 mini31 charon: 07[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (408 bytes)
Nov 21 13:40:04 mini31 charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:04 mini31 charon: 07[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:04 mini31 charon: 07[ENC] generating INFORMATIONAL_V1 request 1021960079 [ N(NO_PROP) ]
Nov 21 13:40:04 mini31 charon: 07[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (40 bytes)
Nov 21 13:40:05 mini31 charon: 08[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (408 bytes)
Nov 21 13:40:05 mini31 charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:05 mini31 charon: 08[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:05 mini31 charon: 08[ENC] generating INFORMATIONAL_V1 request 440253701 [ N(NO_PROP) ]
Nov 21 13:40:05 mini31 charon: 08[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (40 bytes)
Nov 21 13:40:06 mini31 charon: 09[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (408 bytes)
Nov 21 13:40:06 mini31 charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:06 mini31 charon: 09[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:06 mini31 charon: 09[ENC] generating INFORMATIONAL_V1 request 101389495 [ N(NO_PROP) ]
Nov 21 13:40:06 mini31 charon: 09[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (40 bytes)
Nov 21 13:40:09 mini31 charon: 10[NET] received packet: from 192.168.1.11[500] to 192.168.1.31[500] (408 bytes)
Nov 21 13:40:09 mini31 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:09 mini31 charon: 10[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:09 mini31 charon: 10[ENC] generating INFORMATIONAL_V1 request 171333823 [ N(NO_PROP) ]
Nov 21 13:40:09 mini31 charon: 10[NET] sending packet: from 192.168.1.31[500] to 192.168.1.11[500] (40 bytes)
Another update
While Windows is connecting, ipsec showall shows the connection, so I think the problem is specifically with xl2tpd: Maximum retries exceeded for tunnel... Closing.
Update again
New evidence from dmesg:
[2106321.117169] audit: type=1400 audit(1611348027.206:30): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/20839/fd/" pid=20839 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2106356.184250] audit: type=1400 audit(1611348062.273:31): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/20858/fd/" pid=20858 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
However,
# aa-complain /usr/lib/ipsec/charon
made no difference.
Answer 1
With Windows 10 L2TP over IPsec, it is the Windows machine that sends the proposals. Set this in debug so you can see the proposal (client) and proposal (server):
charondebug="ike, knl 3, cfg 2"
Setting this in the Strongswan conn definition works:
ike=aes256-sha1-ecp384
esp=aes256-sha1
Don't forget to set these lines in /etc/ppp/options.xl2tpd:
require-chap
require-mschap-v2
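The answer's point is that the suite charon logs as "selected proposal" is what the Windows client offered, so that is what belongs in ike=/esp=. The following is an added example (not code from the question or the answer) that reads charon log lines like the ones in the question, converts charon's algorithm names into ipsec.conf proposal syntax, and checks whether a conn's configured list literally contains the negotiated suite; the ALG_MAP table and the sample log lines are constructed from this page's logs.

```python
import re

# Constructed sample: lines copied from the syslog excerpts in the question
# (the successful Main Mode run and the later NO_PROPOSAL_CHOSEN run).
SAMPLE_SYSLOG = """\
Nov 20 20:24:45 mini31 charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
Nov 20 20:24:45 mini31 charon: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 21 13:40:04 mini31 charon: 07[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
"""

PROPOSAL_RE = re.compile(r"\[CFG\] selected proposal: (IKE|ESP):(\S+)")
NO_PROP_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")

# charon's log names -> ipsec.conf keywords; partial table (an assumption of this
# example) covering only the algorithms that appear in this page's logs and config.
ALG_MAP = {
    "AES_CBC_128": "aes128", "AES_CBC_256": "aes256",
    "HMAC_SHA1_96": "sha1",
    "ECP_384": "ecp384", "MODP_1536": "modp1536",
}

def to_conf_syntax(charon_alg_list):
    """Turn 'AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384' into 'aes256-sha1-ecp384'.
    In ipsec.conf syntax the PRF is implied by the integrity algorithm, and
    NO_EXT_SEQ is only an ESP sequence-number flag, so both are dropped."""
    parts = []
    for alg in charon_alg_list.split("/"):
        if alg.startswith("PRF_") or alg == "NO_EXT_SEQ":
            continue
        parts.append(ALG_MAP.get(alg, alg.lower()))
    return "-".join(parts)

def summarise(syslog_text):
    """Return the negotiated IKE/ESP suites and the peers charon rejected."""
    result = {"IKE": None, "ESP": None, "rejected": []}
    for line in syslog_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            result[m.group(1)] = to_conf_syntax(m.group(2))
            continue
        m = NO_PROP_RE.search(line)
        if m:
            result["rejected"].append(m.group(2))   # the client that got NO_PROPOSAL_CHOSEN
    return result

def covered(configured, negotiated):
    """True if the negotiated suite is literally in the conn's ike=/esp= list.
    Without a trailing '!' strongswan also accepts its built-in default
    proposals, which is why a suite can be selected yet be absent from the list."""
    entries = [e.strip().rstrip("!") for e in configured.split(",")]
    return negotiated in entries
```

Running summarise() over the question's first log gives IKE "aes256-sha1-ecp384", which matches the answer's ike= line, while the original ike=aes128-sha1-modp1536 does not contain it.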