나는 Debian 홈 서버에 IPSec VPN을 설정하려고 합니다. 그러면 대학 네트워크에 의해 인터넷이 필터링되지 않고 홈 네트워크에 액세스하고 탐색할 수 있습니다. 그러면 대학에 있는 동안 홈 네트워크에 대한 유지 관리를 할 수 있습니다. . 나는 다음을 통해 서버를 설정했습니다.이 링크, Mac OS를 통해 연결하려고 하면 콘솔에 다음이 인쇄됩니다.
8/11/12 7:11:11.532 PM configd: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
8/11/12 7:11:11.669 PM pppd: pppd 2.4.2 (Apple version 560.13) started by Jon, uid 501
8/11/12 7:11:11.687 PM pppd: L2TP connecting to server '10.0.1.100' (10.0.1.100)...
8/11/12 7:11:11.688 PM pppd: IPSec connection started
8/11/12 7:11:11.708 PM racoon: Connecting.
8/11/12 7:11:11.709 PM racoon: IPSec Phase1 started (Initiated by me).
8/11/12 7:11:11.709 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
8/11/12 7:11:14.712 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
8/11/12 7:11:17.716 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
8/11/12 7:11:20.719 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
8/11/12 7:11:21.710 PM pppd: IPSec connection failed
디버깅을 레벨 3으로 설정하고 다시 시도하여 서버에서 로그를 가져오면 로그에 아무 것도 인쇄되지 않습니다. 존재하지 않는 서버에 연결하려고 하면 로그에 동일한 내용이 인쇄되기 때문에 서버가 VPN 연결 시도를 가져오거나 인식하지 못하는 것 같습니다. 서버의 IP는 10.0.1.100인데, 라우터의 포트 전달에 문제가 있을 경우를 대비해 연결하려는 IP입니다. 위에 나열된 방법 가이드에 따라 구성된 세 가지 구성 파일은 다음과 같습니다. (비밀번호를 별표로 대체했습니다)
/etc/freeradius/clients.conf
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
ipaddr = 127.0.0.1
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
# One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to achieve the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
#
# netmask = 32
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = ********
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
#
# A pointer to the "home_server_pool" OR a "home_server"
# section that contains the CoA configuration for this
# client. For an example of a coa home server or pool,
# see raddb/sites-available/originate-coa
# coa_server = coa
}
# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}
#client some.host.org {
# secret = testing123
# shortname = localhost
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}
#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret = testing123
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
#}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
/etc/l2tpns/startup 구성
# Debugging level
set debug 2
# Log file: comment out to use stderr, use "syslog:facility" for syslog
set log_file "/var/log/l2tpns"
# Write pid to this file
set pid_file "/var/run/l2tpns.pid"
# Shared secret with LAC
set l2tp_secret ""
# MTU of interface for L2TP traffic
#set l2tp_mtu 1500
# PPP counter and timer values
#set ppp_restart_time 3
#set ppp_max_configure 10
#set ppp_max_failure 5
# Only 2 DNS server entries are allowed
set primary_dns 10.0.1.1
set secondary_dns 8.8.8.8
# Can have multiple radius server entries, but ony one radius secret
set primary_radius 127.0.0.1
#set primary_radius_port 1645
#set secondary_radius 0.0.0.0
#set secondary_radius_port 1645
set radius_secret "********"
# Acceptable authentication types (pap, chap) in order of preference
#set radius_authtypes "pap"
# Turn on or off Radius Accounting
#set radius_accounting no
# Port for DAE RADIUS requests
#set radius_dae_port 3799
# Allow multiple logins for the same username
#set allow_duplicate_users no
# Write usage accounting files into specified directory
set accounting_dir "/var/run/l2tpns/acct"
# Listen address for L2TP
set bind_address 10.0.1.100
# Send a gratiuitous ARP for bind address
set send_garp yes
# Gateway address given to clients
set peer_address 10.0.1.1
# Default throttle rate in kb/s
#set throttle_speed 0
# Number of buckets to allocate for throttling
#set throttle_buckets 3000
# If set to anything other than 0, setuid when initialised.
#set setuid 0
# If set to true, dump current speed to stderr every second
#set dump_speed no
# Number of packets to read from tun/udp/cluster fd when select
# returns readable
#set multi_read_count 10
# Set scheduling priority of process to SCHED_FIFO
#set scheduler_fifo no
# Lock pages into memory
#set lock_pages no
# Maximum number of host unreachable packets to send per second
#set icmp_rate 0
# Maximum number of downstream packets per 0.1s to handle for each
# session (0 = ulimited)
#set packet_limit 0
# Cluster multicast address, interface
#set cluster_address 239.192.13.13
set cluster_interface eth1
# Cluster multicast TTL
#set cluster_mcast_ttl 1
# Cluster timers (1/10th second)
set cluster_hb_interval 100
set cluster_hb_timeout 20
# Minimum number of slaves before master withdraws routes
#set cluster_master_min_adv 1
# Drop/kill sessions
#load plugin "sessionctl"
# Throttle/snoop based on RADIUS
#load plugin "autothrottle"
#load plugin "autosnoop"
# Control throttle/snoop with nsctl
#load plugin "throttlectl"
#load plugin "snoopctl"
# Punt RX speed if not supplied
#load plugin "setrxspeed"
# Remove domain from username
#load plugin "stripdomain"
# Walled garden
#load plugin "garden"
/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12:!10.0.1.0/24
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
#
#interfaces="ipsec0=br0"
uniqueids=no
conn road_warrior
rekey=no
authby=secret
pfs=no
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
compress=yes
#
left=10.0.0.100
leftprotoport=17/1701
leftnexthop=10.0.1.1
#
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%no,%priv
#
auto=add
/etc/ipsec.secrets
# /etc/ipsec.secrets
# The IPSec Secrets File
10.0.1.100: PSK "********"
이 구성 파일에서 문제를 발견한 사람이 있습니까? 혼란스러워요 ...