racoon IPSec/L2TP client

I am trying to configure a racoon IPSec/L2TP client to connect to a Windows 2003 server. The server was originally designed to work with Windows XP clients (it has been tested successfully with Windows XP SP3, but it does not work with XP SP1 or Windows 7). To make things more complicated, it uses both a pre-shared key and x509 certificates. I deduced the following from a working client and tried to replicate the configuration in racoon:

  • No NAT-T (removed since Windows XP SP2)
  • No tunneling mode (not supported on Windows XP)
  • No AH (not supported on Windows XP)
  • 3des for the encryption algorithm
  • sha1 for the hashing algorithm
  • dh_group 2
  • Not sure about the authentication mode; I tried both pre_shared_key and rsasig

My racoon.conf:

log debug2;

path certificate "/home/ipsec/out/etc/certs";
path pre_shared_key "/etc/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.1.2 {

       exchange_mode main;

       my_identifier user_fqdn "[email protected]";
       certificate_type x509 "client.example.crt" "client.example.key";
       ca_type x509 "ca.crt";

       passive off;
       generate_policy on;
       dpd_delay 20;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
}

sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

My setkey.conf:

# Flush the SAD and SPD
flush;
spdflush;

# Outbound L2TP (UDP 1701) towards the server must be protected by ESP in transport mode
spdadd 0.0.0.0/0 vpn.example.com[1701] any -P out ipsec
        esp/transport//require;

# Inbound L2TP from the server must likewise arrive inside ESP transport mode
# (no whitespace is allowed between the address and its [port])
spdadd vpn.example.com[1701] 0.0.0.0/0 any -P in ipsec
        esp/transport//require;

I ran setkey -f /etc/setkey.conf and then racoon -F. My racoon log looks like this:

Foreground mode.
2015-07-18 17:25:25: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2015-07-18 17:25:25: INFO: @(#)This product linked OpenSSL 1.0.0a 1 Jun 2010 (http://www.openssl.org/)
2015-07-18 17:25:25: INFO: Reading configuration from "/home/ipsec/out/etc/racoon.conf"
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/client.example.crt
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/ca.crt
2015-07-18 17:25:26: DEBUG2: lifetime = 28800
2015-07-18 17:25:26: DEBUG2: lifebyte = 0
2015-07-18 17:25:26: DEBUG2: encklen=0
2015-07-18 17:25:26: DEBUG2: p:1 t:1
2015-07-18 17:25:26: DEBUG2: 3DES-CBC(5)
2015-07-18 17:25:26: DEBUG2: SHA(2)
2015-07-18 17:25:26: DEBUG2: 1024-bit MODP group(2)
2015-07-18 17:25:26: DEBUG2: pre-shared key(1)
2015-07-18 17:25:26: DEBUG2: 
2015-07-18 17:25:26: DEBUG2: Etype mismatch: got 2, expected 4.
2015-07-18 17:25:26: DEBUG: no check of compression algorithm; not supported in sadb message.
2015-07-18 17:25:26: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
2015-07-18 17:25:26: DEBUG2: parse successed.
2015-07-18 17:25:26: DEBUG: open /home/ipsec/out/var/racoon/racoon.sock as racoon management.
2015-07-18 17:25:26: DEBUG: Netlink: address 192.168.110.57 added
2015-07-18 17:25:26: INFO: 192.168.110.57[500] used as isakmp port (fd=7)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.1 added
2015-07-18 17:25:26: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.0 added
2015-07-18 17:25:26: INFO: 127.0.0.0[500] used as isakmp port (fd=9)
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 01000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000300 7a010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 02000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000100 70010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 03000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff200000 020006a5 d401c161 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4410aa55 00000000 00000000 00000000
04001200 02000200 69010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 04000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 2c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 05000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 23000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 06000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 1c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 07000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 13000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 08000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 0c000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:27: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:27: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:27: DEBUG2: 
02120000 16000100 00000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 03000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out

After that, no traffic goes through the established VPN (I am not even sure a connection is established), and setkey -D reports no SAD entries.

Edit:

After looking into it, the biggest problem seems to be routing. Although L2TP runs in transport mode, the server has to act as the gateway to the network behind it, but the traffic does not reach the server over l2tp, so the tunnel never starts. I tried adding a route, without success.
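The hex blocks in the log above are the raw PF_KEY SADB_X_SPDDUMP replies the kernel sends racoon when it reads the SPD at startup; racoon derives its `db :` and `sub:` lines from them. The following decoder is an added example, not part of the original question or of ipsec-tools, that turns such a dump back into the policy fields so the installed SPD can be checked against what setkey.conf was meant to install. The field layouts follow the PF_KEYv2 sadb_msg, sadb_address and sadb_lifetime structures and the Linux sadb_x_policy / sadb_x_ipsecrequest extensions. Both sample messages are constructed: the first copies the layout of the first dump in the log with the peer's sockaddr bytes replaced by 10.0.1.2 (the address the question uses in its text lines), the second copies the layout of the shorter 'none'-policy entries. Only AF_INET addresses and transport-mode requests are decoded, which is all the question needs.

```python
"""Decode PF_KEY SADB_X_SPDDUMP replies as printed by racoon at log level debug2."""
from __future__ import annotations
import struct

SADB_X_SPDDUMP = 18                                   # sadb_msg_type of an SPD dump reply
EXT_LIFETIME_CURRENT, EXT_ADDRESS_SRC, EXT_ADDRESS_DST, EXT_X_POLICY = 2, 5, 6, 18

POLICY_TYPES = {0: "discard", 1: "none", 2: "ipsec", 3: "entrust", 4: "bypass"}
POLICY_DIRS = {0: "any", 1: "in", 2: "out", 3: "fwd"}   # other values are printed raw, as racoon does
IPSEC_PROTOS = {50: "esp", 51: "ah", 108: "ipcomp"}
IPSEC_MODES = {0: "any", 1: "transport", 2: "tunnel"}
IPSEC_LEVELS = {0: "default", 1: "use", 2: "require", 3: "unique"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the whitespace-separated 32-bit words of a racoon DEBUG2 dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_address(ext: bytes) -> tuple[str, str]:
    """sadb_address header (8 bytes) followed by a sockaddr_in -> ('10.0.1.2/32[1701]', 'any')."""
    proto, prefixlen = struct.unpack_from("<BB", ext, 4)
    family = struct.unpack_from("<H", ext, 8)[0]          # sa_family, host byte order
    if family != 2:                                       # AF_INET only in this example
        raise ValueError(f"unsupported address family {family}")
    port = struct.unpack_from("!H", ext, 10)[0]           # sin_port, network byte order
    addr = ".".join(str(b) for b in ext[12:16])
    return f"{addr}/{prefixlen}[{port}]", "any" if proto == 255 else str(proto)


def decode_policy(ext: bytes) -> dict:
    """sadb_x_policy (16 bytes) plus the sadb_x_ipsecrequest records that follow it."""
    if len(ext) < 16:
        raise ValueError("truncated sadb_x_policy")
    ptype, pdir, _reserved, policy_id, _priority = struct.unpack_from("<HBBII", ext, 4)
    requests, off = [], 16
    while off + 8 <= len(ext):
        rlen, proto, mode, level, _reqid = struct.unpack_from("<HHBBH", ext, off)
        if rlen < 8:
            break                                         # zero padding after the last request
        # setkey-style "proto/mode//level"; tunnel-mode endpoints are not decoded here
        requests.append(f"{IPSEC_PROTOS.get(proto, proto)}/{IPSEC_MODES.get(mode, mode)}"
                        f"//{IPSEC_LEVELS.get(level, level)}")
        off += rlen
    return {"policy": POLICY_TYPES.get(ptype, str(ptype)),
            "dir": POLICY_DIRS.get(pdir, str(pdir)),
            "policy_id": policy_id, "requests": requests}


def parse_spddump(raw: bytes) -> dict:
    """Decode one SADB_X_SPDDUMP message into the fields racoon logs as 'db :'/'sub:' lines."""
    if len(raw) < 16:
        raise ValueError("short PF_KEY header")
    version, mtype, errno, _satype, units, _res, seq, pid = struct.unpack_from("<BBBBHHII", raw, 0)
    if version != 2 or mtype != SADB_X_SPDDUMP:
        raise ValueError(f"not a PF_KEYv2 SPDDUMP message (version={version}, type={mtype})")
    if units * 8 != len(raw):                             # sadb_msg_len counts 8-byte units
        raise ValueError(f"sadb_msg_len says {units * 8} bytes, dump has {len(raw)}")
    if errno:
        raise ValueError(f"kernel reported errno {errno}")
    entry, off = {"seq": seq, "pid": pid}, 16
    while off < len(raw):
        ext_units, ext_type = struct.unpack_from("<HH", raw, off)
        ext = raw[off:off + ext_units * 8]
        if ext_units == 0 or len(ext) != ext_units * 8:
            raise ValueError(f"truncated extension {ext_type} at offset {off}")
        if ext_type == EXT_ADDRESS_SRC:
            entry["src"], entry["proto"] = decode_address(ext)
        elif ext_type == EXT_ADDRESS_DST:
            entry["dst"], _ = decode_address(ext)
        elif ext_type == EXT_LIFETIME_CURRENT:
            entry["added_at"] = struct.unpack_from("<Q", ext, 16)[0]   # sadb_lifetime_addtime (epoch)
        elif ext_type == EXT_X_POLICY:
            entry.update(decode_policy(ext))
        off += len(ext)
    return entry


def summarize(entry: dict) -> str:
    """Render an entry the way racoon's DEBUG lines and 'setkey -DP' present it."""
    line = f"{entry['src']} {entry['dst']} proto={entry['proto']} dir={entry['dir']} {entry['policy']}"
    return line + (" " + " ".join(entry["requests"]) if entry["requests"] else "")


# Constructed sample: same layout as the first dump in the log, peer address set to 10.0.1.2.
SPD_IPSEC_FWD = """
02120000 18000100 01000000 2d0d0000 03000500 ff200000 020006a5 0a000102
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000300 7a010000 00000080 10003200 01020000 00000000 00000000
"""
# Constructed sample: same layout as the 16-byte 'none' policy entries in the log.
SPD_NONE = """
02120000 16000100 04000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 2c000000 00000000
"""

if __name__ == "__main__":
    for dump in (SPD_IPSEC_FWD, SPD_NONE):
        print(summarize(parse_spddump(hexdump_to_bytes(dump))))
```

Run against the dumps in the log, the decoder confirms that the kernel holds the in, out and fwd ESP transport-mode policies for UDP 1701 that setkey.conf asked for, and that the short entries with policy type 1 are 'none' policies whose direction racoon prints as a bare number. Note also that the sadb_address extensions carry the peer's sockaddr bytes verbatim, so anonymising only the text lines of a log leaves the address recoverable from the hex.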