I followed the instructions here: http://samsclass.info/ipv6/proj/proj-L5-VPN-Server.html
I used the same files published on that site. On my router I forwarded ports 500 UDP and 4500 UDP to the Ubuntu box. On Android, when I try, it goes to "Connecting..." and then "Timed out". Also tested on iOS (iPad), and it does not work. I noticed that syslog has no entries from xl2tpd for any connection attempt, so I guess openswan ipsec is not passing the traffic to xl2tpd?
All steps in the guide were completed:
added local ip address 172.22.1.1 eth0:0 (the Ubuntu box has eth0 192.168.0.50)
installed openswan
edited ipsec.conf, ipsec.secrets
stopped redirects
ipsec verify
restarted openswan
installed xl2tpd
edited xl2tpd.conf
ppp was already installed, so skipped this step
edited options.xl2tpd and chap-secrets
restarted xl2tpd
[ipsec.conf]
# diff ipsec.conf ipsec.conf.template
21c21
< left=192.168.0.50
---
> left=YOUR.SERVER.IP.ADDRESS
The .50 address is the eth0 IP address of the Ubuntu server on my LAN.
[ipsec.secrets]
# cat /etc/ipsec.secrets
192.168.0.50 %any: PSK "YourSharedSecret"
[xl2tpd.conf / options.xl2tpd / chap-secrets]
The same 3 files as the examples given on the site.
=== /var/log/auth.log
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [RFC 3947] method set to=115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [Dead Peer Detection]
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: responding to Main Mode from unknown peer 166.147.67.29
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: Main mode peer ID is ID_IPV4_ADDR: '10.4.23.140'
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: deleting connection "L2TP-PSK-NAT" instance with peer 166.147.67.29 {isakmp=#0/ipsec=#0}
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: new NAT mapping for #1, was 166.147.67.29:58529, now 166.147.67.29:37048
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: received and ignored informational message
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: the peer proposed: 98.201.212.153/32:17/1701 -> 10.4.23.140/32:17/0
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: responding to Quick Mode proposal {msgid:76a9dec2}
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: us: 192.168.0.50<192.168.0.50>:17/1701
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: them: 166.147.67.29[10.4.23.140]:17/0===10.4.23.140/32
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x01bbb0b5 <0xee2829cb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=166.147.67.29:37048 DPD=none}
=== /var/log/syslog
Sep 20 02:00:52 sbowne kernel: [28283.272399] NET: Unregistered protocol family 15
Sep 20 02:00:52 sbowne ipsec_setup: ...Openswan IPsec stopped
Sep 20 02:00:52 sbowne kernel: [28283.357232] NET: Registered protocol family 15
Sep 20 02:00:52 sbowne ipsec_setup: Starting Openswan IPsec U2.6.38/K3.8.0-19-generic...
Sep 20 02:00:52 sbowne ipsec_setup: Using NETKEY(XFRM) stack
Sep 20 02:00:52 sbowne kernel: [28283.414490] Initializing XFRM netlink socket
Sep 20 02:00:52 sbowne kernel: [28283.446177] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.450489] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.459554] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.462983] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.470054] AVX or AES-NI instructions are not detected.
Sep 20 02:00:52 sbowne ipsec_setup: multiple ip addresses, using 192.168.0.50 on eth0
Sep 20 02:00:52 sbowne ipsec_setup: ...Openswan IPsec started
Sep 20 02:00:52 sbowne ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Sep 20 02:00:52 sbowne pluto: adjusting ipsec.d to /etc/ipsec.d
Sep 20 02:00:52 sbowne ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Sep 20 02:00:52 sbowne ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Sep 20 02:03:17 sbowne xl2tpd[8264]: death_handler: Fatal signal 15 received
Sep 20 02:03:19 sbowne xl2tpd[12634]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Sep 20 02:03:19 sbowne xl2tpd[12634]: setsockopt recvref[30]: Protocol not available
Sep 20 02:03:19 sbowne xl2tpd[12634]: This binary does not support kernel L2TP.
Sep 20 02:03:19 sbowne xl2tpd[12635]: xl2tpd version xl2tpd-1.3.1 started on sbowne PID:12635
Sep 20 02:03:19 sbowne xl2tpd[12635]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 20 02:03:19 sbowne xl2tpd[12635]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 20 02:03:19 sbowne xl2tpd[12635]: Inherited by Jeff McAdams, (C) 2002
Sep 20 02:03:19 sbowne xl2tpd[12635]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 20 02:03:19 sbowne xl2tpd[12635]: Listening on IP address 0.0.0.0, port 1701
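As an added example (not code from the post or from the samsclass project), here is a small Python triage script that reads the pluto and xl2tpd lines quoted above and reports which stage of the L2TP/IPsec bring-up completed. Run over that excerpt it shows both IKE phases finishing (an ISAKMP SA, then an IPsec SA in transport mode for the client's proposed 17/1701 selector), the client's NAT moving its port mapping when it floats to UDP 4500, and no xl2tpd tunnel activity at all, which is exactly the symptom described in the post: the failure is past IPsec, at the L2TP layer. The sample lines are copied from the excerpt and embedded as a constant; the keywords used to recognise xl2tpd tunnel activity, and the warning about the modp1024 DH group, are my additions, not something the page states.

```python
#!/usr/bin/env python3
"""Triage an Openswan (pluto) + xl2tpd log excerpt: which stage of an
L2TP/IPsec connection attempt completed, and where to look next.
Added example for this thread, keyed to the pluto message wording in the
log lines quoted above; not the poster's or the project's code."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the auth.log / syslog lines quoted
# in the post, embedded so the script runs offline.
SAMPLE_LOG = """\
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: responding to Main Mode from unknown peer 166.147.67.29
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: Main mode peer ID is ID_IPV4_ADDR: '10.4.23.140'
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: new NAT mapping for #1, was 166.147.67.29:58529, now 166.147.67.29:37048
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: the peer proposed: 98.201.212.153/32:17/1701 -> 10.4.23.140/32:17/0
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x01bbb0b5 <0xee2829cb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=166.147.67.29:37048 DPD=none}
Sep 20 02:03:19 sbowne xl2tpd[12635]: xl2tpd version xl2tpd-1.3.1 started on sbowne PID:12635
Sep 20 02:03:19 sbowne xl2tpd[12635]: Listening on IP address 0.0.0.0, port 1701
"""

PLUTO = re.compile(r'pluto\[\d+\]: (?:"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: )?(?P<msg>.*)$')
XL2TPD = re.compile(r'xl2tpd\[\d+\]: (?P<msg>.*)$')
ISAKMP = re.compile(r'ISAKMP SA established \{auth=(\w+) cipher=(\w+) prf=(\w+) group=(\w+)\}')
IPSEC = re.compile(r'IPsec SA established (\w+) mode')
NATMAP = re.compile(r'new NAT mapping for #\d+, was [\d.]+:(\d+), now [\d.]+:(\d+)')
NATT = re.compile(r'NAT-Traversal: Result using .*?: (.*)$')
PEERID = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'")
PROPOSED = re.compile(r'the peer proposed: ([\d./]+):(\d+)/(\d+) -> ([\d./]+):(\d+)/(\d+)')
# Heuristic (my assumption, not documented on the page): xl2tpd's startup
# banner never uses these words, an inbound L2TP tunnel does.
L2TP_ACTIVITY = re.compile(r'\b(connection established|tunnel|call)\b', re.IGNORECASE)
WEAK_DH_GROUPS = {'modp768', 'modp1024'}  # DH groups 1 and 2: too small today


@dataclass
class Triage:
    peer: Optional[str] = None        # client's public (post-NAT) address
    peer_id: Optional[str] = None     # ID the client sent in Main Mode
    isakmp_sa: bool = False           # IKE phase 1 completed
    ipsec_sa: bool = False            # IKE phase 2 completed
    ipsec_mode: Optional[str] = None  # L2TP/IPsec needs 'transport'
    ike_params: Dict[str, str] = field(default_factory=dict)
    nat_traversal: Optional[str] = None
    nat_port_change: Optional[Tuple[int, int]] = None
    proposed: Dict[str, object] = field(default_factory=dict)  # phase 2 selector
    l2tp_activity: bool = False       # xl2tpd logged an inbound tunnel
    warnings: List[str] = field(default_factory=list)


def _pluto_message(t: Triage, peer: Optional[str], msg: str) -> None:
    if peer:
        t.peer = peer
    if (x := PEERID.search(msg)):
        t.peer_id = x.group(1)
    if (x := NATT.search(msg)):
        t.nat_traversal = x.group(1)
    if (x := NATMAP.search(msg)):
        t.nat_port_change = (int(x.group(1)), int(x.group(2)))
    if (x := ISAKMP.search(msg)):
        t.isakmp_sa = True
        t.ike_params = dict(zip(('auth', 'cipher', 'prf', 'group'), x.groups()))
    if (x := PROPOSED.search(msg)):
        t.proposed = {'src': x.group(1), 'src_proto': int(x.group(2)), 'src_port': int(x.group(3)),
                      'dst': x.group(4), 'dst_proto': int(x.group(5)), 'dst_port': int(x.group(6))}
    if (x := IPSEC.search(msg)):
        t.ipsec_sa, t.ipsec_mode = True, x.group(1)


def triage(log_text: str) -> Triage:
    """Parse pluto and xl2tpd lines into a Triage summary."""
    t = Triage()
    for line in log_text.splitlines():
        if (m := PLUTO.search(line)):
            _pluto_message(t, m.group('peer'), m.group('msg'))
        elif (m := XL2TPD.search(line)) and L2TP_ACTIVITY.search(m.group('msg')):
            t.l2tp_activity = True
    if t.ike_params.get('group') in WEAK_DH_GROUPS:
        t.warnings.append(f"ISAKMP SA used DH group {t.ike_params['group']} (<= 1024-bit): weak by current standards")
    return t


def verdict(t: Triage) -> str:
    """Map the parsed state to the next thing to check."""
    if not t.isakmp_sa:
        return "IKE phase 1 never completed: check the PSK in ipsec.secrets, left=, and UDP 500/4500 forwarding"
    if not t.ipsec_sa:
        return "phase 1 done, phase 2 failed: check the conn block's subnet and protocol/port selectors"
    if t.ipsec_mode != 'transport':
        return f"IPsec SA is in {t.ipsec_mode} mode; L2TP/IPsec needs transport mode"
    if not t.l2tp_activity:
        return "IPsec completed but xl2tpd saw no tunnel: the problem is at the L2TP layer (UDP 1701 not reaching xl2tpd after ESP decapsulation)"
    return "IPsec and L2TP both up: look at PPP/CHAP (options.xl2tpd, chap-secrets)"


if __name__ == '__main__':
    result = triage(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read())
    for name, value in vars(result).items():
        print(f"{name:16} {value}")
    print("verdict:", verdict(result))
```

Run with no input to see the verdict for the excerpt above; on a live box, `sudo grep -h -e 'pluto\[' -e 'xl2tpd\[' /var/log/auth.log /var/log/syslog | python3 triage.py` gives the same summary for the current attempt. Note that the script works only from the log messages: it cannot tell whether the UDP 1701 packets are being dropped before xl2tpd or simply never decapsulated, only that the IPsec side signalled success while xl2tpd stayed silent.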
Does it have to be L2TP? A lot of people have told me that L2TP is horrible to set up and maintain and that I should just go with OpenVPN instead.
—
Blacklight
Thank you for your answer. I want to use something that doesn't involve generating and pushing certificates to every remote client. The only choices then are: 1) PPTP (can be cracked within 1 day using Cloud Cracker), 2) IPSEC-IKEv1 with PSK (but Windows 7 doesn't support it natively; it only supports IKEv2, which requires certificates), or 3) L2TP-IPSEC with PSK.
—
Lawrence Chiu
I think the problem is this line: "What you need: A Linux machine. It's best if you use a machine with a public IPv4 address, such as an Amazon EC2 virtual machine." My Ubuntu server is behind a router at 192.168.0.50. So ipsec.conf is probably a problem.
—
Lawrence Chiu
I got it working by deleting the block below: {conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT}
—
Lawrence Chiu
I got it working with the iPad by adding "forceencaps=yes" and "dpdaction=clear", but I still need help. Windows 7 won't connect, even with the registry hack: support.microsoft.com/kb/926179/en-us AssumeUDPEncapsulationContextOnSendRule=2 made no difference. Error 809: "The network connection between your computer and the VPN server could not be established because the remote server is not responding"
—
Lawrence Chiu 20:13